From 88fee4de6760e5e8b70da0f6def2a39ea370acd7 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 30 Apr 2017 23:26:16 +0000 Subject: [PATCH] remove the (in)famous SSHv1 CRC compensation attack detector. Despite your cameo in The Matrix movies, you will not be missed. ok markus --- usr.bin/ssh/LICENCE | 23 +----- usr.bin/ssh/deattack.c | 163 --------------------------------------- usr.bin/ssh/deattack.h | 38 --------- usr.bin/ssh/lib/Makefile | 4 +- usr.bin/ssh/packet.c | 7 +- 5 files changed, 4 insertions(+), 231 deletions(-) diff --git a/usr.bin/ssh/LICENCE b/usr.bin/ssh/LICENCE index 926f758ef9e..acac80c54a6 100644 --- a/usr.bin/ssh/LICENCE +++ b/usr.bin/ssh/LICENCE @@ -75,27 +75,6 @@ OpenSSH contains no GPL code. PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. -2) - The 32-bit CRC compensation attack detector in deattack.c was - contributed by CORE SDI S.A. under a BSD-style license. - - * Cryptographic attack detector for ssh - source code - * - * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. - * - * All rights reserved. Redistribution and use in source and binary - * forms, with or without modification, are permitted provided that - * this copyright notice is retained. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR - * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS - * SOFTWARE. - * - * Ariel Futoransky - * - 3) ssh-keyscan was contributed by David Mazieres under a BSD-style license. @@ -203,4 +182,4 @@ OpenSSH contains no GPL code. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------ -$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $ +$OpenBSD: LICENCE,v 1.20 2017/04/30 23:26:16 djm Exp $ diff --git a/usr.bin/ssh/deattack.c b/usr.bin/ssh/deattack.c index 2cdbbff2cdb..e69de29bb2d 100644 
--- a/usr.bin/ssh/deattack.c
+++ b/usr.bin/ssh/deattack.c
@@ -1,163 +0,0 @@ -/* $OpenBSD: deattack.c,v 1.32 2015/01/20 23:14:00 deraadt Exp $ */ -/* - * Cryptographic attack detector for ssh - source code - * - * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. - * - * All rights reserved. Redistribution and use in source and binary - * forms, with or without modification, are permitted provided that - * this copyright notice is retained. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR - * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS - * SOFTWARE. - * - * Ariel Futoransky - * - */ - -#include -#include -#include - -#include "deattack.h" -#include "crc32.h" -#include "sshbuf.h" -#include "misc.h" - -/* - * CRC attack detection has a worst-case behaviour that is O(N^3) over - * the number of identical blocks in a packet. This behaviour can be - * exploited to create a limited denial of service attack. - * - * However, because we are dealing with encrypted data, identical - * blocks should only occur every 2^35 maximally-sized packets or so. - * Consequently, we can detect this DoS by looking for identical blocks - * in a packet. - * - * The parameter below determines how many identical blocks we will - * accept in a single packet, trading off between attack detection and - * likelihood of terminating a legitimate connection. 
A value of 32 - * corresponds to an average of 2^40 messages before an attack is - * misdetected - */ -#define MAX_IDENTICAL 32 - -/* SSH Constants */ -#define SSH_MAXBLOCKS (32 * 1024) -#define SSH_BLOCKSIZE (8) - -/* Hashing constants */ -#define HASH_MINSIZE (8 * 1024) -#define HASH_ENTRYSIZE (2) -#define HASH_FACTOR(x) ((x)*3/2) -#define HASH_UNUSEDCHAR (0xff) -#define HASH_UNUSED (0xffff) -#define HASH_IV (0xfffe) - -#define HASH_MINBLOCKS (7*SSH_BLOCKSIZE) - - -/* Hash function (Input keys are cipher results) */ -#define HASH(x) PEEK_U32(x) - -#define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE)) - -static void -crc_update(u_int32_t *a, u_int32_t b) -{ - b ^= *a; - *a = ssh_crc32((u_char *)&b, sizeof(b)); -} - -/* detect if a block is used in a particular pattern */ -static int -check_crc(const u_char *S, const u_char *buf, u_int32_t len) -{ - u_int32_t crc; - const u_char *c; - - crc = 0; - for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { - if (!CMP(S, c)) { - crc_update(&crc, 1); - crc_update(&crc, 0); - } else { - crc_update(&crc, 0); - crc_update(&crc, 0); - } - } - return crc == 0; -} - -void -deattack_init(struct deattack_ctx *dctx) -{ - bzero(dctx, sizeof(*dctx)); - dctx->n = HASH_MINSIZE / HASH_ENTRYSIZE; -} - -/* Detect a crc32 compensation attack on a packet */ -int -detect_attack(struct deattack_ctx *dctx, const u_char *buf, u_int32_t len) -{ - u_int32_t i, j, l, same; - u_int16_t *tmp; - const u_char *c, *d; - - if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) || - len % SSH_BLOCKSIZE != 0) - return DEATTACK_ERROR; - for (l = dctx->n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2) - ; - - if (dctx->h == NULL) { - if ((dctx->h = calloc(l, HASH_ENTRYSIZE)) == NULL) - return DEATTACK_ERROR; - dctx->n = l; - } else { - if (l > dctx->n) { - if ((tmp = reallocarray(dctx->h, l, HASH_ENTRYSIZE)) - == NULL) { - free(dctx->h); - dctx->h = NULL; - return DEATTACK_ERROR; - } - dctx->h = tmp; - dctx->n = l; - } - } - - if (len <= HASH_MINBLOCKS) { - for (c = buf; c < 
buf + len; c += SSH_BLOCKSIZE) { - for (d = buf; d < c; d += SSH_BLOCKSIZE) { - if (!CMP(c, d)) { - if ((check_crc(c, buf, len))) - return DEATTACK_DETECTED; - else - break; - } - } - } - return DEATTACK_OK; - } - memset(dctx->h, HASH_UNUSEDCHAR, dctx->n * HASH_ENTRYSIZE); - - for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { - for (i = HASH(c) & (dctx->n - 1); dctx->h[i] != HASH_UNUSED; - i = (i + 1) & (dctx->n - 1)) { - if (!CMP(c, buf + dctx->h[i] * SSH_BLOCKSIZE)) { - if (++same > MAX_IDENTICAL) - return DEATTACK_DOS_DETECTED; - if (check_crc(c, buf, len)) - return DEATTACK_DETECTED; - else - break; - } - } - dctx->h[i] = j; - } - return DEATTACK_OK; -} diff --git a/usr.bin/ssh/deattack.h b/usr.bin/ssh/deattack.h index ce67a30ffdd..e69de29bb2d 100644 --- a/usr.bin/ssh/deattack.h +++ b/usr.bin/ssh/deattack.h @@ -1,38 +0,0 @@ -/* $OpenBSD: deattack.h,v 1.11 2015/01/19 19:52:16 markus Exp $ */ - -/* - * Cryptographic attack detector for ssh - Header file - * - * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. - * - * All rights reserved. Redistribution and use in source and binary - * forms, with or without modification, are permitted provided that - * this copyright notice is retained. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR - * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS - * SOFTWARE. - * - * Ariel Futoransky - * - */ - -#ifndef _DEATTACK_H -#define _DEATTACK_H - -/* Return codes */ -#define DEATTACK_OK 0 -#define DEATTACK_DETECTED 1 -#define DEATTACK_DOS_DETECTED 2 -#define DEATTACK_ERROR 3 - -struct deattack_ctx { - u_int16_t *h; - u_int32_t n; -}; - -void deattack_init(struct deattack_ctx *); -int detect_attack(struct deattack_ctx *, const u_char *, u_int32_t); -#endif 
diff --git a/usr.bin/ssh/lib/Makefile b/usr.bin/ssh/lib/Makefile index 316cf2e8943..13b329fb1ee 100644 --- a/usr.bin/ssh/lib/Makefile +++ b/usr.bin/ssh/lib/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.87 2017/04/30 23:17:37 djm Exp $ +# $OpenBSD: Makefile,v 1.88 2017/04/30 23:26:16 djm Exp $ .PATH: ${.CURDIR}/.. .include "${.CURDIR}/../Makefile.inc" @@ -25,7 +25,7 @@ LIB_SRCS+= digest-libc.c SRCS= ${LIB_SRCS} \ authfd.c authfile.c bufaux.c buffer.c canohost.c \ channels.c cipher.c \ - cleanup.c compat.c crc32.c deattack.c fatal.c \ + cleanup.c compat.c crc32.c fatal.c \ hostfile.c log.c match.c nchan.c packet.c opacket.c readpass.c \ ttymodes.c xmalloc.c atomicio.c \ key.c dispatch.c kex.c mac.c uidswap.c uuencode.c misc.c utf8.c \ diff --git a/usr.bin/ssh/packet.c b/usr.bin/ssh/packet.c index 60bc507990f..6fe03affdee 100644 --- a/usr.bin/ssh/packet.c +++ b/usr.bin/ssh/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.250 2017/04/30 23:23:54 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.251 2017/04/30 23:26:16 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -62,7 +62,6 @@ #include "xmalloc.h" #include "crc32.h" -#include "deattack.h" #include "compat.h" #include "ssh1.h" #include "ssh2.h" @@ -210,9 +209,6 @@ struct session_state { /* One-off warning about weak ciphers */ int cipher_warning_done; - /* SSH1 CRC compensation attack detector */ - struct deattack_ctx deattack; - /* Hook for fuzzing inbound packets */ ssh_packet_hook_fn *hook_in; void *hook_in_ctx; @@ -309,7 +305,6 @@ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) return NULL; } state->newkeys[MODE_IN] = state->newkeys[MODE_OUT] = NULL; - deattack_init(&state->deattack); /* * Cache the IP address of the remote connection for use in error * messages that might be generated after the connection has closed. -- 2.20.1
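Review bot: With deattack.c gone, `crc32.c` in the SRCS list of lib/Makefile and the `#include "crc32.h"` left as context in the packet.c include hunk may no longer have a consumer. The removed `crc_update()` called `ssh_crc32()`, and nothing visible in this patch shows another caller. If a search for `ssh_crc32` confirms none remains, the SRCS line can become `cleanup.c compat.c fatal.c \` and the include can be dropped, so an unused CRC-32 implementation is not left linked into the library. If other code still uses it, a short comment beside the include naming that user would help the next cleanup.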