From 8d88cd21ef760e691faf8fe075b38399e34a34ad Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Wed, 16 Jan 2019 06:35:31 +0000
Subject: [PATCH] SSH-1 BPP: pass the IV to detect_attack.

In the course of writing the tests for detect_attack, I noticed that it had a parameter where you can pass in the last cipher block of the previous packet (or the CBC IV, of course, if there was no previous packet), so that it can detect a pattern of repeated cipher blocks even if one of them is just outside the current packet. But the actual use of the attack detector in ssh1bpp wasn't using that parameter. Now it is!
---
 ssh1bpp.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ssh1bpp.c b/ssh1bpp.c
index b54883a0..8c661292 100644
--- a/ssh1bpp.c
+++ b/ssh1bpp.c
@@ -20,6 +20,7 @@ struct ssh1_bpp_state {
 ssh1_cipher *cipher;
 struct crcda_ctx *crcda_ctx;
+ uint8_t iv[8]; /* for crcda */
 bool pending_compression_request;
 ssh_compressor *compctx;
@@ -86,6 +87,8 @@ void ssh1_bpp_new_cipher(BinaryPacketProtocol *bpp,
 s->crcda_ctx = crcda_make_context();
 bpp_logevent("Initialised %s encryption", cipher->text_name);
+
+ memset(s->iv, 0, sizeof(s->iv));
 }
 }
@@ -155,11 +158,15 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
 BPP_READ(s->data, s->biglen);
 if (s->cipher && detect_attack(s->crcda_ctx,
- s->data, s->biglen, NULL)) {
+ s->data, s->biglen, s->iv)) {
 ssh_sw_abort(s->bpp.ssh, "Network attack (CRC compensation) detected!");
 crStopV;
 }
+ /* Save the last cipher block, to be passed to the next call
+ * to detect_attack */
+ assert(s->biglen >= 8);
+ memcpy(s->iv, s->data + s->biglen - 8, sizeof(s->iv));
 if (s->cipher)
 ssh1_cipher_decrypt(s->cipher, s->data, s->biglen);
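Review bot: `/* for crcda */` on the new `iv[8]` field in the first hunk says who reads it but not what it holds or when it is valid, which is the thing a maintainer touching the decrypt path needs to know. I would write `/* last cipher block of the previous packet (zeroed on cipher setup, standing in for the CBC IV); fed to detect_attack */`, which is what the commit message and the memset in the second hunk describe. The literal 8 here, in the `assert(s->biglen >= 8)` and in the `s->biglen - 8` subtraction of the third hunk all encode the same block size; using `sizeof(s->iv)` at the other two sites, as the memcpy already does, would keep them in step.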
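Review bot: The four lines added after the closing `}` in the third hunk copy `s->data + s->biglen - 8` before the in-place `ssh1_cipher_decrypt` two lines below, and that ordering is what makes the saved block ciphertext rather than plaintext, but the new comment does not say so, so a later reordering would silently defeat the detector. I would extend it to `/* Save the last cipher block (still ciphertext: this must stay ahead of ssh1_cipher_decrypt) to pass to the next detect_attack call */`. The `assert(s->biglen >= 8)` states the precondition for the subtraction but compiles away under NDEBUG, so the comment should also name where `biglen` is bounded, which presumably happens earlier in ssh1_bpp_handle_input, outside this hunk. The copy also runs when `s->cipher` is NULL, which looks harmless since the second hunk re-zeroes `iv` when a cipher is installed, but a one-line remark to that effect would save the next reader the same check. The enclosing function starts and ends outside the hunk.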