dropbear: crypto_desc.c annotate

annotate crypto_desc.c @ 1790:42745af83b7d

Introduce extra delay before closing unauthenticated sessions To make it harder for attackers, introduce a delay to keep an unauthenticated session open a bit longer, thus blocking a connection slot until after the delay. Without this, while there is a limit on the amount of attempts an attacker can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one attempt is still short and thus for each of the allowed parallel attempts many attempts can be chained one after the other. The attempt rate is then: "MAX_UNAUTH_PER_IP / <process time of one attempt>". With the delay, this rate becomes: "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".

author	Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
date	Wed, 15 Feb 2017 13:53:04 +0100
parents	34d9d3c022ce
children	13cb8cc1b0e4

rev	line source
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	1 #include "includes.h"
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	2 #include "dbutil.h"
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	3 #include "crypto_desc.h"
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	4 #include "ltc_prng.h"
767 e465ed10c51d Be safer with how we handle ltc_ecc_sets[] (particularly with Matt Johnston <matt@ucc.asn.au> parents: 766 diff changeset	5 #include "ecc.h"
1748 34d9d3c022ce Use Dropbear's random source rather than libtommath's platform Matt Johnston <matt@ucc.asn.au> parents: 1295 diff changeset	6 #include "dbrandom.h"
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	7
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	8 #if DROPBEAR_LTC_PRNG
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	9 int dropbear_ltc_prng = -1;
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	10 #endif
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	11
1748 34d9d3c022ce Use Dropbear's random source rather than libtommath's platform Matt Johnston <matt@ucc.asn.au> parents: 1295 diff changeset	12 /* Wrapper for libtommath */
34d9d3c022ce Use Dropbear's random source rather than libtommath's platform Matt Johnston <matt@ucc.asn.au> parents: 1295 diff changeset	13 static mp_err dropbear_rand_source(void* out, size_t size) {
34d9d3c022ce Use Dropbear's random source rather than libtommath's platform Matt Johnston <matt@ucc.asn.au> parents: 1295 diff changeset	14 genrandom((unsigned char*)out, (unsigned int)size);
34d9d3c022ce Use Dropbear's random source rather than libtommath's platform Matt Johnston <matt@ucc.asn.au> parents: 1295 diff changeset	15 return MP_OKAY;
34d9d3c022ce Use Dropbear's random source rather than libtommath's platform Matt Johnston <matt@ucc.asn.au> parents: 1295 diff changeset	16 }
34d9d3c022ce Use Dropbear's random source rather than libtommath's platform Matt Johnston <matt@ucc.asn.au> parents: 1295 diff changeset	17
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	18
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	19 /* Register the compiled in ciphers.
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	20 * This should be run before using any of the ciphers/hashes */
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	21 void crypto_init() {
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	22
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	23 const struct ltc_cipher_descriptor *regciphers[] = {
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	24 #if DROPBEAR_AES
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	25 &aes_desc,
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	26 #endif
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	27 #if DROPBEAR_BLOWFISH
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	28 &blowfish_desc,
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	29 #endif
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	30 #if DROPBEAR_TWOFISH
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	31 &twofish_desc,
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	32 #endif
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	33 #if DROPBEAR_3DES
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	34 &des3_desc,
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	35 #endif
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	36 NULL
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	37 };
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	38
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	39 const struct ltc_hash_descriptor *reghashes[] = {
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	40 /* we need sha1 for hostkey stuff regardless */
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	41 &sha1_desc,
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	42 #if DROPBEAR_MD5_HMAC
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	43 &md5_desc,
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	44 #endif
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	45 #if DROPBEAR_SHA256
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	46 &sha256_desc,
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	47 #endif
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	48 #if DROPBEAR_SHA384
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	49 &sha384_desc,
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	50 #endif
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	51 #if DROPBEAR_SHA512
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	52 &sha512_desc,
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	53 #endif
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	54 NULL
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	55 };
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	56 int i;
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	57
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	58 for (i = 0; regciphers[i] != NULL; i++) {
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	59 if (register_cipher(regciphers[i]) == -1) {
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	60 dropbear_exit("Error registering crypto");
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	61 }
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	62 }
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	63
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	64 for (i = 0; reghashes[i] != NULL; i++) {
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	65 if (register_hash(reghashes[i]) == -1) {
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	66 dropbear_exit("Error registering crypto");
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	67 }
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	68 }
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	69
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	70 #if DROPBEAR_LTC_PRNG
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	71 dropbear_ltc_prng = register_prng(&dropbear_prng_desc);
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	72 if (dropbear_ltc_prng == -1) {
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	73 dropbear_exit("Error registering crypto");
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	74 }
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	75 #endif
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	76
1748 34d9d3c022ce Use Dropbear's random source rather than libtommath's platform Matt Johnston <matt@ucc.asn.au> parents: 1295 diff changeset	77 mp_rand_source(dropbear_rand_source);
34d9d3c022ce Use Dropbear's random source rather than libtommath's platform Matt Johnston <matt@ucc.asn.au> parents: 1295 diff changeset	78
1295 750ec4ec4cbe Convert #ifdef to #if, other build changes Matt Johnston <matt@ucc.asn.au> parents: 767 diff changeset	79 #if DROPBEAR_ECC
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	80 ltc_mp = ltm_desc;
767 e465ed10c51d Be safer with how we handle ltc_ecc_sets[] (particularly with Matt Johnston <matt@ucc.asn.au> parents: 766 diff changeset	81 dropbear_ecc_fill_dp();
766 d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	82 #endif
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	83 }
d1575fdc29a6 start on ecdsa keys Matt Johnston <matt@ucc.asn.au> parents: diff changeset	84

Mercurial > dropbear

annotate crypto_desc.c @ 1790:42745af83b7d