Mercurial > dropbear
annotate crypto_desc.c @ 1790:42745af83b7d
Introduce extra delay before closing unauthenticated sessions
To make it harder for attackers, introduce a delay to keep an
unauthenticated session open a bit longer, thus blocking a connection
slot until after the delay.
Without this, while there is a limit on the amount of attempts an attacker
can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
handle one attempt is still short and thus for each of the allowed parallel
attempts many attempts can be chained one after the other. The attempt rate
is then:
"MAX_UNAUTH_PER_IP / <process time of one attempt>".
With the delay, this rate becomes:
"MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
---|---|
date | Wed, 15 Feb 2017 13:53:04 +0100 |
parents | 34d9d3c022ce |
children | 13cb8cc1b0e4 |
rev | line source |
---|---|
766 | 1 #include "includes.h" |
2 #include "dbutil.h" | |
3 #include "crypto_desc.h" | |
4 #include "ltc_prng.h" | |
767
e465ed10c51d
Be safer with how we handle ltc_ecc_sets[] (particularly with
Matt Johnston <matt@ucc.asn.au>
parents:
766
diff
changeset
|
5 #include "ecc.h" |
1748
34d9d3c022ce
Use Dropbear's random source rather than libtommath's platform
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
6 #include "dbrandom.h" |
766 | 7 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
8 #if DROPBEAR_LTC_PRNG |
766 | 9 int dropbear_ltc_prng = -1; |
10 #endif | |
11 | |
1748
34d9d3c022ce
Use Dropbear's random source rather than libtommath's platform
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
12 /* Wrapper for libtommath */ |
34d9d3c022ce
Use Dropbear's random source rather than libtommath's platform
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
13 static mp_err dropbear_rand_source(void* out, size_t size) { |
34d9d3c022ce
Use Dropbear's random source rather than libtommath's platform
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
14 genrandom((unsigned char*)out, (unsigned int)size); |
34d9d3c022ce
Use Dropbear's random source rather than libtommath's platform
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
15 return MP_OKAY; |
34d9d3c022ce
Use Dropbear's random source rather than libtommath's platform
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
16 } |
34d9d3c022ce
Use Dropbear's random source rather than libtommath's platform
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
17 |
766 | 18 |
19 /* Register the compiled in ciphers. | |
20 * This should be run before using any of the ciphers/hashes */ | |
21 void crypto_init() { | |
22 | |
23 const struct ltc_cipher_descriptor *regciphers[] = { | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
24 #if DROPBEAR_AES |
766 | 25 &aes_desc, |
26 #endif | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
27 #if DROPBEAR_BLOWFISH |
766 | 28 &blowfish_desc, |
29 #endif | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
30 #if DROPBEAR_TWOFISH |
766 | 31 &twofish_desc, |
32 #endif | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
33 #if DROPBEAR_3DES |
766 | 34 &des3_desc, |
35 #endif | |
36 NULL | |
37 }; | |
38 | |
39 const struct ltc_hash_descriptor *reghashes[] = { | |
40 /* we need sha1 for hostkey stuff regardless */ | |
41 &sha1_desc, | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
42 #if DROPBEAR_MD5_HMAC |
766 | 43 &md5_desc, |
44 #endif | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
45 #if DROPBEAR_SHA256 |
766 | 46 &sha256_desc, |
47 #endif | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
48 #if DROPBEAR_SHA384 |
766 | 49 &sha384_desc, |
50 #endif | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
51 #if DROPBEAR_SHA512 |
766 | 52 &sha512_desc, |
53 #endif | |
54 NULL | |
55 }; | |
56 int i; | |
57 | |
58 for (i = 0; regciphers[i] != NULL; i++) { | |
59 if (register_cipher(regciphers[i]) == -1) { | |
60 dropbear_exit("Error registering crypto"); | |
61 } | |
62 } | |
63 | |
64 for (i = 0; reghashes[i] != NULL; i++) { | |
65 if (register_hash(reghashes[i]) == -1) { | |
66 dropbear_exit("Error registering crypto"); | |
67 } | |
68 } | |
69 | |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
70 #if DROPBEAR_LTC_PRNG |
766 | 71 dropbear_ltc_prng = register_prng(&dropbear_prng_desc); |
72 if (dropbear_ltc_prng == -1) { | |
73 dropbear_exit("Error registering crypto"); | |
74 } | |
75 #endif | |
76 | |
1748
34d9d3c022ce
Use Dropbear's random source rather than libtommath's platform
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
77 mp_rand_source(dropbear_rand_source); |
34d9d3c022ce
Use Dropbear's random source rather than libtommath's platform
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
78 |
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
767
diff
changeset
|
79 #if DROPBEAR_ECC |
766 | 80 ltc_mp = ltm_desc; |
767
e465ed10c51d
Be safer with how we handle ltc_ecc_sets[] (particularly with
Matt Johnston <matt@ucc.asn.au>
parents:
766
diff
changeset
|
81 dropbear_ecc_fill_dp(); |
766 | 82 #endif |
83 } | |
84 |