view .travis.yml @ 1790:42745af83b7d
Introduce extra delay before closing unauthenticated sessions
To make it harder for attackers, introduce a delay to keep an
unauthenticated session open a bit longer, thus blocking a connection
slot until after the delay.
Without this, while there is a limit on the amount of attempts an attacker
can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
handle one attempt is still short and thus for each of the allowed parallel
attempts many attempts can be chained one after the other. The attempt rate
is then:
"MAX_UNAUTH_PER_IP / <process time of one attempt>".
With the delay, this rate becomes:
"MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
| author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
|---|---|
| date | Wed, 15 Feb 2017 13:53:04 +0100 |
| parents | 32307118bc26 |
| children | f78e67527731 |
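As an added illustration of the rate argument in the commit message above (example code, not dropbear's own): a small discrete-event model in Python of one IP's unauthenticated connection slots. It assumes each failed attempt holds its slot for the processing time plus the close delay, and that the remote side reuses a slot the moment it is freed; the constant names MAX_UNAUTH_PER_IP and UNAUTH_CLOSE_DELAY are the page's, the numeric values are constructed.

```python
import heapq

# Constructed values (milliseconds), not taken from dropbear's defaults.
MAX_UNAUTH_PER_IP = 30      # parallel unauthenticated sessions allowed per IP
PROCESS_TIME_MS = 10        # time the server spends rejecting one attempt
UNAUTH_CLOSE_DELAY_MS = 5000  # extra time the session stays open before close


def attempts_in_window(max_unauth_per_ip, process_ms, close_delay_ms, window_ms):
    """Count failed attempts one IP can complete within window_ms.

    Each attempt occupies one of the IP's slots for process_ms + close_delay_ms;
    the slot is only released after the delay, so a new attempt cannot start
    in it before then. All times are integer milliseconds to keep the
    arithmetic exact.
    """
    hold_ms = process_ms + close_delay_ms
    # Min-heap of slot release times; every slot is free at t = 0.
    releases = [0] * max_unauth_per_ip
    heapq.heapify(releases)
    completed = 0
    while True:
        start = heapq.heappop(releases)   # earliest slot to become free
        finish = start + process_ms       # rejection is known at this point
        if finish > window_ms:
            break                         # earliest slot is past the window, so all are
        completed += 1
        heapq.heappush(releases, start + hold_ms)  # slot blocked until after the delay
    return completed


def attempt_rate(max_unauth_per_ip, process_ms, close_delay_ms):
    """Steady-state attempts per second: MAX_UNAUTH_PER_IP / (process time + delay).

    With close_delay_ms = 0 this is the commit message's first formula; with a
    delay much larger than the process time it approaches the second one,
    MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY.
    """
    return 1000.0 * max_unauth_per_ip / (process_ms + close_delay_ms)


if __name__ == "__main__":
    window = 60_000  # one minute
    for delay in (0, UNAUTH_CLOSE_DELAY_MS):
        n = attempts_in_window(MAX_UNAUTH_PER_IP, PROCESS_TIME_MS, delay, window)
        print(f"delay={delay:5d} ms: {n:7d} attempts/min, "
              f"{attempt_rate(MAX_UNAUTH_PER_IP, PROCESS_TIME_MS, delay):8.2f} attempts/s")
```

With the constructed values the simulated throughput drops from 180,000 attempts per minute to 360, matching the closed-form rate to within rounding of the window edge.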
```yaml
language: c

git:
  depth: 3

# use focal which provides libtommath 1.20
dist: focal

matrix:
  include:
    - name: "plain linux"
      compiler: gcc
      env: WEXTRAFLAGS=-Werror

    - name: "multi binary"
      env: MULTI=1 WEXTRAFLAGS=-Werror

    - name: "bundled libtom, xenial, no writev()"
      # NOWRITEV is unrelated to libtom/xenial, test here to save a job
      env: CONFIGURE_FLAGS=--enable-bundled-libtom WEXTRAFLAGS=-Werror NOWRITEV=1
      # can use an older distro with bundled libtom
      dist: xenial

    - name: "linux clang"
      os: linux
      compiler: clang
      env: WEXTRAFLAGS=-Werror

    - name: "osx"
      os: osx
      compiler: clang
      # OS X says daemon() and utmp are deprecated
      env: WEXTRAFLAGS="-Wno-deprecated-declarations -Werror"

    # Note: the fuzzing malloc wrapper doesn't replace free() in system libtomcrypt, so need bundled.
    # Address sanitizer
    - name: "fuzz-asan"
      env: DO_FUZZ=1 CONFIGURE_FLAGS="--enable-fuzz --disable-harden --enable-bundled-libtom" WEXTRAFLAGS=-Werror LDFLAGS=-fsanitize=address EXTRACFLAGS=-fsanitize=address CXX=clang++
      compiler: clang

    # Undefined Behaviour sanitizer
    - name: "fuzz-ubsan"
      # don't fail with alignment due to https://github.com/libtom/libtomcrypt/issues/549
      env: DO_FUZZ=1 CONFIGURE_FLAGS="--enable-fuzz --disable-harden --enable-bundled-libtom" WEXTRAFLAGS=-Werror LDFLAGS=-fsanitize=undefined EXTRACFLAGS="-fsanitize=undefined -fno-sanitize-recover=undefined -fsanitize-recover=alignment" CXX=clang++
      compiler: clang

# container-based builds
addons:
  apt:
    packages:
      # packages list: https://github.com/travis-ci/apt-package-whitelist/blob/master/ubuntu-precise
      - zlib1g-dev
      - libtomcrypt-dev
      - libtommath-dev
      - mercurial

before_install:
  - if [ "$CC" = "clang" ]; then WEXTRAFLAGS="$WEXTRAFLAGS -Wno-error=incompatible-library-redeclaration" ; fi # workaround

install:
  - autoconf
  - autoheader
  - ./configure $CONFIGURE_FLAGS CFLAGS="-O2 -Wall -Wno-pointer-sign $WEXTRAFLAGS $EXTRACFLAGS" --prefix="$HOME/inst" || (cat config.log; exit 1)
  - if [ "$NOWRITEV" = "1" ]; then sed -i -e s/HAVE_WRITEV/DONT_HAVE_WRITEV/ config.h ; fi
  - make lint
  - make -j3
  - test -z $DO_FUZZ || make fuzzstandalone
  # avoid concurrent install, osx/freebsd is racey (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208093)
  - make install

script:
  - ~/inst/bin/dropbearkey -t rsa -f testrsa
  - ~/inst/bin/dropbearkey -t dss -f testdss
  - ~/inst/bin/dropbearkey -t ecdsa -f testec256 -s 256
  - ~/inst/bin/dropbearkey -t ecdsa -f testec384 -s 384
  - ~/inst/bin/dropbearkey -t ecdsa -f testec521 -s 521
  - ~/inst/bin/dropbearkey -t ed25519 -f tested25519
  - test -z $DO_FUZZ || ./fuzzers_test.sh

branches:
  only:
    - master
    - coverity
```