Mercurial > dropbear
view libtomcrypt/src/headers/tomcrypt_dropbear.h @ 1790:42745af83b7d
Introduce extra delay before closing unauthenticated sessions
To make it harder for attackers, introduce a delay to keep an
unauthenticated session open a bit longer, thus blocking a connection
slot until after the delay.
Without this, while there is a limit on the amount of attempts an attacker
can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
handle one attempt is still short and thus for each of the allowed parallel
attempts many attempts can be chained one after the other. The attempt rate
is then:
"MAX_UNAUTH_PER_IP / <process time of one attempt>".
With the delay, this rate becomes:
"MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
---|---|
date | Wed, 15 Feb 2017 13:53:04 +0100 |
parents | c2c0f43ff827 |
children | 3f4cdf839a1a |
line wrap: on
line source
/* compile options depend on Dropbear options.h */ #include "options.h" /* Dropbear config */ #define LTC_NOTHING /* Use small code where possible */ #if DROPBEAR_SMALL_CODE #define LTC_SMALL_CODE #endif /* Fewer entries needed */ #define TAB_SIZE 5 #if DROPBEAR_AES #define LTC_RIJNDAEL #endif /* _TABLES tells it to use tables during setup, _SMALL means to use the smaller scheduled key format * (saves 4KB of ram), _ALL_TABLES enables all tables during setup */ #if DROPBEAR_TWOFISH #define LTC_TWOFISH #define LTC_TWOFISH_SMALL #endif #if DROPBEAR_3DES #define LTC_DES #endif #if DROPBEAR_ENABLE_CBC_MODE #define LTC_CBC_MODE #endif #if DROPBEAR_ENABLE_CTR_MODE #define LTC_CTR_MODE #endif #if DROPBEAR_ENABLE_GCM_MODE #define LTC_GCM_MODE #endif #if DROPBEAR_CHACHA20POLY1305 #define LTC_CHACHA #define LTC_POLY1305 #endif #if DROPBEAR_SHA512 #define LTC_SHA512 #endif #if DROPBEAR_SHA384 #define LTC_SHA384 #endif #if DROPBEAR_SHA256 #define LTC_SHA256 #endif #define LTC_SHA1 #if DROPBEAR_MD5 #define LTC_MD5 #endif /* ECC */ #if DROPBEAR_ECC #define LTC_MECC #define LTM_DESC /* use Shamir's trick for point mul (speeds up signature verification) */ #define LTC_ECC_SHAMIR #if DROPBEAR_ECC_256 #define LTC_ECC256 #endif #if DROPBEAR_ECC_384 #define LTC_ECC384 #endif #if DROPBEAR_ECC_521 #define LTC_ECC521 #endif #endif /* DROPBEAR_ECC */ #define LTC_HMAC #define LTC_HASH_HELPERS #define LTC_NO_TEST #define LTC_BASE64 /* end Dropbear config */