Mercurial > dropbear
view libtomcrypt/src/pk/asn1/der/sequence/der_decode_sequence_multi.c @ 1790:42745af83b7d
Introduce extra delay before closing unauthenticated sessions
To make it harder for attackers, introduce a delay to keep an
unauthenticated session open a bit longer, thus blocking a connection
slot until after the delay.
Without this, while there is a limit on the amount of attempts an attacker
can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
handle one attempt is still short and thus for each of the allowed parallel
attempts many attempts can be chained one after the other. The attempt rate
is then:
"MAX_UNAUTH_PER_IP / <process time of one attempt>".
With the delay, this rate becomes:
"MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
| author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
|---|---|
| date | Wed, 15 Feb 2017 13:53:04 +0100 |
| parents | 6dba84798cd5 |
| children |
line wrap: on
line source
/* LibTomCrypt, modular cryptographic library -- Tom St Denis * * LibTomCrypt is a library that provides various cryptographic * algorithms in a highly modular and flexible manner. * * The library is free for all purposes without any express * guarantee it works. */ #include "tomcrypt.h" #include <stdarg.h> /** @file der_decode_sequence_multi.c ASN.1 DER, decode a SEQUENCE, Tom St Denis */ #ifdef LTC_DER /** Decode a SEQUENCE type using a VA list @param in Input buffer @param inlen Length of input in octets @remark <...> is of the form <type, size, data> (int, unsigned long, void*) @return CRYPT_OK on success */ int der_decode_sequence_multi(const unsigned char *in, unsigned long inlen, ...) { int err; ltc_asn1_type type; unsigned long size, x; void *data; va_list args; ltc_asn1_list *list; LTC_ARGCHK(in != NULL); /* get size of output that will be required */ va_start(args, inlen); x = 0; for (;;) { type = (ltc_asn1_type)va_arg(args, int); size = va_arg(args, unsigned long); data = va_arg(args, void*); LTC_UNUSED_PARAM(size); LTC_UNUSED_PARAM(data); if (type == LTC_ASN1_EOL) { break; } switch (type) { case LTC_ASN1_BOOLEAN: case LTC_ASN1_INTEGER: case LTC_ASN1_SHORT_INTEGER: case LTC_ASN1_BIT_STRING: case LTC_ASN1_OCTET_STRING: case LTC_ASN1_NULL: case LTC_ASN1_OBJECT_IDENTIFIER: case LTC_ASN1_IA5_STRING: case LTC_ASN1_PRINTABLE_STRING: case LTC_ASN1_UTF8_STRING: case LTC_ASN1_UTCTIME: case LTC_ASN1_SET: case LTC_ASN1_SETOF: case LTC_ASN1_SEQUENCE: case LTC_ASN1_CHOICE: case LTC_ASN1_RAW_BIT_STRING: case LTC_ASN1_TELETEX_STRING: case LTC_ASN1_GENERALIZEDTIME: ++x; break; case LTC_ASN1_EOL: case LTC_ASN1_CONSTRUCTED: case LTC_ASN1_CONTEXT_SPECIFIC: va_end(args); return CRYPT_INVALID_ARG; } } va_end(args); /* allocate structure for x elements */ if (x == 0) { return CRYPT_NOP; } list = XCALLOC(sizeof(*list), x); if (list == NULL) { return CRYPT_MEM; } /* fill in the structure */ va_start(args, inlen); x = 0; for (;;) { type = (ltc_asn1_type)va_arg(args, int); size = va_arg(args, unsigned long); data = va_arg(args, void*); if (type == LTC_ASN1_EOL) { break; } switch (type) { case LTC_ASN1_BOOLEAN: case LTC_ASN1_INTEGER: case LTC_ASN1_SHORT_INTEGER: case LTC_ASN1_BIT_STRING: case LTC_ASN1_OCTET_STRING: case LTC_ASN1_NULL: case LTC_ASN1_OBJECT_IDENTIFIER: case LTC_ASN1_IA5_STRING: case LTC_ASN1_PRINTABLE_STRING: case LTC_ASN1_UTF8_STRING: case LTC_ASN1_UTCTIME: case LTC_ASN1_SEQUENCE: case LTC_ASN1_SET: case LTC_ASN1_SETOF: case LTC_ASN1_CHOICE: case LTC_ASN1_RAW_BIT_STRING: case LTC_ASN1_TELETEX_STRING: case LTC_ASN1_GENERALIZEDTIME: LTC_SET_ASN1(list, x++, type, data, size); break; /* coverity[dead_error_line] */ case LTC_ASN1_EOL: case LTC_ASN1_CONSTRUCTED: case LTC_ASN1_CONTEXT_SPECIFIC: break; } } va_end(args); err = der_decode_sequence(in, inlen, list, x); XFREE(list); return err; } #endif /* ref: $Format:%D$ */ /* git commit: $Format:%H$ */ /* commit time: $Format:%ai$ */