[dovecot-cvs] dovecot/src/auth main.c, 1.25, 1.26 mech-cram-md5.c, 1.5, 1.6 mech-digest-md5.c, 1.21, 1.22 mech.c, 1.25, 1.26 mech.h, 1.18, 1.19

cras at procontrol.fi cras at procontrol.fi
Mon May 31 23:10:04 EEST 2004 

Update of /home/cvs/dovecot/src/auth
In directory talvi:/tmp/cvs-serv8155

Modified Files:
	main.c mech-cram-md5.c mech-digest-md5.c mech.c mech.h 
Log Message:
Delay reporting failed authentications



Index: main.c
===================================================================
RCS file: /home/cvs/dovecot/src/auth/main.c,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -d -r1.25 -r1.26
--- a/main.c	30 May 2004 03:57:15 -0000	1.25
+++ b/main.c	31 May 2004 20:10:02 -0000	1.26
@@ -51,10 +51,14 @@
 
 static void drop_privileges(void)
 {
+	unsigned int seed;
+
 	open_logfile();
 
 	/* Open /dev/urandom before chrooting */
 	random_init();
+	random_fill(&seed, sizeof(seed));
+	srand(seed);
 
 	/* Password lookups etc. may require roots, allow it. */
 	restrict_access_by_env(FALSE);
@@ -156,6 +160,8 @@
         if (lib_signal_kill != 0)
 		i_warning("Killed with signal %d", lib_signal_kill);
 
+	auth_failure_buf_flush();
+
 	master = buffer_get_modifyable_data(masters_buf, &size);
 	size /= sizeof(*master);
 	for (i = 0; i < size; i++) {

Index: mech-cram-md5.c
===================================================================
RCS file: /home/cvs/dovecot/src/auth/mech-cram-md5.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- a/mech-cram-md5.c	31 May 2004 18:57:25 -0000	1.5
+++ b/mech-cram-md5.c	31 May 2004 20:10:02 -0000	1.6
@@ -132,13 +132,9 @@
 	struct cram_auth_request *auth =
 		(struct cram_auth_request *) request;
 
-	if (verify_credentials(auth, result)) {
-		if (verbose) {
-			i_info("cram-md5(%s): authenticated",
-			       get_log_prefix(&auth->auth_request));
-		}
+	if (verify_credentials(auth, result))
 		mech_auth_finish(request, NULL, 0, TRUE);
-	} else {
+	else {
 		if (verbose) {
 			i_info("cram-md5(%s): authentication failed",
 			       get_log_prefix(&auth->auth_request));

Index: mech-digest-md5.c
===================================================================
RCS file: /home/cvs/dovecot/src/auth/mech-digest-md5.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -d -r1.21 -r1.22
--- a/mech-digest-md5.c	31 May 2004 18:57:25 -0000	1.21
+++ b/mech-digest-md5.c	31 May 2004 20:10:02 -0000	1.22
@@ -511,16 +511,16 @@
 		(struct digest_auth_request *) request;
 	struct auth_client_request_reply reply;
 
+	if (!verify_credentials(auth, result)) {
+		mech_auth_finish(request, NULL, 0, FALSE);
+		return;
+	}
+
 	mech_init_auth_client_reply(&reply);
 	reply.id = request->id;
-
-	if (!verify_credentials(auth, result))
-		reply.result = AUTH_CLIENT_RESULT_FAILURE;
-	else {
-		reply.result = AUTH_CLIENT_RESULT_CONTINUE;
-		reply.data_size = strlen(auth->rspauth);
-		auth->authenticated = TRUE;
-	}
+	reply.result = AUTH_CLIENT_RESULT_CONTINUE;
+	reply.data_size = strlen(auth->rspauth);
+	auth->authenticated = TRUE;
 
 	request->callback(&reply, auth->rspauth, request->conn);
 }

Index: mech.c
===================================================================
RCS file: /home/cvs/dovecot/src/auth/mech.c,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -d -r1.25 -r1.26
--- a/mech.c	31 May 2004 18:57:25 -0000	1.25
+++ b/mech.c	31 May 2004 20:10:02 -0000	1.26
@@ -22,6 +22,9 @@
 static int ssl_require_client_cert;
 static struct auth_client_request_reply failure_reply;
 
+static buffer_t *auth_failures_buf;
+static struct timeout *to_auth_failures;
+
 void mech_register_module(struct mech_module *module)
 {
 	struct mech_module_list *list;
@@ -224,24 +227,24 @@
 	struct auth_client_request_reply reply;
 	void *reply_data;
 
+	if (!success) {
+		/* failure. don't announce it immediately to avoid
+		   a) timing attacks, b) flooding */
+		buffer_append(auth_failures_buf,
+			      &auth_request, sizeof(auth_request));
+		return;
+	}
+
 	memset(&reply, 0, sizeof(reply));
 	reply.id = auth_request->id;
+	reply.result = AUTH_CLIENT_RESULT_SUCCESS;
 
-	if (success) {
-		reply_data = mech_auth_success(&reply, auth_request,
-					       data, data_size);
-		reply.result = AUTH_CLIENT_RESULT_SUCCESS;
-	} else {
-		reply_data = NULL;
-		reply.result = AUTH_CLIENT_RESULT_FAILURE;
-	}
-
+	reply_data = mech_auth_success(&reply, auth_request, data, data_size);
 	auth_request->callback(&reply, reply_data, auth_request->conn);
 
-	if (!success || AUTH_MASTER_IS_DUMMY(auth_request->conn->master)) {
-		/* request is no longer needed, either because the
-		   authentication failed or because we don't have master
-		   process */
+	if (AUTH_MASTER_IS_DUMMY(auth_request->conn->master)) {
+		/* we don't have master process, the request is no longer
+		   needed */
 		mech_request_free(auth_request, auth_request->id);
 	}
 }
@@ -355,6 +358,31 @@
 	return str_c(str);
 }
 
+void auth_failure_buf_flush(void)
+{
+	struct auth_request **auth_request;
+	struct auth_client_request_reply reply;
+	size_t i, size;
+
+	auth_request = buffer_get_modifyable_data(auth_failures_buf, &size);
+	size /= sizeof(*auth_request);
+
+	memset(&reply, 0, sizeof(reply));
+	reply.result = AUTH_CLIENT_RESULT_FAILURE;
+
+	for (i = 0; i < size; i++) {
+		reply.id = auth_request[i]->id;
+		auth_request[i]->callback(&reply, NULL, auth_request[i]->conn);
+		mech_request_free(auth_request[i], auth_request[i]->id);
+	}
+	buffer_set_used_size(auth_failures_buf, 0);
+}
+
+static void auth_failure_timeout(void *context __attr_unused__)
+{
+	auth_failure_buf_flush();
+}
+
 extern struct mech_module mech_plain;
 extern struct mech_module mech_cram_md5;
 extern struct mech_module mech_digest_md5;
@@ -431,11 +459,17 @@
 	if (set_use_cyrus_sasl)
 		mech_cyrus_sasl_init_lib();
 #endif
-        ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL;
+	ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL;
+
+	auth_failures_buf =
+		buffer_create_dynamic(default_pool, 1024, (size_t)-1);
+        to_auth_failures = timeout_add(2000, auth_failure_timeout, NULL);
 }
 
 void mech_deinit(void)
 {
+	timeout_remove(to_auth_failures);
+
 	mech_unregister_module(&mech_plain);
 	mech_unregister_module(&mech_cram_md5);
 	mech_unregister_module(&mech_digest_md5);

Index: mech.h
===================================================================
RCS file: /home/cvs/dovecot/src/auth/mech.h,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -d -r1.18 -r1.19
--- a/mech.h	31 May 2004 18:57:25 -0000	1.18
+++ b/mech.h	31 May 2004 20:10:02 -0000	1.19
@@ -99,6 +99,8 @@
 
 const char *get_log_prefix(const struct auth_request *auth_request);
 
+void auth_failure_buf_flush(void);
+
 void mech_init(void);
 void mech_deinit(void);

More information about the dovecot-cvs mailing list