vbatts/grub
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

2009-11-09 Robert Millan <rmh.grub@aybabtu.com>

Browse source 
* normal/auth.c (punishment_delay): New variable.
        (grub_auth_strcmp): Rewrite using grub_get_time_ms ().
        (grub_auth_check_authentication): Punish failed login attempts with  
        an incremental (2^N) delay.
This commit is contained in:
Robert Millan 2009-11-09 00:37:56 +00:00
parent a4cd68e41d
commit 3fd6f044f1
2 changed files with 35 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
ChangeLog
View file

@ -1,3 +1,10 @@
2009-11-09 Robert Millan <rmh.grub@aybabtu.com>
* normal/auth.c (punishment_delay): New variable.
(grub_auth_strcmp): Rewrite using grub_get_time_ms ().
(grub_auth_check_authentication): Punish failed login attempts with
an incremental (2^N) delay.
2009-11-09 Robert Millan <rmh.grub@aybabtu.com> 2009-11-09 Robert Millan <rmh.grub@aybabtu.com>
* conf/common.rmk (grub_mkisofs_CFLAGS): Prefix include * conf/common.rmk (grub_mkisofs_CFLAGS): Prefix include

43
normal/auth.c
View file

@ -33,26 +33,22 @@ struct grub_auth_user
}; };
struct grub_auth_user *users = NULL; struct grub_auth_user *users = NULL;
static unsigned long punishment_delay = 1;
int int
grub_auth_strcmp (const char *user_input, const char *template) grub_auth_strcmp (const char *s1, const char *s2)
{ {
int ok = 1; int ret;
const char *ptr1, *ptr2; grub_uint64_t end;
if (template == NULL) end = grub_get_time_ms () + 100;
ok = 0; ret = strcmp (s1, s2);
for (ptr1 = user_input, ptr2 = template; *ptr1; ptr1++) /* This prevents an attacker from deriving information about the
if (*ptr1 == (ptr2 ? *ptr2 : ptr1[1]) && ok) password from the time it took to execute this function. */
ptr2++; while (grub_get_time_ms () < end);
else
ok = 0;
if (ptr2 == NULL || *ptr2 != 0) return ret;
ok = 0;
return !ok;
} }
static int static int
@ -235,11 +231,14 @@ grub_auth_check_authentication (const char *userlist)
grub_memset (login, 0, sizeof (login)); grub_memset (login, 0, sizeof (login));
if (is_authenticated (userlist)) if (is_authenticated (userlist))
{
punishment_delay = 1;
return GRUB_ERR_NONE; return GRUB_ERR_NONE;
}
if (!grub_cmdline_get ("Enter username: ", login, sizeof (login) - 1, if (!grub_cmdline_get ("Enter username: ", login, sizeof (login) - 1,
0, 0, 0)) 0, 0, 0))
return GRUB_ACCESS_DENIED; goto access_denied;
grub_list_iterate (GRUB_AS_LIST (users), hook); grub_list_iterate (GRUB_AS_LIST (users), hook);
@ -249,15 +248,25 @@ grub_auth_check_authentication (const char *userlist)
/* No users present at all. */ /* No users present at all. */
if (!cur) if (!cur)
return GRUB_ACCESS_DENIED; goto access_denied;
/* Display any of available authentication schemes. */ /* Display any of available authentication schemes. */
err = cur->callback (login, 0); err = cur->callback (login, 0);
return GRUB_ACCESS_DENIED; goto access_denied;
} }
err = cur->callback (login, cur->arg); err = cur->callback (login, cur->arg);
if (is_authenticated (userlist)) if (is_authenticated (userlist))
{
punishment_delay = 1;
return GRUB_ERR_NONE; return GRUB_ERR_NONE;
}
access_denied:
grub_sleep (punishment_delay);
if (punishment_delay < GRUB_ULONG_MAX / 2)
punishment_delay *= 2;
return GRUB_ACCESS_DENIED; return GRUB_ACCESS_DENIED;
} }