package/network/services/dropbear/patches/010-runtime-maxauthtries.patch

   1 From 46b22e57d91e33a591d0fba97da52672af4d6ed2 Mon Sep 17 00:00:00 2001
   2 From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
   3 Date: Mon, 29 May 2017 10:25:09 +0100
   4 Subject: [PATCH] dropbear server: support -T max auth tries
   5
   6 Add support for '-T n' for a run-time specification for maximum number
   7 of authentication attempts where 'n' is between 1 and compile time
   8 option MAX_AUTH_TRIES.
   9
  10 A default number of tries can be specified at compile time using
  11 'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
  12 backwards compatibility.
  13
  14 Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
  15 ---
  16  options.h     |  7 +++++++
  17  runopts.h     |  1 +
  18  svr-auth.c    |  2 +-
  19  svr-runopts.c | 17 +++++++++++++++++
  20  4 files changed, 26 insertions(+), 1 deletion(-)
  21
  22 diff --git a/options.h b/options.h
  23 index 0c51bb1..4d22704 100644
  24 --- a/options.h
  25 +++ b/options.h
  26 @@ -284,6 +284,13 @@ Homedir is prepended unless path begins with / */
  27  #define MAX_AUTH_TRIES 10
  28  #endif
  29
  30 +/* Default maximum number of failed authentication tries.
  31 + * defaults to MAX_AUTH_TRIES */
  32 +
  33 +#ifndef DEFAULT_AUTH_TRIES
  34 +#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
  35 +#endif
  36 +
  37  /* The default file to store the daemon's process ID, for shutdown
  38     scripts etc. This can be overridden with the -P flag */
  39  #ifndef DROPBEAR_PIDFILE
  40 diff --git a/runopts.h b/runopts.h
  41 index f7c869d..2f7da63 100644
  42 --- a/runopts.h
  43 +++ b/runopts.h
  44 @@ -96,6 +96,7 @@ typedef struct svr_runopts {
  45         int noauthpass;
  46         int norootpass;
  47         int allowblankpass;
  48 +       unsigned int maxauthtries;
  49
  50  #ifdef ENABLE_SVR_REMOTETCPFWD
  51         int noremotetcp;
  52 diff --git a/svr-auth.c b/svr-auth.c
  53 index 577ea88..6a7ce0b 100644
  54 --- a/svr-auth.c
  55 +++ b/svr-auth.c
  56 @@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) {
  57                 ses.authstate.failcount++;
  58         }
  59
  60 -       if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
  61 +       if (ses.authstate.failcount >= svr_opts.maxauthtries) {
  62                 char * userstr;
  63                 /* XXX - send disconnect ? */
  64                 TRACE(("Max auth tries reached, exiting"))
  65 diff --git a/svr-runopts.c b/svr-runopts.c
  66 index 8f60059..1e7440f 100644
  67 --- a/svr-runopts.c
  68 +++ b/svr-runopts.c
  69 @@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
  70                                         "-g             Disable password logins for root\n"
  71                                         "-B             Allow blank password logins\n"
  72  #endif
  73 +                                       "-T <1 to %d>   Maximum authentication tries (default %d)\n"
  74  #ifdef ENABLE_SVR_LOCALTCPFWD
  75                                         "-j             Disable local port forwarding\n"
  76  #endif
  77 @@ -106,6 +107,7 @@ static void printhelp(const char * progname) {
  78  #ifdef DROPBEAR_ECDSA
  79                                         ECDSA_PRIV_FILENAME,
  80  #endif
  81 +                                       MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES,
  82                                         DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
  83                                         DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
  84  }
  85 @@ -118,6 +120,7 @@ void svr_getopts(int argc, char ** argv) {
  86         char* recv_window_arg = NULL;
  87         char* keepalive_arg = NULL;
  88         char* idle_timeout_arg = NULL;
  89 +       char* maxauthtries_arg = NULL;
  90         char* keyfile = NULL;
  91         char c;
  92
  93 @@ -130,6 +133,7 @@ void svr_getopts(int argc, char ** argv) {
  94         svr_opts.noauthpass = 0;
  95         svr_opts.norootpass = 0;
  96         svr_opts.allowblankpass = 0;
  97 +       svr_opts.maxauthtries = DEFAULT_AUTH_TRIES;
  98         svr_opts.inetdmode = 0;
  99         svr_opts.portcount = 0;
 100         svr_opts.hostkey = NULL;
 101 @@ -234,6 +238,9 @@ void svr_getopts(int argc, char ** argv) {
 102                                 case 'I':
 103                                         next = &idle_timeout_arg;
 104                                         break;
 105 +                               case 'T':
 106 +                                       next = &maxauthtries_arg;
 107 +                                       break;
 108  #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
 109                                 case 's':
 110                                         svr_opts.noauthpass = 1;
 111 @@ -330,6 +337,16 @@ void svr_getopts(int argc, char ** argv) {
 112                         dropbear_exit("Bad recv window '%s'", recv_window_arg);
 113                 }
 114         }
 115 +
 116 +       if (maxauthtries_arg) {
 117 +               unsigned int val = 0;
 118 +               if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE ||
 119 +                       val == 0 || val > MAX_AUTH_TRIES) {
 120 +                       dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
 121 +               }
 122 +               svr_opts.maxauthtries = val;
 123 +       }
 124 +
 125
 126         if (keepalive_arg) {
 127                 unsigned int val;
 128 --
 129 2.7.4
 130