annotate src/auth/auth-penalty.c @ 22614:cf66220d281e

doveadm proxy: Don't crash if remote doesn't support log proxying
author Timo Sirainen <timo.sirainen@dovecot.fi>
date Sat, 14 Oct 2017 12:54:18 +0300
parents 2e2563132d5f
children cb108f786fb4
1 /* Copyright (c) 2009-2017 Dovecot authors, see the included COPYING file */
3 #include "lib.h"
4 #include "ioloop.h"
5 #include "net.h"
6 #include "crc32.h"
7 #include "master-service.h"
8 #include "anvil-client.h"
9 #include "auth-request.h"
10 #include "auth-penalty.h"
12 #include <stdio.h>
14 /* We don't want IPv6 hosts being able to flood our penalty
15 tracking with tons of different IPs. */
16 #define PENALTY_IPV6_MASK_BITS 48
/* State of one pending PENALTY-GET query. It is allocated by
   auth_penalty_lookup() and released by auth_penalty_anvil_callback(). */
struct auth_penalty_request {
	/* request the penalty is looked up for; auth_penalty_lookup() takes
	   a reference that the reply handler drops again */
	struct auth_request *auth_request;
	/* anvil client the query was sent with; the reply handler uses it to
	   check whether the connection is still up */
	struct anvil_client *client;
	/* caller's callback, invoked with the resulting penalty */
	auth_penalty_callback_t *callback;
};
/* Penalty tracker handle created by auth_penalty_init(). */
struct auth_penalty {
	/* anvil client used for all PENALTY-* commands */
	struct anvil_client *client;

	/* Set by auth_penalty_init() when the connect to anvil failed.
	   While set, lookups report a penalty of 0 and updates are dropped,
	   i.e. tracking fails open. Nothing in this file clears the flag
	   again. */
	unsigned int disabled:1;
};
/* Create a penalty tracker; `path` is handed to anvil_client_init().

   A failed connect is not treated as an error: the tracker is still
   returned, but with `disabled` set, so every later lookup reports a
   penalty of 0 and updates are skipped. On a successful connect the
   expiry time for penalty records is sent as AUTH_PENALTY_TIMEOUT. */
struct auth_penalty *auth_penalty_init(const char *path)
{
	struct auth_penalty *tracker = i_new(struct auth_penalty, 1);
	const char *cmd;

	tracker->client = anvil_client_init(path, NULL,
					    ANVIL_CLIENT_FLAG_HIDE_ENOENT);
	if (anvil_client_connect(tracker->client, TRUE) < 0) {
		/* fail open: run without penalty tracking */
		tracker->disabled = TRUE;
		return tracker;
	}

	cmd = t_strdup_printf("PENALTY-SET-EXPIRE-SECS\t%u",
			      AUTH_PENALTY_TIMEOUT);
	anvil_client_cmd(tracker->client, cmd);
	return tracker;
}
/* Destroy a tracker created by auth_penalty_init() and set the caller's
   pointer to NULL. */
void auth_penalty_deinit(struct auth_penalty **_penalty)
{
	struct auth_penalty *tracker = *_penalty;

	/* clear the caller's handle before anything is released, so a stale
	   pointer isn't left behind */
	*_penalty = NULL;

	anvil_client_deinit(&tracker->client);
	i_free(tracker);
}
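/* Convert a penalty level into a delay in seconds.

   The delay starts at AUTH_PENALTY_INIT_SECS, doubles once per penalty
   level and is capped at AUTH_PENALTY_MAX_SECS. */
unsigned int auth_penalty_to_secs(unsigned int penalty)
{
	unsigned int i, secs = AUTH_PENALTY_INIT_SECS;

	for (i = 0; i < penalty; i++) {
		/* Stop at the cap instead of doubling for every level. With
		   a large penalty the unsigned value would otherwise wrap
		   around to 0, so the highest penalty would map to no delay
		   at all, and the loop would run for up to UINT_MAX rounds. */
		if (secs >= AUTH_PENALTY_MAX_SECS)
			return AUTH_PENALTY_MAX_SECS;
		secs *= 2;
	}
	return secs < AUTH_PENALTY_MAX_SECS ? secs : AUTH_PENALTY_MAX_SECS;
}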
/* Reply handler for the PENALTY-GET query sent by auth_penalty_lookup().

   A valid reply holds the penalty and the timestamp it was last changed
   at. The penalty is lowered by one level for every step, counted down
   from AUTH_PENALTY_MAX_PENALTY, whose delay has already passed since
   that timestamp. The result goes to the caller's callback; afterwards
   the auth_request reference taken for the lookup is dropped and the
   request state is freed.

   Without a reply the penalty stays 0, so the lookup fails open. */
static void auth_penalty_anvil_callback(const char *reply, void *context)
{
	struct auth_penalty_request *req = context;
	unsigned int penalty = 0;
	unsigned long last_penalty = 0;
	unsigned int step;

	if (reply == NULL) {
		/* internal failure. */
		if (!anvil_client_is_connected(req->client)) {
			/* we probably didn't have permissions to reconnect
			   back to anvil. need to restart ourself. */
			master_service_stop(master_service);
		}
	} else if (sscanf(reply, "%u %lu", &penalty, &last_penalty) != 2) {
		/* NOTE(review): when only the first field parses, `penalty`
		   already holds that value and is passed on below without
		   the decay step. */
		i_error("Invalid PENALTY-GET reply: %s", reply);
	} else {
		if ((time_t)last_penalty > ioloop_time) {
			/* time moved backwards? */
			last_penalty = ioloop_time;
		}

		/* update penalty.
		   NOTE(review): `step` is unsigned and drops once per penalty
		   level, so a reported penalty above AUTH_PENALTY_MAX_PENALTY
		   could take it below zero - confirm anvil never returns
		   more than the cap. */
		for (step = AUTH_PENALTY_MAX_PENALTY; penalty > 0;
		     step--, penalty--) {
			if (ioloop_time - last_penalty <
			    auth_penalty_to_secs(step))
				break;
		}
	}

	req->callback(penalty, req->auth_request);
	auth_request_unref(&req->auth_request);
	i_free(req);
}
/* Build the identifier that penalties are tracked under: the textual form
   of the request's remote IP.

   For IPv6 only the first PENALTY_IPV6_MASK_BITS bits are kept, so all
   addresses inside one prefix share a penalty record. IPv4 addresses are
   used as they are. The result is whatever net_ip2addr() returns; both
   callers treat NULL as "no tracking". */
static const char *
auth_penalty_get_ident(struct auth_request *auth_request)
{
	/* work on a copy, the request's own address must stay intact */
	struct ip_addr addr = auth_request->remote_ip;

#ifdef HAVE_IPV6
	if (IPADDR_IS_V6(&addr)) {
		/* the mask is applied in whole bytes, so the bit count is
		   effectively rounded down to a multiple of CHAR_BIT */
		const size_t prefix_bytes = PENALTY_IPV6_MASK_BITS / CHAR_BIT;

		memset(addr.u.ip6.s6_addr + prefix_bytes, 0,
		       sizeof(addr.u.ip6.s6_addr) - prefix_bytes);
	}
#endif
	return net_ip2addr(&addr);
}
/* Look up the current penalty for the request's remote IP and report it
   through `callback`.

   The callback is invoked right away with 0 when tracking is disabled,
   when no identifier can be built for the remote IP, or when the request
   has `no_penalty` set. Otherwise a PENALTY-GET query is sent to anvil and
   the callback runs from auth_penalty_anvil_callback(); the request is
   kept referenced until then.

   NOTE(review): `no_penalty` bypasses the check entirely. Where it gets
   set isn't visible here - confirm only trusted auth clients can do so. */
void auth_penalty_lookup(struct auth_penalty *penalty,
			 struct auth_request *auth_request,
			 auth_penalty_callback_t *callback)
{
	struct auth_penalty_request *req;
	const char *ident = auth_penalty_get_ident(auth_request);

	if (penalty->disabled || ident == NULL || auth_request->no_penalty) {
		callback(0, auth_request);
		return;
	}

	req = i_new(struct auth_penalty_request, 1);
	req->callback = callback;
	req->client = penalty->client;
	req->auth_request = auth_request;
	/* dropped again by the reply handler */
	auth_request_ref(auth_request);

	T_BEGIN {
		const char *query = t_strdup_printf("PENALTY-GET\t%s", ident);

		anvil_client_query(penalty->client, query,
				   auth_penalty_anvil_callback, req);
	} T_END;
}
/* Return a CRC32 over the request's password followed by its user name,
   or 0 when the request has no password.

   auth_penalty_update() puts this value into the PENALTY-INC command.
   CRC32 is a plain checksum, not a password hash: it can only serve to
   tell whether two attempts used the same user+password pair. */
static unsigned int
get_userpass_checksum(struct auth_request *auth_request)
{
	if (auth_request->mech_password == NULL)
		return 0;

	return crc32_str_more(crc32_str(auth_request->mech_password),
			      auth_request->user);
}
/* Send the new penalty `value` for the request's remote IP to anvil.

   Nothing is sent when tracking is disabled, when no identifier can be
   built for the remote IP, or when the request has `no_penalty` set.
   Values above AUTH_PENALTY_MAX_PENALTY are clamped to it. The command
   also carries the user+password checksum, which is 0 when `value` is 0. */
void auth_penalty_update(struct auth_penalty *penalty,
			 struct auth_request *auth_request, unsigned int value)
{
	const char *ident = auth_penalty_get_ident(auth_request);

	if (penalty->disabled || ident == NULL || auth_request->no_penalty)
		return;

	/* The command is still sent at the cap: even if the actual value
	   doesn't change, the last_change timestamp does. */
	if (value > AUTH_PENALTY_MAX_PENALTY)
		value = AUTH_PENALTY_MAX_PENALTY;

	T_BEGIN {
		unsigned int checksum = 0;

		if (value != 0)
			checksum = get_userpass_checksum(auth_request);
		anvil_client_cmd(penalty->client,
				 t_strdup_printf("PENALTY-INC\t%s\t%u\t%u",
						 ident, checksum, value));
	} T_END;
}