Here are a few more patches. Still keeping it easy for now. Again the basis for these patches is dovecot-1.1.7.

Patch #6. Solve a cross-compilation endianness issue. Currently, Dovecot assumes that the endianness of the build system is the same as the endianness of the runtime system. This is not necessarily true. We ran into this while compiling for i386 on a ppc machine. The patch switches to using gcc's __BIG_ENDIAN__ macro; see the comment in the patch to configure.in. It also removes the related and unused MAIL_INDEX_COMPAT_FLAGS parameter. This patch may be applicable to other build environments with a little tweaking.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch6.txt
URL: <http://dovecot.org/pipermail/dovecot/attachments/20081217/9ea4d051/attachment-0006.txt>
-------------- next part --------------

Patch #7. Replace all occurrences of "hash_create" and "hash_destroy" with "hash_table_create" and "hash_table_destroy" respectively. The symbols hash_create and hash_destroy conflict with symbols defined in <strhash.h> and libc. This showed up when loading dovecot's quota plugin (one of our future patches will add a hash table to it; stay tuned). The wrong hash_create was called which caused a crash at the first hash_insert. Apparently this is only a problem in loaded dynamic libraries and not linked-in ones.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch7.txt
URL: <http://dovecot.org/pipermail/dovecot/attachments/20081217/9ea4d051/attachment-0007.txt>
-------------- next part --------------

Patch #8. Back off after auth failures to deter abusers. Stalls 5 seconds per failed attempt.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch8.txt
URL: <http://dovecot.org/pipermail/dovecot/attachments/20081217/9ea4d051/attachment-0008.txt>
-------------- next part --------------

PS -- Please forgive me if I make a mistake at some point while splitting these patches out from our source tree. They're all mingled together on my end and it's sometimes tricky to extract just the right changes for each patch. If anything seems fishy just let me know and I'll take another look. Thanks.

Words by Mike Abbott [Wed, Dec 17, 2008 at 09:35:16AM -0600]:
> Here are a few more patches. Still keeping it easy for now. Again the
> basis for these patches is dovecot-1.1.7.
>
[...]
> Patch #8. Back off after auth failures to deter abusers. Stalls 5
> seconds per failed attempt.

Can you make #8 configurable?

We already have a sleep on auth failure on the module that does the auth (checkpassword) with some extra checks (for instance does not sleep on authentications coming from our webmail servers because they already do that) so we may not want that enabled.

--
Jose Celestino | http://japc.uncovering.org/files/japc-pgpkey.asc
----------------------------------------------------------------
"One man's theology is another man's belly laugh." -- Robert A. Heinlein

On 352, 12 17, 2008 at 09:35:16AM -0600, Mike Abbott wrote:> Here are a few more patches. Still keeping it easy for now. Again > the basis for these patches is dovecot-1.1.7. > > Patch #6. Solve a cross-compilation endianness issue. Currently, > Dovecot assumes that the endianness of the build system is the same as > the endianness of the runtime system. This is not necessarily true. > We ran into this while compiling for i386 on a ppc machine. The patch > switches to using gcc's __BIG_ENDIAN__ macro; see the comment in the > patch to configure.in. It also removes the related and unused > MAIL_INDEX_COMPAT_FLAGS parameter. This patch may be applicable to > other build environments with a little tweaking.> diff -ur dovecot-1.1.7/src/lib/sha1.c dovecot-patch/src/lib/sha1.c > --- dovecot-1.1.7/src/lib/sha1.c 2008-10-26 10:03:45.000000000 -0500 > +++ dovecot-patch/src/lib/sha1.c 2008-12-16 20:35:37.000000000 -0600 > @@ -80,7 +80,7 @@ > size_t t, s; > uint32_t tmp; > > -#ifndef WORDS_BIGENDIAN > +#if !WORDS_BIGENDIANIs this change (and similar ones below) really necessary ?
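
Review bot: the move from `#ifndef WORDS_BIGENDIAN` to `#if !WORDS_BIGENDIAN` at the byte-order test in sha1.c changes what the macro has to look like, and nothing in this hunk enforces it. The `#if` form is meant for a macro that is always defined as 0 or 1; under that convention any `#ifdef WORDS_BIGENDIAN` left unconverted elsewhere is true on every target and any leftover `#ifndef` is never true, so a missed site compiles the wrong byte-order path without a build error, which in SHA-1 means wrong digests. In the other direction, `#if` evaluates an undefined name as 0, so a build where the macro is missing quietly takes the little-endian branch. I would add a guard next to the definition (an `#ifndef WORDS_BIGENDIAN` followed by `#error`) and check the tree for remaining `ifdef`/`ifndef WORDS_BIGENDIAN` tests before merging.
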
>> -#ifndef WORDS_BIGENDIAN
>> +#if !WORDS_BIGENDIAN
>
> Is this change (and similar ones below) really necessary ?

Yes, since WORDS_BIGENDIAN is defined as __BIG_ENDIAN__ which is always defined (either 0 or 1), not undef-or-1 like other parameters.

On Wed, 2008-12-17 at 09:35 -0600, Mike Abbott wrote:
> Here are a few more patches. Still keeping it easy for now. Again
> the basis for these patches is dovecot-1.1.7.
>
> Patch #6. Solve a cross-compilation endianness issue. Currently,
> Dovecot assumes that the endianness of the build system is the same as
> the endianness of the runtime system. This is not necessarily true.
> We ran into this while compiling for i386 on a ppc machine. The patch
> switches to using gcc's __BIG_ENDIAN__ macro; see the comment in the
> patch to configure.in. It also removes the related and unused
> MAIL_INDEX_COMPAT_FLAGS parameter. This patch may be applicable to
> other build environments with a little tweaking.

http://hg.dovecot.org/dovecot-1.1/rev/fdcb5fc6f2d9

> Patch #7. Replace all occurrences of "hash_create" and "hash_destroy"
> with "hash_table_create" and "hash_table_destroy" respectively. The
> symbols hash_create and hash_destroy conflict with symbols defined in
> <strhash.h> and libc. This showed up when loading dovecot's quota
> plugin (one of our future patches will add a hash table to it; stay
> tuned). The wrong hash_create was called which caused a crash at the
> first hash_insert. Apparently this is only a problem in loaded
> dynamic libraries and not linked-in ones.

If you start renaming API functions, rename all of them for consistency. :) Probably will stay v1.2-only.

http://hg.dovecot.org/dovecot-1.2/rev/f9166a09423a

> Patch #8. Back off after auth failures to deter abusers. Stalls 5
> seconds per failed attempt.

http://hg.dovecot.org/dovecot-1.2/rev/1b744c38bcac
http://hg.dovecot.org/dovecot-1.2/rev/164569761647

Your code disabled idle timeout entirely while waiting for the auth failure reply. This doesn't seem such a good idea to me. Rather it sounds like an easy way to DoS the server. Just connect, send about 100 failing LOGIN commands and then do nothing for the next 7 hours (besides what's necessary to keep the TCP connection alive). Repeat with some thousands of clients.

> If you start renaming API functions, rename all of them for
> consistency. :)

Agreed, but when changing code on a branch, minimizing code deltas makes merging easier.

> Your code disabled idle timeout entirely

Yeah, probably not a good idea. If I had realized that I probably would have just dropped the connection after N failed auth attempts, and chosen N for when it matched the idle timeout. Your solution of clamping the backoff to just under the idle timeout is fine too.

PS -- Today is busy so I'll try to submit the next patches Monday or Tuesday.

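
The exposure discussed in the two messages above, worked through as an added example (not code from the thread, the patches, or Dovecot). It assumes the penalty grows by 5 seconds with each consecutive failure, which is the reading under which 100 failures add up to about 7 hours, and a 180-second idle timeout measured from the client's last input; that value and the names `auth_penalty_secs` and `pipelined_failures` are hypothetical.

```c
#include <stdio.h>

#define PENALTY_STEP_SECS 5  /* from the thread: 5 seconds per failed attempt */

struct outcome {
    unsigned long held_secs;  /* how long the connection stayed open */
    unsigned int answered;    /* failure replies sent before it closed */
};

/* Delay before answering the n-th consecutive failure. With a non-zero
   idle_timeout the delay is clamped to just under it, so the idle timer
   can stay armed while the reply is pending. 0 means "timer disabled". */
static unsigned int auth_penalty_secs(unsigned int nth_failure,
                                      unsigned int idle_timeout)
{
    unsigned int secs = nth_failure * PENALTY_STEP_SECS;
    if (idle_timeout > 0 && secs >= idle_timeout)
        secs = idle_timeout - 1;
    return secs;
}

/* Model (assumption): all failing commands arrive at t=0, the client then
   stays silent, and replies are serialized behind their penalties. */
static struct outcome pipelined_failures(unsigned int failures,
                                         unsigned int idle_timeout)
{
    struct outcome o = { 0, 0 };
    for (unsigned int n = 1; n <= failures; n++) {
        unsigned int wait = auth_penalty_secs(n, idle_timeout);
        if (idle_timeout > 0 && o.held_secs + wait >= idle_timeout)
            break;            /* idle timer fires before this reply is due */
        o.held_secs += wait;
        o.answered = n;
    }
    if (idle_timeout > 0)
        o.held_secs = idle_timeout;  /* server closes the silent connection */
    return o;
}

int main(void)
{
    struct outcome off = pipelined_failures(100, 0);
    struct outcome on = pipelined_failures(100, 180);
    printf("idle timer disabled: held %lu s, %u replies\n",
           off.held_secs, off.answered);
    printf("idle timer armed:    held %lu s, %u replies\n",
           on.held_secs, on.answered);
    return 0;
}
```

With the idle timer left armed, the connection's lifetime is bounded by the timeout regardless of how many failures are queued, and the number of guesses answered per connection drops as well.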
Following up. You checked in a slightly different version of patch 6 and released it with 1.1.8. We will test your solution for this and adopt it if it works. We will update our code to honor both the idle timeout and the auth failure delay, to avoid the DoS situation you described, since you checked this into 1.2 not 1.1. Thanks!