Add delay on authentication failures
This provides some basic rate limiting that will make it difficult
for an attacker to brute force passwords. Only relevant when the
blacklist is disabled as otherwise the attacker only gets a very
limited number of attempts.
diff --git a/common/rfb/SConnection.cxx b/common/rfb/SConnection.cxx
index 690653a..4e224aa 100644
--- a/common/rfb/SConnection.cxx
+++ b/common/rfb/SConnection.cxx
@@ -236,11 +236,8 @@
}
} catch (AuthFailureException& e) {
vlog.error("AuthFailureException: %s", e.str());
- os->writeU32(secResultFailed);
- if (!client.beforeVersion(3,8)) // 3.8 onwards have failure message
- os->writeString(e.str());
- os->flush();
- throw;
+ state_ = RFBSTATE_SECURITY_FAILURE;
+ authFailure(e.str());
}
}
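Review bot: The catch block at L19-L20 now relies on authFailure() never returning — the old `throw;` that guaranteed propagation is gone, and nothing after the call handles a normal return — so that contract should be stated at the call site, e.g. `authFailure(e.str()); // never returns: sends secResultFailed, then throws AuthFailureException`. Since authFailure() is presumably the hook an overriding class uses to insert the delay the commit message describes, any override must preserve that no-return behaviour or the failed handshake silently falls through to whatever follows this try/catch. Note also that the rethrown object is a fresh AuthFailureException built from e.str() rather than the original exception, so a more-derived type thrown by the security backend would be flattened (harmless if none exists, but worth confirming). The delay itself is not in this file; if it is implemented as a synchronous sleep in the override, a single-threaded server stalls every other client for its duration, which turns the brute-force mitigation into a cheap denial-of-service lever — verify how the override is written. The enclosing function and its try block begin before this hunk.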
@@ -315,6 +312,19 @@
{
}
+void SConnection::authFailure(const char* reason)
+{
+ if (state_ != RFBSTATE_SECURITY_FAILURE)
+ throw Exception("SConnection::authFailure: invalid state");
+
+ os->writeU32(secResultFailed);
+ if (!client.beforeVersion(3,8)) // 3.8 onwards have failure message
+ os->writeString(reason);
+ os->flush();
+
+ throw AuthFailureException(reason);
+}
+
void SConnection::queryConnection(const char* userName)
{
approveConnection(true);