[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-anastasis] 01/06: fix #6572
|
From: |
gnunet |
|
Subject: |
[taler-anastasis] 01/06: fix #6572 |
|
Date: |
Sat, 13 Mar 2021 19:23:23 +0100 |
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository anastasis.
commit 2f92dc0713cf8745f21c3e7512057afa373e0ac8
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Sat Mar 13 15:07:58 2021 +0100
fix #6572
---
src/backend/anastasis-httpd_truth.c | 53 ++++++++++++++++++++++++++++---------
1 file changed, 40 insertions(+), 13 deletions(-)
diff --git a/src/backend/anastasis-httpd_truth.c
b/src/backend/anastasis-httpd_truth.c
index bf4b182..3d43a94 100644
--- a/src/backend/anastasis-httpd_truth.c
+++ b/src/backend/anastasis-httpd_truth.c
@@ -30,6 +30,13 @@
#include <taler/taler_merchant_service.h>
#include <taler/taler_json_lib.h>
+/**
+ * What is the maximum frequency at which we allow
+ * clients to attempt to answer security questions?
+ */
+#define MAX_QUESTION_FREQ GNUNET_TIME_relative_multiply ( \
+ GNUNET_TIME_UNIT_SECONDS, 30)
+
/**
* How long do we hold an HTTP client connection if
* we are awaiting payment before giving up?
@@ -894,11 +901,40 @@ AH_handler_truth_get (
TALER_EC_ANASTASIS_TRUTH_CHALLENGE_RESPONSE_REQUIRED,
NULL);
}
- // FIXME: do something here to rate-limit
- // brute force attempts (by checking against the timestamp
- // from 'mark_challenge_sent' and refusing if the response
- // is provided too quickly again!
+ {
+ enum GNUNET_DB_QueryStatus qs;
+ struct GNUNET_TIME_Absolute rt;
+ uint64_t code;
+
+ rt = GNUNET_TIME_UNIT_FOREVER_ABS;
+ qs = db->create_challenge_code (db->cls,
+ &gc->truth_uuid,
+ MAX_QUESTION_FREQ,
+ GNUNET_TIME_UNIT_HOURS,
+ UINT32_MAX,
+ &rt,
+ &code);
+ if (0 > qs)
+ {
+ GNUNET_break (0 < qs);
+ GNUNET_free (decrypted_truth);
+ GNUNET_free (truth_mime);
+ return TALER_MHD_reply_with_error (connection,
+ MHD_HTTP_INTERNAL_SERVER_ERROR,
+ TALER_EC_GENERIC_DB_FETCH_FAILED,
+ "create_challenge_code (for rate
limiting)");
+ }
+ if (0 != rt.abs_value_us)
+ {
+ GNUNET_free (decrypted_truth);
+ GNUNET_free (truth_mime);
+ return TALER_MHD_reply_with_error (connection,
+ MHD_HTTP_TOO_MANY_REQUESTS,
+
TALER_EC_ANASTASIS_TRUTH_RATE_LIMITED,
+ NULL);
+ }
+ }
if ( (decrypted_truth_size != sizeof (challenge_response)) ||
(0 != memcmp (&challenge_response,
decrypted_truth,
@@ -910,15 +946,6 @@ AH_handler_truth_get (
(unsigned int) sizeof (challenge_response));
GNUNET_free (decrypted_truth);
GNUNET_free (truth_mime);
- /* for rate-limiting... */
-#if 0
- enum GNUNET_DB_QueryStatus qs;
- // FIXME: fails: this is an UPDATE statement, we need to possibly INSERT
_or_ UPDATE
- qs = db->mark_challenge_sent (db->cls,
- &gc->truth_uuid,
- 0);
- GNUNET_break (0 < qs);
-#endif
return TALER_MHD_reply_with_error (connection,
MHD_HTTP_FORBIDDEN,
TALER_EC_ANASTASIS_TRUTH_CHALLENGE_FAILED,
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
- [taler-anastasis] branch master updated (04827aa -> e715a2d), gnunet, 2021/03/13
- [taler-anastasis] 04/06: remove bogus unique constraint, gnunet, 2021/03/13
- [taler-anastasis] 01/06: fix #6572,
gnunet <=
- [taler-anastasis] 03/06: add long polling support for payment on challenge solving, gnunet, 2021/03/13
- [taler-anastasis] 05/06: fix index, gnunet, 2021/03/13
- [taler-anastasis] 02/06: fix #6752, gnunet, 2021/03/13
- [taler-anastasis] 06/06: fix #6748, gnunet, 2021/03/13