diff -ur dovecot-1.1.7/src/imap-login/client-authenticate.c dovecot-patch/src/imap-login/client-authenticate.c
--- dovecot-1.1.7/src/imap-login/client-authenticate.c 2008-10-29 11:18:51.000000000 -0500
+++ dovecot-patch/src/imap-login/client-authenticate.c 2008-12-17 09:00:25.000000000 -0600
@@ -75,16 +75,6 @@
}
}
-static void client_auth_failed(struct imap_client *client)
-{
- /* get back to normal client input. */
- if (client->io != NULL)
- io_remove(&client->io);
- client->io = io_add(client->common.fd, IO_READ,
- client_input, client);
- client_input(client);
-}
-
static bool client_handle_args(struct imap_client *client,
const char *const *args, bool success)
{
diff -ur dovecot-1.1.7/src/imap-login/client.c dovecot-patch/src/imap-login/client.c
--- dovecot-1.1.7/src/imap-login/client.c 2008-10-26 10:03:45.000000000 -0500
+++ dovecot-patch/src/imap-login/client.c 2008-12-17 08:58:53.000000000 -0600
@@ -432,6 +432,45 @@
client_auth_waiting_timeout, client);
}
+/* APPLE */
+static void client_authfail_delay_timeout(struct imap_client *client)
+{
+ i_assert(client->to_authfail_delay != NULL);
+ timeout_remove(&client->to_authfail_delay);
+
+ i_assert(client->to_idle_disconnect == NULL);
+ client->to_idle_disconnect =
+ timeout_add(CLIENT_LOGIN_IDLE_TIMEOUT_MSECS,
+ client_idle_disconnect_timeout, client);
+
+ /* get back to normal client input. */
+ i_assert(client->io == NULL);
+ client->io = io_add(client->common.fd, IO_READ, client_input, client);
+ client_input(client);
+}
+
+/* APPLE - delay after unsuccessful auth to foil attackers */
+void client_auth_failed(struct imap_client *client)
+{
+ unsigned int delay;
+
+ delay = client->common.auth_attempts;
+ if (delay < 1)
+ delay = 1;
+ delay *= 5 * 1000;
+
+ if (client->io != NULL)
+ io_remove(&client->io);
+
+ i_assert(client->to_idle_disconnect != NULL);
+ timeout_remove(&client->to_idle_disconnect);
+
+ i_assert(client->to_authfail_delay == NULL);
+ client->to_authfail_delay = timeout_add(delay,
+ client_authfail_delay_timeout,
+ client);
+}
+
struct client *client_create(int fd, bool ssl, const struct ip_addr *local_ip,
const struct ip_addr *ip)
{
@@ -511,6 +550,10 @@
if (client->to_auth_waiting != NULL)
timeout_remove(&client->to_auth_waiting);
+ /* APPLE */
+ if (client->to_authfail_delay != NULL)
+ timeout_remove(&client->to_authfail_delay);
+
if (client->common.fd != -1) {
net_disconnect(client->common.fd);
client->common.fd = -1;
diff -ur dovecot-1.1.7/src/imap-login/client.h dovecot-patch/src/imap-login/client.h
--- dovecot-1.1.7/src/imap-login/client.h 2008-10-26 10:03:45.000000000 -0500
+++ dovecot-patch/src/imap-login/client.h 2008-12-17 08:58:58.000000000 -0600
@@ -16,6 +16,7 @@
struct ostream *output;
struct imap_parser *parser;
struct timeout *to_idle_disconnect, *to_auth_waiting;
+ struct timeout *to_authfail_delay; /* APPLE */
struct login_proxy *proxy;
char *proxy_user, *proxy_password;
@@ -43,6 +44,7 @@
bool client_read(struct imap_client *client);
bool client_skip_line(struct imap_client *client);
void client_input(struct imap_client *client);
+void client_auth_failed(struct imap_client *client); /* APPLE */
void client_ref(struct imap_client *client);
bool client_unref(struct imap_client *client);
diff -ur dovecot-1.1.7/src/pop3-login/client-authenticate.c dovecot-patch/src/pop3-login/client-authenticate.c
--- dovecot-1.1.7/src/pop3-login/client-authenticate.c 2008-10-29 11:17:08.000000000 -0500
+++ dovecot-patch/src/pop3-login/client-authenticate.c 2008-12-17 09:00:32.000000000 -0600
@@ -146,14 +146,8 @@
client_send_line(client, str_c(reply));
- if (!client->destroyed) {
- /* get back to normal client input. */
- if (client->io != NULL)
- io_remove(&client->io);
- client->io = io_add(client->common.fd, IO_READ,
- client_input, client);
- client_input(client);
- }
+ if (!client->destroyed)
+ client_auth_failed(client); /* APPLE */
return TRUE;
}
@@ -190,14 +184,8 @@
data : AUTH_FAILED_MSG, NULL);
client_send_line(client, msg);
- if (!client->destroyed) {
- /* get back to normal client input. */
- if (client->io != NULL)
- io_remove(&client->io);
- client->io = io_add(client->common.fd, IO_READ,
- client_input, client);
- client_input(client);
- }
+ if (!client->destroyed)
+ client_auth_failed(client); /* APPLE */
break;
case SASL_SERVER_REPLY_MASTER_FAILED:
if (data == NULL)
diff -ur dovecot-1.1.7/src/pop3-login/client.c dovecot-patch/src/pop3-login/client.c
--- dovecot-1.1.7/src/pop3-login/client.c 2008-10-29 11:10:09.000000000 -0500
+++ dovecot-patch/src/pop3-login/client.c 2008-12-17 08:59:04.000000000 -0600
@@ -300,6 +300,45 @@
client_destroy(client, "Disconnected: Inactivity");
}
+/* APPLE */
+static void client_authfail_delay_timeout(struct pop3_client *client)
+{
+ i_assert(client->to_authfail_delay != NULL);
+ timeout_remove(&client->to_authfail_delay);
+
+ i_assert(client->to_idle_disconnect == NULL);
+ client->to_idle_disconnect =
+ timeout_add(CLIENT_LOGIN_IDLE_TIMEOUT_MSECS,
+ client_idle_disconnect_timeout, client);
+
+ /* get back to normal client input. */
+ i_assert(client->io == NULL);
+ client->io = io_add(client->common.fd, IO_READ, client_input, client);
+ client_input(client);
+}
+
+/* APPLE - delay after unsuccessful auth to foil attackers */
+void client_auth_failed(struct pop3_client *client)
+{
+ unsigned int delay;
+
+ delay = client->common.auth_attempts;
+ if (delay < 1)
+ delay = 1;
+ delay *= 5 * 1000;
+
+ if (client->io != NULL)
+ io_remove(&client->io);
+
+ i_assert(client->to_idle_disconnect != NULL);
+ timeout_remove(&client->to_idle_disconnect);
+
+ i_assert(client->to_authfail_delay == NULL);
+ client->to_authfail_delay = timeout_add(delay,
+ client_authfail_delay_timeout,
+ client);
+}
+
struct client *client_create(int fd, bool ssl, const struct ip_addr *local_ip,
const struct ip_addr *ip)
{
@@ -379,6 +418,10 @@
if (client->to_idle_disconnect != NULL)
timeout_remove(&client->to_idle_disconnect);
+ /* APPLE */
+ if (client->to_authfail_delay != NULL)
+ timeout_remove(&client->to_authfail_delay);
+
if (client->common.fd != -1) {
net_disconnect(client->common.fd);
client->common.fd = -1;
diff -ur dovecot-1.1.7/src/pop3-login/client.h dovecot-patch/src/pop3-login/client.h
--- dovecot-1.1.7/src/pop3-login/client.h 2008-10-26 10:03:45.000000000 -0500
+++ dovecot-patch/src/pop3-login/client.h 2008-12-17 08:59:09.000000000 -0600
@@ -16,6 +16,7 @@
struct istream *input;
struct ostream *output;
struct timeout *to_idle_disconnect;
+ struct timeout *to_authfail_delay; /* APPLE */
struct login_proxy *proxy;
char *proxy_user, *proxy_password;
@@ -42,6 +43,7 @@
bool client_read(struct pop3_client *client);
void client_input(struct pop3_client *client);
+void client_auth_failed(struct pop3_client *client); /* APPLE */
void client_ref(struct pop3_client *client);
bool client_unref(struct pop3_client *client);