
Protect against fast flooding from the same ip.

This commit is contained in:
King_DuckZ 2017-05-11 09:48:18 +01:00
parent f4991dfd5f
commit 9e63a648a1
5 changed files with 1507 additions and 1 deletions


@ -71,6 +71,7 @@ namespace {
parSettings.add_default("max_pastie_size", "10000"); parSettings.add_default("max_pastie_size", "10000");
parSettings.add_default("truncate_long_pasties", "false"); parSettings.add_default("truncate_long_pasties", "false");
parSettings.add_default("logging_level", "err"); parSettings.add_default("logging_level", "err");
parSettings.add_default("submit_min_wait", "10");
} }
} //unnamed namespace } //unnamed namespace
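Review bot: The new `submit_min_wait` default carries no unit, and the setting name does not say whether it is seconds or milliseconds. Elsewhere in this commit the value appears to be handed straight to `redis.expire`, which takes seconds, so a trailing comment on the added line such as `parSettings.add_default("submit_min_wait", "10"); //seconds a client must wait between two submissions` would spare the next reader a lookup.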


@ -1,4 +1,4 @@
project(tawashi_implem LANGUAGES CXX) project(tawashi_implem LANGUAGES CXX C)
find_package(Boost 1.53.0 REQUIRED COMPONENTS program_options filesystem system) find_package(Boost 1.53.0 REQUIRED COMPONENTS program_options filesystem system)
find_package(SourceHighlight REQUIRED) find_package(SourceHighlight REQUIRED)
@ -23,6 +23,7 @@ add_library(${PROJECT_NAME} STATIC
list_highlight_langs.cpp list_highlight_langs.cpp
settings_bag.cpp settings_bag.cpp
sanitized_utf8.cpp sanitized_utf8.cpp
tiger.c
) )
target_include_directories(${PROJECT_NAME} target_include_directories(${PROJECT_NAME}


@ -18,15 +18,20 @@
#include "submit_paste_response.hpp" #include "submit_paste_response.hpp"
#include "incredis/incredis.hpp" #include "incredis/incredis.hpp"
#include "cgi_post.hpp" #include "cgi_post.hpp"
#include "cgi_env.hpp"
#include "num_to_token.hpp" #include "num_to_token.hpp"
#include "settings_bag.hpp" #include "settings_bag.hpp"
#include "duckhandy/compatibility.h" #include "duckhandy/compatibility.h"
#include "duckhandy/lexical_cast.hpp" #include "duckhandy/lexical_cast.hpp"
#include "duckhandy/int_to_string_ary.hpp"
#include <ciso646> #include <ciso646>
#include <sstream> #include <sstream>
#include <stdexcept> #include <stdexcept>
#include <algorithm> #include <algorithm>
#include <boost/lexical_cast.hpp> #include <boost/lexical_cast.hpp>
#include <cstdint>
extern "C" void tiger (const char* parStr, uint64_t parLength, uint64_t parHash[3], char parPadding);
namespace tawashi { namespace tawashi {
namespace { namespace {
@ -58,6 +63,25 @@ namespace tawashi {
} }
return post_data_it->second; return post_data_it->second;
} }
std::string hashed_ip (const std::string& parIP) {
uint64_t hash[3];
tiger(parIP.data(), parIP.size(), hash, 0x80);
auto h1 = dhandy::int_to_string_ary<char>(hash[0]);
auto h2 = dhandy::int_to_string_ary<char>(hash[1]);
auto h3 = dhandy::int_to_string_ary<char>(hash[2]);
std::string retval(2 * sizeof(uint64_t) * 3, '0');
assert(h1.size() <= 2 * sizeof(uint64_t));
std::copy(h1.begin(), h1.end(), retval.begin() + 2 * sizeof(uint64_t) * 0 + 2 * sizeof(uint64_t) - h1.size());
assert(h2.size() <= 2 * sizeof(uint64_t));
std::copy(h2.begin(), h2.end(), retval.begin() + 2 * sizeof(uint64_t) * 1 + 2 * sizeof(uint64_t) - h2.size());
assert(h3.size() <= 2 * sizeof(uint64_t));
std::copy(h3.begin(), h3.end(), retval.begin() + 2 * sizeof(uint64_t) * 2 + 2 * sizeof(uint64_t) - h3.size());
return retval;
}
} //unnamed namespace } //unnamed namespace
SubmitPasteResponse::SubmitPasteResponse ( SubmitPasteResponse::SubmitPasteResponse (
@ -117,6 +141,12 @@ namespace tawashi {
if (not redis.is_connected()) if (not redis.is_connected())
return boost::optional<std::string>(); return boost::optional<std::string>();
std::string ip_hash = hashed_ip(cgi_env().remote_addr());
if (redis.get(ip_hash)) {
//please wait and submit again
return boost::optional<std::string>();
}
const auto next_id = redis.incr("paste_counter"); const auto next_id = redis.incr("paste_counter");
const std::string token = num_to_token(next_id); const std::string token = num_to_token(next_id);
assert(not token.empty()); assert(not token.empty());
@ -125,6 +155,8 @@ namespace tawashi {
"max_ttl", dhandy::lexical_cast<std::string>(parExpiry), "max_ttl", dhandy::lexical_cast<std::string>(parExpiry),
"lang", parLang) "lang", parLang)
) { ) {
redis.set(ip_hash, "");
redis.expire(ip_hash, settings().as<uint32_t>("submit_min_wait"));
if (redis.expire(token, parExpiry)) if (redis.expire(token, parExpiry))
return boost::make_optional(token); return boost::make_optional(token);
} }
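Review bot: The throttle write `redis.set(ip_hash, "");` followed by `redis.expire(ip_hash, settings().as<uint32_t>("submit_min_wait"));` is two separate round trips, so a crash or dropped connection between them leaves a key with no TTL and that address blocked until someone deletes it by hand; the earlier `if (redis.get(ip_hash))` check is likewise not atomic with the set, so concurrent submissions from one address all pass it. A single SET with an expiry (and NX, if incredis exposes those options) would make both the check and the TTL atomic, and a prefix such as `"ip:" + ip_hash` would keep these keys out of the same keyspace as `"paste_counter"` and the paste tokens. In `hashed_ip`, `assert(h1.size() <= 2 * sizeof(uint64_t))` only holds if `dhandy::int_to_string_ary<char>` renders in hexadecimal — a decimal `uint64_t` needs up to 20 characters and would push the `std::copy` destination before `retval.begin()` — which is worth confirming against the helper, or making explicit with a hex base argument if it takes one. Separately, the hand-written `extern "C" void tiger(...)` prototype duplicates the declaration in the new `tiger.h`; including that header inside an `extern "C"` block would keep the two signatures from drifting. The function containing the last two hunks starts and ends outside the hunk.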

1347
src/tawashi_implem/tiger.c Normal file


125
src/tawashi_implem/tiger.h Normal file

@ -0,0 +1,125 @@
/**
* Copyright (c) 2012 Francisco Blas Izquierdo Riera (klondike)
* The Tiger algorithm was written by Eli Biham and Ross Anderson and is
* available on the official Tiger algorithm page.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* the algorithm authorsip notice, this list of conditions and the following
* disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
* 4. If this license is not appropriate for you please write me at
* klondike ( a t ) klondike ( d o t ) es to negotiate another license.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
* EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
**/
/**
* These are some implementations of tiger made without looking at the original
* reference code to ensure the resulting code can be published under a free
* license. The paper was looked though to know how did tiger work.
*/
/** Implementation details:
* * Here we assume char and unsigned char have size 1. If thats not the case in
* your compiler you may want to replace them by a type that does
*/
#ifndef TIGER_H
#define TIGER_H 1
#if !defined(_MSC_VER) || (_MSC_VER >= 1600)
#include <stdint.h>
#else
typedef __int32 int32_t;
typedef unsigned __int32 uint32_t;
typedef __int64 int64_t;
typedef unsigned __int64 uint64_t;
#endif
#if _M_IX86_FP >= 2
#define __SSE2__
#endif
#ifdef __linux
#include <endian.h>
#if __BYTE_ORDER == __LITTLE_ENDIAN
#define IS_LITTLE_ENDIAN
#elif __BYTE_ORDER == __BIG_ENDIAN
#define USE_BIG_ENDIAN
#elif __BYTE_ORDER == __PDP_ENDIAN
#error "If you feel like writting code for PDP endianess go ahead, I'm not doing that"
#else
#error "Unknown endianess"
#endif
#else
//Assume little endian if you know how to detect endianism well on other compilers state it.
#define IS_LITTLE_ENDIAN
#endif
#if defined(_WIN64) || defined(__x86_64__) || defined(__amd64__)
#define HASX64
#endif
/** A word in the tiger hash, 64 bits **/
typedef uint64_t t_word;
/** This one is provided as a commodity for people wanting an easy way to declare result variables **/
typedef t_word t_res[3];
/** Partial calculation as used by tigerp1 and tigerp2 **/
typedef struct {
t_res h; // Hash status
char r[128]; // SALT
t_word n; // Number of characters of r used
t_word hs; // Amount of total data hashed
} t_pres;
/** This one is provided as a commodity for people wanting an easy way to declare block variables **/
typedef t_word t_block[8];
/** Standard tiger calculation, put your string in str and the string length on length and get the result on res **/
void tiger(const char *str, t_word length, t_res res, char pad);
/** Similar to tiger but interleaving accesses to both equally sized strings to reduce overhead and pipeline stalls you get the result of str1 on res1 and the one of str2 on res2 **/
void tiger_2(const char *str1, const char *str2, t_word length, t_res res1, t_res res2, char pad);
#ifdef __SSE2__
/** This is equivalent to tiger_2 but uses SSE2 for the key schduling making it faster **/
void tiger_sse2(const char *str1, const char *str2, t_word length, t_res res1, t_res res2, char pad);
#endif
/** This function is optimized for use on TTHs just send the two concatenated hashes and you will get back the hash with a prepended 0x01 **/
void tiger_49(const char *str, t_res res);
/** This function is optimized for use on TTHs just send the 1024 sized block and you will get back the hash with a prepended 0x00 **/
void tiger_1025(const char *str, t_res res);
/** Interleaved version of tiger_49 you insert two hashes and get back two results **/
void tiger_2_49(const char *str1, const char *str2, t_res res1, t_res res2);
/** Interleaved version of tiger_1025 you insert two hashes and get back two results **/
void tiger_2_1025(const char *str1, const char *str2, t_res res1, t_res res2);
#ifdef __SSE2__
/** SSE2 version of tiger_49 you insert two hashes and get back two results **/
void tiger_sse2_49(const char *str1, const char *str2, t_res res1, t_res res2);
/** SSE2 version of tiger_1025 you insert two hashes and get back two results **/
void tiger_sse2_1025(const char *str1, const char *str2, t_res res1, t_res res2);
#endif
/** First stage of partial tiger calculation to improve password security during storage **/
void tigerp1(const char *password, t_word length, const char *salt, t_pres *pres);
/** Second stage of partial tiger calculation **/
void tigerp2(const t_pres *pres, const char *salt, t_word length, t_res res);
#endif