#
# reject_delay: When sending an Access-Reject, it can be
- # delayed for a few seconds. This may help slow down a DoS
- # attack. It also helps to slow down people trying to brute-force
- # crack a users password.
+ # delayed for a short period of time. This may help slow
+ # down a DoS attack. It also helps to slow down people
+ # trying to brute-force crack a users password.
+ #
+ # The reject will be sent no earlier then "recieve time + delay".
+ # This configuration will not _add_ a fixed delay, it makes sure
+ # that the time between Access-Request and Access-Reject is
+ # _at least_ the given reject_delay value.
+ #
+ # i.e. if "reject_delay = 1", and the server takes 4 seconds to
+ # query an SQL database, then the reject has already been delayed
+ # for 4 seconds.
#
# Setting this number to 0 means "send rejects immediately"
#
# Useful ranges: 0.5 to 5
reject_delay = 1
+ #
+ # Do we apply reject delays to proxied packets, too?
+ #
+# delay_proxy_rejects = no
+
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
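Review bot: The added comment text ships in the default radiusd.conf and carries three typos: `# The reject will be sent no earlier than "receive time + delay".` and `# trying to brute-force crack a user's password.` (then/than, recieve/receive, users/user's). Since the same paragraph now documents the floor semantics, it would help operators to spell out the consequence its own 4-second example implies: once backend processing takes longer than reject_delay, the reject is sent as soon as processing finishes, so the setting no longer evens out reject timing for slow requests and a larger value is needed if that is the goal. The commented-out `# delay_proxy_rejects = no` matches the "no" default the parser table registers, so the two stay consistent.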
bool proxy_requests; //!< Toggle to enable/disable proxying globally.
#endif
struct timeval reject_delay; //!< How long to wait before sending an Access-Reject.
+ bool delay_proxy_rejects; //!< do we delay proxied rejects
bool status_server; //!< Whether to respond to status-server messages.
static const CONF_PARSER security_config[] = {
{ "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
{ "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
+ { "delay_proxy_rejects", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.delay_proxy_rejects), "no" },
{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
{ "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING, &require_message_authenticator), "auto"},
{ "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_STRING, &limit_proxy_state), "auto"},
* adding their own reject delay, which would
* result in N*reject_delays being applied.
*/
- if (request->proxy && (!request->proxy_reply || request->proxy->dst_port != 0)) {
+ if (request->proxy && !request->root->delay_proxy_rejects &&
+ (!request->proxy_reply || request->proxy->dst_port != 0)) {
request->response_delay.tv_sec = 0;
request->response_delay.tv_usec = 0;
}
#endif
+
+ /*
+ * We want to delay for AT LEAST the delay. We
+ * don't want to ADD in the delay.
+ */
+ if ((request->response_delay.tv_sec != 0) ||
+ (request->response_delay.tv_usec != 0)) {
+ struct timeval when;
+
+ /*
+ * if ((received time + delay) < now) {
+ * send packet
+ * else
+ * delay = (received time + delay) - now
+ */
+ timeradd(&request->packet->timestamp, &request->response_delay, &when);
+
+ if (timercmp(&when, &request->reply->timestamp, <=)) {
+ request->response_delay.tv_sec = 0;
+ request->response_delay.tv_usec = 0;
+ } else {
+ timersub(&when, &request->reply->timestamp, &request->response_delay);
+ }
+ }
}
/*
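Review bot: The new `timercmp(&when, &request->reply->timestamp, <=)` uses the `<=` operator, which the timeradd(3) man page documents as broken in some non-glibc timercmp() implementations (only `<`, `>` and `!=` are portable); `if (!timercmp(&when, &request->reply->timestamp, >)) {` expresses the same test portably. The comparison also presumes `request->reply->timestamp` has already been set to the current time when this block runs; that is not visible in the hunk and is worth confirming, because a still-zero timestamp would make the timersub() branch yield a response_delay of roughly `when` itself rather than the intended floor. The pseudo-code comment above the call says `(received time + delay) < now` while the code tests `<=`; align the comment with the code. The enclosing function starts before this hunk, and the hunk's trailing context appears to continue past what is shown here.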