Hi!
> > 1) {
> > 2) static time_t last_kill_time = 0;
> > 3) if (time(NULL) - last_kill_time > 60 && getppid() != 1)
> > 4) {
> > 5) last_kill_time = time(NULL);
> > 6) kill(SIGALRM, getppid());
> > 7) }
> > 8) fatal("Bad result from rsa_private_decrypt");
> > 9) }
This looks more like ugly workaround than proper fix to me. If
attacker can do 400*60 requests per second, he can still decrypt
private key.
Solution would be to reconfig after number of _attempts_, not
time. Plus, it is still racy, as it uses kill().
What about attacker doing 400*3600 requests before kill actually
reaches the parent?
Pavel
--
I'm [EMAIL PROTECTED] "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents at [EMAIL PROTECTED]
