prevent user enumeration attacks

[pve-access-control.git] / PVE / API2 / AccessControl.pm

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 1679ed45eb4c0d6ff81682eb967fbce3c5521cfd..8daf10cf5f9763750af85cb70b7126d259bde296 100644 (file)
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -2,6 +2,7 @@ package PVE::API2::AccessControl;
 
 use strict;
 use warnings;
+use Time::HiRes qw(usleep gettimeofday tv_interval);
 
 use PVE::Exception qw(raise raise_perm_exc);
 use PVE::SafeSyslog;
@@ -265,6 +266,8 @@ __PACKAGE__->register_method ({
 
        my $res;
 
+       my $starttime = [gettimeofday];
+
        eval {
            # test if user exists and is enabled
            $rpcenv->check_user_enabled($username);
@@ -279,7 +282,13 @@ __PACKAGE__->register_method ({
        if (my $err = $@) {
            my $clientip = $rpcenv->get_client_ip() || '';
            syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
-           die $err;
+           # do not return any info to prevent user enumeration attacks
+           # always try to delay exactly 3 seconds to prevent timing attacks
+           my $elapsed;
+           while (($elapsed = tv_interval($starttime)) < 3) {
+               usleep(int((3 - $elapsed)*1000000));
+           }
+           die "authentication failure\n"; 
        }
 
        $res->{cap} = &$compute_api_permission($rpcenv, $username);