From 09d766c5d20d8900990e75a335e72b5705e4f4fd Mon Sep 17 00:00:00 2001
From: Bluesheet
Date: Fri, 21 Apr 2023 01:07:02 +0200
Subject: [PATCH 1/2] Update Configuration.cpp Add "login.fail_delay" config option
---
 src/lib/common/Configuration.cpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/lib/common/Configuration.cpp b/src/lib/common/Configuration.cpp
index ab984d036..929faa8a1 100644
--- a/src/lib/common/Configuration.cpp
+++ b/src/lib/common/Configuration.cpp
@@ -51,6 +51,7 @@ const struct config Configuration::valid_config[] = {
 { "slots.removable", CONFIG_TYPE_BOOL },
 { "slots.mechanisms", CONFIG_TYPE_STRING },
 { "library.reset_on_fork", CONFIG_TYPE_BOOL },
+ { "login.fail_delay", CONFIG_TYPE_INT },
 { "", CONFIG_TYPE_UNSUPPORTED }
 };
From 58f6dff7b46c5300287b767a0b863571e41ddfe4 Mon Sep 17 00:00:00 2001
From: Bluesheet
Date: Fri, 21 Apr 2023 01:09:59 +0200
Subject: [PATCH 2/2] Update SecureDataManager.cpp Add delay on failed attempt to mitigate bruteforce
---
 src/lib/data_mgr/SecureDataManager.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/lib/data_mgr/SecureDataManager.cpp b/src/lib/data_mgr/SecureDataManager.cpp
index 987e76b09..27bd809f0 100644
--- a/src/lib/data_mgr/SecureDataManager.cpp
+++ b/src/lib/data_mgr/SecureDataManager.cpp
@@ -40,12 +40,19 @@
 *****************************************************************************/
 #include "config.h"
+#include "Configuration.h"
 #include "SecureDataManager.h"
 #include "CryptoFactory.h"
 #include "AESKey.h"
 #include "SymmetricAlgorithm.h"
 #include "RFC4880.h"
+#ifdef _WIN32
+#include
+#else
+#include
+#endif
+
 // Constructors
 // Initialise the object; called by all constructors
@@ -263,6 +270,7 @@ bool SecureDataManager::login(const ByteString& passphrase, const ByteString& en
 if (!RFC4880::PBEDeriveKey(passphrase, salt, &pbeKey))
 {
+ sleep(Configuration::i()->getInt("login.fail_delay", 0));
 return false;
 }
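Review bot: The `#ifdef _WIN32` added in this hunk switches only the included header, while all three call sites added in `login()` call `sleep(...)` unconditionally. POSIX `sleep` takes whole seconds, whereas the Win32 call is `Sleep` and takes milliseconds, so the Windows build presumably either cannot resolve `sleep` or needs a wrapper that converts the unit. The header names on the two added `#include` lines did not survive on this page, so this is inferred from the guard alone. A small wrapper selected under the same `#ifdef` would keep `login.fail_delay` in one unit on both platforms, and a comment next to the config key should state that unit.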
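Review bot: The value returned by `getInt("login.fail_delay", 0)` is passed straight to `sleep()` here and in the two later hunks of `login()` (`@@ -275` and `@@ -288`) with no range check. If `getInt` returns a signed int, as `CONFIG_TYPE_INT` suggests, a negative setting converts to a very large unsigned delay and every failed login then blocks its calling thread for an effectively unbounded time; an oversized positive value does the same. Reading the value in one helper that ignores values at or below zero and caps the maximum would also remove the three duplicated calls. This first site is a key-derivation failure rather than a wrong passphrase, so it is worth deciding whether it should be delayed at all. The body of `login()` starts and ends outside the hunk.

```cpp
// Upper bound in seconds (constructed value; choose per deployment).
static const int MAX_LOGIN_FAIL_DELAY = 60;

// Delay the caller after a failed login; out-of-range settings are ignored or capped.
static void loginFailDelay()
{
	int delay = Configuration::i()->getInt("login.fail_delay", 0);
	if (delay <= 0) return;
	if (delay > MAX_LOGIN_FAIL_DELAY) delay = MAX_LOGIN_FAIL_DELAY;
	sleep((unsigned int) delay);
}

// … unchanged: login() up to the PBEDeriveKey check …
	if (!RFC4880::PBEDeriveKey(passphrase, salt, &pbeKey))
	{
		loginFailDelay();
		return false;
	}
```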
@@ -275,6 +283,7 @@ bool SecureDataManager::login(const ByteString& passphrase, const ByteString& en
 !aes->decryptUpdate(encryptedKeyData, decryptedKeyData) ||
 !aes->decryptFinal(finalBlock))
 {
+ sleep(Configuration::i()->getInt("login.fail_delay", 0));
 delete pbeKey;
 return false;
@@ -288,6 +297,7 @@ bool SecureDataManager::login(const ByteString& passphrase, const ByteString& en
 if (decryptedKeyData.substr(0, 3) != magic)
 {
 // The passphrase was incorrect
+ sleep(Configuration::i()->getInt("login.fail_delay", 0));
 DEBUG_MSG("Incorrect passphrase supplied");
 return false;
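Review bot: The added `sleep(...)` runs before `delete pbeKey;` in the decrypt-failure branch, so the key derived from the submitted passphrase stays allocated for the whole delay. Releasing it first keeps the lifetime of key material as short as it was before the change: `delete pbeKey;`, then the delay, then `return false;`. The enclosing `login()` body starts and ends outside the hunk.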
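Review bot: The delay is placed before `DEBUG_MSG("Incorrect passphrase supplied")`, so the log record of a failed attempt is written only after the sleep has finished. Logging first and sleeping second keeps the record at the time of the attempt, which matters when failures are correlated across sessions. The branch would also benefit from a comment stating the limits of the mitigation, for example `// Throttles guessing through this call only; does not bound parallel sessions or offline attacks on the stored key.` The `if` block and the rest of `login()` continue outside the hunk.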