author | irungentoo <irungentoo@gmail.com> | 2014-05-19 12:56:36 -0400 |
---|---|---|
committer | irungentoo <irungentoo@gmail.com> | 2014-05-19 12:56:36 -0400 |
commit | e85feb8a3db42a0285b940a090c60102fae50374 (patch) | |
tree | 5f7106d655e8349a3118deb902518f77d1f70401 /toxcore/ping.c | |
parent | 8cec3cdd667975532747db13f7a4d5f279f94548 (diff) |
Fixed a bug where someone could just send back the ping request packet
with only the first byte set to 1 instead of 0 and the public key set
to the one of the receiver as a valid response packet.
This breaks network compatibility with all previous cores.
Diffstat (limited to 'toxcore/ping.c')
-rw-r--r-- | toxcore/ping.c | 45 |
1 files changed, 32 insertions, 13 deletions
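--- a/toxcore/ping.c
+++ b/toxcore/ping.c
@@ -54,7 +54,8 @@ struct PING {
 };
 
 
-#define DHT_PING_SIZE (1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES + sizeof(uint64_t) + crypto_box_MACBYTES)
+#define PING_PLAIN_SIZE (1 + sizeof(uint64_t))
+#define DHT_PING_SIZE (1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES + PING_PLAIN_SIZE + crypto_box_MACBYTES)
 #define PING_DATA_SIZE (CLIENT_ID_SIZE + sizeof(IP_Port))
 
 int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id)
@@ -79,6 +80,10 @@ int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id)
 if (ping_id == 0)
 return 1;
 
+uint8_t ping_plain[PING_PLAIN_SIZE];
+ping_plain[0] = NET_PACKET_PING_REQUEST;
+memcpy(ping_plain + 1, &ping_id, sizeof(ping_id));
+
 pk[0] = NET_PACKET_PING_REQUEST;
 id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey
 new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce
@@ -86,10 +91,10 @@ int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id)
 
 rc = encrypt_data_symmetric(shared_key,
 pk + 1 + CLIENT_ID_SIZE,
-(uint8_t *) &ping_id, sizeof(ping_id),
+ping_plain, sizeof(ping_plain),
 pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES);
 
-if (rc != sizeof(ping_id) + crypto_box_MACBYTES)
+if (rc != PING_PLAIN_SIZE + crypto_box_MACBYTES)
 return 1;
 
 return sendpacket(ping->dht->net, ipp, pk, sizeof(pk));
@@ -104,6 +109,10 @@ static int send_ping_response(PING *ping, IP_Port ipp, uint8_t *client_id, uint6
 if (id_equal(client_id, ping->dht->self_public_key))
 return 1;
 
+uint8_t ping_plain[PING_PLAIN_SIZE];
+ping_plain[0] = NET_PACKET_PING_RESPONSE;
+memcpy(ping_plain + 1, &ping_id, sizeof(ping_id));
+
 pk[0] = NET_PACKET_PING_RESPONSE;
 id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey
 new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce
@@ -111,10 +120,10 @@ static int send_ping_response(PING *ping, IP_Port ipp, uint8_t *client_id, uint6
 // Encrypt ping_id using recipient privkey
 rc = encrypt_data_symmetric(shared_encryption_key,
 pk + 1 + CLIENT_ID_SIZE,
-(uint8_t *) &ping_id, sizeof(ping_id),
+ping_plain, sizeof(ping_plain),
 pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES );
 
-if (rc != sizeof(ping_id) + crypto_box_MACBYTES)
+if (rc != PING_PLAIN_SIZE + crypto_box_MACBYTES)
 return 1;
 
 return sendpacket(ping->dht->net, ipp, pk, sizeof(pk));
@@ -124,7 +133,6 @@ static int handle_ping_request(void *_dht, IP_Port source, uint8_t *packet, uint
 {
 DHT *dht = _dht;
 int rc;
-uint64_t ping_id;
 
 if (length != DHT_PING_SIZE)
 return 1;
@@ -136,17 +144,23 @@ static int handle_ping_request(void *_dht, IP_Port source, uint8_t *packet, uint
 
 uint8_t shared_key[crypto_box_BEFORENMBYTES];
 
+uint8_t ping_plain[PING_PLAIN_SIZE];
 // Decrypt ping_id
 DHT_get_shared_key_recv(dht, shared_key, packet + 1);
 rc = decrypt_data_symmetric(shared_key,
 packet + 1 + CLIENT_ID_SIZE,
 packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES,
-sizeof(ping_id) + crypto_box_MACBYTES,
-(uint8_t *) &ping_id );
+PING_PLAIN_SIZE + crypto_box_MACBYTES,
+ping_plain );
+
+if (rc != sizeof(ping_plain))
+return 1;
 
-if (rc != sizeof(ping_id))
+if (ping_plain[0] != NET_PACKET_PING_REQUEST)
 return 1;
 
+uint64_t ping_id;
+memcpy(&ping_id, ping_plain + 1, sizeof(ping_id));
 // Send response
 send_ping_response(ping, source, packet + 1, ping_id, shared_key);
 add_to_ping(ping, packet + 1, source);
@@ -158,7 +172,6 @@ static int handle_ping_response(void *_dht, IP_Port source, uint8_t *packet, uin
 {
 DHT *dht = _dht;
 int rc;
-uint64_t ping_id;
 
 if (length != DHT_PING_SIZE)
 return 1;
@@ -173,16 +186,22 @@ static int handle_ping_response(void *_dht, IP_Port source, uint8_t *packet, uin
 // generate key to encrypt ping_id with recipient privkey
 DHT_get_shared_key_sent(ping->dht, shared_key, packet + 1);
 
+uint8_t ping_plain[PING_PLAIN_SIZE];
 // Decrypt ping_id
 rc = decrypt_data_symmetric(shared_key,
 packet + 1 + CLIENT_ID_SIZE,
 packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES,
-sizeof(ping_id) + crypto_box_MACBYTES,
-(uint8_t *) &ping_id);
+PING_PLAIN_SIZE + crypto_box_MACBYTES,
+ping_plain);
 
-if (rc != sizeof(ping_id))
+if (rc != sizeof(ping_plain))
 return 1;
 
+if (ping_plain[0] != NET_PACKET_PING_RESPONSE)
+return 1;
+
+uint64_t ping_id;
+memcpy(&ping_id, ping_plain + 1, sizeof(ping_id));
 uint8_t data[PING_DATA_SIZE];
 
 if (ping_array_check(data, sizeof(data), &ping->ping_array, ping_id) != sizeof(data))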
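Review bot: The type-byte checks `if (ping_plain[0] != NET_PACKET_PING_REQUEST)` in handle_ping_request and `if (ping_plain[0] != NET_PACKET_PING_RESPONSE)` in handle_ping_response are the actual fix, but nothing in the code says why the type byte is duplicated inside the encrypted payload when pk[0] already carries it, so a later cleanup could drop it as redundant. I'd put above the new `#define PING_PLAIN_SIZE`: `/* Encrypted ping payload: packet type byte + ping_id. The type byte is covered by the MAC so a request ciphertext cannot be echoed back as a response; changing this breaks wire compatibility with older cores. */`. The build of ping_plain is now repeated verbatim in send_ping_request and send_ping_response, and the decrypt/length/type/memcpy sequence in both handlers; two small static helpers would keep the payload layout in one place. The `// Decrypt ping_id` comments in both handlers are now slightly stale since the decrypted buffer also carries the type byte. All four functions begin or continue outside the hunks shown.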