diff options
| author | irungentoo <irungentoo@gmail.com> | 2014-05-19 12:56:36 -0400 |
|---|---|---|
| committer | irungentoo <irungentoo@gmail.com> | 2014-05-19 12:56:36 -0400 |
| commit | e85feb8a3db42a0285b940a090c60102fae50374 (patch) | |
| tree | 5f7106d655e8349a3118deb902518f77d1f70401 /toxcore/ping.c | |
| parent | 8cec3cdd667975532747db13f7a4d5f279f94548 (diff) | |
Fixed a bug where someone could just send back the ping request packet
with only the first byte set to 1 instead of 0 and the public key set
to the one of the reciever as a valid response packet.
This breaks network compatibility with all previous cores.
Diffstat (limited to 'toxcore/ping.c')
| -rw-r--r-- | toxcore/ping.c | 45 |
1 files changed, 32 insertions, 13 deletions
diff --git a/toxcore/ping.c b/toxcore/ping.c index 2d16e354..c01170ab 100644 --- a/toxcore/ping.c +++ b/toxcore/ping.c | |||
| @@ -54,7 +54,8 @@ struct PING { | |||
| 54 | }; | 54 | }; |
| 55 | 55 | ||
| 56 | 56 | ||
| 57 | #define DHT_PING_SIZE (1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES + sizeof(uint64_t) + crypto_box_MACBYTES) | 57 | #define PING_PLAIN_SIZE (1 + sizeof(uint64_t)) |
| 58 | #define DHT_PING_SIZE (1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES + PING_PLAIN_SIZE + crypto_box_MACBYTES) | ||
| 58 | #define PING_DATA_SIZE (CLIENT_ID_SIZE + sizeof(IP_Port)) | 59 | #define PING_DATA_SIZE (CLIENT_ID_SIZE + sizeof(IP_Port)) |
| 59 | 60 | ||
| 60 | int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id) | 61 | int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id) |
| @@ -79,6 +80,10 @@ int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id) | |||
| 79 | if (ping_id == 0) | 80 | if (ping_id == 0) |
| 80 | return 1; | 81 | return 1; |
| 81 | 82 | ||
| 83 | uint8_t ping_plain[PING_PLAIN_SIZE]; | ||
| 84 | ping_plain[0] = NET_PACKET_PING_REQUEST; | ||
| 85 | memcpy(ping_plain + 1, &ping_id, sizeof(ping_id)); | ||
| 86 | |||
| 82 | pk[0] = NET_PACKET_PING_REQUEST; | 87 | pk[0] = NET_PACKET_PING_REQUEST; |
| 83 | id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey | 88 | id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey |
| 84 | new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce | 89 | new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce |
| @@ -86,10 +91,10 @@ int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id) | |||
| 86 | 91 | ||
| 87 | rc = encrypt_data_symmetric(shared_key, | 92 | rc = encrypt_data_symmetric(shared_key, |
| 88 | pk + 1 + CLIENT_ID_SIZE, | 93 | pk + 1 + CLIENT_ID_SIZE, |
| 89 | (uint8_t *) &ping_id, sizeof(ping_id), | 94 | ping_plain, sizeof(ping_plain), |
| 90 | pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES); | 95 | pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES); |
| 91 | 96 | ||
| 92 | if (rc != sizeof(ping_id) + crypto_box_MACBYTES) | 97 | if (rc != PING_PLAIN_SIZE + crypto_box_MACBYTES) |
| 93 | return 1; | 98 | return 1; |
| 94 | 99 | ||
| 95 | return sendpacket(ping->dht->net, ipp, pk, sizeof(pk)); | 100 | return sendpacket(ping->dht->net, ipp, pk, sizeof(pk)); |
| @@ -104,6 +109,10 @@ static int send_ping_response(PING *ping, IP_Port ipp, uint8_t *client_id, uint6 | |||
| 104 | if (id_equal(client_id, ping->dht->self_public_key)) | 109 | if (id_equal(client_id, ping->dht->self_public_key)) |
| 105 | return 1; | 110 | return 1; |
| 106 | 111 | ||
| 112 | uint8_t ping_plain[PING_PLAIN_SIZE]; | ||
| 113 | ping_plain[0] = NET_PACKET_PING_RESPONSE; | ||
| 114 | memcpy(ping_plain + 1, &ping_id, sizeof(ping_id)); | ||
| 115 | |||
| 107 | pk[0] = NET_PACKET_PING_RESPONSE; | 116 | pk[0] = NET_PACKET_PING_RESPONSE; |
| 108 | id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey | 117 | id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey |
| 109 | new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce | 118 | new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce |
| @@ -111,10 +120,10 @@ static int send_ping_response(PING *ping, IP_Port ipp, uint8_t *client_id, uint6 | |||
| 111 | // Encrypt ping_id using recipient privkey | 120 | // Encrypt ping_id using recipient privkey |
| 112 | rc = encrypt_data_symmetric(shared_encryption_key, | 121 | rc = encrypt_data_symmetric(shared_encryption_key, |
| 113 | pk + 1 + CLIENT_ID_SIZE, | 122 | pk + 1 + CLIENT_ID_SIZE, |
| 114 | (uint8_t *) &ping_id, sizeof(ping_id), | 123 | ping_plain, sizeof(ping_plain), |
| 115 | pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES ); | 124 | pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES ); |
| 116 | 125 | ||
| 117 | if (rc != sizeof(ping_id) + crypto_box_MACBYTES) | 126 | if (rc != PING_PLAIN_SIZE + crypto_box_MACBYTES) |
| 118 | return 1; | 127 | return 1; |
| 119 | 128 | ||
| 120 | return sendpacket(ping->dht->net, ipp, pk, sizeof(pk)); | 129 | return sendpacket(ping->dht->net, ipp, pk, sizeof(pk)); |
| @@ -124,7 +133,6 @@ static int handle_ping_request(void *_dht, IP_Port source, uint8_t *packet, uint | |||
| 124 | { | 133 | { |
| 125 | DHT *dht = _dht; | 134 | DHT *dht = _dht; |
| 126 | int rc; | 135 | int rc; |
| 127 | uint64_t ping_id; | ||
| 128 | 136 | ||
| 129 | if (length != DHT_PING_SIZE) | 137 | if (length != DHT_PING_SIZE) |
| 130 | return 1; | 138 | return 1; |
| @@ -136,17 +144,23 @@ static int handle_ping_request(void *_dht, IP_Port source, uint8_t *packet, uint | |||
| 136 | 144 | ||
| 137 | uint8_t shared_key[crypto_box_BEFORENMBYTES]; | 145 | uint8_t shared_key[crypto_box_BEFORENMBYTES]; |
| 138 | 146 | ||
| 147 | uint8_t ping_plain[PING_PLAIN_SIZE]; | ||
| 139 | // Decrypt ping_id | 148 | // Decrypt ping_id |
| 140 | DHT_get_shared_key_recv(dht, shared_key, packet + 1); | 149 | DHT_get_shared_key_recv(dht, shared_key, packet + 1); |
| 141 | rc = decrypt_data_symmetric(shared_key, | 150 | rc = decrypt_data_symmetric(shared_key, |
| 142 | packet + 1 + CLIENT_ID_SIZE, | 151 | packet + 1 + CLIENT_ID_SIZE, |
| 143 | packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES, | 152 | packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES, |
| 144 | sizeof(ping_id) + crypto_box_MACBYTES, | 153 | PING_PLAIN_SIZE + crypto_box_MACBYTES, |
| 145 | (uint8_t *) &ping_id ); | 154 | ping_plain ); |
| 155 | |||
| 156 | if (rc != sizeof(ping_plain)) | ||
| 157 | return 1; | ||
| 146 | 158 | ||
| 147 | if (rc != sizeof(ping_id)) | 159 | if (ping_plain[0] != NET_PACKET_PING_REQUEST) |
| 148 | return 1; | 160 | return 1; |
| 149 | 161 | ||
| 162 | uint64_t ping_id; | ||
| 163 | memcpy(&ping_id, ping_plain + 1, sizeof(ping_id)); | ||
| 150 | // Send response | 164 | // Send response |
| 151 | send_ping_response(ping, source, packet + 1, ping_id, shared_key); | 165 | send_ping_response(ping, source, packet + 1, ping_id, shared_key); |
| 152 | add_to_ping(ping, packet + 1, source); | 166 | add_to_ping(ping, packet + 1, source); |
| @@ -158,7 +172,6 @@ static int handle_ping_response(void *_dht, IP_Port source, uint8_t *packet, uin | |||
| 158 | { | 172 | { |
| 159 | DHT *dht = _dht; | 173 | DHT *dht = _dht; |
| 160 | int rc; | 174 | int rc; |
| 161 | uint64_t ping_id; | ||
| 162 | 175 | ||
| 163 | if (length != DHT_PING_SIZE) | 176 | if (length != DHT_PING_SIZE) |
| 164 | return 1; | 177 | return 1; |
| @@ -173,16 +186,22 @@ static int handle_ping_response(void *_dht, IP_Port source, uint8_t *packet, uin | |||
| 173 | // generate key to encrypt ping_id with recipient privkey | 186 | // generate key to encrypt ping_id with recipient privkey |
| 174 | DHT_get_shared_key_sent(ping->dht, shared_key, packet + 1); | 187 | DHT_get_shared_key_sent(ping->dht, shared_key, packet + 1); |
| 175 | 188 | ||
| 189 | uint8_t ping_plain[PING_PLAIN_SIZE]; | ||
| 176 | // Decrypt ping_id | 190 | // Decrypt ping_id |
| 177 | rc = decrypt_data_symmetric(shared_key, | 191 | rc = decrypt_data_symmetric(shared_key, |
| 178 | packet + 1 + CLIENT_ID_SIZE, | 192 | packet + 1 + CLIENT_ID_SIZE, |
| 179 | packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES, | 193 | packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES, |
| 180 | sizeof(ping_id) + crypto_box_MACBYTES, | 194 | PING_PLAIN_SIZE + crypto_box_MACBYTES, |
| 181 | (uint8_t *) &ping_id); | 195 | ping_plain); |
| 182 | 196 | ||
| 183 | if (rc != sizeof(ping_id)) | 197 | if (rc != sizeof(ping_plain)) |
| 184 | return 1; | 198 | return 1; |
| 185 | 199 | ||
| 200 | if (ping_plain[0] != NET_PACKET_PING_RESPONSE) | ||
| 201 | return 1; | ||
| 202 | |||
| 203 | uint64_t ping_id; | ||
| 204 | memcpy(&ping_id, ping_plain + 1, sizeof(ping_id)); | ||
| 186 | uint8_t data[PING_DATA_SIZE]; | 205 | uint8_t data[PING_DATA_SIZE]; |
| 187 | 206 | ||
| 188 | if (ping_array_check(data, sizeof(data), &ping->ping_array, ping_id) != sizeof(data)) | 207 | if (ping_array_check(data, sizeof(data), &ping->ping_array, ping_id) != sizeof(data)) |