udp now generates a cryptographically secure token for connecting clients. This is later verified.

dynamic-accesslists
erdgeist 13 years ago
parent 3eeb536a44
commit 37db5f94fa

@ -18,15 +18,40 @@
#include "trackerlogic.h" #include "trackerlogic.h"
#include "ot_udp.h" #include "ot_udp.h"
#include "ot_stats.h" #include "ot_stats.h"
#include "ot_rijndael.h"
static const uint8_t g_static_connid[8] = { 0x23, 0x42, 0x05, 0x17, 0xde, 0x41, 0x50, 0xff }; static const uint8_t g_static_connid[8] = { 0x23, 0x42, 0x05, 0x17, 0xde, 0x41, 0x50, 0xff };
static uint32_t g_rijndael_round_key[44] = {0};
static uint32_t g_key_of_the_hour[2] = {0};
static ot_time g_hour_of_the_key;
static void udp_make_connectionid( uint32_t * connid, const ot_ip6 remoteip ) { static void udp_generate_rijndael_round_key() {
/* Touch unused variable */ uint8_t key[16];
(void)remoteip; key[0] = random(); key[1] = random(); key[2] = random(); key[3] = random();
rijndaelKeySetupEnc128( g_rijndael_round_key, key );
/* Use a static secret for now */ g_key_of_the_hour[0] = random();
memcpy( connid, g_static_connid, 8 ); g_hour_of_the_key = g_now_minutes;
}
/* Generate current and previous connection id for ip */
static void udp_make_connectionid( uint32_t connid[4], const ot_ip6 remoteip ) {
uint32_t plain[4], crypt[4];
int age, i;
if( g_now_minutes + 60 > g_hour_of_the_key ) {
g_hour_of_the_key = g_now_minutes;
g_key_of_the_hour[1] = g_key_of_the_hour[0];
g_key_of_the_hour[0] = random();
}
for( age = 0; age < 1; ++age ) {
memcpy( plain, remoteip, sizeof( plain ) );
for( i=0; i<4; ++i ) plain[i] ^= g_key_of_the_hour[age];
rijndaelEncrypt128( g_rijndael_round_key, (uint8_t*)remoteip, (uint8_t*)crypt );
connid[2*age ] = crypt[0] ^ crypt[1];
connid[2*age+1] = crypt[2] ^ crypt[3];
}
} }
/* UDP implementation according to http://xbtt.sourceforge.net/udp_tracker_protocol.html */ /* UDP implementation according to http://xbtt.sourceforge.net/udp_tracker_protocol.html */
@ -35,6 +60,7 @@ int handle_udp6( int64 serversocket, struct ot_workstruct *ws ) {
uint32_t *inpacket = (uint32_t*)ws->inbuf; uint32_t *inpacket = (uint32_t*)ws->inbuf;
uint32_t *outpacket = (uint32_t*)ws->outbuf; uint32_t *outpacket = (uint32_t*)ws->outbuf;
uint32_t numwant, left, event, scopeid; uint32_t numwant, left, event, scopeid;
uint32_t connid[4];
uint16_t port, remoteport; uint16_t port, remoteport;
size_t byte_count, scrape_count; size_t byte_count, scrape_count;
@ -44,13 +70,29 @@ int handle_udp6( int64 serversocket, struct ot_workstruct *ws ) {
stats_issue_event( EVENT_ACCEPT, FLAG_UDP, (uintptr_t)remoteip ); stats_issue_event( EVENT_ACCEPT, FLAG_UDP, (uintptr_t)remoteip );
stats_issue_event( EVENT_READ, FLAG_UDP, byte_count ); stats_issue_event( EVENT_READ, FLAG_UDP, byte_count );
/* Minimum udp tracker packet size, also catches error */
if( byte_count < 16 )
return 1;
/* Generate the connection id we give out and expect to and from
the requesting ip address, this prevents udp spoofing */
udp_make_connectionid( connid, remoteip );
/* Initialise hash pointer */ /* Initialise hash pointer */
ws->hash = NULL; ws->hash = NULL;
ws->peer_id = NULL; ws->peer_id = NULL;
/* Minimum udp tracker packet size, also catches error */ /* If action is not a ntohl(a) == a == 0, then we
if( byte_count < 16 ) expect the derived connection id in first 64 bit */
if( inpacket[2] && ( inpacket[0] != connid[0] || inpacket[1] != connid[1] ) &&
( inpacket[0] != connid[2] || inpacket[1] != connid[3] ) ) {
const size_t s = sizeof( "Connection ID missmatch." );
outpacket[0] = 3; outpacket[1] = inpacket[3];
memcpy( &outpacket[2], "Connection ID missmatch.", s );
socket_send6( serversocket, ws->outbuf, 8 + s, remoteip, remoteport, 0 );
stats_issue_event( EVENT_CONNID_MISSMATCH, FLAG_UDP, 8 + s );
return 1; return 1;
}
switch( ntohl( inpacket[2] ) ) { switch( ntohl( inpacket[2] ) ) {
case 0: /* This is a connect action */ case 0: /* This is a connect action */
@ -60,7 +102,8 @@ int handle_udp6( int64 serversocket, struct ot_workstruct *ws ) {
outpacket[0] = 0; outpacket[0] = 0;
outpacket[1] = inpacket[3]; outpacket[1] = inpacket[3];
udp_make_connectionid( outpacket + 2, remoteip ); outpacket[2] = connid[0];
outpacket[3] = connid[1];
socket_send6( serversocket, ws->outbuf, 16, remoteip, remoteport, 0 ); socket_send6( serversocket, ws->outbuf, 16, remoteip, remoteport, 0 );
stats_issue_event( EVENT_CONNECT, FLAG_UDP, 16 ); stats_issue_event( EVENT_CONNECT, FLAG_UDP, 16 );
@ -146,6 +189,8 @@ static void* udp_worker( void * args ) {
void udp_init( int64 sock, unsigned int worker_count ) { void udp_init( int64 sock, unsigned int worker_count ) {
pthread_t thread_id; pthread_t thread_id;
if( !g_rijndael_round_key[0] )
udp_generate_rijndael_round_key();
#ifdef _DEBUG #ifdef _DEBUG
fprintf( stderr, " installing %d workers on udp socket %ld", worker_count, (unsigned long)sock ); fprintf( stderr, " installing %d workers on udp socket %ld", worker_count, (unsigned long)sock );
#endif #endif

Loading…
Cancel
Save