StarMirror/toxcore
1
0
Fork 0
mirror of https://github.com/irungentoo/toxcore.git synced 2024-03-22 13:30:51 +08:00
Code Issues Projects Releases Wiki Activity

Fixed a bug where someone could just send back the ping request packet

Browse Source 
with only the first byte set to 1 instead of 0 and the public key set
to the one of the reciever as a valid response packet.

This breaks network compatibility with all previous cores.
This commit is contained in:
irungentoo 2014-05-19 12:56:36 -04:00
parent 8cec3cdd66
commit e85feb8a3d
No known key found for this signature in database
GPG Key ID: 10349DC9BED89E98
2 changed files with 33 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/updates/DHT.md
View File

@ -87,7 +87,7 @@ Valid queries and Responses:
Ping(Request and response): Ping(Request and response):
``` ```
[byte with value: 00 for request, 01 for response][char array (client node_id), length=32 bytes][random 24 byte nonce][Encrypted with the nonce and private key of the sender: [random 8 byte (ping_id)]] [byte with value: 00 for request, 01 for response][char array (client node_id), length=32 bytes][random 24 byte nonce][Encrypted with the nonce and private key of the sender: [1 byte type (0 for request, 1 for response)][random 8 byte (ping_id)]]
``` ```
ping_id = a random integer, the response must contain the exact same number as the request ping_id = a random integer, the response must contain the exact same number as the request

45
toxcore/ping.c
View File

@ -54,7 +54,8 @@ struct PING {
}; };
#define DHT_PING_SIZE (1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES + sizeof(uint64_t) + crypto_box_MACBYTES) #define PING_PLAIN_SIZE (1 + sizeof(uint64_t))
#define DHT_PING_SIZE (1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES + PING_PLAIN_SIZE + crypto_box_MACBYTES)
#define PING_DATA_SIZE (CLIENT_ID_SIZE + sizeof(IP_Port)) #define PING_DATA_SIZE (CLIENT_ID_SIZE + sizeof(IP_Port))
int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id) int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id)
@ -79,6 +80,10 @@ int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id)
if (ping_id == 0) if (ping_id == 0)
return 1; return 1;
uint8_t ping_plain[PING_PLAIN_SIZE];
ping_plain[0] = NET_PACKET_PING_REQUEST;
memcpy(ping_plain + 1, &ping_id, sizeof(ping_id));
pk[0] = NET_PACKET_PING_REQUEST; pk[0] = NET_PACKET_PING_REQUEST;
id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey
new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce
@ -86,10 +91,10 @@ int send_ping_request(PING *ping, IP_Port ipp, uint8_t *client_id)
rc = encrypt_data_symmetric(shared_key, rc = encrypt_data_symmetric(shared_key,
pk + 1 + CLIENT_ID_SIZE, pk + 1 + CLIENT_ID_SIZE,
(uint8_t *) &ping_id, sizeof(ping_id), ping_plain, sizeof(ping_plain),
pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES); pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES);
if (rc != sizeof(ping_id) + crypto_box_MACBYTES) if (rc != PING_PLAIN_SIZE + crypto_box_MACBYTES)
return 1; return 1;
return sendpacket(ping->dht->net, ipp, pk, sizeof(pk)); return sendpacket(ping->dht->net, ipp, pk, sizeof(pk));
@ -104,6 +109,10 @@ static int send_ping_response(PING *ping, IP_Port ipp, uint8_t *client_id, uint6
if (id_equal(client_id, ping->dht->self_public_key)) if (id_equal(client_id, ping->dht->self_public_key))
return 1; return 1;
uint8_t ping_plain[PING_PLAIN_SIZE];
ping_plain[0] = NET_PACKET_PING_RESPONSE;
memcpy(ping_plain + 1, &ping_id, sizeof(ping_id));
pk[0] = NET_PACKET_PING_RESPONSE; pk[0] = NET_PACKET_PING_RESPONSE;
id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey id_copy(pk + 1, ping->dht->self_public_key); // Our pubkey
new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce new_nonce(pk + 1 + CLIENT_ID_SIZE); // Generate new nonce
@ -111,10 +120,10 @@ static int send_ping_response(PING *ping, IP_Port ipp, uint8_t *client_id, uint6
// Encrypt ping_id using recipient privkey // Encrypt ping_id using recipient privkey
rc = encrypt_data_symmetric(shared_encryption_key, rc = encrypt_data_symmetric(shared_encryption_key,
pk + 1 + CLIENT_ID_SIZE, pk + 1 + CLIENT_ID_SIZE,
(uint8_t *) &ping_id, sizeof(ping_id), ping_plain, sizeof(ping_plain),
pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES ); pk + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES );
if (rc != sizeof(ping_id) + crypto_box_MACBYTES) if (rc != PING_PLAIN_SIZE + crypto_box_MACBYTES)
return 1; return 1;
return sendpacket(ping->dht->net, ipp, pk, sizeof(pk)); return sendpacket(ping->dht->net, ipp, pk, sizeof(pk));
@ -124,7 +133,6 @@ static int handle_ping_request(void *_dht, IP_Port source, uint8_t *packet, uint
{ {
DHT *dht = _dht; DHT *dht = _dht;
int rc; int rc;
uint64_t ping_id;
if (length != DHT_PING_SIZE) if (length != DHT_PING_SIZE)
return 1; return 1;
@ -136,17 +144,23 @@ static int handle_ping_request(void *_dht, IP_Port source, uint8_t *packet, uint
uint8_t shared_key[crypto_box_BEFORENMBYTES]; uint8_t shared_key[crypto_box_BEFORENMBYTES];
uint8_t ping_plain[PING_PLAIN_SIZE];
// Decrypt ping_id // Decrypt ping_id
DHT_get_shared_key_recv(dht, shared_key, packet + 1); DHT_get_shared_key_recv(dht, shared_key, packet + 1);
rc = decrypt_data_symmetric(shared_key, rc = decrypt_data_symmetric(shared_key,
packet + 1 + CLIENT_ID_SIZE, packet + 1 + CLIENT_ID_SIZE,
packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES, packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES,
sizeof(ping_id) + crypto_box_MACBYTES, PING_PLAIN_SIZE + crypto_box_MACBYTES,
(uint8_t *) &ping_id ); ping_plain );
if (rc != sizeof(ping_id)) if (rc != sizeof(ping_plain))
return 1; return 1;
if (ping_plain[0] != NET_PACKET_PING_REQUEST)
return 1;
uint64_t ping_id;
memcpy(&ping_id, ping_plain + 1, sizeof(ping_id));
// Send response // Send response
send_ping_response(ping, source, packet + 1, ping_id, shared_key); send_ping_response(ping, source, packet + 1, ping_id, shared_key);
add_to_ping(ping, packet + 1, source); add_to_ping(ping, packet + 1, source);
@ -158,7 +172,6 @@ static int handle_ping_response(void *_dht, IP_Port source, uint8_t *packet, uin
{ {
DHT *dht = _dht; DHT *dht = _dht;
int rc; int rc;
uint64_t ping_id;
if (length != DHT_PING_SIZE) if (length != DHT_PING_SIZE)
return 1; return 1;
@ -173,16 +186,22 @@ static int handle_ping_response(void *_dht, IP_Port source, uint8_t *packet, uin
// generate key to encrypt ping_id with recipient privkey // generate key to encrypt ping_id with recipient privkey
DHT_get_shared_key_sent(ping->dht, shared_key, packet + 1); DHT_get_shared_key_sent(ping->dht, shared_key, packet + 1);
uint8_t ping_plain[PING_PLAIN_SIZE];
// Decrypt ping_id // Decrypt ping_id
rc = decrypt_data_symmetric(shared_key, rc = decrypt_data_symmetric(shared_key,
packet + 1 + CLIENT_ID_SIZE, packet + 1 + CLIENT_ID_SIZE,
packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES, packet + 1 + CLIENT_ID_SIZE + crypto_box_NONCEBYTES,
sizeof(ping_id) + crypto_box_MACBYTES, PING_PLAIN_SIZE + crypto_box_MACBYTES,
(uint8_t *) &ping_id); ping_plain);
if (rc != sizeof(ping_id)) if (rc != sizeof(ping_plain))
return 1; return 1;
if (ping_plain[0] != NET_PACKET_PING_RESPONSE)
return 1;
uint64_t ping_id;
memcpy(&ping_id, ping_plain + 1, sizeof(ping_id));
uint8_t data[PING_DATA_SIZE]; uint8_t data[PING_DATA_SIZE];
if (ping_array_check(data, sizeof(data), &ping->ping_array, ping_id) != sizeof(data)) if (ping_array_check(data, sizeof(data), &ping->ping_array, ping_id) != sizeof(data))