Add DS option to turn off packet authentication

domain-server/resources/describe-settings.json

@@ -46,6 +46,14 @@
           "default": "40102",
           "type": "int",
           "advanced": true
+        },
+        {
+          "name": "enable_authentication",
+          "label": "Enable Authentication",
+          "help": "Enable secure checksums on communication that uses the High Fidelity protocol. Increases security with possibly a small performance penalty.",
+          "default": true,
+          "type": "checkbox",
+          "advanced":  true
         }
       ]
     },

domain-server/src/DomainServer.cpp

@@ -630,6 +630,7 @@ bool DomainServer::isPacketVerified(const udt::Packet& packet) {
 
 void DomainServer::setupNodeListAndAssignments() {
     const QString CUSTOM_LOCAL_PORT_OPTION = "metaverse.local_port";
+    static const QString ENABLE_PACKET_AUTHENTICATION = "metaverse.enable_authentication";
 
     QVariant localPortValue = _settingsManager.valueOrDefaultValueForKeyPath(CUSTOM_LOCAL_PORT_OPTION);
     int domainServerPort = localPortValue.toInt();
@@ -696,6 +697,9 @@ void DomainServer::setupNodeListAndAssignments() {
         }
     }
 
+    bool isAuthEnabled = _settingsManager.valueOrDefaultValueForKeyPath(ENABLE_PACKET_AUTHENTICATION).toBool();
+    nodeList->setAuthenticatePackets(isAuthEnabled);
+
     connect(nodeList.data(), &LimitedNodeList::nodeAdded, this, &DomainServer::nodeAdded);
     connect(nodeList.data(), &LimitedNodeList::nodeKilled, this, &DomainServer::nodeKilled);
 
@@ -1133,7 +1137,7 @@ void DomainServer::sendDomainListToNode(const SharedNodePointer& node, const Hif
     extendedHeaderStream << node->getUUID();
     extendedHeaderStream << node->getLocalID();
     extendedHeaderStream << node->getPermissions();
-
+    extendedHeaderStream << limitedNodeList->getAuthenticatePackets();
     auto domainListPackets = NLPacketList::create(PacketType::DomainList, extendedHeader);
 
     // always send the node their own UUID back

libraries/networking/src/LimitedNodeList.cpp

@@ -328,9 +328,10 @@ bool LimitedNodeList::packetSourceAndHashMatchAndTrackBandwidth(const udt::Packe
 
         if (sourceNode) {
             bool verifiedPacket = !PacketTypeEnum::getNonVerifiedPackets().contains(headerType);
-            bool ignoreVerification = isDomainServer() && PacketTypeEnum::getDomainIgnoredVerificationPackets().contains(headerType);
+            bool verificationEnabled = !(isDomainServer() && PacketTypeEnum::getDomainIgnoredVerificationPackets().contains(headerType))
+                && _useAuthentication;
 
-            if (verifiedPacket && !ignoreVerification) {
+            if (verifiedPacket && verificationEnabled) {
 
                 QByteArray packetHeaderHash = NLPacket::verificationHashInHeader(packet);
                 QByteArray expectedHash;
@@ -383,7 +384,7 @@ void LimitedNodeList::fillPacketHeader(const NLPacket& packet, HMACAuth* hmacAut
         packet.writeSourceID(getSessionLocalID());
     }
 
-    if (hmacAuth
+    if (_useAuthentication && hmacAuth
         && !PacketTypeEnum::getNonSourcedPackets().contains(packet.getType())
         && !PacketTypeEnum::getNonVerifiedPackets().contains(packet.getType())) {
         packet.writeVerificationHash(*hmacAuth);

libraries/networking/src/LimitedNodeList.h

@@ -307,6 +307,8 @@ public:
 
     bool isPacketVerifiedWithSource(const udt::Packet& packet, Node* sourceNode = nullptr);
     bool isPacketVerified(const udt::Packet& packet) { return isPacketVerifiedWithSource(packet); }
+    void setAuthenticatePackets(bool useAuthentication) { _useAuthentication = useAuthentication; }
+    bool getAuthenticatePackets() const { return _useAuthentication; }
 
     static void makeSTUNRequestPacket(char* stunRequestPacket);
 
@@ -394,6 +396,7 @@ protected:
     HifiSockAddr _publicSockAddr;
     HifiSockAddr _stunSockAddr { STUN_SERVER_HOSTNAME, STUN_SERVER_PORT };
     bool _hasTCPCheckedLocalSocket { false };
+    bool _useAuthentication { true };
 
     PacketReceiver* _packetReceiver;
 

libraries/networking/src/NodeList.cpp

@@ -665,6 +665,10 @@ void NodeList::processDomainServerList(QSharedPointer<ReceivedMessage> message)
     NodePermissions newPermissions;
     packetStream >> newPermissions;
     setPermissions(newPermissions);
+    // Is packet authentication enabled?
+    bool isAuthenticated;
+    packetStream >> isAuthenticated;
+    setAuthenticatePackets(isAuthenticated);
 
     // pull each node in the packet
     while (packetStream.device()->pos() < message->getSize()) {