mirror of
https://github.com/overte-org/overte.git
synced 2025-08-09 09:28:46 +02:00
Merge pull request #13643 from SimonWalton-HiFi/user-setting-hmac
Add DS option to disable HMAC packet authentication
This commit is contained in:
John Conklin II
GitHub
commit
3a6a72a079
7 changed files with 27 additions and 6 deletions
|
|
@ -46,6 +46,14 @@
|
||||||
"default": "40102",
|
"default": "40102",
|
||||||
"type": "int",
|
"type": "int",
|
||||||
"advanced": true
|
"advanced": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "enable_packet_verification",
|
||||||
|
"label": "Enable Packet Verification",
|
||||||
|
"help": "Enable secure checksums on communication that uses the High Fidelity protocol. Increases security with possibly a small performance penalty.",
|
||||||
|
"default": true,
|
||||||
|
"type": "checkbox",
|
||||||
|
"advanced": true
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
|
|
||||||
|
|
@ -630,6 +630,7 @@ bool DomainServer::isPacketVerified(const udt::Packet& packet) {
|
||||||
|
|
||||||
void DomainServer::setupNodeListAndAssignments() {
|
void DomainServer::setupNodeListAndAssignments() {
|
||||||
const QString CUSTOM_LOCAL_PORT_OPTION = "metaverse.local_port";
|
const QString CUSTOM_LOCAL_PORT_OPTION = "metaverse.local_port";
|
||||||
|
static const QString ENABLE_PACKET_AUTHENTICATION = "metaverse.enable_packet_verification";
|
||||||
|
|
||||||
QVariant localPortValue = _settingsManager.valueOrDefaultValueForKeyPath(CUSTOM_LOCAL_PORT_OPTION);
|
QVariant localPortValue = _settingsManager.valueOrDefaultValueForKeyPath(CUSTOM_LOCAL_PORT_OPTION);
|
||||||
int domainServerPort = localPortValue.toInt();
|
int domainServerPort = localPortValue.toInt();
|
||||||
|
|
@ -696,6 +697,9 @@ void DomainServer::setupNodeListAndAssignments() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool isAuthEnabled = _settingsManager.valueOrDefaultValueForKeyPath(ENABLE_PACKET_AUTHENTICATION).toBool();
|
||||||
|
nodeList->setAuthenticatePackets(isAuthEnabled);
|
||||||
|
|
||||||
connect(nodeList.data(), &LimitedNodeList::nodeAdded, this, &DomainServer::nodeAdded);
|
connect(nodeList.data(), &LimitedNodeList::nodeAdded, this, &DomainServer::nodeAdded);
|
||||||
connect(nodeList.data(), &LimitedNodeList::nodeKilled, this, &DomainServer::nodeKilled);
|
connect(nodeList.data(), &LimitedNodeList::nodeKilled, this, &DomainServer::nodeKilled);
|
||||||
|
|
||||||
|
|
@ -1133,7 +1137,7 @@ void DomainServer::sendDomainListToNode(const SharedNodePointer& node, const Hif
|
||||||
extendedHeaderStream << node->getUUID();
|
extendedHeaderStream << node->getUUID();
|
||||||
extendedHeaderStream << node->getLocalID();
|
extendedHeaderStream << node->getLocalID();
|
||||||
extendedHeaderStream << node->getPermissions();
|
extendedHeaderStream << node->getPermissions();
|
||||||
|
extendedHeaderStream << limitedNodeList->getAuthenticatePackets();
|
||||||
auto domainListPackets = NLPacketList::create(PacketType::DomainList, extendedHeader);
|
auto domainListPackets = NLPacketList::create(PacketType::DomainList, extendedHeader);
|
||||||
|
|
||||||
// always send the node their own UUID back
|
// always send the node their own UUID back
|
||||||
|
|
|
||||||
|
|
@ -328,9 +328,10 @@ bool LimitedNodeList::packetSourceAndHashMatchAndTrackBandwidth(const udt::Packe
|
||||||
|
|
||||||
if (sourceNode) {
|
if (sourceNode) {
|
||||||
bool verifiedPacket = !PacketTypeEnum::getNonVerifiedPackets().contains(headerType);
|
bool verifiedPacket = !PacketTypeEnum::getNonVerifiedPackets().contains(headerType);
|
||||||
bool ignoreVerification = isDomainServer() && PacketTypeEnum::getDomainIgnoredVerificationPackets().contains(headerType);
|
bool verificationEnabled = !(isDomainServer() && PacketTypeEnum::getDomainIgnoredVerificationPackets().contains(headerType))
|
||||||
|
&& _useAuthentication;
|
||||||
|
|
||||||
if (verifiedPacket && !ignoreVerification) {
|
if (verifiedPacket && verificationEnabled) {
|
||||||
|
|
||||||
QByteArray packetHeaderHash = NLPacket::verificationHashInHeader(packet);
|
QByteArray packetHeaderHash = NLPacket::verificationHashInHeader(packet);
|
||||||
QByteArray expectedHash;
|
QByteArray expectedHash;
|
||||||
|
|
@ -383,7 +384,7 @@ void LimitedNodeList::fillPacketHeader(const NLPacket& packet, HMACAuth* hmacAut
|
||||||
packet.writeSourceID(getSessionLocalID());
|
packet.writeSourceID(getSessionLocalID());
|
||||||
}
|
}
|
||||||
|
|
||||||
if (hmacAuth
|
if (_useAuthentication && hmacAuth
|
||||||
&& !PacketTypeEnum::getNonSourcedPackets().contains(packet.getType())
|
&& !PacketTypeEnum::getNonSourcedPackets().contains(packet.getType())
|
||||||
&& !PacketTypeEnum::getNonVerifiedPackets().contains(packet.getType())) {
|
&& !PacketTypeEnum::getNonVerifiedPackets().contains(packet.getType())) {
|
||||||
packet.writeVerificationHash(*hmacAuth);
|
packet.writeVerificationHash(*hmacAuth);
|
||||||
|
|
|
||||||
|
|
@ -307,6 +307,8 @@ public:
|
||||||
|
|
||||||
bool isPacketVerifiedWithSource(const udt::Packet& packet, Node* sourceNode = nullptr);
|
bool isPacketVerifiedWithSource(const udt::Packet& packet, Node* sourceNode = nullptr);
|
||||||
bool isPacketVerified(const udt::Packet& packet) { return isPacketVerifiedWithSource(packet); }
|
bool isPacketVerified(const udt::Packet& packet) { return isPacketVerifiedWithSource(packet); }
|
||||||
|
void setAuthenticatePackets(bool useAuthentication) { _useAuthentication = useAuthentication; }
|
||||||
|
bool getAuthenticatePackets() const { return _useAuthentication; }
|
||||||
|
|
||||||
static void makeSTUNRequestPacket(char* stunRequestPacket);
|
static void makeSTUNRequestPacket(char* stunRequestPacket);
|
||||||
|
|
||||||
|
|
@ -394,6 +396,7 @@ protected:
|
||||||
HifiSockAddr _publicSockAddr;
|
HifiSockAddr _publicSockAddr;
|
||||||
HifiSockAddr _stunSockAddr { STUN_SERVER_HOSTNAME, STUN_SERVER_PORT };
|
HifiSockAddr _stunSockAddr { STUN_SERVER_HOSTNAME, STUN_SERVER_PORT };
|
||||||
bool _hasTCPCheckedLocalSocket { false };
|
bool _hasTCPCheckedLocalSocket { false };
|
||||||
|
bool _useAuthentication { true };
|
||||||
|
|
||||||
PacketReceiver* _packetReceiver;
|
PacketReceiver* _packetReceiver;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -665,6 +665,10 @@ void NodeList::processDomainServerList(QSharedPointer<ReceivedMessage> message)
|
||||||
NodePermissions newPermissions;
|
NodePermissions newPermissions;
|
||||||
packetStream >> newPermissions;
|
packetStream >> newPermissions;
|
||||||
setPermissions(newPermissions);
|
setPermissions(newPermissions);
|
||||||
|
// Is packet authentication enabled?
|
||||||
|
bool isAuthenticated;
|
||||||
|
packetStream >> isAuthenticated;
|
||||||
|
setAuthenticatePackets(isAuthenticated);
|
||||||
|
|
||||||
// pull each node in the packet
|
// pull each node in the packet
|
||||||
while (packetStream.device()->pos() < message->getSize()) {
|
while (packetStream.device()->pos() < message->getSize()) {
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,7 @@ PacketVersion versionForPacketType(PacketType packetType) {
|
||||||
case PacketType::StunResponse:
|
case PacketType::StunResponse:
|
||||||
return 17;
|
return 17;
|
||||||
case PacketType::DomainList:
|
case PacketType::DomainList:
|
||||||
return static_cast<PacketVersion>(DomainListVersion::GetMachineFingerprintFromUUIDSupport);
|
return static_cast<PacketVersion>(DomainListVersion::AuthenticationOptional);
|
||||||
case PacketType::EntityAdd:
|
case PacketType::EntityAdd:
|
||||||
case PacketType::EntityClone:
|
case PacketType::EntityClone:
|
||||||
case PacketType::EntityEdit:
|
case PacketType::EntityEdit:
|
||||||
|
|
|
||||||
|
|
@ -315,7 +315,8 @@ enum class DomainListVersion : PacketVersion {
|
||||||
PrePermissionsGrid = 18,
|
PrePermissionsGrid = 18,
|
||||||
PermissionsGrid,
|
PermissionsGrid,
|
||||||
GetUsernameFromUUIDSupport,
|
GetUsernameFromUUIDSupport,
|
||||||
GetMachineFingerprintFromUUIDSupport
|
GetMachineFingerprintFromUUIDSupport,
|
||||||
|
AuthenticationOptional
|
||||||
};
|
};
|
||||||
|
|
||||||
enum class AudioVersion : PacketVersion {
|
enum class AudioVersion : PacketVersion {
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue