use connection secret to verify domain-server packets

2025-04-20 03:44:02 +02:00 · 2014-02-20 17:57:58 -08:00 · 2014-02-20 17:57:58 -08:00 · c728463410
commit c728463410
parent a8e96441ab
3 changed files with 32 additions and 10 deletions
--- a/domain-server/src/DomainServer.cpp
+++ b/domain-server/src/DomainServer.cpp
@ -109,6 +109,7 @@ void DomainServer::processTokenRedeemResponse(const QJsonObject& jsonObject) {
    
    // if we have a registration token add it to our hash of redeemed token responses
    if (!registrationToken.isEmpty()) {
+        qDebug() << "Redeemed registration token" << registrationToken;
        _redeemedTokenResponses.insert(registrationToken, jsonObject);
    }
 }
@ -341,6 +342,12 @@ void DomainServer::addNodeToNodeListAndConfirmConnection(const QByteArray& packe
    
    SharedNodePointer newNode = NodeList::getInstance()->addOrUpdateNode(nodeUUID, nodeType, publicSockAddr, localSockAddr);
    
+    if (!authJsonObject.isEmpty()) {
+        // pull the connection secret from the authJsonObject and set it as the connection secret for this node
+        QUuid connectionSecret(authJsonObject["data"].toObject()["connection_secret"].toString());
+        newNode->setConnectionSecret(connectionSecret);
+    }
+    
    // reply back to the user with a PacketTypeDomainList
    sendDomainListToNode(newNode, senderSockAddr, nodeInterestListFromPacket(packet, numPreInterestBytes));
 }
--- a/libraries/shared/src/DomainInfo.cpp
+++ b/libraries/shared/src/DomainInfo.cpp
@ -34,9 +34,10 @@ void DomainInfo::reset() {
 }

 void DomainInfo::parseAuthInformationFromJsonObject(const QJsonObject& jsonObject) {
-    _connectionSecret = QUuid(jsonObject["connection_uuid"].toString());
-    _registrationToken = QByteArray::fromHex(jsonObject["registration_token"].toString().toUtf8());
-    _publicKey = jsonObject["public_key"].toString();
+    QJsonObject dataObject = jsonObject["data"].toObject();
+    _connectionSecret = QUuid(dataObject["connection_secret"].toString());
+    _registrationToken = QByteArray::fromHex(dataObject["registration_token"].toString().toUtf8());
+    _publicKey = dataObject["public_key"].toString();
 }

 void DomainInfo::setHostname(const QString& hostname) {
--- a/libraries/shared/src/NodeList.cpp
+++ b/libraries/shared/src/NodeList.cpp
@ -79,8 +79,9 @@ NodeList::NodeList(char newOwnerType, unsigned short int newSocketListenPort) :
 }

 bool NodeList::packetVersionAndHashMatch(const QByteArray& packet) {
-    if (packet[1] != versionForPacketType(packetTypeForPacket(packet))
-        && packetTypeForPacket(packet) != PacketTypeStunResponse) {
+    PacketType checkType = packetTypeForPacket(packet);
+    if (packet[1] != versionForPacketType(checkType)
+        && checkType != PacketTypeStunResponse) {
        PacketType mismatchType = packetTypeForPacket(packet);
        int numPacketTypeBytes = numBytesArithmeticCodingFromBuffer(packet.data());
        
@ -89,13 +90,13 @@ bool NodeList::packetVersionAndHashMatch(const QByteArray& packet) {
            << qPrintable(QString::number(versionForPacketType(mismatchType))) << "expected.";
    }
    
-    const QSet<PacketType> NON_VERIFIED_PACKETS = QSet<PacketType>() << PacketTypeDomainList
-        << PacketTypeDomainListRequest << PacketTypeDomainServerAuthRequest << PacketTypeDomainConnectRequest
+    const QSet<PacketType> NON_VERIFIED_PACKETS = QSet<PacketType>()
+        << PacketTypeDomainServerAuthRequest << PacketTypeDomainConnectRequest
        << PacketTypeStunResponse << PacketTypeDataServerConfirm
        << PacketTypeDataServerGet << PacketTypeDataServerPut << PacketTypeDataServerSend
        << PacketTypeCreateAssignment << PacketTypeRequestAssignment;
    
-    if (!NON_VERIFIED_PACKETS.contains(packetTypeForPacket(packet))) {
+    if (!NON_VERIFIED_PACKETS.contains(checkType)) {
        // figure out which node this is from
        SharedNodePointer sendingNode = sendingNodeForPacket(packet);
        if (sendingNode) {
@ -103,11 +104,24 @@ bool NodeList::packetVersionAndHashMatch(const QByteArray& packet) {
            if (hashFromPacketHeader(packet) == hashForPacketAndConnectionUUID(packet, sendingNode->getConnectionSecret())) {
                return true;
            } else {
-                qDebug() << "Packet hash mismatch on" << packetTypeForPacket(packet) << "- Sender"
+                qDebug() << "Packet hash mismatch on" << checkType << "- Sender"
                    << uuidFromPacketHeader(packet);
            }
        } else {
-            qDebug() << "Packet of type" << packetTypeForPacket(packet) << "received from unknown node with UUID"
+            if (checkType == PacketTypeDomainList
+                && _domainInfo.getUUID() == uuidFromPacketHeader(packet)) {
+                if (hashForPacketAndConnectionUUID(packet, _domainInfo.getConnectionSecret()) == hashFromPacketHeader(packet)) {
+                    // this is a packet from the domain-server (PacketTypeDomainServerListRequest)
+                    // and the sender UUID matches the UUID we expect for the domain
+                    return true;
+                } else {
+                    // this is a packet from the domain-server but there is a hash mismatch
+                    qDebug() << "Packet hash mismatch on" << checkType << "from domain-server at" << _domainInfo.getHostname();
+                    return false;
+                }
+            }
+            
+            qDebug() << "Packet of type" << checkType << "received from unknown node with UUID"
                << uuidFromPacketHeader(packet);
        }
    } else {