From c72846341025d51bc61769023d53c90ddfe371bc Mon Sep 17 00:00:00 2001
From: Stephen Birarda <commit@birarda.com>
Date: Thu, 20 Feb 2014 17:57:58 -0800
Subject: [PATCH] use connection secret to verify domain-server packets

---
 domain-server/src/DomainServer.cpp  |  7 +++++++
 libraries/shared/src/DomainInfo.cpp |  7 ++++---
 libraries/shared/src/NodeList.cpp   | 28 +++++++++++++++++++++-------
 3 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/domain-server/src/DomainServer.cpp b/domain-server/src/DomainServer.cpp
index 1e023736e3..29d2d04c13 100644
--- a/domain-server/src/DomainServer.cpp
+++ b/domain-server/src/DomainServer.cpp
@@ -109,6 +109,7 @@ void DomainServer::processTokenRedeemResponse(const QJsonObject& jsonObject) {
     
     // if we have a registration token add it to our hash of redeemed token responses
     if (!registrationToken.isEmpty()) {
+        qDebug() << "Redeemed registration token" << registrationToken;
         _redeemedTokenResponses.insert(registrationToken, jsonObject);
     }
 }
@@ -341,6 +342,12 @@ void DomainServer::addNodeToNodeListAndConfirmConnection(const QByteArray& packe
     
     SharedNodePointer newNode = NodeList::getInstance()->addOrUpdateNode(nodeUUID, nodeType, publicSockAddr, localSockAddr);
     
+    if (!authJsonObject.isEmpty()) {
+        // pull the connection secret from the authJsonObject and set it as the connection secret for this node
+        QUuid connectionSecret(authJsonObject["data"].toObject()["connection_secret"].toString());
+        newNode->setConnectionSecret(connectionSecret);
+    }
+    
     // reply back to the user with a PacketTypeDomainList
     sendDomainListToNode(newNode, senderSockAddr, nodeInterestListFromPacket(packet, numPreInterestBytes));
 }
diff --git a/libraries/shared/src/DomainInfo.cpp b/libraries/shared/src/DomainInfo.cpp
index cdc835c718..98d7d2c39b 100644
--- a/libraries/shared/src/DomainInfo.cpp
+++ b/libraries/shared/src/DomainInfo.cpp
@@ -34,9 +34,10 @@ void DomainInfo::reset() {
 }
 
 void DomainInfo::parseAuthInformationFromJsonObject(const QJsonObject& jsonObject) {
-    _connectionSecret = QUuid(jsonObject["connection_uuid"].toString());
-    _registrationToken = QByteArray::fromHex(jsonObject["registration_token"].toString().toUtf8());
-    _publicKey = jsonObject["public_key"].toString();
+    QJsonObject dataObject = jsonObject["data"].toObject();
+    _connectionSecret = QUuid(dataObject["connection_secret"].toString());
+    _registrationToken = QByteArray::fromHex(dataObject["registration_token"].toString().toUtf8());
+    _publicKey = dataObject["public_key"].toString();
 }
 
 void DomainInfo::setHostname(const QString& hostname) {
diff --git a/libraries/shared/src/NodeList.cpp b/libraries/shared/src/NodeList.cpp
index 5b33f82985..9089e48fb9 100644
--- a/libraries/shared/src/NodeList.cpp
+++ b/libraries/shared/src/NodeList.cpp
@@ -79,8 +79,9 @@ NodeList::NodeList(char newOwnerType, unsigned short int newSocketListenPort) :
 }
 
 bool NodeList::packetVersionAndHashMatch(const QByteArray& packet) {
-    if (packet[1] != versionForPacketType(packetTypeForPacket(packet))
-        && packetTypeForPacket(packet) != PacketTypeStunResponse) {
+    PacketType checkType = packetTypeForPacket(packet);
+    if (packet[1] != versionForPacketType(checkType)
+        && checkType != PacketTypeStunResponse) {
         PacketType mismatchType = packetTypeForPacket(packet);
         int numPacketTypeBytes = numBytesArithmeticCodingFromBuffer(packet.data());
         
@@ -89,13 +90,13 @@ bool NodeList::packetVersionAndHashMatch(const QByteArray& packet) {
             << qPrintable(QString::number(versionForPacketType(mismatchType))) << "expected.";
     }
     
-    const QSet<PacketType> NON_VERIFIED_PACKETS = QSet<PacketType>() << PacketTypeDomainList
-        << PacketTypeDomainListRequest << PacketTypeDomainServerAuthRequest << PacketTypeDomainConnectRequest
+    const QSet<PacketType> NON_VERIFIED_PACKETS = QSet<PacketType>()
+        << PacketTypeDomainServerAuthRequest << PacketTypeDomainConnectRequest
         << PacketTypeStunResponse << PacketTypeDataServerConfirm
         << PacketTypeDataServerGet << PacketTypeDataServerPut << PacketTypeDataServerSend
         << PacketTypeCreateAssignment << PacketTypeRequestAssignment;
     
-    if (!NON_VERIFIED_PACKETS.contains(packetTypeForPacket(packet))) {
+    if (!NON_VERIFIED_PACKETS.contains(checkType)) {
         // figure out which node this is from
         SharedNodePointer sendingNode = sendingNodeForPacket(packet);
         if (sendingNode) {
@@ -103,11 +104,24 @@ bool NodeList::packetVersionAndHashMatch(const QByteArray& packet) {
             if (hashFromPacketHeader(packet) == hashForPacketAndConnectionUUID(packet, sendingNode->getConnectionSecret())) {
                 return true;
             } else {
-                qDebug() << "Packet hash mismatch on" << packetTypeForPacket(packet) << "- Sender"
+                qDebug() << "Packet hash mismatch on" << checkType << "- Sender"
                     << uuidFromPacketHeader(packet);
             }
         } else {
-            qDebug() << "Packet of type" << packetTypeForPacket(packet) << "received from unknown node with UUID"
+            if (checkType == PacketTypeDomainList
+                && _domainInfo.getUUID() == uuidFromPacketHeader(packet)) {
+                if (hashForPacketAndConnectionUUID(packet, _domainInfo.getConnectionSecret()) == hashFromPacketHeader(packet)) {
+                    // this is a packet from the domain-server (PacketTypeDomainServerListRequest)
+                    // and the sender UUID matches the UUID we expect for the domain
+                    return true;
+                } else {
+                    // this is a packet from the domain-server but there is a hash mismatch
+                    qDebug() << "Packet hash mismatch on" << checkType << "from domain-server at" << _domainInfo.getHostname();
+                    return false;
+                }
+            }
+            
+            qDebug() << "Packet of type" << checkType << "received from unknown node with UUID"
                 << uuidFromPacketHeader(packet);
         }
     } else {