Add connection token to sign with username when connecting to domain-server

domain-server/src/DomainServer.cpp

@@ -644,18 +644,16 @@ void DomainServer::processConnectRequestPacket(QSharedPointer<NLPacket> packet)
     bool isRestrictingAccess =
     _settingsManager.valueOrDefaultValueForKeyPath(RESTRICTED_ACCESS_SETTINGS_KEYPATH).toBool();
     
-//     //we always let in a user who is sending a packet from our local socket or from the localhost address
-//        bool isLocalUser =  (senderSockAddr.getAddress() == DependencyManager::get<LimitedNodeList>()->getLocalSockAddr().getAddress()
-//                    || senderSockAddr.getAddress() == QHostAddress::LocalHost);
+     // we always let in a user who is sending a packet from our local socket or from the localhost address
+    bool isLocalUser =  (senderSockAddr.getAddress() == DependencyManager::get<LimitedNodeList>()->getLocalSockAddr().getAddress() || senderSockAddr.getAddress() == QHostAddress::LocalHost);
     
-    // if username is empty, don't attempt to unpack username signature
-    if(isRestrictingAccess) {
+    if (isRestrictingAccess) {
         if (!username.isEmpty()) {
-           
+            // if there's a username, try to unpack username signature
             packetStream >> usernameSignature;
             
-            if(usernameSignature.isEmpty()) {
-                // if user didn't include username and usernameSignature in connect request, send a connectionToken packet
+            if (usernameSignature.isEmpty()) {
+                // if user didn't include usernameSignature in connect request, send a connectionToken packet
                 QUuid& connectionToken = _connectionTokenHash[username.toLower()];
                 
                 if (connectionToken.isNull()) {
@@ -666,11 +664,7 @@ void DomainServer::processConnectRequestPacket(QSharedPointer<NLPacket> packet)
                 connectionTokenPacket->reset();
                 connectionTokenPacket->write(connectionToken.toRfc4122());
                 limitedNodeList->sendUnreliablePacket(*connectionTokenPacket, packet->getSenderSockAddr());
-                
-                qDebug() << "Sending connectionToken packet with connectionUUID " << _connectionTokenHash[username.toLower()];
-                
                 return;
-
             }
         }
     }
@@ -827,8 +821,6 @@ bool DomainServer::verifyUserSignature(const QString& username,
         // first load up the public key into an RSA struct
         RSA* rsaPublicKey = d2i_RSA_PUBKEY(NULL, &publicKeyData, publicKeyArray.size());
         
-        //qDebug() << "Verifying signature: " << usernameSignature.toHex();
-        
         QByteArray lowercaseUsername = username.toLower().toUtf8();
         QByteArray usernameWithToken = QCryptographicHash::hash(lowercaseUsername.append(connectionToken.toRfc4122()), QCryptographicHash::Sha256);
         
@@ -837,17 +829,14 @@ bool DomainServer::verifyUserSignature(const QString& username,
             int decryptResult =
             RSA_verify(NID_sha256, reinterpret_cast<const unsigned char*>(usernameWithToken.constData()), usernameWithToken.size(), reinterpret_cast<const unsigned char*>(usernameSignature.constData()), usernameSignature.size(), rsaPublicKey);
             
-            
             int err = ERR_get_error();
             qDebug() << "Decrypt result: " << decryptResult << " Error: " << err;
             
             if (decryptResult == 1) {
                 qDebug() << "Username signature matches for" << username << "- allowing connection.";
 
-                // free up the public key before we return
+                // free up the public key and remove connection token before we return
                 RSA_free(rsaPublicKey);
-                    
-                // remove the username's connection token from the hash
                 _connectionTokenHash.remove(username);
 
                 return true;

libraries/networking/src/DataServerAccountInfo.cpp

@@ -135,7 +135,8 @@ QByteArray DataServerAccountInfo::getUsernameSignature(const QUuid& connectionTo
             if (rsaPrivateKey) {
                 QByteArray lowercaseUsername = _username.toLower().toUtf8();
                 QByteArray usernameWithToken = QCryptographicHash::hash(lowercaseUsername.append(connectionToken.toRfc4122()), QCryptographicHash::Sha256);
-                                QByteArray usernameSignature(RSA_size(rsaPrivateKey), 0);
+                
+                QByteArray usernameSignature(RSA_size(rsaPrivateKey), 0);
                 unsigned int usernameSignatureSize = 0;
                 
                 int encryptReturn = RSA_sign(NID_sha256, reinterpret_cast<const unsigned char*>(usernameWithToken.constData()), usernameWithToken.size(), reinterpret_cast<unsigned char*>(usernameSignature.data()), &usernameSignatureSize, rsaPrivateKey);
@@ -147,7 +148,7 @@ QByteArray DataServerAccountInfo::getUsernameSignature(const QUuid& connectionTo
                     qCDebug(networking) << "Error encrypting username signature.";
                     qCDebug(networking) << "Will re-attempt on next domain-server check in.";
                 } else {
-                    qDebug(networking) << "Signing username with connectionUUID " << connectionToken;
+                    qDebug(networking) << "Signing username with connectionUUID.";
                     return usernameSignature;
                 }
                 

libraries/networking/src/DomainHandler.cpp

@@ -44,7 +44,8 @@ DomainHandler::DomainHandler(QObject* parent) :
 
 void DomainHandler::clearConnectionInfo() {
     _uuid = QUuid();
-
+    _connectionToken = QUuid();
+    
     _icePeer.reset();
 
     if (requiresICE()) {
@@ -62,7 +63,6 @@ void DomainHandler::clearSettings() {
 
 void DomainHandler::softReset() {
     qCDebug(networking) << "Resetting current domain connection information.";
-    _connectionToken = QUuid();
     clearConnectionInfo();
     clearSettings();
 }

libraries/networking/src/NodeList.cpp

@@ -284,12 +284,11 @@ void NodeList::sendDomainServerCheckIn() {
             // get connection token from the domain-server
             QUuid connectionToken = _domainHandler.getConnectionToken();
             
-            if(!connectionToken.isNull()) {
+            if (!connectionToken.isNull()) {
                 
                 QByteArray usernameSignature = AccountManager::getInstance().getAccountInfo().getUsernameSignature(connectionToken);
                 
                 if (!usernameSignature.isEmpty()) {
-                    qDebug() << "Sending signature to packet stream " << usernameSignature.toHex();
                     packetStream << usernameSignature;
                 }
             }
@@ -464,7 +463,6 @@ void NodeList::processDomainServerConnectionTokenPacket(QSharedPointer<NLPacket>
         // refuse to process this packet if we aren't currently connected to the DS
         return;
     }
-    qDebug() << "Setting connection token and sending domain server checkin";
     // read in the connection token from the packet, then send domain-server checkin
     _domainHandler.setConnectionToken(QUuid::fromRfc4122(packet->read(NUM_BYTES_RFC4122_UUID)));
     sendDomainServerCheckIn();