From d9c98ca4cd3bb6c17249f5b1a8bccc5a126864f0 Mon Sep 17 00:00:00 2001 From: bwent Date: Wed, 5 Aug 2015 15:33:59 -0700 Subject: [PATCH] Add connection token to sign with username when connecting to domain-server --- domain-server/src/DomainServer.cpp | 25 ++++++------------- .../networking/src/DataServerAccountInfo.cpp | 5 ++-- libraries/networking/src/DomainHandler.cpp | 4 +-- libraries/networking/src/NodeList.cpp | 4 +-- 4 files changed, 13 insertions(+), 25 deletions(-) diff --git a/domain-server/src/DomainServer.cpp b/domain-server/src/DomainServer.cpp index 706307dd70..09c5e31f06 100644 --- a/domain-server/src/DomainServer.cpp +++ b/domain-server/src/DomainServer.cpp 
@@ -644,18 +644,16 @@ void DomainServer::processConnectRequestPacket(QSharedPointer packet) bool isRestrictingAccess = _settingsManager.valueOrDefaultValueForKeyPath(RESTRICTED_ACCESS_SETTINGS_KEYPATH).toBool(); -// //we always let in a user who is sending a packet from our local socket or from the localhost address -// bool isLocalUser = (senderSockAddr.getAddress() == DependencyManager::get()->getLocalSockAddr().getAddress() -// || senderSockAddr.getAddress() == QHostAddress::LocalHost); + // we always let in a user who is sending a packet from our local socket or from the localhost address + bool isLocalUser = (senderSockAddr.getAddress() == DependencyManager::get()->getLocalSockAddr().getAddress() || senderSockAddr.getAddress() == QHostAddress::LocalHost); - // if username is empty, don't attempt to unpack username signature - if(isRestrictingAccess) { + if (isRestrictingAccess) { if (!username.isEmpty()) { - + // if there's a username, try to unpack username signature packetStream >> usernameSignature; - if(usernameSignature.isEmpty()) { - // if user didn't include username and usernameSignature in connect request, send a connectionToken packet + if (usernameSignature.isEmpty()) { + // if user didn't include usernameSignature in connect request, send a connectionToken packet QUuid& connectionToken = _connectionTokenHash[username.toLower()]; if (connectionToken.isNull()) { @@ -666,11 +664,7 @@ void DomainServer::processConnectRequestPacket(QSharedPointer packet) connectionTokenPacket->reset(); connectionTokenPacket->write(connectionToken.toRfc4122()); limitedNodeList->sendUnreliablePacket(*connectionTokenPacket, packet->getSenderSockAddr()); - - qDebug() << "Sending connectionToken packet with connectionUUID " << _connectionTokenHash[username.toLower()]; - return; - } } } 
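Review bot: `_connectionTokenHash[username.toLower()]` creates an entry for whatever username an unauthenticated connect request carries, and nothing visible in this hunk bounds the hash or gives a token a lifetime. Each distinct username therefore costs the server memory until a signature for it verifies, and the stored token is sent again to any later sender that names the same username. At minimum, record the gap next to the lookup, for example `// TODO: expire unused connection tokens and cap _connectionTokenHash; entries are created from unauthenticated requests`, and consider rate-limiting token replies per sender address. The token-generation branch and the rest of processConnectRequestPacket lie outside the hunk, so a bound may already exist elsewhere.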
@@ -827,8 +821,6 @@ bool DomainServer::verifyUserSignature(const QString& username, // first load up the public key into an RSA struct RSA* rsaPublicKey = d2i_RSA_PUBKEY(NULL, &publicKeyData, publicKeyArray.size()); - //qDebug() << "Verifying signature: " << usernameSignature.toHex(); - QByteArray lowercaseUsername = username.toLower().toUtf8(); QByteArray usernameWithToken = QCryptographicHash::hash(lowercaseUsername.append(connectionToken.toRfc4122()), QCryptographicHash::Sha256); @@ -837,17 +829,14 @@ bool DomainServer::verifyUserSignature(const QString& username, int decryptResult = RSA_verify(NID_sha256, reinterpret_cast(usernameWithToken.constData()), usernameWithToken.size(), reinterpret_cast(usernameSignature.constData()), usernameSignature.size(), rsaPublicKey); - int err = ERR_get_error(); qDebug() << "Decrypt result: " << decryptResult << " Error: " << err; if (decryptResult == 1) { qDebug() << "Username signature matches for" << username << "- allowing connection."; - // free up the public key before we return + // free up the public key and remove connection token before we return RSA_free(rsaPublicKey); - - // remove the username's connection token from the hash _connectionTokenHash.remove(username); return true; diff --git a/libraries/networking/src/DataServerAccountInfo.cpp b/libraries/networking/src/DataServerAccountInfo.cpp index 0d38de7cf0..9824c1a811 100644 --- a/libraries/networking/src/DataServerAccountInfo.cpp +++ b/libraries/networking/src/DataServerAccountInfo.cpp 
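Review bot: `_connectionTokenHash.remove(username);` in the second hunk uses the username as received, but processConnectRequestPacket stores the token under `username.toLower()`, so for a username sent with upper-case letters the entry is not removed after a successful verification. The token then stays in the hash, and a signature already accepted for it would verify again on a later request. Change the line to `_connectionTokenHash.remove(username.toLower());`. The failure path of verifyUserSignature is outside the hunk, so whether a token is also discarded after a failed verification cannot be seen here.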
@@ -135,7 +135,8 @@ QByteArray DataServerAccountInfo::getUsernameSignature(const QUuid& connectionTo if (rsaPrivateKey) { QByteArray lowercaseUsername = _username.toLower().toUtf8(); QByteArray usernameWithToken = QCryptographicHash::hash(lowercaseUsername.append(connectionToken.toRfc4122()), QCryptographicHash::Sha256); - QByteArray usernameSignature(RSA_size(rsaPrivateKey), 0); + + QByteArray usernameSignature(RSA_size(rsaPrivateKey), 0); unsigned int usernameSignatureSize = 0; int encryptReturn = RSA_sign(NID_sha256, reinterpret_cast(usernameWithToken.constData()), usernameWithToken.size(), reinterpret_cast(usernameSignature.data()), &usernameSignatureSize, rsaPrivateKey); @@ -147,7 +148,7 @@ QByteArray DataServerAccountInfo::getUsernameSignature(const QUuid& connectionTo qCDebug(networking) << "Error encrypting username signature."; qCDebug(networking) << "Will re-attempt on next domain-server check in."; } else { - qDebug(networking) << "Signing username with connectionUUID " << connectionToken; + qDebug(networking) << "Signing username with connectionUUID."; return usernameSignature; } diff --git a/libraries/networking/src/DomainHandler.cpp b/libraries/networking/src/DomainHandler.cpp index cd53d2608e..8f4b9cc61f 100644 --- a/libraries/networking/src/DomainHandler.cpp +++ b/libraries/networking/src/DomainHandler.cpp @@ -44,7 +44,8 @@ DomainHandler::DomainHandler(QObject* parent) : void DomainHandler::clearConnectionInfo() { _uuid = QUuid(); - + _connectionToken = QUuid(); + _icePeer.reset(); if (requiresICE()) { @@ -62,7 +63,6 @@ void DomainHandler::clearSettings() { void DomainHandler::softReset() { qCDebug(networking) << "Resetting current domain connection information."; - _connectionToken = QUuid(); clearConnectionInfo(); clearSettings(); } diff --git a/libraries/networking/src/NodeList.cpp b/libraries/networking/src/NodeList.cpp index e8c92e37e3..a1c99e9747 100644 --- a/libraries/networking/src/NodeList.cpp +++ b/libraries/networking/src/NodeList.cpp 
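Review bot: The changed log line in the `-147,7 +148,7` hunk uses `qDebug(networking)` while the two messages in the error branch directly above it use `qCDebug(networking)`. For consistency with the rest of the function it should read `qCDebug(networking) << "Signing username with connectionUUID.";`. getUsernameSignature starts and ends outside the hunk.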
@@ -284,12 +284,11 @@ void NodeList::sendDomainServerCheckIn() { // get connection token from the domain-server QUuid connectionToken = _domainHandler.getConnectionToken(); - if(!connectionToken.isNull()) { + if (!connectionToken.isNull()) { QByteArray usernameSignature = AccountManager::getInstance().getAccountInfo().getUsernameSignature(connectionToken); if (!usernameSignature.isEmpty()) { - qDebug() << "Sending signature to packet stream " << usernameSignature.toHex(); packetStream << usernameSignature; } } @@ -464,7 +463,6 @@ void NodeList::processDomainServerConnectionTokenPacket(QSharedPointer // refuse to process this packet if we aren't currently connected to the DS return; } - qDebug() << "Setting connection token and sending domain server checkin"; // read in the connection token from the packet, then send domain-server checkin _domainHandler.setConnectionToken(QUuid::fromRfc4122(packet->read(NUM_BYTES_RFC4122_UUID))); sendDomainServerCheckIn();