From 37db5f94fadae6993585d447b4faa00cacca49a2 Mon Sep 17 00:00:00 2001 From: erdgeist <> Date: Mon, 28 May 2012 15:26:13 +0000 Subject: udp now generates a cryptographically secure token for connecting clients. This is later verified. --- ot_udp.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 53 insertions(+), 8 deletions(-) (limited to 'ot_udp.c') diff --git a/ot_udp.c b/ot_udp.c index d3fb82a..b79bc76 100644 --- a/ot_udp.c +++ b/ot_udp.c @@ -18,15 +18,40 @@ #include "trackerlogic.h" #include "ot_udp.h" #include "ot_stats.h" +#include "ot_rijndael.h" static const uint8_t g_static_connid[8] = { 0x23, 0x42, 0x05, 0x17, 0xde, 0x41, 0x50, 0xff }; +static uint32_t g_rijndael_round_key[44] = {0}; +static uint32_t g_key_of_the_hour[2] = {0}; +static ot_time g_hour_of_the_key; -static void udp_make_connectionid( uint32_t * connid, const ot_ip6 remoteip ) { - /* Touch unused variable */ - (void)remoteip; +static void udp_generate_rijndael_round_key() { + uint8_t key[16]; + key[0] = random(); key[1] = random(); key[2] = random(); key[3] = random(); + rijndaelKeySetupEnc128( g_rijndael_round_key, key ); - /* Use a static secret for now */ - memcpy( connid, g_static_connid, 8 ); + g_key_of_the_hour[0] = random(); + g_hour_of_the_key = g_now_minutes; +} + +/* Generate current and previous connection id for ip */ +static void udp_make_connectionid( uint32_t connid[4], const ot_ip6 remoteip ) { + uint32_t plain[4], crypt[4]; + int age, i; + + if( g_now_minutes + 60 > g_hour_of_the_key ) { + g_hour_of_the_key = g_now_minutes; + g_key_of_the_hour[1] = g_key_of_the_hour[0]; + g_key_of_the_hour[0] = random(); + } + + for( age = 0; age < 1; ++age ) { + memcpy( plain, remoteip, sizeof( plain ) ); + for( i=0; i<4; ++i ) plain[i] ^= g_key_of_the_hour[age]; + rijndaelEncrypt128( g_rijndael_round_key, (uint8_t*)remoteip, (uint8_t*)crypt ); + connid[2*age ] = crypt[0] ^ crypt[1]; + connid[2*age+1] = crypt[2] ^ crypt[3]; + } } /* UDP implementation according to http://xbtt.sourceforge.net/udp_tracker_protocol.html */ @@ -35,6 +60,7 @@ int handle_udp6( int64 serversocket, struct ot_workstruct *ws ) { uint32_t *inpacket = (uint32_t*)ws->inbuf; uint32_t *outpacket = (uint32_t*)ws->outbuf; uint32_t numwant, left, event, scopeid; + uint32_t connid[4]; uint16_t port, remoteport; size_t byte_count, scrape_count; @@ -44,13 +70,29 @@ int handle_udp6( int64 serversocket, struct ot_workstruct *ws ) { stats_issue_event( EVENT_ACCEPT, FLAG_UDP, (uintptr_t)remoteip ); stats_issue_event( EVENT_READ, FLAG_UDP, byte_count ); + /* Minimum udp tracker packet size, also catches error */ + if( byte_count < 16 ) + return 1; + + /* Generate the connection id we give out and expect to and from + the requesting ip address, this prevents udp spoofing */ + udp_make_connectionid( connid, remoteip ); + /* Initialise hash pointer */ ws->hash = NULL; ws->peer_id = NULL; - /* Minimum udp tracker packet size, also catches error */ - if( byte_count < 16 ) + /* If action is not a ntohl(a) == a == 0, then we + expect the derived connection id in first 64 bit */ + if( inpacket[2] && ( inpacket[0] != connid[0] || inpacket[1] != connid[1] ) && + ( inpacket[0] != connid[2] || inpacket[1] != connid[3] ) ) { + const size_t s = sizeof( "Connection ID missmatch." ); + outpacket[0] = 3; outpacket[1] = inpacket[3]; + memcpy( &outpacket[2], "Connection ID missmatch.", s ); + socket_send6( serversocket, ws->outbuf, 8 + s, remoteip, remoteport, 0 ); + stats_issue_event( EVENT_CONNID_MISSMATCH, FLAG_UDP, 8 + s ); return 1; + } switch( ntohl( inpacket[2] ) ) { case 0: /* This is a connect action */ @@ -60,7 +102,8 @@ int handle_udp6( int64 serversocket, struct ot_workstruct *ws ) { outpacket[0] = 0; outpacket[1] = inpacket[3]; - udp_make_connectionid( outpacket + 2, remoteip ); + outpacket[2] = connid[0]; + outpacket[3] = connid[1]; socket_send6( serversocket, ws->outbuf, 16, remoteip, remoteport, 0 ); stats_issue_event( EVENT_CONNECT, FLAG_UDP, 16 ); @@ -146,6 +189,8 @@ static void* udp_worker( void * args ) { void udp_init( int64 sock, unsigned int worker_count ) { pthread_t thread_id; + if( !g_rijndael_round_key[0] ) + udp_generate_rijndael_round_key(); #ifdef _DEBUG fprintf( stderr, " installing %d workers on udp socket %ld", worker_count, (unsigned long)sock ); #endif -- cgit v1.2.3