From 03d7f3be231de93e18e0469d30f3f34938d3cd59 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 16:07:18 -0700 Subject: [PATCH 01/70] Add LICENSE-3RD-PARTY.txt On Toaster's recommendation, I've added the LICENSE-3RD-PARTY.txt from v1.6, so that it can be kept up-to-date in the same workflow as the dependencies are being added in the first place. There may be deps missing that were added in RR! --- LICENSE-3RD-PARTY.txt | 1579 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1579 insertions(+) create mode 100644 LICENSE-3RD-PARTY.txt diff --git a/LICENSE-3RD-PARTY.txt b/LICENSE-3RD-PARTY.txt new file mode 100644 index 000000000..259e9804a --- /dev/null +++ b/LICENSE-3RD-PARTY.txt @@ -0,0 +1,1579 @@ +-------------------------------------------------------------------------------- + 3-Clause BSD License + applies to: + - MiniUPnPc + Copyright (c) 2005-2011, Thomas BERNARD + All rights reserved. + http://miniupnp.free.fr +-------------------------------------------------------------------------------- + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + * The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +-------------------------------------------------------------------------------- + curl License + applies to: + - curl + Copyright (c) 1996 - 2018, Daniel Stenberg, daniel@haxx.se, + and many contributors, see the THANKS file. + https://curl.haxx.se +-------------------------------------------------------------------------------- + +All rights reserved. + +Permission to use, copy, modify, and distribute this software for any purpose +with or without fee is hereby granted, provided that the above copyright notice +and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN +NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of a copyright holder shall not be +used in advertising or otherwise to promote the sale, use or other dealings in +this Software without prior written authorization of the copyright holder. + +-------------------------------------------------------------------------------- + GCC Runtime Library Exception, Version 3.1 + applies to: + - GCC Runtime Library + Copyright (C) Free Software Foundation, Inc. + https://www.gnu.org/software/gcc/ +-------------------------------------------------------------------------------- + +GCC RUNTIME LIBRARY EXCEPTION Version 3.1, 31 March 2009 + +Copyright © 2009 Free Software Foundation, Inc. + +Everyone is permitted to copy and distribute verbatim copies of this license +document, but changing it is not allowed. + +This GCC Runtime Library Exception ("Exception") is an additional permission +under section 7 of the GNU General Public License, version 3 ("GPLv3"). It +applies to a given file (the "Runtime Library") that bears a notice placed by +the copyright holder of the file stating that the file is governed by GPLv3 +along with this Exception. + +When you use GCC to compile a program, GCC may combine portions of certain GCC +header files and runtime libraries with the compiled program. The purpose of +this Exception is to allow compilation of non-GPL (including proprietary) +programs to use, in this way, the header files and runtime libraries covered by +this Exception. + +0. Definitions. A file is an "Independent Module" if it either requires the +Runtime Library for execution after a Compilation Process, or makes use of an +interface provided by the Runtime Library, but is not otherwise based on the +Runtime Library. + +"GCC" means a version of the GNU Compiler Collection, with or without +modifications, governed by version 3 (or a specified later version) of the GNU +General Public License (GPL) with the option of using any subsequent versions +published by the FSF. + +"GPL-compatible Software" is software whose conditions of propagation, +modification and use would permit combination with GCC in accord with the +license of GCC. + +"Target Code" refers to output from any compiler for a real or virtual target +processor architecture, in executable form or suitable for input to an +assembler, loader, linker and/or execution phase. Notwithstanding that, Target +Code does not include data in any format that is used as a compiler +intermediate representation, or used for producing a compiler intermediate +representation. + +The "Compilation Process" transforms code entirely represented in +non-intermediate languages designed for human-written code, and/or in Java +Virtual Machine byte code, into Target Code. Thus, for example, use of source +code generators and preprocessors need not be considered part of the +Compilation Process, since the Compilation Process can be understood as +starting with the output of the generators or preprocessors. + +A Compilation Process is "Eligible" if it is done using GCC, alone or with +other GPL-compatible software, or if it is done without using any work based on +GCC. For example, using non-GPL-compatible Software to optimize any GCC +intermediate representations would not qualify as an Eligible Compilation +Process. + +1. Grant of Additional Permission. You have permission to propagate a work of +Target Code formed by combining the Runtime Library with Independent Modules, +even if such propagation would otherwise violate the terms of GPLv3, provided +that all Target Code was generated by Eligible Compilation Processes. You may +then convey such a combination under terms of your choice, consistent with the +licensing of the Independent Modules. + +2. No Weakening of GCC Copyleft. The availability of this Exception does not +imply any general presumption that third-party software is unaffected by the +copyleft requirements of the license of GCC. + +-------------------------------------------------------------------------------- + GNU General Public License, Version 3 + applies to: + - GCC Runtime Library + Copyright (C) Free Software Foundation, Inc. + https://www.gnu.org/software/gcc/ +-------------------------------------------------------------------------------- + + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. + +-------------------------------------------------------------------------------- + GNU Lesser General Public License, Version 2.1 + applies to: + - Game_Music_Emu + Shay Green + http://www.slack.net/~ant/ + + - libintl + Copyright (C) 1995-2018 Free Software Foundation, Inc. + https://www.gnu.org/software/gettext/ + + - mpg123 + Copyright (c) 1995-2013 by Michael Hipp and others, + free software under the terms of the LGPL v2.1 + https://www.mpg123.de +-------------------------------------------------------------------------------- + + GNU LESSER GENERAL PUBLIC LICENSE + Version 2.1, February 1999 + + Copyright (C) 1991, 1999 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + +[This is the first released version of the Lesser GPL. It also counts + as the successor of the GNU Library Public License, version 2, hence + the version number 2.1.] + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +Licenses are intended to guarantee your freedom to share and change +free software--to make sure the software is free for all its users. + + This license, the Lesser General Public License, applies to some +specially designated software packages--typically libraries--of the +Free Software Foundation and other authors who decide to use it. You +can use it too, but we suggest you first think carefully about whether +this license or the ordinary General Public License is the better +strategy to use in any particular case, based on the explanations below. + + When we speak of free software, we are referring to freedom of use, +not price. Our General Public Licenses are designed to make sure that +you have the freedom to distribute copies of free software (and charge +for this service if you wish); that you receive source code or can get +it if you want it; that you can change the software and use pieces of +it in new free programs; and that you are informed that you can do +these things. + + To protect your rights, we need to make restrictions that forbid +distributors to deny you these rights or to ask you to surrender these +rights. These restrictions translate to certain responsibilities for +you if you distribute copies of the library or if you modify it. + + For example, if you distribute copies of the library, whether gratis +or for a fee, you must give the recipients all the rights that we gave +you. You must make sure that they, too, receive or can get the source +code. If you link other code with the library, you must provide +complete object files to the recipients, so that they can relink them +with the library after making changes to the library and recompiling +it. And you must show them these terms so they know their rights. + + We protect your rights with a two-step method: (1) we copyright the +library, and (2) we offer you this license, which gives you legal +permission to copy, distribute and/or modify the library. + + To protect each distributor, we want to make it very clear that +there is no warranty for the free library. Also, if the library is +modified by someone else and passed on, the recipients should know +that what they have is not the original version, so that the original +author's reputation will not be affected by problems that might be +introduced by others. + + Finally, software patents pose a constant threat to the existence of +any free program. We wish to make sure that a company cannot +effectively restrict the users of a free program by obtaining a +restrictive license from a patent holder. Therefore, we insist that +any patent license obtained for a version of the library must be +consistent with the full freedom of use specified in this license. + + Most GNU software, including some libraries, is covered by the +ordinary GNU General Public License. This license, the GNU Lesser +General Public License, applies to certain designated libraries, and +is quite different from the ordinary General Public License. We use +this license for certain libraries in order to permit linking those +libraries into non-free programs. + + When a program is linked with a library, whether statically or using +a shared library, the combination of the two is legally speaking a +combined work, a derivative of the original library. The ordinary +General Public License therefore permits such linking only if the +entire combination fits its criteria of freedom. The Lesser General +Public License permits more lax criteria for linking other code with +the library. + + We call this license the "Lesser" General Public License because it +does Less to protect the user's freedom than the ordinary General +Public License. It also provides other free software developers Less +of an advantage over competing non-free programs. These disadvantages +are the reason we use the ordinary General Public License for many +libraries. However, the Lesser license provides advantages in certain +special circumstances. + + For example, on rare occasions, there may be a special need to +encourage the widest possible use of a certain library, so that it becomes +a de-facto standard. To achieve this, non-free programs must be +allowed to use the library. A more frequent case is that a free +library does the same job as widely used non-free libraries. In this +case, there is little to gain by limiting the free library to free +software only, so we use the Lesser General Public License. + + In other cases, permission to use a particular library in non-free +programs enables a greater number of people to use a large body of +free software. For example, permission to use the GNU C Library in +non-free programs enables many more people to use the whole GNU +operating system, as well as its variant, the GNU/Linux operating +system. + + Although the Lesser General Public License is Less protective of the +users' freedom, it does ensure that the user of a program that is +linked with the Library has the freedom and the wherewithal to run +that program using a modified version of the Library. + + The precise terms and conditions for copying, distribution and +modification follow. Pay close attention to the difference between a +"work based on the library" and a "work that uses the library". The +former contains code derived from the library, whereas the latter must +be combined with the library in order to run. + + GNU LESSER GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License Agreement applies to any software library or other +program which contains a notice placed by the copyright holder or +other authorized party saying it may be distributed under the terms of +this Lesser General Public License (also called "this License"). +Each licensee is addressed as "you". + + A "library" means a collection of software functions and/or data +prepared so as to be conveniently linked with application programs +(which use some of those functions and data) to form executables. + + The "Library", below, refers to any such software library or work +which has been distributed under these terms. A "work based on the +Library" means either the Library or any derivative work under +copyright law: that is to say, a work containing the Library or a +portion of it, either verbatim or with modifications and/or translated +straightforwardly into another language. (Hereinafter, translation is +included without limitation in the term "modification".) + + "Source code" for a work means the preferred form of the work for +making modifications to it. For a library, complete source code means +all the source code for all modules it contains, plus any associated +interface definition files, plus the scripts used to control compilation +and installation of the library. + + Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running a program using the Library is not restricted, and output from +such a program is covered only if its contents constitute a work based +on the Library (independent of the use of the Library in a tool for +writing it). Whether that is true depends on what the Library does +and what the program that uses the Library does. + + 1. You may copy and distribute verbatim copies of the Library's +complete source code as you receive it, in any medium, provided that +you conspicuously and appropriately publish on each copy an +appropriate copyright notice and disclaimer of warranty; keep intact +all the notices that refer to this License and to the absence of any +warranty; and distribute a copy of this License along with the +Library. + + You may charge a fee for the physical act of transferring a copy, +and you may at your option offer warranty protection in exchange for a +fee. + + 2. You may modify your copy or copies of the Library or any portion +of it, thus forming a work based on the Library, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) The modified work must itself be a software library. + + b) You must cause the files modified to carry prominent notices + stating that you changed the files and the date of any change. + + c) You must cause the whole of the work to be licensed at no + charge to all third parties under the terms of this License. + + d) If a facility in the modified Library refers to a function or a + table of data to be supplied by an application program that uses + the facility, other than as an argument passed when the facility + is invoked, then you must make a good faith effort to ensure that, + in the event an application does not supply such function or + table, the facility still operates, and performs whatever part of + its purpose remains meaningful. + + (For example, a function in a library to compute square roots has + a purpose that is entirely well-defined independent of the + application. Therefore, Subsection 2d requires that any + application-supplied function or table used by this function must + be optional: if the application does not supply it, the square + root function must still compute square roots.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Library, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Library, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote +it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Library. + +In addition, mere aggregation of another work not based on the Library +with the Library (or with a work based on the Library) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may opt to apply the terms of the ordinary GNU General Public +License instead of this License to a given copy of the Library. To do +this, you must alter all the notices that refer to this License, so +that they refer to the ordinary GNU General Public License, version 2, +instead of to this License. (If a newer version than version 2 of the +ordinary GNU General Public License has appeared, then you can specify +that version instead if you wish.) Do not make any other change in +these notices. + + Once this change is made in a given copy, it is irreversible for +that copy, so the ordinary GNU General Public License applies to all +subsequent copies and derivative works made from that copy. + + This option is useful when you wish to copy part of the code of +the Library into a program that is not a library. + + 4. You may copy and distribute the Library (or a portion or +derivative of it, under Section 2) in object code or executable form +under the terms of Sections 1 and 2 above provided that you accompany +it with the complete corresponding machine-readable source code, which +must be distributed under the terms of Sections 1 and 2 above on a +medium customarily used for software interchange. + + If distribution of object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the +source code from the same place satisfies the requirement to +distribute the source code, even though third parties are not +compelled to copy the source along with the object code. + + 5. A program that contains no derivative of any portion of the +Library, but is designed to work with the Library by being compiled or +linked with it, is called a "work that uses the Library". Such a +work, in isolation, is not a derivative work of the Library, and +therefore falls outside the scope of this License. + + However, linking a "work that uses the Library" with the Library +creates an executable that is a derivative of the Library (because it +contains portions of the Library), rather than a "work that uses the +library". The executable is therefore covered by this License. +Section 6 states terms for distribution of such executables. + + When a "work that uses the Library" uses material from a header file +that is part of the Library, the object code for the work may be a +derivative work of the Library even though the source code is not. +Whether this is true is especially significant if the work can be +linked without the Library, or if the work is itself a library. The +threshold for this to be true is not precisely defined by law. + + If such an object file uses only numerical parameters, data +structure layouts and accessors, and small macros and small inline +functions (ten lines or less in length), then the use of the object +file is unrestricted, regardless of whether it is legally a derivative +work. (Executables containing this object code plus portions of the +Library will still fall under Section 6.) + + Otherwise, if the work is a derivative of the Library, you may +distribute the object code for the work under the terms of Section 6. +Any executables containing that work also fall under Section 6, +whether or not they are linked directly with the Library itself. + + 6. As an exception to the Sections above, you may also combine or +link a "work that uses the Library" with the Library to produce a +work containing portions of the Library, and distribute that work +under terms of your choice, provided that the terms permit +modification of the work for the customer's own use and reverse +engineering for debugging such modifications. + + You must give prominent notice with each copy of the work that the +Library is used in it and that the Library and its use are covered by +this License. You must supply a copy of this License. If the work +during execution displays copyright notices, you must include the +copyright notice for the Library among them, as well as a reference +directing the user to the copy of this License. Also, you must do one +of these things: + + a) Accompany the work with the complete corresponding + machine-readable source code for the Library including whatever + changes were used in the work (which must be distributed under + Sections 1 and 2 above); and, if the work is an executable linked + with the Library, with the complete machine-readable "work that + uses the Library", as object code and/or source code, so that the + user can modify the Library and then relink to produce a modified + executable containing the modified Library. (It is understood + that the user who changes the contents of definitions files in the + Library will not necessarily be able to recompile the application + to use the modified definitions.) + + b) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (1) uses at run time a + copy of the library already present on the user's computer system, + rather than copying library functions into the executable, and (2) + will operate properly with a modified version of the library, if + the user installs one, as long as the modified version is + interface-compatible with the version that the work was made with. + + c) Accompany the work with a written offer, valid for at + least three years, to give the same user the materials + specified in Subsection 6a, above, for a charge no more + than the cost of performing this distribution. + + d) If distribution of the work is made by offering access to copy + from a designated place, offer equivalent access to copy the above + specified materials from the same place. + + e) Verify that the user has already received a copy of these + materials or that you have already sent this user a copy. + + For an executable, the required form of the "work that uses the +Library" must include any data and utility programs needed for +reproducing the executable from it. However, as a special exception, +the materials to be distributed need not include anything that is +normally distributed (in either source or binary form) with the major +components (compiler, kernel, and so on) of the operating system on +which the executable runs, unless that component itself accompanies +the executable. + + It may happen that this requirement contradicts the license +restrictions of other proprietary libraries that do not normally +accompany the operating system. Such a contradiction means you cannot +use both them and the Library together in an executable that you +distribute. + + 7. You may place library facilities that are a work based on the +Library side-by-side in a single library together with other library +facilities not covered by this License, and distribute such a combined +library, provided that the separate distribution of the work based on +the Library and of the other library facilities is otherwise +permitted, and provided that you do these two things: + + a) Accompany the combined library with a copy of the same work + based on the Library, uncombined with any other library + facilities. This must be distributed under the terms of the + Sections above. + + b) Give prominent notice with the combined library of the fact + that part of it is a work based on the Library, and explaining + where to find the accompanying uncombined form of the same work. + + 8. You may not copy, modify, sublicense, link with, or distribute +the Library except as expressly provided under this License. Any +attempt otherwise to copy, modify, sublicense, link with, or +distribute the Library is void, and will automatically terminate your +rights under this License. However, parties who have received copies, +or rights, from you under this License will not have their licenses +terminated so long as such parties remain in full compliance. + + 9. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Library or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Library (or any work based on the +Library), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Library or works based on it. + + 10. Each time you redistribute the Library (or any work based on the +Library), the recipient automatically receives a license from the +original licensor to copy, distribute, link with or modify the Library +subject to these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties with +this License. + + 11. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Library at all. For example, if a patent +license would not permit royalty-free redistribution of the Library by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Library. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply, +and the section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 12. If the distribution and/or use of the Library is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Library under this License may add +an explicit geographical distribution limitation excluding those countries, +so that distribution is permitted only in or among countries not thus +excluded. In such case, this License incorporates the limitation as if +written in the body of this License. + + 13. The Free Software Foundation may publish revised and/or new +versions of the Lesser General Public License from time to time. +Such new versions will be similar in spirit to the present version, +but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Library +specifies a version number of this License which applies to it and +"any later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Library does not specify a +license version number, you may choose any version ever published by +the Free Software Foundation. + + 14. If you wish to incorporate parts of the Library into other free +programs whose distribution conditions are incompatible with these, +write to the author to ask for permission. For software which is +copyrighted by the Free Software Foundation, write to the Free +Software Foundation; we sometimes make exceptions for this. Our +decision will be guided by the two goals of preserving the free status +of all derivatives of our free software and of promoting the sharing +and reuse of software generally. + + NO WARRANTY + + 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. +EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY +KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME +THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU +FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR +CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A +FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF +SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Libraries + + If you develop a new library, and you want it to be of the greatest +possible use to the public, we recommend making it free software that +everyone can redistribute and change. You can do so by permitting +redistribution under these terms (or, alternatively, under the terms of the +ordinary General Public License). + + To apply these terms, attach the following notices to the library. It is +safest to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + +Also add information on how to contact you by electronic and paper mail. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the library, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + library `Frob' (a library for tweaking knobs) written by James Random Hacker. + + , 1 April 1990 + Ty Coon, President of Vice + +That's all there is to it! + +-------------------------------------------------------------------------------- + libpng License + applies to: + - libpng + Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson + http://www.libpng.org/pub/png/libpng.html +-------------------------------------------------------------------------------- + +This copy of the libpng notices is provided for your convenience. In case of +any discrepancy between this copy and the notices in the file png.h that is +included in the libpng distribution, the latter shall prevail. + +COPYRIGHT NOTICE, DISCLAIMER, and LICENSE: + +If you modify libpng you may insert additional notices immediately following +this sentence. + +This code is released under the libpng license. + +libpng versions 1.0.7, July 1, 2000 through 1.6.35, July 15, 2018 are +Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson, are +derived from libpng-1.0.6, and are distributed according to the same +disclaimer and license as libpng-1.0.6 with the following individuals +added to the list of Contributing Authors: + + Simon-Pierre Cadieux + Eric S. Raymond + Mans Rullgard + Cosmin Truta + Gilles Vollant + James Yu + Mandar Sahastrabuddhe + Google Inc. + Vadim Barkov + +and with the following additions to the disclaimer: + + There is no warranty against interference with your enjoyment of the + library or against infringement. There is no warranty that our + efforts or the library will fulfill any of your particular purposes + or needs. This library is provided with all faults, and the entire + risk of satisfactory quality, performance, accuracy, and effort is with + the user. + +Some files in the "contrib" directory and some configure-generated +files that are distributed with libpng have other copyright owners and +are released under other open source licenses. + +libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, are +Copyright (c) 1998-2000 Glenn Randers-Pehrson, are derived from +libpng-0.96, and are distributed according to the same disclaimer and +license as libpng-0.96, with the following individuals added to the list +of Contributing Authors: + + Tom Lane + Glenn Randers-Pehrson + Willem van Schaik + +libpng versions 0.89, June 1996, through 0.96, May 1997, are +Copyright (c) 1996-1997 Andreas Dilger, are derived from libpng-0.88, +and are distributed according to the same disclaimer and license as +libpng-0.88, with the following individuals added to the list of +Contributing Authors: + + John Bowler + Kevin Bracey + Sam Bushell + Magnus Holmgren + Greg Roelofs + Tom Tanner + +Some files in the "scripts" directory have other copyright owners +but are released under this license. + +libpng versions 0.5, May 1995, through 0.88, January 1996, are +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. + +For the purposes of this copyright and license, "Contributing Authors" +is defined as the following set of individuals: + + Andreas Dilger + Dave Martindale + Guy Eric Schalnat + Paul Schmidt + Tim Wegner + +The PNG Reference Library is supplied "AS IS". The Contributing Authors +and Group 42, Inc. disclaim all warranties, expressed or implied, +including, without limitation, the warranties of merchantability and of +fitness for any purpose. The Contributing Authors and Group 42, Inc. +assume no liability for direct, indirect, incidental, special, exemplary, +or consequential damages, which may result from the use of the PNG +Reference Library, even if advised of the possibility of such damage. + +Permission is hereby granted to use, copy, modify, and distribute this +source code, or portions hereof, for any purpose, without fee, subject +to the following restrictions: + + 1. The origin of this source code must not be misrepresented. + + 2. Altered versions must be plainly marked as such and must not + be misrepresented as being the original source. + + 3. This Copyright notice may not be removed or altered from any + source or altered source distribution. + +The Contributing Authors and Group 42, Inc. specifically permit, without +fee, and encourage the use of this source code as a component to +supporting the PNG file format in commercial products. If you use this +source code in a product, acknowledgment is not required but would be +appreciated. + +END OF COPYRIGHT NOTICE, DISCLAIMER, and LICENSE. + +TRADEMARK: + +The name "libpng" has not been registered by the Copyright owner +as a trademark in any jurisdiction. However, because libpng has +been distributed and maintained world-wide, continually since 1995, +the Copyright owner claims "common-law trademark protection" in any +jurisdiction where common-law trademark is recognized. + +OSI CERTIFICATION: + +Libpng is OSI Certified Open Source Software. OSI Certified Open Source is +a certification mark of the Open Source Initiative. OSI has not addressed +the additional disclaimers inserted at version 1.0.7. + +EXPORT CONTROL: + +The Copyright owner believes that the Export Control Classification +Number (ECCN) for libpng is EAR99, which means not subject to export +controls or International Traffic in Arms Regulations (ITAR) because +it is open source, publicly available software, that does not contain +any encryption software. See the EAR, paragraphs 734.3(b)(3) and +734.7(b). + +Glenn Randers-Pehrson +glennrp at users.sourceforge.net +July 15, 2018 + +-------------------------------------------------------------------------------- + New BSD License + applies to: + - FLAC + Copyright (C) 2000-2009 Josh Coalson + Copyright (C) 2011-2016 Xiph.Org Foundation + https://xiph.org/flac/api/ + + - Vorbis + Copyright (c) 2002-2008 Xiph.org Foundation + https://xiph.org/vorbis/ + + - Opus + Copyright 2001-2011 Xiph.Org, Skype Limited, Octasic, + Jean-Marc Valin, Timothy B. Terriberry, + CSIRO, Gregory Maxwell, Mark Borgerding, + Erik de Castro Lopo + https://opus-codec.org + + - Opus File + Copyright (c) 1994-2013 Xiph.Org Foundation and contributors + https://opus-codec.org +-------------------------------------------------------------------------------- + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +- Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + +- Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + +[ For FLAC, Vorbis, and Opus File +- Neither the name of the Xiph.org Foundation nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. +] + +[ For Opus +- Neither the name of Internet Society, IETF or IETF Trust, nor the +names of specific contributors, may be used to endorse or promote +products derived from this software without specific prior written +permission. +] + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR +CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +-------------------------------------------------------------------------------- + Public Domain + applies to: + - win_iconv + Yukihiro Nakadaira + win_iconv is placed in the public domain. + https://github.com/win-iconv/win-iconv + + - libmodplug + ModPlug-XMMS and libmodplug are now in the public domain. + http://modplug-xmms.sourceforge.net +-------------------------------------------------------------------------------- + +-------------------------------------------------------------------------------- + zlib License + applies to: + - Simple DirectMedia Layer + Copyright (C) 1997-2018 Sam Lantinga + https://www.libsdl.org/hg.php + + - SDL_mixer: An audio mixer library based on the SDL library + Copyright (C) 1997-2018 Sam Lantinga + https://www.libsdl.org/projects/SDL_mixer/ + + - zlib + Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler + https://zlib.net +-------------------------------------------------------------------------------- + +This software is provided 'as-is', without any express or implied +warranty. In no event will the authors be held liable for any damages +arising from the use of this software. + +Permission is granted to anyone to use this software for any purpose, +including commercial applications, and to alter it and redistribute it +freely, subject to the following restrictions: + +1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. +2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. +3. This notice may not be removed or altered from any source distribution. From c3f4fc33c4c380ac286c1aaaa53c7d1419fe2950 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 16:51:40 -0700 Subject: [PATCH 02/70] License compliance for libwebm, libyuv, libvpx, libxmp, fmt, imgui, tcbrindle span --- LICENSE-3RD-PARTY.txt | 76 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/LICENSE-3RD-PARTY.txt b/LICENSE-3RD-PARTY.txt index 259e9804a..8a839cf94 100644 --- a/LICENSE-3RD-PARTY.txt +++ b/LICENSE-3RD-PARTY.txt @@ -5,6 +5,18 @@ Copyright (c) 2005-2011, Thomas BERNARD All rights reserved. http://miniupnp.free.fr + - libwebm + Copyright (c) 2010, Google Inc. + All rights reserved. + https://chromium.googlesource.com/webm/libwebm/ + - libyuv + Copyright 2011 The LibYuv Project Authors. + All rights reserved. + https://chromium.googlesource.com/libyuv/libyuv/ + - libvpx + Copyright (c) 2010, The WebM Project authors. All rights reserved. + All rights reserved. + https://chromium.googlesource.com/webm/libvpx -------------------------------------------------------------------------------- Redistribution and use in source and binary forms, with or without @@ -827,6 +839,10 @@ Public License instead of this License. But first, please read Copyright (c) 1995-2013 by Michael Hipp and others, free software under the terms of the LGPL v2.1 https://www.mpg123.de + + - libxmp + https://github.com/libxmp/libxmp/blob/master/docs/CREDITS + https://github.com/libxmp/libxmp -------------------------------------------------------------------------------- GNU LESSER GENERAL PUBLIC LICENSE @@ -1577,3 +1593,63 @@ freely, subject to the following restrictions: 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. + +-------------------------------------------------------------------------------- + MIT License + applies to: + - fmt + Copyright (c) 2012 - present, Victor Zverovich and {fmt} contributors + https://github.com/fmtlib/fmt + - imgui + Copyright (c) 2014-2023 Omar Cornut + https://github.com/ocornut/imgui +-------------------------------------------------------------------------------- + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +-------------------------------------------------------------------------------- + Boost Software License - Version 1.0 + applies to: + - tcbrindle span + https://www.boost.org/ +-------------------------------------------------------------------------------- + +Boost Software License - Version 1.0 - August 17th, 2003 + +Permission is hereby granted, free of charge, to any person or organization +obtaining a copy of the software and accompanying documentation covered by +this license (the "Software") to use, reproduce, display, distribute, +execute, and transmit the Software, and to prepare derivative works of the +Software, and to permit third-parties to whom the Software is furnished to +do so, all subject to the following: + +The copyright notices in the Software and this entire statement, including +the above license grant, this restriction and the following disclaimer, +must be included in all copies of the Software, in whole or in part, and +all derivative works of the Software, unless such copies or derivative +works are solely in the form of machine-executable object code generated by +a source language processor. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT +SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE +FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. From 805186c3a9e2a74a29507e95167ec451350afe93 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 00:26:11 -0700 Subject: [PATCH 03/70] RRID: initial commit, WIP broken --- src/CMakeLists.txt | 1 + src/d_clisrv.c | 12 + src/d_clisrv.h | 17 + src/d_main.c | 33 + src/d_netfil.c | 16 + src/d_netfil.h | 2 + src/monocypher/CMakeLists.txt | 4 + src/monocypher/monocypher.c | 2961 +++++++++++++++++++++++++++++++++ src/monocypher/monocypher.h | 321 ++++ src/stun.c | 2 +- src/stun.h | 2 + src/typedef.h | 2 + 12 files changed, 3372 insertions(+), 1 deletion(-) create mode 100644 src/monocypher/CMakeLists.txt create mode 100644 src/monocypher/monocypher.c create mode 100644 src/monocypher/monocypher.h diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 042ccda03..8fd0c12ac 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -559,6 +559,7 @@ add_subdirectory(sdl) add_subdirectory(objects) add_subdirectory(acs) add_subdirectory(rhi) +add_subdirectory(monocypher) if(SRB2_CONFIG_ENABLE_TESTS) add_subdirectory(tests) endif() diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 080aa1cd1..ffcafc46f 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -156,6 +156,8 @@ char connectedservername[MAXSERVERNAME]; /// \todo WORK! boolean acceptnewnode = true; +char lastReceivedKey[MAXNETNODES][32]; + boolean serverisfull = false; //lets us be aware if the server was full after we check files, but before downloading, so we can ask if the user still wants to download or not tic_t firstconnectattempttime = 0; @@ -545,6 +547,8 @@ typedef enum CL_PREPAREHTTPFILES, CL_DOWNLOADHTTPFILES, #endif + CL_SENDKEY, + CL_WAITCHALLENGE, } cl_mode_t; static void GetPackets(void); @@ -1924,6 +1928,10 @@ static boolean CL_ServerConnectionTicker(const char *tmpsave, tic_t *oldtic, tic cl_mode = CL_ASKJOIN; } break; + case CL_SENDKEY: + break; + case CL_WAITCHALLENGE: + break; case CL_DOWNLOADSAVEGAME: // At this state, the first (and only) needed file is the gamestate if (fileneeded[0].status == FS_FOUND) @@ -4494,6 +4502,10 @@ static void HandlePacketFromAwayNode(SINT8 node) break; /* FALLTHRU */ + case PT_CLIENTKEY: + if (server) + PT_ClientKey(node); + break; default: DEBFILE(va("unknown packet received (%d) from unknown host\n",netbuffer->packettype)); Net_CloseConnection(node); diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 0b51846ca..0b1529fbd 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -119,6 +119,10 @@ typedef enum PT_LOGIN, // Login attempt from the client. PT_PING, // Packet sent to tell clients the other client's latency to server. + + PT_CLIENTKEY, // "Here's my public key" + PT_SERVERCHALLENGE, // "Prove it" + NUMPACKETTYPE } packettype_t; @@ -346,6 +350,16 @@ struct filesneededconfig_pak UINT8 files[MAXFILENEEDED]; // is filled with writexxx (byteptr.h) } ATTRPACK; +struct clientkey_pak +{ + char key[32]; +} ATTRPACK; + +struct serverchallenge_pak +{ + char secret[32]; +} ATTRPACK; + // // Network packet data // @@ -380,6 +394,8 @@ struct doomdata_t INT32 filesneedednum; // 4 bytes filesneededconfig_pak filesneededcfg; // ??? bytes UINT32 pingtable[MAXPLAYERS+1]; // 68 bytes + clientkey_pak clientkey; // TODO: Tyron, does anyone take any of these sizes even remotely seriously + serverchallenge_pak serverchallenge; // Are you even going to update this shit, are you even going to remove this comment } u; // This is needed to pack diff packet types data together } ATTRPACK; @@ -443,6 +459,7 @@ extern UINT16 software_MAXPACKETLENGTH; extern boolean acceptnewnode; extern SINT8 servernode; extern char connectedservername[MAXSERVERNAME]; +extern char lastReceivedKey[MAXNETNODES][32]; void Command_Ping_f(void); extern tic_t connectiontimeout; diff --git a/src/d_main.c b/src/d_main.c index e52ad6a61..d1aacefd2 100644 --- a/src/d_main.c +++ b/src/d_main.c @@ -71,6 +71,9 @@ #include "g_input.h" // tutorial mode control scheming #include "m_perfstats.h" +#include "monocypher/monocypher.h" +#include "stun.h" + // SRB2Kart #include "k_grandprix.h" #include "doomstat.h" @@ -156,6 +159,10 @@ INT32 eventhead, eventtail; boolean dedicated = false; +// For identity negotiation with netgame servers +uint8_t public_key[32]; +uint8_t secret_key[32]; + // // D_PostEvent // Called by the I/O functions when input is detected @@ -1708,6 +1715,32 @@ void D_SRB2Main(void) ACS_Init(); CON_SetLoadingProgress(LOADED_ACSINIT); + // -- IT'S HOMEGROWN CRYPTO TIME -- + + // TODO: This file should probably give a fuck about command line params, + // or not be stored next to the EXE in a way that allows people to unknowingly send it to others. + static char keyfile[16] = "rrid.dat"; + + csprng(secret_key, 32); + + if (FIL_ReadFileOK(keyfile)) + { + UINT8 *readbuffer = NULL; + UINT16 lengthRead = FIL_ReadFile(keyfile, &readbuffer); + if (readbuffer == NULL || lengthRead != 32) + I_Error("Malformed keyfile"); + memcpy(secret_key, readbuffer, 32); + } + else + { + if (!FIL_WriteFile(keyfile, secret_key, 32)) + I_Error("Couldn't open keyfile"); + } + + crypto_x25519_public_key(public_key, secret_key); + + // -- END HOMEGROWN CRYPTO TIME -- + //------------------------------------------------ COMMAND LINE PARAMS // this must be done after loading gamedata, diff --git a/src/d_netfil.c b/src/d_netfil.c index ef99a2321..a23f688d1 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -53,6 +53,7 @@ #include "k_menu.h" #include "md5.h" #include "filesrch.h" +#include "stun.h" #include @@ -1313,6 +1314,21 @@ void PT_FileReceived(void) SV_EndFileSend(doomcom->remotenode); } +void PT_ClientKey(INT32 node) +{ + clientkey_pak *packet = (void*)&netbuffer->u.clientkey; + + // TODO + // Stage 1: Exchange packets with no verification of their contents (YOU ARE HERE) + // Stage 2: Exchange packets with a check, but no crypto + // Stage 3: The crypto part + + memcpy(lastReceivedKey[node], packet->key, 32); + + netbuffer->packettype = PT_SERVERCHALLENGE; + HSendPacket(node, false, 0, sizeof (serverchallenge_pak)); +} + static void SendAckPacket(fileack_pak *packet, UINT8 fileid) { size_t packetsize; diff --git a/src/d_netfil.h b/src/d_netfil.h index 26bffbc18..fb5a6d29a 100644 --- a/src/d_netfil.h +++ b/src/d_netfil.h @@ -106,6 +106,8 @@ boolean CL_CheckDownloadable(void); boolean CL_SendFileRequest(void); boolean PT_RequestFile(INT32 node); +void PT_ClientKey(INT32 node); + typedef enum { LFTNS_NONE, // This node is not connected diff --git a/src/monocypher/CMakeLists.txt b/src/monocypher/CMakeLists.txt new file mode 100644 index 000000000..8122e03ba --- /dev/null +++ b/src/monocypher/CMakeLists.txt @@ -0,0 +1,4 @@ +target_sources(SRB2SDL2 PRIVATE +monocypher.c +monocypher.h +) diff --git a/src/monocypher/monocypher.c b/src/monocypher/monocypher.c new file mode 100644 index 000000000..b01a4b728 --- /dev/null +++ b/src/monocypher/monocypher.c @@ -0,0 +1,2961 @@ +// Monocypher version 4.0.0 +// +// This file is dual-licensed. Choose whichever licence you want from +// the two licences listed below. +// +// The first licence is a regular 2-clause BSD licence. The second licence +// is the CC-0 from Creative Commons. It is intended to release Monocypher +// to the public domain. The BSD licence serves as a fallback option. +// +// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0 +// +// ------------------------------------------------------------------------ +// +// Copyright (c) 2017-2020, Loup Vaillant +// All rights reserved. +// +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// 1. Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright +// notice, this list of conditions and the following disclaimer in the +// documentation and/or other materials provided with the +// distribution. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +// ------------------------------------------------------------------------ +// +// Written in 2017-2020 by Loup Vaillant +// +// To the extent possible under law, the author(s) have dedicated all copyright +// and related neighboring rights to this software to the public domain +// worldwide. This software is distributed without any warranty. +// +// You should have received a copy of the CC0 Public Domain Dedication along +// with this software. If not, see +// + +#include "monocypher.h" + +#ifdef MONOCYPHER_CPP_NAMESPACE +namespace MONOCYPHER_CPP_NAMESPACE { +#endif + +///////////////// +/// Utilities /// +///////////////// +#define FOR_T(type, i, start, end) for (type i = (start); i < (end); i++) +#define FOR(i, start, end) FOR_T(size_t, i, start, end) +#define COPY(dst, src, size) FOR(_i_, 0, size) (dst)[_i_] = (src)[_i_] +#define ZERO(buf, size) FOR(_i_, 0, size) (buf)[_i_] = 0 +#define WIPE_CTX(ctx) crypto_wipe(ctx , sizeof(*(ctx))) +#define WIPE_BUFFER(buffer) crypto_wipe(buffer, sizeof(buffer)) +#define MIN(a, b) ((a) <= (b) ? (a) : (b)) +#define MAX(a, b) ((a) >= (b) ? (a) : (b)) + +typedef int8_t i8; +typedef uint8_t u8; +typedef int16_t i16; +typedef uint32_t u32; +typedef int32_t i32; +typedef int64_t i64; +typedef uint64_t u64; + +static const u8 zero[128] = {0}; + +// returns the smallest positive integer y such that +// (x + y) % pow_2 == 0 +// Basically, it's how many bytes we need to add to "align" x. +// Only works when pow_2 is a power of 2. +// Note: we use ~x+1 instead of -x to avoid compiler warnings +static size_t align(size_t x, size_t pow_2) +{ + return (~x + 1) & (pow_2 - 1); +} + +static u32 load24_le(const u8 s[3]) +{ + return + ((u32)s[0] << 0) | + ((u32)s[1] << 8) | + ((u32)s[2] << 16); +} + +static u32 load32_le(const u8 s[4]) +{ + return + ((u32)s[0] << 0) | + ((u32)s[1] << 8) | + ((u32)s[2] << 16) | + ((u32)s[3] << 24); +} + +static u64 load64_le(const u8 s[8]) +{ + return load32_le(s) | ((u64)load32_le(s+4) << 32); +} + +static void store32_le(u8 out[4], u32 in) +{ + out[0] = in & 0xff; + out[1] = (in >> 8) & 0xff; + out[2] = (in >> 16) & 0xff; + out[3] = (in >> 24) & 0xff; +} + +static void store64_le(u8 out[8], u64 in) +{ + store32_le(out , (u32)in ); + store32_le(out + 4, in >> 32); +} + +static void load32_le_buf (u32 *dst, const u8 *src, size_t size) { + FOR(i, 0, size) { dst[i] = load32_le(src + i*4); } +} +static void load64_le_buf (u64 *dst, const u8 *src, size_t size) { + FOR(i, 0, size) { dst[i] = load64_le(src + i*8); } +} +static void store32_le_buf(u8 *dst, const u32 *src, size_t size) { + FOR(i, 0, size) { store32_le(dst + i*4, src[i]); } +} +static void store64_le_buf(u8 *dst, const u64 *src, size_t size) { + FOR(i, 0, size) { store64_le(dst + i*8, src[i]); } +} + +static u64 rotr64(u64 x, u64 n) { return (x >> n) ^ (x << (64 - n)); } +static u32 rotl32(u32 x, u32 n) { return (x << n) ^ (x >> (32 - n)); } + +static int neq0(u64 diff) +{ + // constant time comparison to zero + // return diff != 0 ? -1 : 0 + u64 half = (diff >> 32) | ((u32)diff); + return (1 & ((half - 1) >> 32)) - 1; +} + +static u64 x16(const u8 a[16], const u8 b[16]) +{ + return (load64_le(a + 0) ^ load64_le(b + 0)) + | (load64_le(a + 8) ^ load64_le(b + 8)); +} +static u64 x32(const u8 a[32],const u8 b[32]){return x16(a,b)| x16(a+16, b+16);} +static u64 x64(const u8 a[64],const u8 b[64]){return x32(a,b)| x32(a+32, b+32);} +int crypto_verify16(const u8 a[16], const u8 b[16]){ return neq0(x16(a, b)); } +int crypto_verify32(const u8 a[32], const u8 b[32]){ return neq0(x32(a, b)); } +int crypto_verify64(const u8 a[64], const u8 b[64]){ return neq0(x64(a, b)); } + +void crypto_wipe(void *secret, size_t size) +{ + volatile u8 *v_secret = (u8*)secret; + ZERO(v_secret, size); +} + +///////////////// +/// Chacha 20 /// +///////////////// +#define QUARTERROUND(a, b, c, d) \ + a += b; d = rotl32(d ^ a, 16); \ + c += d; b = rotl32(b ^ c, 12); \ + a += b; d = rotl32(d ^ a, 8); \ + c += d; b = rotl32(b ^ c, 7) + +static void chacha20_rounds(u32 out[16], const u32 in[16]) +{ + // The temporary variables make Chacha20 10% faster. + u32 t0 = in[ 0]; u32 t1 = in[ 1]; u32 t2 = in[ 2]; u32 t3 = in[ 3]; + u32 t4 = in[ 4]; u32 t5 = in[ 5]; u32 t6 = in[ 6]; u32 t7 = in[ 7]; + u32 t8 = in[ 8]; u32 t9 = in[ 9]; u32 t10 = in[10]; u32 t11 = in[11]; + u32 t12 = in[12]; u32 t13 = in[13]; u32 t14 = in[14]; u32 t15 = in[15]; + + FOR (i, 0, 10) { // 20 rounds, 2 rounds per loop. + QUARTERROUND(t0, t4, t8 , t12); // column 0 + QUARTERROUND(t1, t5, t9 , t13); // column 1 + QUARTERROUND(t2, t6, t10, t14); // column 2 + QUARTERROUND(t3, t7, t11, t15); // column 3 + QUARTERROUND(t0, t5, t10, t15); // diagonal 0 + QUARTERROUND(t1, t6, t11, t12); // diagonal 1 + QUARTERROUND(t2, t7, t8 , t13); // diagonal 2 + QUARTERROUND(t3, t4, t9 , t14); // diagonal 3 + } + out[ 0] = t0; out[ 1] = t1; out[ 2] = t2; out[ 3] = t3; + out[ 4] = t4; out[ 5] = t5; out[ 6] = t6; out[ 7] = t7; + out[ 8] = t8; out[ 9] = t9; out[10] = t10; out[11] = t11; + out[12] = t12; out[13] = t13; out[14] = t14; out[15] = t15; +} + +static const u8 *chacha20_constant = (const u8*)"expand 32-byte k"; // 16 bytes + +void crypto_chacha20_h(u8 out[32], const u8 key[32], const u8 in [16]) +{ + u32 block[16]; + load32_le_buf(block , chacha20_constant, 4); + load32_le_buf(block + 4, key , 8); + load32_le_buf(block + 12, in , 4); + + chacha20_rounds(block, block); + + // prevent reversal of the rounds by revealing only half of the buffer. + store32_le_buf(out , block , 4); // constant + store32_le_buf(out+16, block+12, 4); // counter and nonce + WIPE_BUFFER(block); +} + +u64 crypto_chacha20_djb(u8 *cipher_text, const u8 *plain_text, + size_t text_size, const u8 key[32], const u8 nonce[8], + u64 ctr) +{ + u32 input[16]; + load32_le_buf(input , chacha20_constant, 4); + load32_le_buf(input + 4, key , 8); + load32_le_buf(input + 14, nonce , 2); + input[12] = (u32) ctr; + input[13] = (u32)(ctr >> 32); + + // Whole blocks + u32 pool[16]; + size_t nb_blocks = text_size >> 6; + FOR (i, 0, nb_blocks) { + chacha20_rounds(pool, input); + if (plain_text != 0) { + FOR (j, 0, 16) { + u32 p = pool[j] + input[j]; + store32_le(cipher_text, p ^ load32_le(plain_text)); + cipher_text += 4; + plain_text += 4; + } + } else { + FOR (j, 0, 16) { + u32 p = pool[j] + input[j]; + store32_le(cipher_text, p); + cipher_text += 4; + } + } + input[12]++; + if (input[12] == 0) { + input[13]++; + } + } + text_size &= 63; + + // Last (incomplete) block + if (text_size > 0) { + if (plain_text == 0) { + plain_text = zero; + } + chacha20_rounds(pool, input); + u8 tmp[64]; + FOR (i, 0, 16) { + store32_le(tmp + i*4, pool[i] + input[i]); + } + FOR (i, 0, text_size) { + cipher_text[i] = tmp[i] ^ plain_text[i]; + } + WIPE_BUFFER(tmp); + } + ctr = input[12] + ((u64)input[13] << 32) + (text_size > 0); + + WIPE_BUFFER(pool); + WIPE_BUFFER(input); + return ctr; +} + +u32 crypto_chacha20_ietf(u8 *cipher_text, const u8 *plain_text, + size_t text_size, + const u8 key[32], const u8 nonce[12], u32 ctr) +{ + u64 big_ctr = ctr + ((u64)load32_le(nonce) << 32); + return (u32)crypto_chacha20_djb(cipher_text, plain_text, text_size, + key, nonce + 4, big_ctr); +} + +u64 crypto_chacha20_x(u8 *cipher_text, const u8 *plain_text, + size_t text_size, + const u8 key[32], const u8 nonce[24], u64 ctr) +{ + u8 sub_key[32]; + crypto_chacha20_h(sub_key, key, nonce); + ctr = crypto_chacha20_djb(cipher_text, plain_text, text_size, + sub_key, nonce + 16, ctr); + WIPE_BUFFER(sub_key); + return ctr; +} + +///////////////// +/// Poly 1305 /// +///////////////// + +// h = (h + c) * r +// preconditions: +// ctx->h <= 4_ffffffff_ffffffff_ffffffff_ffffffff +// ctx->r <= 0ffffffc_0ffffffc_0ffffffc_0fffffff +// end <= 1 +// Postcondition: +// ctx->h <= 4_ffffffff_ffffffff_ffffffff_ffffffff +static void poly_block(crypto_poly1305_ctx *ctx, const u8 in[16], unsigned end) +{ + u32 s[4]; + load32_le_buf(s, in, 4); + + //- PROOF Poly1305 + //- + //- # Inputs & preconditions + //- ctx->h[0] = u32() + //- ctx->h[1] = u32() + //- ctx->h[2] = u32() + //- ctx->h[3] = u32() + //- ctx->h[4] = u32(limit = 4) + //- + //- ctx->r[0] = u32(limit = 0x0fffffff) + //- ctx->r[1] = u32(limit = 0x0ffffffc) + //- ctx->r[2] = u32(limit = 0x0ffffffc) + //- ctx->r[3] = u32(limit = 0x0ffffffc) + //- + //- s[0] = u32() + //- s[1] = u32() + //- s[2] = u32() + //- s[3] = u32() + //- + //- end = unsigned(limit = 1) + + // s = h + c, without carry propagation + const u64 s0 = ctx->h[0] + (u64)s[0]; // s0 <= 1_fffffffe + const u64 s1 = ctx->h[1] + (u64)s[1]; // s1 <= 1_fffffffe + const u64 s2 = ctx->h[2] + (u64)s[2]; // s2 <= 1_fffffffe + const u64 s3 = ctx->h[3] + (u64)s[3]; // s3 <= 1_fffffffe + const u32 s4 = ctx->h[4] + end; // s4 <= 5 + + // Local all the things! + const u32 r0 = ctx->r[0]; // r0 <= 0fffffff + const u32 r1 = ctx->r[1]; // r1 <= 0ffffffc + const u32 r2 = ctx->r[2]; // r2 <= 0ffffffc + const u32 r3 = ctx->r[3]; // r3 <= 0ffffffc + const u32 rr0 = (r0 >> 2) * 5; // rr0 <= 13fffffb // lose 2 bits... + const u32 rr1 = (r1 >> 2) + r1; // rr1 <= 13fffffb // rr1 == (r1 >> 2) * 5 + const u32 rr2 = (r2 >> 2) + r2; // rr2 <= 13fffffb // rr1 == (r2 >> 2) * 5 + const u32 rr3 = (r3 >> 2) + r3; // rr3 <= 13fffffb // rr1 == (r3 >> 2) * 5 + + // (h + c) * r, without carry propagation + const u64 x0 = s0*r0+ s1*rr3+ s2*rr2+ s3*rr1+ s4*rr0; // <= 97ffffe007fffff8 + const u64 x1 = s0*r1+ s1*r0 + s2*rr3+ s3*rr2+ s4*rr1; // <= 8fffffe20ffffff6 + const u64 x2 = s0*r2+ s1*r1 + s2*r0 + s3*rr3+ s4*rr2; // <= 87ffffe417fffff4 + const u64 x3 = s0*r3+ s1*r2 + s2*r1 + s3*r0 + s4*rr3; // <= 7fffffe61ffffff2 + const u32 x4 = s4 * (r0 & 3); // ...recover 2 bits // <= f + + // partial reduction modulo 2^130 - 5 + const u32 u5 = x4 + (x3 >> 32); // u5 <= 7ffffff5 + const u64 u0 = (u5 >> 2) * 5 + (x0 & 0xffffffff); + const u64 u1 = (u0 >> 32) + (x1 & 0xffffffff) + (x0 >> 32); + const u64 u2 = (u1 >> 32) + (x2 & 0xffffffff) + (x1 >> 32); + const u64 u3 = (u2 >> 32) + (x3 & 0xffffffff) + (x2 >> 32); + const u64 u4 = (u3 >> 32) + (u5 & 3); + + // Update the hash + ctx->h[0] = u0 & 0xffffffff; // u0 <= 1_9ffffff0 + ctx->h[1] = u1 & 0xffffffff; // u1 <= 1_97ffffe0 + ctx->h[2] = u2 & 0xffffffff; // u2 <= 1_8fffffe2 + ctx->h[3] = u3 & 0xffffffff; // u3 <= 1_87ffffe4 + ctx->h[4] = u4 & 0xffffffff; // u4 <= 4 + + //- # postconditions + //- ASSERT(ctx->h[4].limit() <= 4) + //- CQFD Poly1305 +} + +void crypto_poly1305_init(crypto_poly1305_ctx *ctx, const u8 key[32]) +{ + ZERO(ctx->h, 5); // Initial hash is zero + ctx->c_idx = 0; + // load r and pad (r has some of its bits cleared) + load32_le_buf(ctx->r , key , 4); + load32_le_buf(ctx->pad, key+16, 4); + FOR (i, 0, 1) { ctx->r[i] &= 0x0fffffff; } + FOR (i, 1, 4) { ctx->r[i] &= 0x0ffffffc; } +} + +void crypto_poly1305_update(crypto_poly1305_ctx *ctx, + const u8 *message, size_t message_size) +{ + // Align ourselves with block boundaries + size_t aligned = MIN(align(ctx->c_idx, 16), message_size); + FOR (i, 0, aligned) { + ctx->c[ctx->c_idx] = *message; + ctx->c_idx++; + message++; + message_size--; + } + + // If block is complete, process it + if (ctx->c_idx == 16) { + poly_block(ctx, ctx->c, 1); + ctx->c_idx = 0; + } + + // Process the message block by block + size_t nb_blocks = message_size >> 4; + FOR (i, 0, nb_blocks) { + poly_block(ctx, message, 1); + message += 16; + } + message_size &= 15; + + // remaining bytes (we never complete a block here) + FOR (i, 0, message_size) { + ctx->c[ctx->c_idx] = message[i]; + ctx->c_idx++; + } +} + +void crypto_poly1305_final(crypto_poly1305_ctx *ctx, u8 mac[16]) +{ + // Process the last block (if any) + // We move the final 1 according to remaining input length + // (this will add less than 2^130 to the last input block) + if (ctx->c_idx != 0) { + ZERO(ctx->c + ctx->c_idx, 16 - ctx->c_idx); + ctx->c[ctx->c_idx] = 1; + poly_block(ctx, ctx->c, 0); + } + + // check if we should subtract 2^130-5 by performing the + // corresponding carry propagation. + u64 c = 5; + FOR (i, 0, 4) { + c += ctx->h[i]; + c >>= 32; + } + c += ctx->h[4]; + c = (c >> 2) * 5; // shift the carry back to the beginning + // c now indicates how many times we should subtract 2^130-5 (0 or 1) + FOR (i, 0, 4) { + c += (u64)ctx->h[i] + ctx->pad[i]; + store32_le(mac + i*4, (u32)c); + c = c >> 32; + } + WIPE_CTX(ctx); +} + +void crypto_poly1305(u8 mac[16], const u8 *message, + size_t message_size, const u8 key[32]) +{ + crypto_poly1305_ctx ctx; + crypto_poly1305_init (&ctx, key); + crypto_poly1305_update(&ctx, message, message_size); + crypto_poly1305_final (&ctx, mac); +} + +//////////////// +/// BLAKE2 b /// +//////////////// +static const u64 iv[8] = { + 0x6a09e667f3bcc908, 0xbb67ae8584caa73b, + 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1, + 0x510e527fade682d1, 0x9b05688c2b3e6c1f, + 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179, +}; + +static void blake2b_compress(crypto_blake2b_ctx *ctx, int is_last_block) +{ + static const u8 sigma[12][16] = { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + }; + + // increment input offset + u64 *x = ctx->input_offset; + size_t y = ctx->input_idx; + x[0] += y; + if (x[0] < y) { + x[1]++; + } + + // init work vector + u64 v0 = ctx->hash[0]; u64 v8 = iv[0]; + u64 v1 = ctx->hash[1]; u64 v9 = iv[1]; + u64 v2 = ctx->hash[2]; u64 v10 = iv[2]; + u64 v3 = ctx->hash[3]; u64 v11 = iv[3]; + u64 v4 = ctx->hash[4]; u64 v12 = iv[4] ^ ctx->input_offset[0]; + u64 v5 = ctx->hash[5]; u64 v13 = iv[5] ^ ctx->input_offset[1]; + u64 v6 = ctx->hash[6]; u64 v14 = iv[6] ^ (u64)~(is_last_block - 1); + u64 v7 = ctx->hash[7]; u64 v15 = iv[7]; + + // mangle work vector + u64 *input = ctx->input; +#define BLAKE2_G(a, b, c, d, x, y) \ + a += b + x; d = rotr64(d ^ a, 32); \ + c += d; b = rotr64(b ^ c, 24); \ + a += b + y; d = rotr64(d ^ a, 16); \ + c += d; b = rotr64(b ^ c, 63) +#define BLAKE2_ROUND(i) \ + BLAKE2_G(v0, v4, v8 , v12, input[sigma[i][ 0]], input[sigma[i][ 1]]); \ + BLAKE2_G(v1, v5, v9 , v13, input[sigma[i][ 2]], input[sigma[i][ 3]]); \ + BLAKE2_G(v2, v6, v10, v14, input[sigma[i][ 4]], input[sigma[i][ 5]]); \ + BLAKE2_G(v3, v7, v11, v15, input[sigma[i][ 6]], input[sigma[i][ 7]]); \ + BLAKE2_G(v0, v5, v10, v15, input[sigma[i][ 8]], input[sigma[i][ 9]]); \ + BLAKE2_G(v1, v6, v11, v12, input[sigma[i][10]], input[sigma[i][11]]); \ + BLAKE2_G(v2, v7, v8 , v13, input[sigma[i][12]], input[sigma[i][13]]); \ + BLAKE2_G(v3, v4, v9 , v14, input[sigma[i][14]], input[sigma[i][15]]) + +#ifdef BLAKE2_NO_UNROLLING + FOR (i, 0, 12) { + BLAKE2_ROUND(i); + } +#else + BLAKE2_ROUND(0); BLAKE2_ROUND(1); BLAKE2_ROUND(2); BLAKE2_ROUND(3); + BLAKE2_ROUND(4); BLAKE2_ROUND(5); BLAKE2_ROUND(6); BLAKE2_ROUND(7); + BLAKE2_ROUND(8); BLAKE2_ROUND(9); BLAKE2_ROUND(10); BLAKE2_ROUND(11); +#endif + + // update hash + ctx->hash[0] ^= v0 ^ v8; ctx->hash[1] ^= v1 ^ v9; + ctx->hash[2] ^= v2 ^ v10; ctx->hash[3] ^= v3 ^ v11; + ctx->hash[4] ^= v4 ^ v12; ctx->hash[5] ^= v5 ^ v13; + ctx->hash[6] ^= v6 ^ v14; ctx->hash[7] ^= v7 ^ v15; +} + +void crypto_blake2b_keyed_init(crypto_blake2b_ctx *ctx, size_t hash_size, + const u8 *key, size_t key_size) +{ + // initial hash + COPY(ctx->hash, iv, 8); + ctx->hash[0] ^= 0x01010000 ^ (key_size << 8) ^ hash_size; + + ctx->input_offset[0] = 0; // beginning of the input, no offset + ctx->input_offset[1] = 0; // beginning of the input, no offset + ctx->hash_size = hash_size; + ctx->input_idx = 0; + ZERO(ctx->input, 16); + + // if there is a key, the first block is that key (padded with zeroes) + if (key_size > 0) { + u8 key_block[128] = {0}; + COPY(key_block, key, key_size); + // same as calling crypto_blake2b_update(ctx, key_block , 128) + load64_le_buf(ctx->input, key_block, 16); + ctx->input_idx = 128; + } +} + +void crypto_blake2b_init(crypto_blake2b_ctx *ctx, size_t hash_size) +{ + crypto_blake2b_keyed_init(ctx, hash_size, 0, 0); +} + +void crypto_blake2b_update(crypto_blake2b_ctx *ctx, + const u8 *message, size_t message_size) +{ + // Avoid undefined NULL pointer increments with empty messages + if (message_size == 0) { + return; + } + + // Align with word boundaries + if ((ctx->input_idx & 7) != 0) { + size_t nb_bytes = MIN(align(ctx->input_idx, 8), message_size); + size_t word = ctx->input_idx >> 3; + size_t byte = ctx->input_idx & 7; + FOR (i, 0, nb_bytes) { + ctx->input[word] |= (u64)message[i] << ((byte + i) << 3); + } + ctx->input_idx += nb_bytes; + message += nb_bytes; + message_size -= nb_bytes; + } + + // Align with block boundaries (faster than byte by byte) + if ((ctx->input_idx & 127) != 0) { + size_t nb_words = MIN(align(ctx->input_idx, 128), message_size) >> 3; + load64_le_buf(ctx->input + (ctx->input_idx >> 3), message, nb_words); + ctx->input_idx += nb_words << 3; + message += nb_words << 3; + message_size -= nb_words << 3; + } + + // Process block by block + size_t nb_blocks = message_size >> 7; + FOR (i, 0, nb_blocks) { + if (ctx->input_idx == 128) { + blake2b_compress(ctx, 0); + } + load64_le_buf(ctx->input, message, 16); + message += 128; + ctx->input_idx = 128; + } + message_size &= 127; + + if (message_size != 0) { + // Compress block & flush input buffer as needed + if (ctx->input_idx == 128) { + blake2b_compress(ctx, 0); + ctx->input_idx = 0; + } + if (ctx->input_idx == 0) { + ZERO(ctx->input, 16); + } + // Fill remaining words (faster than byte by byte) + size_t nb_words = message_size >> 3; + load64_le_buf(ctx->input, message, nb_words); + ctx->input_idx += nb_words << 3; + message += nb_words << 3; + message_size -= nb_words << 3; + + // Fill remaining bytes + FOR (i, 0, message_size) { + size_t word = ctx->input_idx >> 3; + size_t byte = ctx->input_idx & 7; + ctx->input[word] |= (u64)message[i] << (byte << 3); + ctx->input_idx++; + } + } +} + +void crypto_blake2b_final(crypto_blake2b_ctx *ctx, u8 *hash) +{ + blake2b_compress(ctx, 1); // compress the last block + size_t hash_size = MIN(ctx->hash_size, 64); + size_t nb_words = hash_size >> 3; + store64_le_buf(hash, ctx->hash, nb_words); + FOR (i, nb_words << 3, hash_size) { + hash[i] = (ctx->hash[i >> 3] >> (8 * (i & 7))) & 0xff; + } + WIPE_CTX(ctx); +} + +void crypto_blake2b_keyed(u8 *hash, size_t hash_size, + const u8 *key, size_t key_size, + const u8 *message, size_t message_size) +{ + crypto_blake2b_ctx ctx; + crypto_blake2b_keyed_init(&ctx, hash_size, key, key_size); + crypto_blake2b_update (&ctx, message, message_size); + crypto_blake2b_final (&ctx, hash); +} + +void crypto_blake2b(u8 *hash, size_t hash_size, const u8 *msg, size_t msg_size) +{ + crypto_blake2b_keyed(hash, hash_size, 0, 0, msg, msg_size); +} + +////////////// +/// Argon2 /// +////////////// +// references to R, Z, Q etc. come from the spec + +// Argon2 operates on 1024 byte blocks. +typedef struct { u64 a[128]; } blk; + +// updates a BLAKE2 hash with a 32 bit word, little endian. +static void blake_update_32(crypto_blake2b_ctx *ctx, u32 input) +{ + u8 buf[4]; + store32_le(buf, input); + crypto_blake2b_update(ctx, buf, 4); + WIPE_BUFFER(buf); +} + +static void blake_update_32_buf(crypto_blake2b_ctx *ctx, + const u8 *buf, u32 size) +{ + blake_update_32(ctx, size); + crypto_blake2b_update(ctx, buf, size); +} + + +static void copy_block(blk *o,const blk*in){FOR(i, 0, 128) o->a[i] = in->a[i];} +static void xor_block(blk *o,const blk*in){FOR(i, 0, 128) o->a[i] ^= in->a[i];} + +// Hash with a virtually unlimited digest size. +// Doesn't extract more entropy than the base hash function. +// Mainly used for filling a whole kilobyte block with pseudo-random bytes. +// (One could use a stream cipher with a seed hash as the key, but +// this would introduce another dependency —and point of failure.) +static void extended_hash(u8 *digest, u32 digest_size, + const u8 *input , u32 input_size) +{ + crypto_blake2b_ctx ctx; + crypto_blake2b_init (&ctx, MIN(digest_size, 64)); + blake_update_32 (&ctx, digest_size); + crypto_blake2b_update(&ctx, input, input_size); + crypto_blake2b_final (&ctx, digest); + + if (digest_size > 64) { + // the conversion to u64 avoids integer overflow on + // ludicrously big hash sizes. + u32 r = (u32)(((u64)digest_size + 31) >> 5) - 2; + u32 i = 1; + u32 in = 0; + u32 out = 32; + while (i < r) { + // Input and output overlap. This is intentional + crypto_blake2b(digest + out, 64, digest + in, 64); + i += 1; + in += 32; + out += 32; + } + crypto_blake2b(digest + out, digest_size - (32 * r), digest + in , 64); + } +} + +#define LSB(x) ((x) & 0xffffffff) +#define G(a, b, c, d) \ + a += b + 2 * LSB(a) * LSB(b); d ^= a; d = rotr64(d, 32); \ + c += d + 2 * LSB(c) * LSB(d); b ^= c; b = rotr64(b, 24); \ + a += b + 2 * LSB(a) * LSB(b); d ^= a; d = rotr64(d, 16); \ + c += d + 2 * LSB(c) * LSB(d); b ^= c; b = rotr64(b, 63) +#define ROUND(v0, v1, v2, v3, v4, v5, v6, v7, \ + v8, v9, v10, v11, v12, v13, v14, v15) \ + G(v0, v4, v8, v12); G(v1, v5, v9, v13); \ + G(v2, v6, v10, v14); G(v3, v7, v11, v15); \ + G(v0, v5, v10, v15); G(v1, v6, v11, v12); \ + G(v2, v7, v8, v13); G(v3, v4, v9, v14) + +// Core of the compression function G. Computes Z from R in place. +static void g_rounds(blk *b) +{ + // column rounds (work_block = Q) + for (int i = 0; i < 128; i += 16) { + ROUND(b->a[i ], b->a[i+ 1], b->a[i+ 2], b->a[i+ 3], + b->a[i+ 4], b->a[i+ 5], b->a[i+ 6], b->a[i+ 7], + b->a[i+ 8], b->a[i+ 9], b->a[i+10], b->a[i+11], + b->a[i+12], b->a[i+13], b->a[i+14], b->a[i+15]); + } + // row rounds (b = Z) + for (int i = 0; i < 16; i += 2) { + ROUND(b->a[i ], b->a[i+ 1], b->a[i+ 16], b->a[i+ 17], + b->a[i+32], b->a[i+33], b->a[i+ 48], b->a[i+ 49], + b->a[i+64], b->a[i+65], b->a[i+ 80], b->a[i+ 81], + b->a[i+96], b->a[i+97], b->a[i+112], b->a[i+113]); + } +} + +const crypto_argon2_extras crypto_argon2_no_extras = { 0, 0, 0, 0 }; + +void crypto_argon2(u8 *hash, u32 hash_size, void *work_area, + crypto_argon2_config config, + crypto_argon2_inputs inputs, + crypto_argon2_extras extras) +{ + const u32 segment_size = config.nb_blocks / config.nb_lanes / 4; + const u32 lane_size = segment_size * 4; + const u32 nb_blocks = lane_size * config.nb_lanes; // rounding down + + // work area seen as blocks (must be suitably aligned) + blk *blocks = (blk*)work_area; + { + u8 initial_hash[72]; // 64 bytes plus 2 words for future hashes + crypto_blake2b_ctx ctx; + crypto_blake2b_init (&ctx, 64); + blake_update_32 (&ctx, config.nb_lanes ); // p: number of "threads" + blake_update_32 (&ctx, hash_size); + blake_update_32 (&ctx, config.nb_blocks); + blake_update_32 (&ctx, config.nb_passes); + blake_update_32 (&ctx, 0x13); // v: version number + blake_update_32 (&ctx, config.algorithm); // y: Argon2i, Argon2d... + blake_update_32_buf (&ctx, inputs.pass, inputs.pass_size); + blake_update_32_buf (&ctx, inputs.salt, inputs.salt_size); + blake_update_32_buf (&ctx, extras.key, extras.key_size); + blake_update_32_buf (&ctx, extras.ad, extras.ad_size); + crypto_blake2b_final(&ctx, initial_hash); // fill 64 first bytes only + + // fill first 2 blocks of each lane + u8 hash_area[1024]; + FOR_T(u32, l, 0, config.nb_lanes) { + FOR_T(u32, i, 0, 2) { + store32_le(initial_hash + 64, i); // first additional word + store32_le(initial_hash + 68, l); // second additional word + extended_hash(hash_area, 1024, initial_hash, 72); + load64_le_buf(blocks[l * lane_size + i].a, hash_area, 128); + } + } + + WIPE_BUFFER(initial_hash); + WIPE_BUFFER(hash_area); + } + + // Argon2i and Argon2id start with constant time indexing + int constant_time = config.algorithm != CRYPTO_ARGON2_D; + + // Fill (and re-fill) the rest of the blocks + // + // Note: even though each segment within the same slice can be + // computed in parallel, (one thread per lane), we are computing + // them sequentially, because Monocypher doesn't support threads. + // + // Yet optimal performance (and therefore security) requires one + // thread per lane. The only reason Monocypher supports multiple + // lanes is compatibility. + blk tmp; + FOR_T(u32, pass, 0, config.nb_passes) { + FOR_T(u32, slice, 0, 4) { + // On the first slice of the first pass, + // blocks 0 and 1 are already filled, hence pass_offset. + u32 pass_offset = pass == 0 && slice == 0 ? 2 : 0; + u32 slice_offset = slice * segment_size; + + // Argon2id switches back to non-constant time indexing + // after the first two slices of the first pass + if (slice == 2 && config.algorithm == CRYPTO_ARGON2_ID) { + constant_time = 0; + } + + // Each iteration of the following loop may be performed in + // a separate thread. All segments must be fully completed + // before we start filling the next slice. + FOR_T(u32, segment, 0, config.nb_lanes) { + blk index_block; + u32 index_ctr = 1; + FOR_T (u32, block, pass_offset, segment_size) { + // Current and previous blocks + u32 lane_offset = segment * lane_size; + blk *segment_start = blocks + lane_offset + slice_offset; + blk *current = segment_start + block; + blk *previous = + block == 0 && slice_offset == 0 + ? segment_start + lane_size - 1 + : segment_start + block - 1; + + u64 index_seed; + if (constant_time) { + if (block == pass_offset || (block % 128) == 0) { + // Fill or refresh deterministic indices block + + // seed the beginning of the block... + ZERO(index_block.a, 128); + index_block.a[0] = pass; + index_block.a[1] = segment; + index_block.a[2] = slice; + index_block.a[3] = nb_blocks; + index_block.a[4] = config.nb_passes; + index_block.a[5] = config.algorithm; + index_block.a[6] = index_ctr; + index_ctr++; + + // ... then shuffle it + copy_block(&tmp, &index_block); + g_rounds (&index_block); + xor_block (&index_block, &tmp); + copy_block(&tmp, &index_block); + g_rounds (&index_block); + xor_block (&index_block, &tmp); + } + index_seed = index_block.a[block % 128]; + } else { + index_seed = previous->a[0]; + } + + // Establish the reference set. *Approximately* comprises: + // - The last 3 slices (if they exist yet) + // - The already constructed blocks in the current segment + u32 next_slice = ((slice + 1) % 4) * segment_size; + u32 window_start = pass == 0 ? 0 : next_slice; + u32 nb_segments = pass == 0 ? slice : 3; + u32 window_size = nb_segments * segment_size + block - 1; + + // Find reference block + u64 j1 = index_seed & 0xffffffff; // block selector + u64 j2 = index_seed >> 32; // lane selector + u64 x = (j1 * j1) >> 32; + u64 y = (window_size * x) >> 32; + u64 z = (window_size - 1) - y; + u64 ref = (window_start + z) % lane_size; + u32 index = (j2%config.nb_lanes)*lane_size + (u32)ref; + blk *reference = blocks + index; + + // Shuffle the previous & reference block + // into the current block + copy_block(&tmp, previous); + xor_block (&tmp, reference); + if (pass == 0) { copy_block(current, &tmp); } + else { xor_block (current, &tmp); } + g_rounds (&tmp); + xor_block (current, &tmp); + } + } + } + } + + // Wipe temporary block + volatile u64* p = tmp.a; + ZERO(p, 128); + + // XOR last blocks of each lane + blk *last_block = blocks + lane_size - 1; + FOR_T (u32, lane, 1, config.nb_lanes) { + blk *next_block = last_block + lane_size; + xor_block(next_block, last_block); + last_block = next_block; + } + + // Serialize last block + u8 final_block[1024]; + store64_le_buf(final_block, last_block->a, 128); + + // Wipe work area + p = (u64*)work_area; + ZERO(p, 128 * nb_blocks); + + // Hash the very last block with H' into the output hash + extended_hash(hash, hash_size, final_block, 1024); + WIPE_BUFFER(final_block); +} + +//////////////////////////////////// +/// Arithmetic modulo 2^255 - 19 /// +//////////////////////////////////// +// Originally taken from SUPERCOP's ref10 implementation. +// A bit bigger than TweetNaCl, over 4 times faster. + +// field element +typedef i32 fe[10]; + +// field constants +// +// fe_one : 1 +// sqrtm1 : sqrt(-1) +// d : -121665 / 121666 +// D2 : 2 * -121665 / 121666 +// lop_x, lop_y: low order point in Edwards coordinates +// ufactor : -sqrt(-1) * 2 +// A2 : 486662^2 (A squared) +static const fe fe_one = {1}; +static const fe sqrtm1 = { + -32595792, -7943725, 9377950, 3500415, 12389472, + -272473, -25146209, -2005654, 326686, 11406482, +}; +static const fe d = { + -10913610, 13857413, -15372611, 6949391, 114729, + -8787816, -6275908, -3247719, -18696448, -12055116, +}; +static const fe D2 = { + -21827239, -5839606, -30745221, 13898782, 229458, + 15978800, -12551817, -6495438, 29715968, 9444199, +}; +static const fe lop_x = { + 21352778, 5345713, 4660180, -8347857, 24143090, + 14568123, 30185756, -12247770, -33528939, 8345319, +}; +static const fe lop_y = { + -6952922, -1265500, 6862341, -7057498, -4037696, + -5447722, 31680899, -15325402, -19365852, 1569102, +}; +static const fe ufactor = { + -1917299, 15887451, -18755900, -7000830, -24778944, + 544946, -16816446, 4011309, -653372, 10741468, +}; +static const fe A2 = { + 12721188, 3529, 0, 0, 0, 0, 0, 0, 0, 0, +}; + +static void fe_0(fe h) { ZERO(h , 10); } +static void fe_1(fe h) { h[0] = 1; ZERO(h+1, 9); } + +static void fe_copy(fe h,const fe f ){FOR(i,0,10) h[i] = f[i]; } +static void fe_neg (fe h,const fe f ){FOR(i,0,10) h[i] = -f[i]; } +static void fe_add (fe h,const fe f,const fe g){FOR(i,0,10) h[i] = f[i] + g[i];} +static void fe_sub (fe h,const fe f,const fe g){FOR(i,0,10) h[i] = f[i] - g[i];} + +static void fe_cswap(fe f, fe g, int b) +{ + i32 mask = -b; // -1 = 0xffffffff + FOR (i, 0, 10) { + i32 x = (f[i] ^ g[i]) & mask; + f[i] = f[i] ^ x; + g[i] = g[i] ^ x; + } +} + +static void fe_ccopy(fe f, const fe g, int b) +{ + i32 mask = -b; // -1 = 0xffffffff + FOR (i, 0, 10) { + i32 x = (f[i] ^ g[i]) & mask; + f[i] = f[i] ^ x; + } +} + + +// Signed carry propagation +// ------------------------ +// +// Let t be a number. It can be uniquely decomposed thus: +// +// t = h*2^26 + l +// such that -2^25 <= l < 2^25 +// +// Let c = (t + 2^25) / 2^26 (rounded down) +// c = (h*2^26 + l + 2^25) / 2^26 (rounded down) +// c = h + (l + 2^25) / 2^26 (rounded down) +// c = h (exactly) +// Because 0 <= l + 2^25 < 2^26 +// +// Let u = t - c*2^26 +// u = h*2^26 + l - h*2^26 +// u = l +// Therefore, -2^25 <= u < 2^25 +// +// Additionally, if |t| < x, then |h| < x/2^26 (rounded down) +// +// Notations: +// - In C, 1<<25 means 2^25. +// - In C, x>>25 means floor(x / (2^25)). +// - All of the above applies with 25 & 24 as well as 26 & 25. +// +// +// Note on negative right shifts +// ----------------------------- +// +// In C, x >> n, where x is a negative integer, is implementation +// defined. In practice, all platforms do arithmetic shift, which is +// equivalent to division by 2^26, rounded down. Some compilers, like +// GCC, even guarantee it. +// +// If we ever stumble upon a platform that does not propagate the sign +// bit (we won't), visible failures will show at the slightest test, and +// the signed shifts can be replaced by the following: +// +// typedef struct { i64 x:39; } s25; +// typedef struct { i64 x:38; } s26; +// i64 shift25(i64 x) { s25 s; s.x = ((u64)x)>>25; return s.x; } +// i64 shift26(i64 x) { s26 s; s.x = ((u64)x)>>26; return s.x; } +// +// Current compilers cannot optimise this, causing a 30% drop in +// performance. Fairly expensive for something that never happens. +// +// +// Precondition +// ------------ +// +// |t0| < 2^63 +// |t1|..|t9| < 2^62 +// +// Algorithm +// --------- +// c = t0 + 2^25 / 2^26 -- |c| <= 2^36 +// t0 -= c * 2^26 -- |t0| <= 2^25 +// t1 += c -- |t1| <= 2^63 +// +// c = t4 + 2^25 / 2^26 -- |c| <= 2^36 +// t4 -= c * 2^26 -- |t4| <= 2^25 +// t5 += c -- |t5| <= 2^63 +// +// c = t1 + 2^24 / 2^25 -- |c| <= 2^38 +// t1 -= c * 2^25 -- |t1| <= 2^24 +// t2 += c -- |t2| <= 2^63 +// +// c = t5 + 2^24 / 2^25 -- |c| <= 2^38 +// t5 -= c * 2^25 -- |t5| <= 2^24 +// t6 += c -- |t6| <= 2^63 +// +// c = t2 + 2^25 / 2^26 -- |c| <= 2^37 +// t2 -= c * 2^26 -- |t2| <= 2^25 < 1.1 * 2^25 (final t2) +// t3 += c -- |t3| <= 2^63 +// +// c = t6 + 2^25 / 2^26 -- |c| <= 2^37 +// t6 -= c * 2^26 -- |t6| <= 2^25 < 1.1 * 2^25 (final t6) +// t7 += c -- |t7| <= 2^63 +// +// c = t3 + 2^24 / 2^25 -- |c| <= 2^38 +// t3 -= c * 2^25 -- |t3| <= 2^24 < 1.1 * 2^24 (final t3) +// t4 += c -- |t4| <= 2^25 + 2^38 < 2^39 +// +// c = t7 + 2^24 / 2^25 -- |c| <= 2^38 +// t7 -= c * 2^25 -- |t7| <= 2^24 < 1.1 * 2^24 (final t7) +// t8 += c -- |t8| <= 2^63 +// +// c = t4 + 2^25 / 2^26 -- |c| <= 2^13 +// t4 -= c * 2^26 -- |t4| <= 2^25 < 1.1 * 2^25 (final t4) +// t5 += c -- |t5| <= 2^24 + 2^13 < 1.1 * 2^24 (final t5) +// +// c = t8 + 2^25 / 2^26 -- |c| <= 2^37 +// t8 -= c * 2^26 -- |t8| <= 2^25 < 1.1 * 2^25 (final t8) +// t9 += c -- |t9| <= 2^63 +// +// c = t9 + 2^24 / 2^25 -- |c| <= 2^38 +// t9 -= c * 2^25 -- |t9| <= 2^24 < 1.1 * 2^24 (final t9) +// t0 += c * 19 -- |t0| <= 2^25 + 2^38*19 < 2^44 +// +// c = t0 + 2^25 / 2^26 -- |c| <= 2^18 +// t0 -= c * 2^26 -- |t0| <= 2^25 < 1.1 * 2^25 (final t0) +// t1 += c -- |t1| <= 2^24 + 2^18 < 1.1 * 2^24 (final t1) +// +// Postcondition +// ------------- +// |t0|, |t2|, |t4|, |t6|, |t8| < 1.1 * 2^25 +// |t1|, |t3|, |t5|, |t7|, |t9| < 1.1 * 2^24 +#define FE_CARRY \ + i64 c; \ + c = (t0 + ((i64)1<<25)) >> 26; t0 -= c * ((i64)1 << 26); t1 += c; \ + c = (t4 + ((i64)1<<25)) >> 26; t4 -= c * ((i64)1 << 26); t5 += c; \ + c = (t1 + ((i64)1<<24)) >> 25; t1 -= c * ((i64)1 << 25); t2 += c; \ + c = (t5 + ((i64)1<<24)) >> 25; t5 -= c * ((i64)1 << 25); t6 += c; \ + c = (t2 + ((i64)1<<25)) >> 26; t2 -= c * ((i64)1 << 26); t3 += c; \ + c = (t6 + ((i64)1<<25)) >> 26; t6 -= c * ((i64)1 << 26); t7 += c; \ + c = (t3 + ((i64)1<<24)) >> 25; t3 -= c * ((i64)1 << 25); t4 += c; \ + c = (t7 + ((i64)1<<24)) >> 25; t7 -= c * ((i64)1 << 25); t8 += c; \ + c = (t4 + ((i64)1<<25)) >> 26; t4 -= c * ((i64)1 << 26); t5 += c; \ + c = (t8 + ((i64)1<<25)) >> 26; t8 -= c * ((i64)1 << 26); t9 += c; \ + c = (t9 + ((i64)1<<24)) >> 25; t9 -= c * ((i64)1 << 25); t0 += c * 19; \ + c = (t0 + ((i64)1<<25)) >> 26; t0 -= c * ((i64)1 << 26); t1 += c; \ + h[0]=(i32)t0; h[1]=(i32)t1; h[2]=(i32)t2; h[3]=(i32)t3; h[4]=(i32)t4; \ + h[5]=(i32)t5; h[6]=(i32)t6; h[7]=(i32)t7; h[8]=(i32)t8; h[9]=(i32)t9 + +// Decodes a field element from a byte buffer. +// mask specifies how many bits we ignore. +// Traditionally we ignore 1. It's useful for EdDSA, +// which uses that bit to denote the sign of x. +// Elligator however uses positive representatives, +// which means ignoring 2 bits instead. +static void fe_frombytes_mask(fe h, const u8 s[32], unsigned nb_mask) +{ + u32 mask = 0xffffff >> nb_mask; + i64 t0 = load32_le(s); // t0 < 2^32 + i64 t1 = load24_le(s + 4) << 6; // t1 < 2^30 + i64 t2 = load24_le(s + 7) << 5; // t2 < 2^29 + i64 t3 = load24_le(s + 10) << 3; // t3 < 2^27 + i64 t4 = load24_le(s + 13) << 2; // t4 < 2^26 + i64 t5 = load32_le(s + 16); // t5 < 2^32 + i64 t6 = load24_le(s + 20) << 7; // t6 < 2^31 + i64 t7 = load24_le(s + 23) << 5; // t7 < 2^29 + i64 t8 = load24_le(s + 26) << 4; // t8 < 2^28 + i64 t9 = (load24_le(s + 29) & mask) << 2; // t9 < 2^25 + FE_CARRY; // Carry precondition OK +} + +static void fe_frombytes(fe h, const u8 s[32]) +{ + fe_frombytes_mask(h, s, 1); +} + + +// Precondition +// |h[0]|, |h[2]|, |h[4]|, |h[6]|, |h[8]| < 1.1 * 2^25 +// |h[1]|, |h[3]|, |h[5]|, |h[7]|, |h[9]| < 1.1 * 2^24 +// +// Therefore, |h| < 2^255-19 +// There are two possibilities: +// +// - If h is positive, all we need to do is reduce its individual +// limbs down to their tight positive range. +// - If h is negative, we also need to add 2^255-19 to it. +// Or just remove 19 and chop off any excess bit. +static void fe_tobytes(u8 s[32], const fe h) +{ + i32 t[10]; + COPY(t, h, 10); + i32 q = (19 * t[9] + (((i32) 1) << 24)) >> 25; + // |t9| < 1.1 * 2^24 + // -1.1 * 2^24 < t9 < 1.1 * 2^24 + // -21 * 2^24 < 19 * t9 < 21 * 2^24 + // -2^29 < 19 * t9 + 2^24 < 2^29 + // -2^29 / 2^25 < (19 * t9 + 2^24) / 2^25 < 2^29 / 2^25 + // -16 < (19 * t9 + 2^24) / 2^25 < 16 + FOR (i, 0, 5) { + q += t[2*i ]; q >>= 26; // q = 0 or -1 + q += t[2*i+1]; q >>= 25; // q = 0 or -1 + } + // q = 0 iff h >= 0 + // q = -1 iff h < 0 + // Adding q * 19 to h reduces h to its proper range. + q *= 19; // Shift carry back to the beginning + FOR (i, 0, 5) { + t[i*2 ] += q; q = t[i*2 ] >> 26; t[i*2 ] -= q * ((i32)1 << 26); + t[i*2+1] += q; q = t[i*2+1] >> 25; t[i*2+1] -= q * ((i32)1 << 25); + } + // h is now fully reduced, and q represents the excess bit. + + store32_le(s + 0, ((u32)t[0] >> 0) | ((u32)t[1] << 26)); + store32_le(s + 4, ((u32)t[1] >> 6) | ((u32)t[2] << 19)); + store32_le(s + 8, ((u32)t[2] >> 13) | ((u32)t[3] << 13)); + store32_le(s + 12, ((u32)t[3] >> 19) | ((u32)t[4] << 6)); + store32_le(s + 16, ((u32)t[5] >> 0) | ((u32)t[6] << 25)); + store32_le(s + 20, ((u32)t[6] >> 7) | ((u32)t[7] << 19)); + store32_le(s + 24, ((u32)t[7] >> 13) | ((u32)t[8] << 12)); + store32_le(s + 28, ((u32)t[8] >> 20) | ((u32)t[9] << 6)); + + WIPE_BUFFER(t); +} + +// Precondition +// ------------- +// |f0|, |f2|, |f4|, |f6|, |f8| < 1.65 * 2^26 +// |f1|, |f3|, |f5|, |f7|, |f9| < 1.65 * 2^25 +// +// |g0|, |g2|, |g4|, |g6|, |g8| < 1.65 * 2^26 +// |g1|, |g3|, |g5|, |g7|, |g9| < 1.65 * 2^25 +static void fe_mul_small(fe h, const fe f, i32 g) +{ + i64 t0 = f[0] * (i64) g; i64 t1 = f[1] * (i64) g; + i64 t2 = f[2] * (i64) g; i64 t3 = f[3] * (i64) g; + i64 t4 = f[4] * (i64) g; i64 t5 = f[5] * (i64) g; + i64 t6 = f[6] * (i64) g; i64 t7 = f[7] * (i64) g; + i64 t8 = f[8] * (i64) g; i64 t9 = f[9] * (i64) g; + // |t0|, |t2|, |t4|, |t6|, |t8| < 1.65 * 2^26 * 2^31 < 2^58 + // |t1|, |t3|, |t5|, |t7|, |t9| < 1.65 * 2^25 * 2^31 < 2^57 + + FE_CARRY; // Carry precondition OK +} + +// Precondition +// ------------- +// |f0|, |f2|, |f4|, |f6|, |f8| < 1.65 * 2^26 +// |f1|, |f3|, |f5|, |f7|, |f9| < 1.65 * 2^25 +// +// |g0|, |g2|, |g4|, |g6|, |g8| < 1.65 * 2^26 +// |g1|, |g3|, |g5|, |g7|, |g9| < 1.65 * 2^25 +static void fe_mul(fe h, const fe f, const fe g) +{ + // Everything is unrolled and put in temporary variables. + // We could roll the loop, but that would make curve25519 twice as slow. + i32 f0 = f[0]; i32 f1 = f[1]; i32 f2 = f[2]; i32 f3 = f[3]; i32 f4 = f[4]; + i32 f5 = f[5]; i32 f6 = f[6]; i32 f7 = f[7]; i32 f8 = f[8]; i32 f9 = f[9]; + i32 g0 = g[0]; i32 g1 = g[1]; i32 g2 = g[2]; i32 g3 = g[3]; i32 g4 = g[4]; + i32 g5 = g[5]; i32 g6 = g[6]; i32 g7 = g[7]; i32 g8 = g[8]; i32 g9 = g[9]; + i32 F1 = f1*2; i32 F3 = f3*2; i32 F5 = f5*2; i32 F7 = f7*2; i32 F9 = f9*2; + i32 G1 = g1*19; i32 G2 = g2*19; i32 G3 = g3*19; + i32 G4 = g4*19; i32 G5 = g5*19; i32 G6 = g6*19; + i32 G7 = g7*19; i32 G8 = g8*19; i32 G9 = g9*19; + // |F1|, |F3|, |F5|, |F7|, |F9| < 1.65 * 2^26 + // |G0|, |G2|, |G4|, |G6|, |G8| < 2^31 + // |G1|, |G3|, |G5|, |G7|, |G9| < 2^30 + + i64 t0 = f0*(i64)g0 + F1*(i64)G9 + f2*(i64)G8 + F3*(i64)G7 + f4*(i64)G6 + + F5*(i64)G5 + f6*(i64)G4 + F7*(i64)G3 + f8*(i64)G2 + F9*(i64)G1; + i64 t1 = f0*(i64)g1 + f1*(i64)g0 + f2*(i64)G9 + f3*(i64)G8 + f4*(i64)G7 + + f5*(i64)G6 + f6*(i64)G5 + f7*(i64)G4 + f8*(i64)G3 + f9*(i64)G2; + i64 t2 = f0*(i64)g2 + F1*(i64)g1 + f2*(i64)g0 + F3*(i64)G9 + f4*(i64)G8 + + F5*(i64)G7 + f6*(i64)G6 + F7*(i64)G5 + f8*(i64)G4 + F9*(i64)G3; + i64 t3 = f0*(i64)g3 + f1*(i64)g2 + f2*(i64)g1 + f3*(i64)g0 + f4*(i64)G9 + + f5*(i64)G8 + f6*(i64)G7 + f7*(i64)G6 + f8*(i64)G5 + f9*(i64)G4; + i64 t4 = f0*(i64)g4 + F1*(i64)g3 + f2*(i64)g2 + F3*(i64)g1 + f4*(i64)g0 + + F5*(i64)G9 + f6*(i64)G8 + F7*(i64)G7 + f8*(i64)G6 + F9*(i64)G5; + i64 t5 = f0*(i64)g5 + f1*(i64)g4 + f2*(i64)g3 + f3*(i64)g2 + f4*(i64)g1 + + f5*(i64)g0 + f6*(i64)G9 + f7*(i64)G8 + f8*(i64)G7 + f9*(i64)G6; + i64 t6 = f0*(i64)g6 + F1*(i64)g5 + f2*(i64)g4 + F3*(i64)g3 + f4*(i64)g2 + + F5*(i64)g1 + f6*(i64)g0 + F7*(i64)G9 + f8*(i64)G8 + F9*(i64)G7; + i64 t7 = f0*(i64)g7 + f1*(i64)g6 + f2*(i64)g5 + f3*(i64)g4 + f4*(i64)g3 + + f5*(i64)g2 + f6*(i64)g1 + f7*(i64)g0 + f8*(i64)G9 + f9*(i64)G8; + i64 t8 = f0*(i64)g8 + F1*(i64)g7 + f2*(i64)g6 + F3*(i64)g5 + f4*(i64)g4 + + F5*(i64)g3 + f6*(i64)g2 + F7*(i64)g1 + f8*(i64)g0 + F9*(i64)G9; + i64 t9 = f0*(i64)g9 + f1*(i64)g8 + f2*(i64)g7 + f3*(i64)g6 + f4*(i64)g5 + + f5*(i64)g4 + f6*(i64)g3 + f7*(i64)g2 + f8*(i64)g1 + f9*(i64)g0; + // t0 < 0.67 * 2^61 + // t1 < 0.41 * 2^61 + // t2 < 0.52 * 2^61 + // t3 < 0.32 * 2^61 + // t4 < 0.38 * 2^61 + // t5 < 0.22 * 2^61 + // t6 < 0.23 * 2^61 + // t7 < 0.13 * 2^61 + // t8 < 0.09 * 2^61 + // t9 < 0.03 * 2^61 + + FE_CARRY; // Everything below 2^62, Carry precondition OK +} + +// Precondition +// ------------- +// |f0|, |f2|, |f4|, |f6|, |f8| < 1.65 * 2^26 +// |f1|, |f3|, |f5|, |f7|, |f9| < 1.65 * 2^25 +// +// Note: we could use fe_mul() for this, but this is significantly faster +static void fe_sq(fe h, const fe f) +{ + i32 f0 = f[0]; i32 f1 = f[1]; i32 f2 = f[2]; i32 f3 = f[3]; i32 f4 = f[4]; + i32 f5 = f[5]; i32 f6 = f[6]; i32 f7 = f[7]; i32 f8 = f[8]; i32 f9 = f[9]; + i32 f0_2 = f0*2; i32 f1_2 = f1*2; i32 f2_2 = f2*2; i32 f3_2 = f3*2; + i32 f4_2 = f4*2; i32 f5_2 = f5*2; i32 f6_2 = f6*2; i32 f7_2 = f7*2; + i32 f5_38 = f5*38; i32 f6_19 = f6*19; i32 f7_38 = f7*38; + i32 f8_19 = f8*19; i32 f9_38 = f9*38; + // |f0_2| , |f2_2| , |f4_2| , |f6_2| , |f8_2| < 1.65 * 2^27 + // |f1_2| , |f3_2| , |f5_2| , |f7_2| , |f9_2| < 1.65 * 2^26 + // |f5_38|, |f6_19|, |f7_38|, |f8_19|, |f9_38| < 2^31 + + i64 t0 = f0 *(i64)f0 + f1_2*(i64)f9_38 + f2_2*(i64)f8_19 + + f3_2*(i64)f7_38 + f4_2*(i64)f6_19 + f5 *(i64)f5_38; + i64 t1 = f0_2*(i64)f1 + f2 *(i64)f9_38 + f3_2*(i64)f8_19 + + f4 *(i64)f7_38 + f5_2*(i64)f6_19; + i64 t2 = f0_2*(i64)f2 + f1_2*(i64)f1 + f3_2*(i64)f9_38 + + f4_2*(i64)f8_19 + f5_2*(i64)f7_38 + f6 *(i64)f6_19; + i64 t3 = f0_2*(i64)f3 + f1_2*(i64)f2 + f4 *(i64)f9_38 + + f5_2*(i64)f8_19 + f6 *(i64)f7_38; + i64 t4 = f0_2*(i64)f4 + f1_2*(i64)f3_2 + f2 *(i64)f2 + + f5_2*(i64)f9_38 + f6_2*(i64)f8_19 + f7 *(i64)f7_38; + i64 t5 = f0_2*(i64)f5 + f1_2*(i64)f4 + f2_2*(i64)f3 + + f6 *(i64)f9_38 + f7_2*(i64)f8_19; + i64 t6 = f0_2*(i64)f6 + f1_2*(i64)f5_2 + f2_2*(i64)f4 + + f3_2*(i64)f3 + f7_2*(i64)f9_38 + f8 *(i64)f8_19; + i64 t7 = f0_2*(i64)f7 + f1_2*(i64)f6 + f2_2*(i64)f5 + + f3_2*(i64)f4 + f8 *(i64)f9_38; + i64 t8 = f0_2*(i64)f8 + f1_2*(i64)f7_2 + f2_2*(i64)f6 + + f3_2*(i64)f5_2 + f4 *(i64)f4 + f9 *(i64)f9_38; + i64 t9 = f0_2*(i64)f9 + f1_2*(i64)f8 + f2_2*(i64)f7 + + f3_2*(i64)f6 + f4 *(i64)f5_2; + // t0 < 0.67 * 2^61 + // t1 < 0.41 * 2^61 + // t2 < 0.52 * 2^61 + // t3 < 0.32 * 2^61 + // t4 < 0.38 * 2^61 + // t5 < 0.22 * 2^61 + // t6 < 0.23 * 2^61 + // t7 < 0.13 * 2^61 + // t8 < 0.09 * 2^61 + // t9 < 0.03 * 2^61 + + FE_CARRY; +} + +// Parity check. Returns 0 if even, 1 if odd +static int fe_isodd(const fe f) +{ + u8 s[32]; + fe_tobytes(s, f); + u8 isodd = s[0] & 1; + WIPE_BUFFER(s); + return isodd; +} + +// Returns 1 if equal, 0 if not equal +static int fe_isequal(const fe f, const fe g) +{ + u8 fs[32]; + u8 gs[32]; + fe_tobytes(fs, f); + fe_tobytes(gs, g); + int isdifferent = crypto_verify32(fs, gs); + WIPE_BUFFER(fs); + WIPE_BUFFER(gs); + return 1 + isdifferent; +} + +// Inverse square root. +// Returns true if x is a square, false otherwise. +// After the call: +// isr = sqrt(1/x) if x is a non-zero square. +// isr = sqrt(sqrt(-1)/x) if x is not a square. +// isr = 0 if x is zero. +// We do not guarantee the sign of the square root. +// +// Notes: +// Let quartic = x^((p-1)/4) +// +// x^((p-1)/2) = chi(x) +// quartic^2 = chi(x) +// quartic = sqrt(chi(x)) +// quartic = 1 or -1 or sqrt(-1) or -sqrt(-1) +// +// Note that x is a square if quartic is 1 or -1 +// There are 4 cases to consider: +// +// if quartic = 1 (x is a square) +// then x^((p-1)/4) = 1 +// x^((p-5)/4) * x = 1 +// x^((p-5)/4) = 1/x +// x^((p-5)/8) = sqrt(1/x) or -sqrt(1/x) +// +// if quartic = -1 (x is a square) +// then x^((p-1)/4) = -1 +// x^((p-5)/4) * x = -1 +// x^((p-5)/4) = -1/x +// x^((p-5)/8) = sqrt(-1) / sqrt(x) +// x^((p-5)/8) * sqrt(-1) = sqrt(-1)^2 / sqrt(x) +// x^((p-5)/8) * sqrt(-1) = -1/sqrt(x) +// x^((p-5)/8) * sqrt(-1) = -sqrt(1/x) or sqrt(1/x) +// +// if quartic = sqrt(-1) (x is not a square) +// then x^((p-1)/4) = sqrt(-1) +// x^((p-5)/4) * x = sqrt(-1) +// x^((p-5)/4) = sqrt(-1)/x +// x^((p-5)/8) = sqrt(sqrt(-1)/x) or -sqrt(sqrt(-1)/x) +// +// Note that the product of two non-squares is always a square: +// For any non-squares a and b, chi(a) = -1 and chi(b) = -1. +// Since chi(x) = x^((p-1)/2), chi(a)*chi(b) = chi(a*b) = 1. +// Therefore a*b is a square. +// +// Since sqrt(-1) and x are both non-squares, their product is a +// square, and we can compute their square root. +// +// if quartic = -sqrt(-1) (x is not a square) +// then x^((p-1)/4) = -sqrt(-1) +// x^((p-5)/4) * x = -sqrt(-1) +// x^((p-5)/4) = -sqrt(-1)/x +// x^((p-5)/8) = sqrt(-sqrt(-1)/x) +// x^((p-5)/8) = sqrt( sqrt(-1)/x) * sqrt(-1) +// x^((p-5)/8) * sqrt(-1) = sqrt( sqrt(-1)/x) * sqrt(-1)^2 +// x^((p-5)/8) * sqrt(-1) = sqrt( sqrt(-1)/x) * -1 +// x^((p-5)/8) * sqrt(-1) = -sqrt(sqrt(-1)/x) or sqrt(sqrt(-1)/x) +static int invsqrt(fe isr, const fe x) +{ + fe t0, t1, t2; + + // t0 = x^((p-5)/8) + // Can be achieved with a simple double & add ladder, + // but it would be slower. + fe_sq(t0, x); + fe_sq(t1,t0); fe_sq(t1, t1); fe_mul(t1, x, t1); + fe_mul(t0, t0, t1); + fe_sq(t0, t0); fe_mul(t0, t1, t0); + fe_sq(t1, t0); FOR (i, 1, 5) fe_sq(t1, t1); fe_mul(t0, t1, t0); + fe_sq(t1, t0); FOR (i, 1, 10) fe_sq(t1, t1); fe_mul(t1, t1, t0); + fe_sq(t2, t1); FOR (i, 1, 20) fe_sq(t2, t2); fe_mul(t1, t2, t1); + fe_sq(t1, t1); FOR (i, 1, 10) fe_sq(t1, t1); fe_mul(t0, t1, t0); + fe_sq(t1, t0); FOR (i, 1, 50) fe_sq(t1, t1); fe_mul(t1, t1, t0); + fe_sq(t2, t1); FOR (i, 1, 100) fe_sq(t2, t2); fe_mul(t1, t2, t1); + fe_sq(t1, t1); FOR (i, 1, 50) fe_sq(t1, t1); fe_mul(t0, t1, t0); + fe_sq(t0, t0); FOR (i, 1, 2) fe_sq(t0, t0); fe_mul(t0, t0, x); + + // quartic = x^((p-1)/4) + i32 *quartic = t1; + fe_sq (quartic, t0); + fe_mul(quartic, quartic, x); + + i32 *check = t2; + fe_0 (check); int z0 = fe_isequal(x , check); + fe_1 (check); int p1 = fe_isequal(quartic, check); + fe_neg(check, check ); int m1 = fe_isequal(quartic, check); + fe_neg(check, sqrtm1); int ms = fe_isequal(quartic, check); + + // if quartic == -1 or sqrt(-1) + // then isr = x^((p-1)/4) * sqrt(-1) + // else isr = x^((p-1)/4) + fe_mul(isr, t0, sqrtm1); + fe_ccopy(isr, t0, 1 - (m1 | ms)); + + WIPE_BUFFER(t0); + WIPE_BUFFER(t1); + WIPE_BUFFER(t2); + return p1 | m1 | z0; +} + +// Inverse in terms of inverse square root. +// Requires two additional squarings to get rid of the sign. +// +// 1/x = x * (+invsqrt(x^2))^2 +// = x * (-invsqrt(x^2))^2 +// +// A fully optimised exponentiation by p-1 would save 6 field +// multiplications, but it would require more code. +static void fe_invert(fe out, const fe x) +{ + fe tmp; + fe_sq(tmp, x); + invsqrt(tmp, tmp); + fe_sq(tmp, tmp); + fe_mul(out, tmp, x); + WIPE_BUFFER(tmp); +} + +// trim a scalar for scalar multiplication +void crypto_eddsa_trim_scalar(u8 out[32], const u8 in[32]) +{ + COPY(out, in, 32); + out[ 0] &= 248; + out[31] &= 127; + out[31] |= 64; +} + +// get bit from scalar at position i +static int scalar_bit(const u8 s[32], int i) +{ + if (i < 0) { return 0; } // handle -1 for sliding windows + return (s[i>>3] >> (i&7)) & 1; +} + +/////////////// +/// X-25519 /// Taken from SUPERCOP's ref10 implementation. +/////////////// +static void scalarmult(u8 q[32], const u8 scalar[32], const u8 p[32], + int nb_bits) +{ + // computes the scalar product + fe x1; + fe_frombytes(x1, p); + + // computes the actual scalar product (the result is in x2 and z2) + fe x2, z2, x3, z3, t0, t1; + // Montgomery ladder + // In projective coordinates, to avoid divisions: x = X / Z + // We don't care about the y coordinate, it's only 1 bit of information + fe_1(x2); fe_0(z2); // "zero" point + fe_copy(x3, x1); fe_1(z3); // "one" point + int swap = 0; + for (int pos = nb_bits-1; pos >= 0; --pos) { + // constant time conditional swap before ladder step + int b = scalar_bit(scalar, pos); + swap ^= b; // xor trick avoids swapping at the end of the loop + fe_cswap(x2, x3, swap); + fe_cswap(z2, z3, swap); + swap = b; // anticipates one last swap after the loop + + // Montgomery ladder step: replaces (P2, P3) by (P2*2, P2+P3) + // with differential addition + fe_sub(t0, x3, z3); + fe_sub(t1, x2, z2); + fe_add(x2, x2, z2); + fe_add(z2, x3, z3); + fe_mul(z3, t0, x2); + fe_mul(z2, z2, t1); + fe_sq (t0, t1 ); + fe_sq (t1, x2 ); + fe_add(x3, z3, z2); + fe_sub(z2, z3, z2); + fe_mul(x2, t1, t0); + fe_sub(t1, t1, t0); + fe_sq (z2, z2 ); + fe_mul_small(z3, t1, 121666); + fe_sq (x3, x3 ); + fe_add(t0, t0, z3); + fe_mul(z3, x1, z2); + fe_mul(z2, t1, t0); + } + // last swap is necessary to compensate for the xor trick + // Note: after this swap, P3 == P2 + P1. + fe_cswap(x2, x3, swap); + fe_cswap(z2, z3, swap); + + // normalises the coordinates: x == X / Z + fe_invert(z2, z2); + fe_mul(x2, x2, z2); + fe_tobytes(q, x2); + + WIPE_BUFFER(x1); + WIPE_BUFFER(x2); WIPE_BUFFER(z2); WIPE_BUFFER(t0); + WIPE_BUFFER(x3); WIPE_BUFFER(z3); WIPE_BUFFER(t1); +} + +void crypto_x25519(u8 raw_shared_secret[32], + const u8 your_secret_key [32], + const u8 their_public_key [32]) +{ + // restrict the possible scalar values + u8 e[32]; + crypto_eddsa_trim_scalar(e, your_secret_key); + scalarmult(raw_shared_secret, e, their_public_key, 255); + WIPE_BUFFER(e); +} + +void crypto_x25519_public_key(u8 public_key[32], + const u8 secret_key[32]) +{ + static const u8 base_point[32] = {9}; + crypto_x25519(public_key, secret_key, base_point); +} + +/////////////////////////// +/// Arithmetic modulo L /// +/////////////////////////// +static const u32 L[8] = { + 0x5cf5d3ed, 0x5812631a, 0xa2f79cd6, 0x14def9de, + 0x00000000, 0x00000000, 0x00000000, 0x10000000, +}; + +// p = a*b + p +static void multiply(u32 p[16], const u32 a[8], const u32 b[8]) +{ + FOR (i, 0, 8) { + u64 carry = 0; + FOR (j, 0, 8) { + carry += p[i+j] + (u64)a[i] * b[j]; + p[i+j] = (u32)carry; + carry >>= 32; + } + p[i+8] = (u32)carry; + } +} + +static int is_above_l(const u32 x[8]) +{ + // We work with L directly, in a 2's complement encoding + // (-L == ~L + 1) + u64 carry = 1; + FOR (i, 0, 8) { + carry += (u64)x[i] + (~L[i] & 0xffffffff); + carry >>= 32; + } + return (int)carry; // carry is either 0 or 1 +} + +// Final reduction modulo L, by conditionally removing L. +// if x < l , then r = x +// if l <= x 2*l, then r = x-l +// otherwise the result will be wrong +static void remove_l(u32 r[8], const u32 x[8]) +{ + u64 carry = (u64)is_above_l(x); + u32 mask = ~(u32)carry + 1; // carry == 0 or 1 + FOR (i, 0, 8) { + carry += (u64)x[i] + (~L[i] & mask); + r[i] = (u32)carry; + carry >>= 32; + } +} + +// Full reduction modulo L (Barrett reduction) +static void mod_l(u8 reduced[32], const u32 x[16]) +{ + static const u32 r[9] = { + 0x0a2c131b,0xed9ce5a3,0x086329a7,0x2106215d, + 0xffffffeb,0xffffffff,0xffffffff,0xffffffff,0xf, + }; + // xr = x * r + u32 xr[25] = {0}; + FOR (i, 0, 9) { + u64 carry = 0; + FOR (j, 0, 16) { + carry += xr[i+j] + (u64)r[i] * x[j]; + xr[i+j] = (u32)carry; + carry >>= 32; + } + xr[i+16] = (u32)carry; + } + // xr = floor(xr / 2^512) * L + // Since the result is guaranteed to be below 2*L, + // it is enough to only compute the first 256 bits. + // The division is performed by saying xr[i+16]. (16 * 32 = 512) + ZERO(xr, 8); + FOR (i, 0, 8) { + u64 carry = 0; + FOR (j, 0, 8-i) { + carry += xr[i+j] + (u64)xr[i+16] * L[j]; + xr[i+j] = (u32)carry; + carry >>= 32; + } + } + // xr = x - xr + u64 carry = 1; + FOR (i, 0, 8) { + carry += (u64)x[i] + (~xr[i] & 0xffffffff); + xr[i] = (u32)carry; + carry >>= 32; + } + // Final reduction modulo L (conditional subtraction) + remove_l(xr, xr); + store32_le_buf(reduced, xr, 8); + + WIPE_BUFFER(xr); +} + +void crypto_eddsa_reduce(u8 reduced[32], const u8 expanded[64]) +{ + u32 x[16]; + load32_le_buf(x, expanded, 16); + mod_l(reduced, x); + WIPE_BUFFER(x); +} + +// r = (a * b) + c +void crypto_eddsa_mul_add(u8 r[32], + const u8 a[32], const u8 b[32], const u8 c[32]) +{ + u32 A[8]; load32_le_buf(A, a, 8); + u32 B[8]; load32_le_buf(B, b, 8); + u32 p[16]; load32_le_buf(p, c, 8); ZERO(p + 8, 8); + multiply(p, A, B); + mod_l(r, p); + WIPE_BUFFER(p); + WIPE_BUFFER(A); + WIPE_BUFFER(B); +} + +/////////////// +/// Ed25519 /// +/////////////// + +// Point (group element, ge) in a twisted Edwards curve, +// in extended projective coordinates. +// ge : x = X/Z, y = Y/Z, T = XY/Z +// ge_cached : Yp = X+Y, Ym = X-Y, T2 = T*D2 +// ge_precomp: Z = 1 +typedef struct { fe X; fe Y; fe Z; fe T; } ge; +typedef struct { fe Yp; fe Ym; fe Z; fe T2; } ge_cached; +typedef struct { fe Yp; fe Ym; fe T2; } ge_precomp; + +static void ge_zero(ge *p) +{ + fe_0(p->X); + fe_1(p->Y); + fe_1(p->Z); + fe_0(p->T); +} + +static void ge_tobytes(u8 s[32], const ge *h) +{ + fe recip, x, y; + fe_invert(recip, h->Z); + fe_mul(x, h->X, recip); + fe_mul(y, h->Y, recip); + fe_tobytes(s, y); + s[31] ^= fe_isodd(x) << 7; + + WIPE_BUFFER(recip); + WIPE_BUFFER(x); + WIPE_BUFFER(y); +} + +// h = -s, where s is a point encoded in 32 bytes +// +// Variable time! Inputs must not be secret! +// => Use only to *check* signatures. +// +// From the specifications: +// The encoding of s contains y and the sign of x +// x = sqrt((y^2 - 1) / (d*y^2 + 1)) +// In extended coordinates: +// X = x, Y = y, Z = 1, T = x*y +// +// Note that num * den is a square iff num / den is a square +// If num * den is not a square, the point was not on the curve. +// From the above: +// Let num = y^2 - 1 +// Let den = d*y^2 + 1 +// x = sqrt((y^2 - 1) / (d*y^2 + 1)) +// x = sqrt(num / den) +// x = sqrt(num^2 / (num * den)) +// x = num * sqrt(1 / (num * den)) +// +// Therefore, we can just compute: +// num = y^2 - 1 +// den = d*y^2 + 1 +// isr = invsqrt(num * den) // abort if not square +// x = num * isr +// Finally, negate x if its sign is not as specified. +static int ge_frombytes_neg_vartime(ge *h, const u8 s[32]) +{ + fe_frombytes(h->Y, s); + fe_1(h->Z); + fe_sq (h->T, h->Y); // t = y^2 + fe_mul(h->X, h->T, d ); // x = d*y^2 + fe_sub(h->T, h->T, h->Z); // t = y^2 - 1 + fe_add(h->X, h->X, h->Z); // x = d*y^2 + 1 + fe_mul(h->X, h->T, h->X); // x = (y^2 - 1) * (d*y^2 + 1) + int is_square = invsqrt(h->X, h->X); + if (!is_square) { + return -1; // Not on the curve, abort + } + fe_mul(h->X, h->T, h->X); // x = sqrt((y^2 - 1) / (d*y^2 + 1)) + if (fe_isodd(h->X) == (s[31] >> 7)) { + fe_neg(h->X, h->X); + } + fe_mul(h->T, h->X, h->Y); + return 0; +} + +static void ge_cache(ge_cached *c, const ge *p) +{ + fe_add (c->Yp, p->Y, p->X); + fe_sub (c->Ym, p->Y, p->X); + fe_copy(c->Z , p->Z ); + fe_mul (c->T2, p->T, D2 ); +} + +// Internal buffers are not wiped! Inputs must not be secret! +// => Use only to *check* signatures. +static void ge_add(ge *s, const ge *p, const ge_cached *q) +{ + fe a, b; + fe_add(a , p->Y, p->X ); + fe_sub(b , p->Y, p->X ); + fe_mul(a , a , q->Yp); + fe_mul(b , b , q->Ym); + fe_add(s->Y, a , b ); + fe_sub(s->X, a , b ); + + fe_add(s->Z, p->Z, p->Z ); + fe_mul(s->Z, s->Z, q->Z ); + fe_mul(s->T, p->T, q->T2); + fe_add(a , s->Z, s->T ); + fe_sub(b , s->Z, s->T ); + + fe_mul(s->T, s->X, s->Y); + fe_mul(s->X, s->X, b ); + fe_mul(s->Y, s->Y, a ); + fe_mul(s->Z, a , b ); +} + +// Internal buffers are not wiped! Inputs must not be secret! +// => Use only to *check* signatures. +static void ge_sub(ge *s, const ge *p, const ge_cached *q) +{ + ge_cached neg; + fe_copy(neg.Ym, q->Yp); + fe_copy(neg.Yp, q->Ym); + fe_copy(neg.Z , q->Z ); + fe_neg (neg.T2, q->T2); + ge_add(s, p, &neg); +} + +static void ge_madd(ge *s, const ge *p, const ge_precomp *q, fe a, fe b) +{ + fe_add(a , p->Y, p->X ); + fe_sub(b , p->Y, p->X ); + fe_mul(a , a , q->Yp); + fe_mul(b , b , q->Ym); + fe_add(s->Y, a , b ); + fe_sub(s->X, a , b ); + + fe_add(s->Z, p->Z, p->Z ); + fe_mul(s->T, p->T, q->T2); + fe_add(a , s->Z, s->T ); + fe_sub(b , s->Z, s->T ); + + fe_mul(s->T, s->X, s->Y); + fe_mul(s->X, s->X, b ); + fe_mul(s->Y, s->Y, a ); + fe_mul(s->Z, a , b ); +} + +// Internal buffers are not wiped! Inputs must not be secret! +// => Use only to *check* signatures. +static void ge_msub(ge *s, const ge *p, const ge_precomp *q, fe a, fe b) +{ + ge_precomp neg; + fe_copy(neg.Ym, q->Yp); + fe_copy(neg.Yp, q->Ym); + fe_neg (neg.T2, q->T2); + ge_madd(s, p, &neg, a, b); +} + +static void ge_double(ge *s, const ge *p, ge *q) +{ + fe_sq (q->X, p->X); + fe_sq (q->Y, p->Y); + fe_sq (q->Z, p->Z); // qZ = pZ^2 + fe_mul_small(q->Z, q->Z, 2); // qZ = pZ^2 * 2 + fe_add(q->T, p->X, p->Y); + fe_sq (s->T, q->T); + fe_add(q->T, q->Y, q->X); + fe_sub(q->Y, q->Y, q->X); + fe_sub(q->X, s->T, q->T); + fe_sub(q->Z, q->Z, q->Y); + + fe_mul(s->X, q->X , q->Z); + fe_mul(s->Y, q->T , q->Y); + fe_mul(s->Z, q->Y , q->Z); + fe_mul(s->T, q->X , q->T); +} + +// 5-bit signed window in cached format (Niels coordinates, Z=1) +static const ge_precomp b_window[8] = { + {{25967493,-14356035,29566456,3660896,-12694345, + 4014787,27544626,-11754271,-6079156,2047605,}, + {-12545711,934262,-2722910,3049990,-727428, + 9406986,12720692,5043384,19500929,-15469378,}, + {-8738181,4489570,9688441,-14785194,10184609, + -12363380,29287919,11864899,-24514362,-4438546,},}, + {{15636291,-9688557,24204773,-7912398,616977, + -16685262,27787600,-14772189,28944400,-1550024,}, + {16568933,4717097,-11556148,-1102322,15682896, + -11807043,16354577,-11775962,7689662,11199574,}, + {30464156,-5976125,-11779434,-15670865,23220365, + 15915852,7512774,10017326,-17749093,-9920357,},}, + {{10861363,11473154,27284546,1981175,-30064349, + 12577861,32867885,14515107,-15438304,10819380,}, + {4708026,6336745,20377586,9066809,-11272109, + 6594696,-25653668,12483688,-12668491,5581306,}, + {19563160,16186464,-29386857,4097519,10237984, + -4348115,28542350,13850243,-23678021,-15815942,},}, + {{5153746,9909285,1723747,-2777874,30523605, + 5516873,19480852,5230134,-23952439,-15175766,}, + {-30269007,-3463509,7665486,10083793,28475525, + 1649722,20654025,16520125,30598449,7715701,}, + {28881845,14381568,9657904,3680757,-20181635, + 7843316,-31400660,1370708,29794553,-1409300,},}, + {{-22518993,-6692182,14201702,-8745502,-23510406, + 8844726,18474211,-1361450,-13062696,13821877,}, + {-6455177,-7839871,3374702,-4740862,-27098617, + -10571707,31655028,-7212327,18853322,-14220951,}, + {4566830,-12963868,-28974889,-12240689,-7602672, + -2830569,-8514358,-10431137,2207753,-3209784,},}, + {{-25154831,-4185821,29681144,7868801,-6854661, + -9423865,-12437364,-663000,-31111463,-16132436,}, + {25576264,-2703214,7349804,-11814844,16472782, + 9300885,3844789,15725684,171356,6466918,}, + {23103977,13316479,9739013,-16149481,817875, + -15038942,8965339,-14088058,-30714912,16193877,},}, + {{-33521811,3180713,-2394130,14003687,-16903474, + -16270840,17238398,4729455,-18074513,9256800,}, + {-25182317,-4174131,32336398,5036987,-21236817, + 11360617,22616405,9761698,-19827198,630305,}, + {-13720693,2639453,-24237460,-7406481,9494427, + -5774029,-6554551,-15960994,-2449256,-14291300,},}, + {{-3151181,-5046075,9282714,6866145,-31907062, + -863023,-18940575,15033784,25105118,-7894876,}, + {-24326370,15950226,-31801215,-14592823,-11662737, + -5090925,1573892,-2625887,2198790,-15804619,}, + {-3099351,10324967,-2241613,7453183,-5446979, + -2735503,-13812022,-16236442,-32461234,-12290683,},}, +}; + +// Incremental sliding windows (left to right) +// Based on Roberto Maria Avanzi[2005] +typedef struct { + i16 next_index; // position of the next signed digit + i8 next_digit; // next signed digit (odd number below 2^window_width) + u8 next_check; // point at which we must check for a new window +} slide_ctx; + +static void slide_init(slide_ctx *ctx, const u8 scalar[32]) +{ + // scalar is guaranteed to be below L, either because we checked (s), + // or because we reduced it modulo L (h_ram). L is under 2^253, so + // so bits 253 to 255 are guaranteed to be zero. No need to test them. + // + // Note however that L is very close to 2^252, so bit 252 is almost + // always zero. If we were to start at bit 251, the tests wouldn't + // catch the off-by-one error (constructing one that does would be + // prohibitively expensive). + // + // We should still check bit 252, though. + int i = 252; + while (i > 0 && scalar_bit(scalar, i) == 0) { + i--; + } + ctx->next_check = (u8)(i + 1); + ctx->next_index = -1; + ctx->next_digit = -1; +} + +static int slide_step(slide_ctx *ctx, int width, int i, const u8 scalar[32]) +{ + if (i == ctx->next_check) { + if (scalar_bit(scalar, i) == scalar_bit(scalar, i - 1)) { + ctx->next_check--; + } else { + // compute digit of next window + int w = MIN(width, i + 1); + int v = -(scalar_bit(scalar, i) << (w-1)); + FOR_T (int, j, 0, w-1) { + v += scalar_bit(scalar, i-(w-1)+j) << j; + } + v += scalar_bit(scalar, i-w); + int lsb = v & (~v + 1); // smallest bit of v + int s = // log2(lsb) + (((lsb & 0xAA) != 0) << 0) | + (((lsb & 0xCC) != 0) << 1) | + (((lsb & 0xF0) != 0) << 2); + ctx->next_index = (i16)(i-(w-1)+s); + ctx->next_digit = (i8) (v >> s ); + ctx->next_check -= (u8) w; + } + } + return i == ctx->next_index ? ctx->next_digit: 0; +} + +#define P_W_WIDTH 3 // Affects the size of the stack +#define B_W_WIDTH 5 // Affects the size of the binary +#define P_W_SIZE (1<<(P_W_WIDTH-2)) + +int crypto_eddsa_check_equation(const u8 signature[64], const u8 public_key[32], + const u8 h[32]) +{ + ge minus_A; // -public_key + ge minus_R; // -first_half_of_signature + const u8 *s = signature + 32; + + // Check that A and R are on the curve + // Check that 0 <= S < L (prevents malleability) + // *Allow* non-cannonical encoding for A and R + { + u32 s32[8]; + load32_le_buf(s32, s, 8); + if (ge_frombytes_neg_vartime(&minus_A, public_key) || + ge_frombytes_neg_vartime(&minus_R, signature) || + is_above_l(s32)) { + return -1; + } + } + + // look-up table for minus_A + ge_cached lutA[P_W_SIZE]; + { + ge minus_A2, tmp; + ge_double(&minus_A2, &minus_A, &tmp); + ge_cache(&lutA[0], &minus_A); + FOR (i, 1, P_W_SIZE) { + ge_add(&tmp, &minus_A2, &lutA[i-1]); + ge_cache(&lutA[i], &tmp); + } + } + + // sum = [s]B - [h]A + // Merged double and add ladder, fused with sliding + slide_ctx h_slide; slide_init(&h_slide, h); + slide_ctx s_slide; slide_init(&s_slide, s); + int i = MAX(h_slide.next_check, s_slide.next_check); + ge *sum = &minus_A; // reuse minus_A for the sum + ge_zero(sum); + while (i >= 0) { + ge tmp; + ge_double(sum, sum, &tmp); + int h_digit = slide_step(&h_slide, P_W_WIDTH, i, h); + int s_digit = slide_step(&s_slide, B_W_WIDTH, i, s); + if (h_digit > 0) { ge_add(sum, sum, &lutA[ h_digit / 2]); } + if (h_digit < 0) { ge_sub(sum, sum, &lutA[-h_digit / 2]); } + fe t1, t2; + if (s_digit > 0) { ge_madd(sum, sum, b_window + s_digit/2, t1, t2); } + if (s_digit < 0) { ge_msub(sum, sum, b_window + -s_digit/2, t1, t2); } + i--; + } + + // Compare [8](sum-R) and the zero point + // The multiplication by 8 eliminates any low-order component + // and ensures consistency with batched verification. + ge_cached cached; + u8 check[32]; + static const u8 zero_point[32] = {1}; // Point of order 1 + ge_cache(&cached, &minus_R); + ge_add(sum, sum, &cached); + ge_double(sum, sum, &minus_R); // reuse minus_R as temporary + ge_double(sum, sum, &minus_R); // reuse minus_R as temporary + ge_double(sum, sum, &minus_R); // reuse minus_R as temporary + ge_tobytes(check, sum); + return crypto_verify32(check, zero_point); +} + +// 5-bit signed comb in cached format (Niels coordinates, Z=1) +static const ge_precomp b_comb_low[8] = { + {{-6816601,-2324159,-22559413,124364,18015490, + 8373481,19993724,1979872,-18549925,9085059,}, + {10306321,403248,14839893,9633706,8463310, + -8354981,-14305673,14668847,26301366,2818560,}, + {-22701500,-3210264,-13831292,-2927732,-16326337, + -14016360,12940910,177905,12165515,-2397893,},}, + {{-12282262,-7022066,9920413,-3064358,-32147467, + 2927790,22392436,-14852487,2719975,16402117,}, + {-7236961,-4729776,2685954,-6525055,-24242706, + -15940211,-6238521,14082855,10047669,12228189,}, + {-30495588,-12893761,-11161261,3539405,-11502464, + 16491580,-27286798,-15030530,-7272871,-15934455,},}, + {{17650926,582297,-860412,-187745,-12072900, + -10683391,-20352381,15557840,-31072141,-5019061,}, + {-6283632,-2259834,-4674247,-4598977,-4089240, + 12435688,-31278303,1060251,6256175,10480726,}, + {-13871026,2026300,-21928428,-2741605,-2406664, + -8034988,7355518,15733500,-23379862,7489131,},}, + {{6883359,695140,23196907,9644202,-33430614, + 11354760,-20134606,6388313,-8263585,-8491918,}, + {-7716174,-13605463,-13646110,14757414,-19430591, + -14967316,10359532,-11059670,-21935259,12082603,}, + {-11253345,-15943946,10046784,5414629,24840771, + 8086951,-6694742,9868723,15842692,-16224787,},}, + {{9639399,11810955,-24007778,-9320054,3912937, + -9856959,996125,-8727907,-8919186,-14097242,}, + {7248867,14468564,25228636,-8795035,14346339, + 8224790,6388427,-7181107,6468218,-8720783,}, + {15513115,15439095,7342322,-10157390,18005294, + -7265713,2186239,4884640,10826567,7135781,},}, + {{-14204238,5297536,-5862318,-6004934,28095835, + 4236101,-14203318,1958636,-16816875,3837147,}, + {-5511166,-13176782,-29588215,12339465,15325758, + -15945770,-8813185,11075932,-19608050,-3776283,}, + {11728032,9603156,-4637821,-5304487,-7827751, + 2724948,31236191,-16760175,-7268616,14799772,},}, + {{-28842672,4840636,-12047946,-9101456,-1445464, + 381905,-30977094,-16523389,1290540,12798615,}, + {27246947,-10320914,14792098,-14518944,5302070, + -8746152,-3403974,-4149637,-27061213,10749585,}, + {25572375,-6270368,-15353037,16037944,1146292, + 32198,23487090,9585613,24714571,-1418265,},}, + {{19844825,282124,-17583147,11004019,-32004269, + -2716035,6105106,-1711007,-21010044,14338445,}, + {8027505,8191102,-18504907,-12335737,25173494, + -5923905,15446145,7483684,-30440441,10009108,}, + {-14134701,-4174411,10246585,-14677495,33553567, + -14012935,23366126,15080531,-7969992,7663473,},}, +}; + +static const ge_precomp b_comb_high[8] = { + {{33055887,-4431773,-521787,6654165,951411, + -6266464,-5158124,6995613,-5397442,-6985227,}, + {4014062,6967095,-11977872,3960002,8001989, + 5130302,-2154812,-1899602,-31954493,-16173976,}, + {16271757,-9212948,23792794,731486,-25808309, + -3546396,6964344,-4767590,10976593,10050757,},}, + {{2533007,-4288439,-24467768,-12387405,-13450051, + 14542280,12876301,13893535,15067764,8594792,}, + {20073501,-11623621,3165391,-13119866,13188608, + -11540496,-10751437,-13482671,29588810,2197295,}, + {-1084082,11831693,6031797,14062724,14748428, + -8159962,-20721760,11742548,31368706,13161200,},}, + {{2050412,-6457589,15321215,5273360,25484180, + 124590,-18187548,-7097255,-6691621,-14604792,}, + {9938196,2162889,-6158074,-1711248,4278932, + -2598531,-22865792,-7168500,-24323168,11746309,}, + {-22691768,-14268164,5965485,9383325,20443693, + 5854192,28250679,-1381811,-10837134,13717818,},}, + {{-8495530,16382250,9548884,-4971523,-4491811, + -3902147,6182256,-12832479,26628081,10395408,}, + {27329048,-15853735,7715764,8717446,-9215518, + -14633480,28982250,-5668414,4227628,242148,}, + {-13279943,-7986904,-7100016,8764468,-27276630, + 3096719,29678419,-9141299,3906709,11265498,},}, + {{11918285,15686328,-17757323,-11217300,-27548967, + 4853165,-27168827,6807359,6871949,-1075745,}, + {-29002610,13984323,-27111812,-2713442,28107359, + -13266203,6155126,15104658,3538727,-7513788,}, + {14103158,11233913,-33165269,9279850,31014152, + 4335090,-1827936,4590951,13960841,12787712,},}, + {{1469134,-16738009,33411928,13942824,8092558, + -8778224,-11165065,1437842,22521552,-2792954,}, + {31352705,-4807352,-25327300,3962447,12541566, + -9399651,-27425693,7964818,-23829869,5541287,}, + {-25732021,-6864887,23848984,3039395,-9147354, + 6022816,-27421653,10590137,25309915,-1584678,},}, + {{-22951376,5048948,31139401,-190316,-19542447, + -626310,-17486305,-16511925,-18851313,-12985140,}, + {-9684890,14681754,30487568,7717771,-10829709, + 9630497,30290549,-10531496,-27798994,-13812825,}, + {5827835,16097107,-24501327,12094619,7413972, + 11447087,28057551,-1793987,-14056981,4359312,},}, + {{26323183,2342588,-21887793,-1623758,-6062284, + 2107090,-28724907,9036464,-19618351,-13055189,}, + {-29697200,14829398,-4596333,14220089,-30022969, + 2955645,12094100,-13693652,-5941445,7047569,}, + {-3201977,14413268,-12058324,-16417589,-9035655, + -7224648,9258160,1399236,30397584,-5684634,},}, +}; + +static void lookup_add(ge *p, ge_precomp *tmp_c, fe tmp_a, fe tmp_b, + const ge_precomp comb[8], const u8 scalar[32], int i) +{ + u8 teeth = (u8)((scalar_bit(scalar, i) ) + + (scalar_bit(scalar, i + 32) << 1) + + (scalar_bit(scalar, i + 64) << 2) + + (scalar_bit(scalar, i + 96) << 3)); + u8 high = teeth >> 3; + u8 index = (teeth ^ (high - 1)) & 7; + FOR (j, 0, 8) { + i32 select = 1 & (((j ^ index) - 1) >> 8); + fe_ccopy(tmp_c->Yp, comb[j].Yp, select); + fe_ccopy(tmp_c->Ym, comb[j].Ym, select); + fe_ccopy(tmp_c->T2, comb[j].T2, select); + } + fe_neg(tmp_a, tmp_c->T2); + fe_cswap(tmp_c->T2, tmp_a , high ^ 1); + fe_cswap(tmp_c->Yp, tmp_c->Ym, high ^ 1); + ge_madd(p, p, tmp_c, tmp_a, tmp_b); +} + +// p = [scalar]B, where B is the base point +static void ge_scalarmult_base(ge *p, const u8 scalar[32]) +{ + // twin 4-bits signed combs, from Mike Hamburg's + // Fast and compact elliptic-curve cryptography (2012) + // 1 / 2 modulo L + static const u8 half_mod_L[32] = { + 247,233,122,46,141,49,9,44,107,206,123,81,239,124,111,10, + 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8, + }; + // (2^256 - 1) / 2 modulo L + static const u8 half_ones[32] = { + 142,74,204,70,186,24,118,107,184,231,190,57,250,173,119,99, + 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,7, + }; + + // All bits set form: 1 means 1, 0 means -1 + u8 s_scalar[32]; + crypto_eddsa_mul_add(s_scalar, scalar, half_mod_L, half_ones); + + // Double and add ladder + fe tmp_a, tmp_b; // temporaries for addition + ge_precomp tmp_c; // temporary for comb lookup + ge tmp_d; // temporary for doubling + fe_1(tmp_c.Yp); + fe_1(tmp_c.Ym); + fe_0(tmp_c.T2); + + // Save a double on the first iteration + ge_zero(p); + lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_low , s_scalar, 31); + lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_high, s_scalar, 31+128); + // Regular double & add for the rest + for (int i = 30; i >= 0; i--) { + ge_double(p, p, &tmp_d); + lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_low , s_scalar, i); + lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_high, s_scalar, i+128); + } + // Note: we could save one addition at the end if we assumed the + // scalar fit in 252 bits. Which it does in practice if it is + // selected at random. However, non-random, non-hashed scalars + // *can* overflow 252 bits in practice. Better account for that + // than leaving that kind of subtle corner case. + + WIPE_BUFFER(tmp_a); WIPE_CTX(&tmp_d); + WIPE_BUFFER(tmp_b); WIPE_CTX(&tmp_c); + WIPE_BUFFER(s_scalar); +} + +void crypto_eddsa_scalarbase(u8 point[32], const u8 scalar[32]) +{ + ge P; + ge_scalarmult_base(&P, scalar); + ge_tobytes(point, &P); + WIPE_CTX(&P); +} + +void crypto_eddsa_key_pair(u8 secret_key[64], u8 public_key[32], u8 seed[32]) +{ + // To allow overlaps, observable writes happen in this order: + // 1. seed + // 2. secret_key + // 3. public_key + u8 a[64]; + COPY(a, seed, 32); + crypto_wipe(seed, 32); + COPY(secret_key, a, 32); + crypto_blake2b(a, 64, a, 32); + crypto_eddsa_trim_scalar(a, a); + crypto_eddsa_scalarbase(secret_key + 32, a); + COPY(public_key, secret_key + 32, 32); + WIPE_BUFFER(a); +} + +static void hash_reduce(u8 h[32], + const u8 *a, size_t a_size, + const u8 *b, size_t b_size, + const u8 *c, size_t c_size) +{ + u8 hash[64]; + crypto_blake2b_ctx ctx; + crypto_blake2b_init (&ctx, 64); + crypto_blake2b_update(&ctx, a, a_size); + crypto_blake2b_update(&ctx, b, b_size); + crypto_blake2b_update(&ctx, c, c_size); + crypto_blake2b_final (&ctx, hash); + crypto_eddsa_reduce(h, hash); +} + +// Digital signature of a message with from a secret key. +// +// The secret key comprises two parts: +// - The seed that generates the key (secret_key[ 0..31]) +// - The public key (secret_key[32..63]) +// +// The seed and the public key are bundled together to make sure users +// don't use mismatched seeds and public keys, which would instantly +// leak the secret scalar and allow forgeries (allowing this to happen +// has resulted in critical vulnerabilities in the wild). +// +// The seed is hashed to derive the secret scalar and a secret prefix. +// The sole purpose of the prefix is to generate a secret random nonce. +// The properties of that nonce must be as follows: +// - Unique: we need a different one for each message. +// - Secret: third parties must not be able to predict it. +// - Random: any detectable bias would break all security. +// +// There are two ways to achieve these properties. The obvious one is +// to simply generate a random number. Here that would be a parameter +// (Monocypher doesn't have an RNG). It works, but then users may reuse +// the nonce by accident, which _also_ leaks the secret scalar and +// allows forgeries. This has happened in the wild too. +// +// This is no good, so instead we generate that nonce deterministically +// by reducing modulo L a hash of the secret prefix and the message. +// The secret prefix makes the nonce unpredictable, the message makes it +// unique, and the hash/reduce removes all bias. +// +// The cost of that safety is hashing the message twice. If that cost +// is unacceptable, there are two alternatives: +// +// - Signing a hash of the message instead of the message itself. This +// is fine as long as the hash is collision resistant. It is not +// compatible with existing "pure" signatures, but at least it's safe. +// +// - Using a random nonce. Please exercise **EXTREME CAUTION** if you +// ever do that. It is absolutely **critical** that the nonce is +// really an unbiased random number between 0 and L-1, never reused, +// and wiped immediately. +// +// To lower the likelihood of complete catastrophe if the RNG is +// either flawed or misused, you can hash the RNG output together with +// the secret prefix and the beginning of the message, and use the +// reduction of that hash instead of the RNG output itself. It's not +// foolproof (you'd need to hash the whole message) but it helps. +// +// Signing a message involves the following operations: +// +// scalar, prefix = HASH(secret_key) +// r = HASH(prefix || message) % L +// R = [r]B +// h = HASH(R || public_key || message) % L +// S = ((h * a) + r) % L +// signature = R || S +void crypto_eddsa_sign(u8 signature [64], const u8 secret_key[64], + const u8 *message, size_t message_size) +{ + u8 a[64]; // secret scalar and prefix + u8 r[32]; // secret deterministic "random" nonce + u8 h[32]; // publically verifiable hash of the message (not wiped) + u8 R[32]; // first half of the signature (allows overlapping inputs) + + crypto_blake2b(a, 64, secret_key, 32); + crypto_eddsa_trim_scalar(a, a); + hash_reduce(r, a + 32, 32, message, message_size, 0, 0); + crypto_eddsa_scalarbase(R, r); + hash_reduce(h, R, 32, secret_key + 32, 32, message, message_size); + COPY(signature, R, 32); + crypto_eddsa_mul_add(signature + 32, h, a, r); + + WIPE_BUFFER(a); + WIPE_BUFFER(r); +} + +// To check the signature R, S of the message M with the public key A, +// there are 3 steps: +// +// compute h = HASH(R || A || message) % L +// check that A is on the curve. +// check that R == [s]B - [h]A +// +// The last two steps are done in crypto_eddsa_check_equation() +int crypto_eddsa_check(const u8 signature[64], const u8 public_key[32], + const u8 *message, size_t message_size) +{ + u8 h[32]; + hash_reduce(h, signature, 32, public_key, 32, message, message_size); + return crypto_eddsa_check_equation(signature, public_key, h); +} + +///////////////////////// +/// EdDSA <--> X25519 /// +///////////////////////// +void crypto_eddsa_to_x25519(u8 x25519[32], const u8 eddsa[32]) +{ + // (u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x) + // Only converting y to u, the sign of x is ignored. + fe t1, t2; + fe_frombytes(t2, eddsa); + fe_add(t1, fe_one, t2); + fe_sub(t2, fe_one, t2); + fe_invert(t2, t2); + fe_mul(t1, t1, t2); + fe_tobytes(x25519, t1); + WIPE_BUFFER(t1); + WIPE_BUFFER(t2); +} + +void crypto_x25519_to_eddsa(u8 eddsa[32], const u8 x25519[32]) +{ + // (x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1)) + // Only converting u to y, x is assumed positive. + fe t1, t2; + fe_frombytes(t2, x25519); + fe_sub(t1, t2, fe_one); + fe_add(t2, t2, fe_one); + fe_invert(t2, t2); + fe_mul(t1, t1, t2); + fe_tobytes(eddsa, t1); + WIPE_BUFFER(t1); + WIPE_BUFFER(t2); +} + +///////////////////////////////////////////// +/// Dirty ephemeral public key generation /// +///////////////////////////////////////////// + +// Those functions generates a public key, *without* clearing the +// cofactor. Sending that key over the network leaks 3 bits of the +// private key. Use only to generate ephemeral keys that will be hidden +// with crypto_curve_to_hidden(). +// +// The public key is otherwise compatible with crypto_x25519(), which +// properly clears the cofactor. +// +// Note that the distribution of the resulting public keys is almost +// uniform. Flipping the sign of the v coordinate (not provided by this +// function), covers the entire key space almost perfectly, where +// "almost" means a 2^-128 bias (undetectable). This uniformity is +// needed to ensure the proper randomness of the resulting +// representatives (once we apply crypto_curve_to_hidden()). +// +// Recall that Curve25519 has order C = 2^255 + e, with e < 2^128 (not +// to be confused with the prime order of the main subgroup, L, which is +// 8 times less than that). +// +// Generating all points would require us to multiply a point of order C +// (the base point plus any point of order 8) by all scalars from 0 to +// C-1. Clamping limits us to scalars between 2^254 and 2^255 - 1. But +// by negating the resulting point at random, we also cover scalars from +// -2^255 + 1 to -2^254 (which modulo C is congruent to e+1 to 2^254 + e). +// +// In practice: +// - Scalars from 0 to e + 1 are never generated +// - Scalars from 2^255 to 2^255 + e are never generated +// - Scalars from 2^254 + 1 to 2^254 + e are generated twice +// +// Since e < 2^128, detecting this bias requires observing over 2^100 +// representatives from a given source (this will never happen), *and* +// recovering enough of the private key to determine that they do, or do +// not, belong to the biased set (this practically requires solving +// discrete logarithm, which is conjecturally intractable). +// +// In practice, this means the bias is impossible to detect. + +// s + (x*L) % 8*L +// Guaranteed to fit in 256 bits iff s fits in 255 bits. +// L < 2^253 +// x%8 < 2^3 +// L * (x%8) < 2^255 +// s < 2^255 +// s + L * (x%8) < 2^256 +static void add_xl(u8 s[32], u8 x) +{ + u64 mod8 = x & 7; + u64 carry = 0; + FOR (i , 0, 8) { + carry = carry + load32_le(s + 4*i) + L[i] * mod8; + store32_le(s + 4*i, (u32)carry); + carry >>= 32; + } +} + +// "Small" dirty ephemeral key. +// Use if you need to shrink the size of the binary, and can afford to +// slow down by a factor of two (compared to the fast version) +// +// This version works by decoupling the cofactor from the main factor. +// +// - The trimmed scalar determines the main factor +// - The clamped bits of the scalar determine the cofactor. +// +// Cofactor and main factor are combined into a single scalar, which is +// then multiplied by a point of order 8*L (unlike the base point, which +// has prime order). That "dirty" base point is the addition of the +// regular base point (9), and a point of order 8. +void crypto_x25519_dirty_small(u8 public_key[32], const u8 secret_key[32]) +{ + // Base point of order 8*L + // Raw scalar multiplication with it does not clear the cofactor, + // and the resulting public key will reveal 3 bits of the scalar. + // + // The low order component of this base point has been chosen + // to yield the same results as crypto_x25519_dirty_fast(). + static const u8 dirty_base_point[32] = { + 0xd8, 0x86, 0x1a, 0xa2, 0x78, 0x7a, 0xd9, 0x26, + 0x8b, 0x74, 0x74, 0xb6, 0x82, 0xe3, 0xbe, 0xc3, + 0xce, 0x36, 0x9a, 0x1e, 0x5e, 0x31, 0x47, 0xa2, + 0x6d, 0x37, 0x7c, 0xfd, 0x20, 0xb5, 0xdf, 0x75, + }; + // separate the main factor & the cofactor of the scalar + u8 scalar[32]; + crypto_eddsa_trim_scalar(scalar, secret_key); + + // Separate the main factor and the cofactor + // + // The scalar is trimmed, so its cofactor is cleared. The three + // least significant bits however still have a main factor. We must + // remove it for X25519 compatibility. + // + // cofactor = lsb * L (modulo 8*L) + // combined = scalar + cofactor (modulo 8*L) + add_xl(scalar, secret_key[0]); + scalarmult(public_key, scalar, dirty_base_point, 256); + WIPE_BUFFER(scalar); +} + +// Select low order point +// We're computing the [cofactor]lop scalar multiplication, where: +// +// cofactor = tweak & 7. +// lop = (lop_x, lop_y) +// lop_x = sqrt((sqrt(d + 1) + 1) / d) +// lop_y = -lop_x * sqrtm1 +// +// The low order point has order 8. There are 4 such points. We've +// chosen the one whose both coordinates are positive (below p/2). +// The 8 low order points are as follows: +// +// [0]lop = ( 0 , 1 ) +// [1]lop = ( lop_x , lop_y) +// [2]lop = ( sqrt(-1), -0 ) +// [3]lop = ( lop_x , -lop_y) +// [4]lop = (-0 , -1 ) +// [5]lop = (-lop_x , -lop_y) +// [6]lop = (-sqrt(-1), 0 ) +// [7]lop = (-lop_x , lop_y) +// +// The x coordinate is either 0, sqrt(-1), lop_x, or their opposite. +// The y coordinate is either 0, -1 , lop_y, or their opposite. +// The pattern for both is the same, except for a rotation of 2 (modulo 8) +// +// This helper function captures the pattern, and we can use it thus: +// +// select_lop(x, lop_x, sqrtm1, cofactor); +// select_lop(y, lop_y, fe_one, cofactor + 2); +// +// This is faster than an actual scalar multiplication, +// and requires less code than naive constant time look up. +static void select_lop(fe out, const fe x, const fe k, u8 cofactor) +{ + fe tmp; + fe_0(out); + fe_ccopy(out, k , (cofactor >> 1) & 1); // bit 1 + fe_ccopy(out, x , (cofactor >> 0) & 1); // bit 0 + fe_neg (tmp, out); + fe_ccopy(out, tmp, (cofactor >> 2) & 1); // bit 2 + WIPE_BUFFER(tmp); +} + +// "Fast" dirty ephemeral key +// We use this one by default. +// +// This version works by performing a regular scalar multiplication, +// then add a low order point. The scalar multiplication is done in +// Edwards space for more speed (*2 compared to the "small" version). +// The cost is a bigger binary for programs that don't also sign messages. +void crypto_x25519_dirty_fast(u8 public_key[32], const u8 secret_key[32]) +{ + // Compute clean scalar multiplication + u8 scalar[32]; + ge pk; + crypto_eddsa_trim_scalar(scalar, secret_key); + ge_scalarmult_base(&pk, scalar); + + // Compute low order point + fe t1, t2; + select_lop(t1, lop_x, sqrtm1, secret_key[0]); + select_lop(t2, lop_y, fe_one, secret_key[0] + 2); + ge_precomp low_order_point; + fe_add(low_order_point.Yp, t2, t1); + fe_sub(low_order_point.Ym, t2, t1); + fe_mul(low_order_point.T2, t2, t1); + fe_mul(low_order_point.T2, low_order_point.T2, D2); + + // Add low order point to the public key + ge_madd(&pk, &pk, &low_order_point, t1, t2); + + // Convert to Montgomery u coordinate (we ignore the sign) + fe_add(t1, pk.Z, pk.Y); + fe_sub(t2, pk.Z, pk.Y); + fe_invert(t2, t2); + fe_mul(t1, t1, t2); + + fe_tobytes(public_key, t1); + + WIPE_BUFFER(t1); WIPE_CTX(&pk); + WIPE_BUFFER(t2); WIPE_CTX(&low_order_point); + WIPE_BUFFER(scalar); +} + +/////////////////// +/// Elligator 2 /// +/////////////////// +static const fe A = {486662}; + +// Elligator direct map +// +// Computes the point corresponding to a representative, encoded in 32 +// bytes (little Endian). Since positive representatives fits in 254 +// bits, The two most significant bits are ignored. +// +// From the paper: +// w = -A / (fe(1) + non_square * r^2) +// e = chi(w^3 + A*w^2 + w) +// u = e*w - (fe(1)-e)*(A//2) +// v = -e * sqrt(u^3 + A*u^2 + u) +// +// We ignore v because we don't need it for X25519 (the Montgomery +// ladder only uses u). +// +// Note that e is either 0, 1 or -1 +// if e = 0 u = 0 and v = 0 +// if e = 1 u = w +// if e = -1 u = -w - A = w * non_square * r^2 +// +// Let r1 = non_square * r^2 +// Let r2 = 1 + r1 +// Note that r2 cannot be zero, -1/non_square is not a square. +// We can (tediously) verify that: +// w^3 + A*w^2 + w = (A^2*r1 - r2^2) * A / r2^3 +// Therefore: +// chi(w^3 + A*w^2 + w) = chi((A^2*r1 - r2^2) * (A / r2^3)) +// chi(w^3 + A*w^2 + w) = chi((A^2*r1 - r2^2) * (A / r2^3)) * 1 +// chi(w^3 + A*w^2 + w) = chi((A^2*r1 - r2^2) * (A / r2^3)) * chi(r2^6) +// chi(w^3 + A*w^2 + w) = chi((A^2*r1 - r2^2) * (A / r2^3) * r2^6) +// chi(w^3 + A*w^2 + w) = chi((A^2*r1 - r2^2) * A * r2^3) +// Corollary: +// e = 1 if (A^2*r1 - r2^2) * A * r2^3) is a non-zero square +// e = -1 if (A^2*r1 - r2^2) * A * r2^3) is not a square +// Note that w^3 + A*w^2 + w (and therefore e) can never be zero: +// w^3 + A*w^2 + w = w * (w^2 + A*w + 1) +// w^3 + A*w^2 + w = w * (w^2 + A*w + A^2/4 - A^2/4 + 1) +// w^3 + A*w^2 + w = w * (w + A/2)^2 - A^2/4 + 1) +// which is zero only if: +// w = 0 (impossible) +// (w + A/2)^2 = A^2/4 - 1 (impossible, because A^2/4-1 is not a square) +// +// Let isr = invsqrt((A^2*r1 - r2^2) * A * r2^3) +// isr = sqrt(1 / ((A^2*r1 - r2^2) * A * r2^3)) if e = 1 +// isr = sqrt(sqrt(-1) / ((A^2*r1 - r2^2) * A * r2^3)) if e = -1 +// +// if e = 1 +// let u1 = -A * (A^2*r1 - r2^2) * A * r2^2 * isr^2 +// u1 = w +// u1 = u +// +// if e = -1 +// let ufactor = -non_square * sqrt(-1) * r^2 +// let vfactor = sqrt(ufactor) +// let u2 = -A * (A^2*r1 - r2^2) * A * r2^2 * isr^2 * ufactor +// u2 = w * -1 * -non_square * r^2 +// u2 = w * non_square * r^2 +// u2 = u +void crypto_elligator_map(u8 curve[32], const u8 hidden[32]) +{ + fe r, u, t1, t2, t3; + fe_frombytes_mask(r, hidden, 2); // r is encoded in 254 bits. + fe_sq(r, r); + fe_add(t1, r, r); + fe_add(u, t1, fe_one); + fe_sq (t2, u); + fe_mul(t3, A2, t1); + fe_sub(t3, t3, t2); + fe_mul(t3, t3, A); + fe_mul(t1, t2, u); + fe_mul(t1, t3, t1); + int is_square = invsqrt(t1, t1); + fe_mul(u, r, ufactor); + fe_ccopy(u, fe_one, is_square); + fe_sq (t1, t1); + fe_mul(u, u, A); + fe_mul(u, u, t3); + fe_mul(u, u, t2); + fe_mul(u, u, t1); + fe_neg(u, u); + fe_tobytes(curve, u); + + WIPE_BUFFER(t1); WIPE_BUFFER(r); + WIPE_BUFFER(t2); WIPE_BUFFER(u); + WIPE_BUFFER(t3); +} + +// Elligator inverse map +// +// Computes the representative of a point, if possible. If not, it does +// nothing and returns -1. Note that the success of the operation +// depends only on the point (more precisely its u coordinate). The +// tweak parameter is used only upon success +// +// The tweak should be a random byte. Beyond that, its contents are an +// implementation detail. Currently, the tweak comprises: +// - Bit 1 : sign of the v coordinate (0 if positive, 1 if negative) +// - Bit 2-5: not used +// - Bits 6-7: random padding +// +// From the paper: +// Let sq = -non_square * u * (u+A) +// if sq is not a square, or u = -A, there is no mapping +// Assuming there is a mapping: +// if v is positive: r = sqrt(-u / (non_square * (u+A))) +// if v is negative: r = sqrt(-(u+A) / (non_square * u )) +// +// We compute isr = invsqrt(-non_square * u * (u+A)) +// if it wasn't a square, abort. +// else, isr = sqrt(-1 / (non_square * u * (u+A)) +// +// If v is positive, we return isr * u: +// isr * u = sqrt(-1 / (non_square * u * (u+A)) * u +// isr * u = sqrt(-u / (non_square * (u+A)) +// +// If v is negative, we return isr * (u+A): +// isr * (u+A) = sqrt(-1 / (non_square * u * (u+A)) * (u+A) +// isr * (u+A) = sqrt(-(u+A) / (non_square * u) +int crypto_elligator_rev(u8 hidden[32], const u8 public_key[32], u8 tweak) +{ + fe t1, t2, t3; + fe_frombytes(t1, public_key); // t1 = u + + fe_add(t2, t1, A); // t2 = u + A + fe_mul(t3, t1, t2); + fe_mul_small(t3, t3, -2); + int is_square = invsqrt(t3, t3); // t3 = sqrt(-1 / non_square * u * (u+A)) + if (is_square) { + // The only variable time bit. This ultimately reveals how many + // tries it took us to find a representable key. + // This does not affect security as long as we try keys at random. + + fe_ccopy (t1, t2, tweak & 1); // multiply by u if v is positive, + fe_mul (t3, t1, t3); // multiply by u+A otherwise + fe_mul_small(t1, t3, 2); + fe_neg (t2, t3); + fe_ccopy (t3, t2, fe_isodd(t1)); + fe_tobytes(hidden, t3); + + // Pad with two random bits + hidden[31] |= tweak & 0xc0; + } + + WIPE_BUFFER(t1); + WIPE_BUFFER(t2); + WIPE_BUFFER(t3); + return is_square - 1; +} + +void crypto_elligator_key_pair(u8 hidden[32], u8 secret_key[32], u8 seed[32]) +{ + u8 pk [32]; // public key + u8 buf[64]; // seed + representative + COPY(buf + 32, seed, 32); + do { + crypto_chacha20_djb(buf, 0, 64, buf+32, zero, 0); + crypto_x25519_dirty_fast(pk, buf); // or the "small" version + } while(crypto_elligator_rev(buf+32, pk, buf[32])); + // Note that the return value of crypto_elligator_rev() is + // independent from its tweak parameter. + // Therefore, buf[32] is not actually reused. Either we loop one + // more time and buf[32] is used for the new seed, or we succeeded, + // and buf[32] becomes the tweak parameter. + + crypto_wipe(seed, 32); + COPY(hidden , buf + 32, 32); + COPY(secret_key, buf , 32); + WIPE_BUFFER(buf); + WIPE_BUFFER(pk); +} + +/////////////////////// +/// Scalar division /// +/////////////////////// + +// Montgomery reduction. +// Divides x by (2^256), and reduces the result modulo L +// +// Precondition: +// x < L * 2^256 +// Constants: +// r = 2^256 (makes division by r trivial) +// k = (r * (1/r) - 1) // L (1/r is computed modulo L ) +// Algorithm: +// s = (x * k) % r +// t = x + s*L (t is always a multiple of r) +// u = (t/r) % L (u is always below 2*L, conditional subtraction is enough) +static void redc(u32 u[8], u32 x[16]) +{ + static const u32 k[8] = { + 0x12547e1b, 0xd2b51da3, 0xfdba84ff, 0xb1a206f2, + 0xffa36bea, 0x14e75438, 0x6fe91836, 0x9db6c6f2, + }; + + // s = x * k (modulo 2^256) + // This is cheaper than the full multiplication. + u32 s[8] = {0}; + FOR (i, 0, 8) { + u64 carry = 0; + FOR (j, 0, 8-i) { + carry += s[i+j] + (u64)x[i] * k[j]; + s[i+j] = (u32)carry; + carry >>= 32; + } + } + u32 t[16] = {0}; + multiply(t, s, L); + + // t = t + x + u64 carry = 0; + FOR (i, 0, 16) { + carry += (u64)t[i] + x[i]; + t[i] = (u32)carry; + carry >>= 32; + } + + // u = (t / 2^256) % L + // Note that t / 2^256 is always below 2*L, + // So a constant time conditional subtraction is enough + remove_l(u, t+8); + + WIPE_BUFFER(s); + WIPE_BUFFER(t); +} + +void crypto_x25519_inverse(u8 blind_salt [32], const u8 private_key[32], + const u8 curve_point[32]) +{ + static const u8 Lm2[32] = { // L - 2 + 0xeb, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, + }; + // 1 in Montgomery form + u32 m_inv [8] = { + 0x8d98951d, 0xd6ec3174, 0x737dcf70, 0xc6ef5bf4, + 0xfffffffe, 0xffffffff, 0xffffffff, 0x0fffffff, + }; + + u8 scalar[32]; + crypto_eddsa_trim_scalar(scalar, private_key); + + // Convert the scalar in Montgomery form + // m_scl = scalar * 2^256 (modulo L) + u32 m_scl[8]; + { + u32 tmp[16]; + ZERO(tmp, 8); + load32_le_buf(tmp+8, scalar, 8); + mod_l(scalar, tmp); + load32_le_buf(m_scl, scalar, 8); + WIPE_BUFFER(tmp); // Wipe ASAP to save stack space + } + + // Compute the inverse + u32 product[16]; + for (int i = 252; i >= 0; i--) { + ZERO(product, 16); + multiply(product, m_inv, m_inv); + redc(m_inv, product); + if (scalar_bit(Lm2, i)) { + ZERO(product, 16); + multiply(product, m_inv, m_scl); + redc(m_inv, product); + } + } + // Convert the inverse *out* of Montgomery form + // scalar = m_inv / 2^256 (modulo L) + COPY(product, m_inv, 8); + ZERO(product + 8, 8); + redc(m_inv, product); + store32_le_buf(scalar, m_inv, 8); // the *inverse* of the scalar + + // Clear the cofactor of scalar: + // cleared = scalar * (3*L + 1) (modulo 8*L) + // cleared = scalar + scalar * 3 * L (modulo 8*L) + // Note that (scalar * 3) is reduced modulo 8, so we only need the + // first byte. + add_xl(scalar, scalar[0] * 3); + + // Recall that 8*L < 2^256. However it is also very close to + // 2^255. If we spanned the ladder over 255 bits, random tests + // wouldn't catch the off-by-one error. + scalarmult(blind_salt, scalar, curve_point, 256); + + WIPE_BUFFER(scalar); WIPE_BUFFER(m_scl); + WIPE_BUFFER(product); WIPE_BUFFER(m_inv); +} + +//////////////////////////////// +/// Authenticated encryption /// +//////////////////////////////// +static void lock_auth(u8 mac[16], const u8 auth_key[32], + const u8 *ad , size_t ad_size, + const u8 *cipher_text, size_t text_size) +{ + u8 sizes[16]; // Not secret, not wiped + store64_le(sizes + 0, ad_size); + store64_le(sizes + 8, text_size); + crypto_poly1305_ctx poly_ctx; // auto wiped... + crypto_poly1305_init (&poly_ctx, auth_key); + crypto_poly1305_update(&poly_ctx, ad , ad_size); + crypto_poly1305_update(&poly_ctx, zero , align(ad_size, 16)); + crypto_poly1305_update(&poly_ctx, cipher_text, text_size); + crypto_poly1305_update(&poly_ctx, zero , align(text_size, 16)); + crypto_poly1305_update(&poly_ctx, sizes , 16); + crypto_poly1305_final (&poly_ctx, mac); // ...here +} + +void crypto_aead_init_x(crypto_aead_ctx *ctx, + u8 const key[32], const u8 nonce[24]) +{ + crypto_chacha20_h(ctx->key, key, nonce); + COPY(ctx->nonce, nonce + 16, 8); + ctx->counter = 0; +} + +void crypto_aead_init_djb(crypto_aead_ctx *ctx, + const u8 key[32], const u8 nonce[8]) +{ + COPY(ctx->key , key , 32); + COPY(ctx->nonce, nonce, 8); + ctx->counter = 0; +} + +void crypto_aead_init_ietf(crypto_aead_ctx *ctx, + const u8 key[32], const u8 nonce[12]) +{ + COPY(ctx->key , key , 32); + COPY(ctx->nonce, nonce + 4, 8); + ctx->counter = (u64)load32_le(nonce) << 32; +} + +void crypto_aead_write(crypto_aead_ctx *ctx, u8 *cipher_text, u8 mac[16], + const u8 *ad, size_t ad_size, + const u8 *plain_text, size_t text_size) +{ + u8 auth_key[64]; // the last 32 bytes are used for rekeying. + crypto_chacha20_djb(auth_key, 0, 64, ctx->key, ctx->nonce, ctx->counter); + crypto_chacha20_djb(cipher_text, plain_text, text_size, + ctx->key, ctx->nonce, ctx->counter + 1); + lock_auth(mac, auth_key, ad, ad_size, cipher_text, text_size); + COPY(ctx->key, auth_key + 32, 32); + WIPE_BUFFER(auth_key); +} + +int crypto_aead_read(crypto_aead_ctx *ctx, u8 *plain_text, const u8 mac[16], + const u8 *ad, size_t ad_size, + const u8 *cipher_text, size_t text_size) +{ + u8 auth_key[64]; // the last 32 bytes are used for rekeying. + u8 real_mac[16]; + crypto_chacha20_djb(auth_key, 0, 64, ctx->key, ctx->nonce, ctx->counter); + lock_auth(real_mac, auth_key, ad, ad_size, cipher_text, text_size); + int mismatch = crypto_verify16(mac, real_mac); + if (!mismatch) { + crypto_chacha20_djb(plain_text, cipher_text, text_size, + ctx->key, ctx->nonce, ctx->counter + 1); + COPY(ctx->key, auth_key + 32, 32); + } + WIPE_BUFFER(auth_key); + WIPE_BUFFER(real_mac); + return mismatch; +} + +void crypto_aead_lock(u8 *cipher_text, u8 mac[16], const u8 key[32], + const u8 nonce[24], const u8 *ad, size_t ad_size, + const u8 *plain_text, size_t text_size) +{ + crypto_aead_ctx ctx; + crypto_aead_init_x(&ctx, key, nonce); + crypto_aead_write(&ctx, cipher_text, mac, ad, ad_size, + plain_text, text_size); + crypto_wipe(&ctx, sizeof(ctx)); +} + +int crypto_aead_unlock(u8 *plain_text, const u8 mac[16], const u8 key[32], + const u8 nonce[24], const u8 *ad, size_t ad_size, + const u8 *cipher_text, size_t text_size) +{ + crypto_aead_ctx ctx; + crypto_aead_init_x(&ctx, key, nonce); + int mismatch = crypto_aead_read(&ctx, plain_text, mac, ad, ad_size, + cipher_text, text_size); + crypto_wipe(&ctx, sizeof(ctx)); + return mismatch; +} + +#ifdef MONOCYPHER_CPP_NAMESPACE +} +#endif diff --git a/src/monocypher/monocypher.h b/src/monocypher/monocypher.h new file mode 100644 index 000000000..d0afddc03 --- /dev/null +++ b/src/monocypher/monocypher.h @@ -0,0 +1,321 @@ +// Monocypher version 4.0.0 +// +// This file is dual-licensed. Choose whichever licence you want from +// the two licences listed below. +// +// The first licence is a regular 2-clause BSD licence. The second licence +// is the CC-0 from Creative Commons. It is intended to release Monocypher +// to the public domain. The BSD licence serves as a fallback option. +// +// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0 +// +// ------------------------------------------------------------------------ +// +// Copyright (c) 2017-2019, Loup Vaillant +// All rights reserved. +// +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// 1. Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright +// notice, this list of conditions and the following disclaimer in the +// documentation and/or other materials provided with the +// distribution. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +// ------------------------------------------------------------------------ +// +// Written in 2017-2019 by Loup Vaillant +// +// To the extent possible under law, the author(s) have dedicated all copyright +// and related neighboring rights to this software to the public domain +// worldwide. This software is distributed without any warranty. +// +// You should have received a copy of the CC0 Public Domain Dedication along +// with this software. If not, see +// + +#ifndef MONOCYPHER_H +#define MONOCYPHER_H + +#include +#include + +#ifdef MONOCYPHER_CPP_NAMESPACE +namespace MONOCYPHER_CPP_NAMESPACE { +#elif defined(__cplusplus) +extern "C" { +#endif + +// Constant time comparisons +// ------------------------- + +// Return 0 if a and b are equal, -1 otherwise +int crypto_verify16(const uint8_t a[16], const uint8_t b[16]); +int crypto_verify32(const uint8_t a[32], const uint8_t b[32]); +int crypto_verify64(const uint8_t a[64], const uint8_t b[64]); + + +// Erase sensitive data +// -------------------- +void crypto_wipe(void *secret, size_t size); + + +// Authenticated encryption +// ------------------------ +void crypto_aead_lock(uint8_t *cipher_text, + uint8_t mac [16], + const uint8_t key [32], + const uint8_t nonce[24], + const uint8_t *ad, size_t ad_size, + const uint8_t *plain_text, size_t text_size); +int crypto_aead_unlock(uint8_t *plain_text, + const uint8_t mac [16], + const uint8_t key [32], + const uint8_t nonce[24], + const uint8_t *ad, size_t ad_size, + const uint8_t *cipher_text, size_t text_size); + +// Authenticated stream +// -------------------- +typedef struct { + uint64_t counter; + uint8_t key[32]; + uint8_t nonce[8]; +} crypto_aead_ctx; + +void crypto_aead_init_x(crypto_aead_ctx *ctx, + const uint8_t key[32], const uint8_t nonce[24]); +void crypto_aead_init_djb(crypto_aead_ctx *ctx, + const uint8_t key[32], const uint8_t nonce[8]); +void crypto_aead_init_ietf(crypto_aead_ctx *ctx, + const uint8_t key[32], const uint8_t nonce[12]); + +void crypto_aead_write(crypto_aead_ctx *ctx, + uint8_t *cipher_text, + uint8_t mac[16], + const uint8_t *ad , size_t ad_size, + const uint8_t *plain_text, size_t text_size); +int crypto_aead_read(crypto_aead_ctx *ctx, + uint8_t *plain_text, + const uint8_t mac[16], + const uint8_t *ad , size_t ad_size, + const uint8_t *cipher_text, size_t text_size); + + +// General purpose hash (BLAKE2b) +// ------------------------------ + +// Direct interface +void crypto_blake2b(uint8_t *hash, size_t hash_size, + const uint8_t *message, size_t message_size); + +void crypto_blake2b_keyed(uint8_t *hash, size_t hash_size, + const uint8_t *key, size_t key_size, + const uint8_t *message, size_t message_size); + +// Incremental interface +typedef struct { + // Do not rely on the size or contents of this type, + // for they may change without notice. + uint64_t hash[8]; + uint64_t input_offset[2]; + uint64_t input[16]; + size_t input_idx; + size_t hash_size; +} crypto_blake2b_ctx; + +void crypto_blake2b_init(crypto_blake2b_ctx *ctx, size_t hash_size); +void crypto_blake2b_keyed_init(crypto_blake2b_ctx *ctx, size_t hash_size, + const uint8_t *key, size_t key_size); +void crypto_blake2b_update(crypto_blake2b_ctx *ctx, + const uint8_t *message, size_t message_size); +void crypto_blake2b_final(crypto_blake2b_ctx *ctx, uint8_t *hash); + + +// Password key derivation (Argon2) +// -------------------------------- +#define CRYPTO_ARGON2_D 0 +#define CRYPTO_ARGON2_I 1 +#define CRYPTO_ARGON2_ID 2 + +typedef struct { + uint32_t algorithm; // Argon2d, Argon2i, Argon2id + uint32_t nb_blocks; // memory hardness, >= 8 * nb_lanes + uint32_t nb_passes; // CPU hardness, >= 1 (>= 3 recommended for Argon2i) + uint32_t nb_lanes; // parallelism level (single threaded anyway) +} crypto_argon2_config; + +typedef struct { + const uint8_t *pass; + const uint8_t *salt; + uint32_t pass_size; + uint32_t salt_size; // 16 bytes recommended +} crypto_argon2_inputs; + +typedef struct { + const uint8_t *key; // may be NULL if no key + const uint8_t *ad; // may be NULL if no additional data + uint32_t key_size; // 0 if no key (32 bytes recommended otherwise) + uint32_t ad_size; // 0 if no additional data +} crypto_argon2_extras; + +extern const crypto_argon2_extras crypto_argon2_no_extras; + +void crypto_argon2(uint8_t *hash, uint32_t hash_size, void *work_area, + crypto_argon2_config config, + crypto_argon2_inputs inputs, + crypto_argon2_extras extras); + + +// Key exchange (X-25519) +// ---------------------- + +// Shared secrets are not quite random. +// Hash them to derive an actual shared key. +void crypto_x25519_public_key(uint8_t public_key[32], + const uint8_t secret_key[32]); +void crypto_x25519(uint8_t raw_shared_secret[32], + const uint8_t your_secret_key [32], + const uint8_t their_public_key [32]); + +// Conversion to EdDSA +void crypto_x25519_to_eddsa(uint8_t eddsa[32], const uint8_t x25519[32]); + +// scalar "division" +// Used for OPRF. Be aware that exponential blinding is less secure +// than Diffie-Hellman key exchange. +void crypto_x25519_inverse(uint8_t blind_salt [32], + const uint8_t private_key[32], + const uint8_t curve_point[32]); + +// "Dirty" versions of x25519_public_key(). +// Use with crypto_elligator_rev(). +// Leaks 3 bits of the private key. +void crypto_x25519_dirty_small(uint8_t pk[32], const uint8_t sk[32]); +void crypto_x25519_dirty_fast (uint8_t pk[32], const uint8_t sk[32]); + + +// Signatures +// ---------- + +// EdDSA with curve25519 + BLAKE2b +void crypto_eddsa_key_pair(uint8_t secret_key[64], + uint8_t public_key[32], + uint8_t seed[32]); +void crypto_eddsa_sign(uint8_t signature [64], + const uint8_t secret_key[64], + const uint8_t *message, size_t message_size); +int crypto_eddsa_check(const uint8_t signature [64], + const uint8_t public_key[32], + const uint8_t *message, size_t message_size); + +// Conversion to X25519 +void crypto_eddsa_to_x25519(uint8_t x25519[32], const uint8_t eddsa[32]); + +// EdDSA building blocks +void crypto_eddsa_trim_scalar(uint8_t out[32], const uint8_t in[32]); +void crypto_eddsa_reduce(uint8_t reduced[32], const uint8_t expanded[64]); +void crypto_eddsa_mul_add(uint8_t r[32], + const uint8_t a[32], + const uint8_t b[32], + const uint8_t c[32]); +void crypto_eddsa_scalarbase(uint8_t point[32], const uint8_t scalar[32]); +int crypto_eddsa_check_equation(const uint8_t signature[64], + const uint8_t public_key[32], + const uint8_t h_ram[32]); + + +// Chacha20 +// -------- + +// Specialised hash. +// Used to hash X25519 shared secrets. +void crypto_chacha20_h(uint8_t out[32], + const uint8_t key[32], + const uint8_t in [16]); + +// Unauthenticated stream cipher. +// Don't forget to add authentication. +uint64_t crypto_chacha20_djb(uint8_t *cipher_text, + const uint8_t *plain_text, + size_t text_size, + const uint8_t key[32], + const uint8_t nonce[8], + uint64_t ctr); +uint32_t crypto_chacha20_ietf(uint8_t *cipher_text, + const uint8_t *plain_text, + size_t text_size, + const uint8_t key[32], + const uint8_t nonce[12], + uint32_t ctr); +uint64_t crypto_chacha20_x(uint8_t *cipher_text, + const uint8_t *plain_text, + size_t text_size, + const uint8_t key[32], + const uint8_t nonce[24], + uint64_t ctr); + + +// Poly 1305 +// --------- + +// This is a *one time* authenticator. +// Disclosing the mac reveals the key. +// See crypto_lock() on how to use it properly. + +// Direct interface +void crypto_poly1305(uint8_t mac[16], + const uint8_t *message, size_t message_size, + const uint8_t key[32]); + +// Incremental interface +typedef struct { + // Do not rely on the size or contents of this type, + // for they may change without notice. + uint8_t c[16]; // chunk of the message + size_t c_idx; // How many bytes are there in the chunk. + uint32_t r [4]; // constant multiplier (from the secret key) + uint32_t pad[4]; // random number added at the end (from the secret key) + uint32_t h [5]; // accumulated hash +} crypto_poly1305_ctx; + +void crypto_poly1305_init (crypto_poly1305_ctx *ctx, const uint8_t key[32]); +void crypto_poly1305_update(crypto_poly1305_ctx *ctx, + const uint8_t *message, size_t message_size); +void crypto_poly1305_final (crypto_poly1305_ctx *ctx, uint8_t mac[16]); + + +// Elligator 2 +// ----------- + +// Elligator mappings proper +void crypto_elligator_map(uint8_t curve [32], const uint8_t hidden[32]); +int crypto_elligator_rev(uint8_t hidden[32], const uint8_t curve [32], + uint8_t tweak); + +// Easy to use key pair generation +void crypto_elligator_key_pair(uint8_t hidden[32], uint8_t secret_key[32], + uint8_t seed[32]); + +#ifdef __cplusplus +} +#endif + +#endif // MONOCYPHER_H diff --git a/src/stun.c b/src/stun.c index 722d32906..9845900af 100644 --- a/src/stun.c +++ b/src/stun.c @@ -84,7 +84,7 @@ STUN_node (void) return node; } -static void +void csprng ( void * const buffer, diff --git a/src/stun.h b/src/stun.h index 7fe6bf42a..17cfafa31 100644 --- a/src/stun.h +++ b/src/stun.h @@ -18,6 +18,8 @@ extern "C" { typedef void (*stun_callback_t)(UINT32 address); +void csprng (void * const buffer, const size_t size); + void STUN_bind (stun_callback_t); boolean STUN_got_response (const char * const buffer, const size_t size); diff --git a/src/typedef.h b/src/typedef.h index 0615e7034..3927d1fab 100644 --- a/src/typedef.h +++ b/src/typedef.h @@ -71,6 +71,8 @@ TYPEDEF (filesneededconfig_pak); TYPEDEF (doomdata_t); TYPEDEF (serverelem_t); TYPEDEF (rewind_t); +TYPEDEF (clientkey_pak); +TYPEDEF (serverchallenge_pak); // d_event.h TYPEDEF (event_t); From 568dc59aa50b59e03318124bafaa792f704727cb Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 01:24:13 -0700 Subject: [PATCH 04/70] State scaffolding for challenge-response --- src/d_clisrv.c | 29 +++++++++++++++++++++++++++-- src/d_clisrv.h | 1 + src/d_main.h | 3 +++ 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index ffcafc46f..49770182f 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -161,6 +161,8 @@ char lastReceivedKey[MAXNETNODES][32]; boolean serverisfull = false; //lets us be aware if the server was full after we check files, but before downloading, so we can ask if the user still wants to download or not tic_t firstconnectattempttime = 0; +char awaitingChallenge[32]; + // engine // Must be a power of two @@ -833,6 +835,14 @@ static boolean CL_SendJoin(void) return HSendPacket(servernode, false, 0, sizeof (clientconfig_pak)); } +static boolean CL_SendKey(void) +{ + netbuffer->packettype = PT_CLIENTKEY; + + memcpy(netbuffer->u.clientkey.key, public_key, sizeof(public_key)); + return HSendPacket(servernode, false, 0, sizeof (clientkey_pak) ); +} + static void CopyCaretColors (char *p, const char *s, int n) { @@ -1883,6 +1893,7 @@ static boolean CL_ServerConnectionTicker(const char *tmpsave, tic_t *oldtic, tic return false; } case CL_LOADFILES: + CONS_Printf("loadfiles\n"); if (CL_LoadServerFiles()) cl_mode = CL_SETUPFILES; @@ -1892,7 +1903,7 @@ static boolean CL_ServerConnectionTicker(const char *tmpsave, tic_t *oldtic, tic { *asksent = 0; //This ensure the first join ask is right away firstconnectattempttime = I_GetTime(); - cl_mode = CL_ASKJOIN; + cl_mode = CL_SENDKEY; } break; case CL_ASKJOIN: @@ -1929,8 +1940,19 @@ static boolean CL_ServerConnectionTicker(const char *tmpsave, tic_t *oldtic, tic } break; case CL_SENDKEY: + CONS_Printf("sendkey\n"); + if (I_GetTime() >= *asksent && CL_SendKey()) + { + *asksent = I_GetTime() + NEWTICRATE*3; + cl_mode = CL_WAITCHALLENGE; + } break; case CL_WAITCHALLENGE: + CONS_Printf("waitchallenge\n"); + if (I_GetTime() >= *asksent) + { + cl_mode = CL_SENDKEY; + } break; case CL_DOWNLOADSAVEGAME: // At this state, the first (and only) needed file is the gamestate @@ -4501,11 +4523,14 @@ static void HandlePacketFromAwayNode(SINT8 node) if (node == servernode) break; /* FALLTHRU */ - case PT_CLIENTKEY: if (server) PT_ClientKey(node); break; + case PT_SERVERCHALLENGE: + memset(awaitingChallenge, 0, 32); // TODO: ACTUALLY COMPUTE CHALLENGE RESPONSE IDIOT + cl_mode = CL_ASKJOIN; + break; default: DEBFILE(va("unknown packet received (%d) from unknown host\n",netbuffer->packettype)); Net_CloseConnection(node); diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 0b1529fbd..897cee81c 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -256,6 +256,7 @@ struct clientconfig_pak UINT8 mode; char names[MAXSPLITSCREENPLAYERS][MAXPLAYERNAME]; UINT8 availabilities[MAXAVAILABILITY]; + char challengeResponse[32]; } ATTRPACK; #define SV_SPEEDMASK 0x03 // used to send kartspeed diff --git a/src/d_main.h b/src/d_main.h index cdfee4e0c..f6962e25c 100644 --- a/src/d_main.h +++ b/src/d_main.h @@ -31,6 +31,9 @@ extern const char *pandf; //Alam: how to path? extern char srb2path[256]; //Alam: SRB2's Home extern char addonsdir[MAX_WADPATH]; // Where addons are stored +extern uint8_t public_key[32]; +extern uint8_t secret_key[32]; + // the infinite loop of D_SRB2Loop() called from win_main for windows version void D_SRB2Loop(void) FUNCNORETURN; From 9b77d953571db0432d8aa05c46c53c3e676e669f Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 02:01:45 -0700 Subject: [PATCH 05/70] Pass key into player_t for other stuff to work with it --- src/d_clisrv.c | 8 ++++++++ src/d_clisrv.h | 1 + src/d_netfil.c | 6 ++++-- src/d_player.h | 2 ++ 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 49770182f..48ef2d6bd 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -157,6 +157,7 @@ char connectedservername[MAXSERVERNAME]; boolean acceptnewnode = true; char lastReceivedKey[MAXNETNODES][32]; +char lastComputedChallenge[MAXNETNODES][32]; boolean serverisfull = false; //lets us be aware if the server was full after we check files, but before downloading, so we can ask if the user still wants to download or not tic_t firstconnectattempttime = 0; @@ -832,6 +833,8 @@ static boolean CL_SendJoin(void) memcpy(&netbuffer->u.clientcfg.availabilities, R_GetSkinAvailabilities(false, false), MAXAVAILABILITY*sizeof(UINT8)); + memcpy(&netbuffer->u.clientcfg.challengeResponse, awaitingChallenge, 32); + return HSendPacket(servernode, false, 0, sizeof (clientconfig_pak)); } @@ -3684,6 +3687,7 @@ static void Got_AddPlayer(UINT8 **p, INT32 playernum) players[newplayernum].splitscreenindex = splitscreenplayer; players[newplayernum].bot = false; + memcpy(players[newplayernum].public_key, lastReceivedKey[node], sizeof(public_key)); playerconsole[newplayernum] = console; splitscreen_original_party_size[console] = @@ -4136,6 +4140,10 @@ static void HandleConnect(SINT8 node) SV_SendRefuse(node, va(M_GetText("Too many people are connecting.\nPlease wait %d seconds and then\ntry rejoining."), (joindelay - 2 * cv_joindelay.value * TICRATE) / TICRATE)); } + else if (netgame && node != 0 && !memcmp(netbuffer->u.clientcfg.challengeResponse, lastComputedChallenge[node], 32)) + { + SV_SendRefuse(node, M_GetText("Failed to validate key exchange.")); + } else { boolean newnode = false; diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 897cee81c..c400bb8a1 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -461,6 +461,7 @@ extern boolean acceptnewnode; extern SINT8 servernode; extern char connectedservername[MAXSERVERNAME]; extern char lastReceivedKey[MAXNETNODES][32]; +extern char lastComputedChallenge[MAXNETNODES][32]; void Command_Ping_f(void); extern tic_t connectiontimeout; diff --git a/src/d_netfil.c b/src/d_netfil.c index a23f688d1..cf57195cf 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -1319,13 +1319,15 @@ void PT_ClientKey(INT32 node) clientkey_pak *packet = (void*)&netbuffer->u.clientkey; // TODO - // Stage 1: Exchange packets with no verification of their contents (YOU ARE HERE) - // Stage 2: Exchange packets with a check, but no crypto + // Stage 1: Exchange packets with no verification of their contents + // Stage 2: Exchange packets with a check, but no crypto (YOU ARE HERE) // Stage 3: The crypto part memcpy(lastReceivedKey[node], packet->key, 32); netbuffer->packettype = PT_SERVERCHALLENGE; + csprng(lastComputedChallenge[node], sizeof(serverchallenge_pak)); + memcpy(&netbuffer->u.serverchallenge, lastComputedChallenge[node], sizeof(serverchallenge_pak)); HSendPacket(node, false, 0, sizeof (serverchallenge_pak)); } diff --git a/src/d_player.h b/src/d_player.h index e362687fb..8d09a5d2d 100644 --- a/src/d_player.h +++ b/src/d_player.h @@ -713,6 +713,8 @@ struct player_t mobj_t *stumbleIndicator; mobj_t *sliptideZipIndicator; + char public_key[32]; + #ifdef HWRENDER fixed_t fovadd; // adjust FOV for hw rendering #endif From 138663bf5a9c28052c689deeec8887a9ce2541af Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 05:18:04 -0700 Subject: [PATCH 06/70] Literally, unironically, draw the rest of the owl --- src/d_clisrv.c | 29 ++++++++++++++++++++++------- src/d_clisrv.h | 6 +++--- src/d_main.c | 26 +++++++++++++++----------- src/d_main.h | 2 +- src/d_netfil.c | 9 +++++---- src/d_player.h | 2 +- 6 files changed, 47 insertions(+), 27 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 48ef2d6bd..4ba2fdcea 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -47,6 +47,7 @@ #include "lua_hook.h" #include "md5.h" #include "m_perfstats.h" +#include "monocypher/monocypher.h" // SRB2Kart #include "k_kart.h" @@ -156,13 +157,13 @@ char connectedservername[MAXSERVERNAME]; /// \todo WORK! boolean acceptnewnode = true; -char lastReceivedKey[MAXNETNODES][32]; -char lastComputedChallenge[MAXNETNODES][32]; +uint8_t lastReceivedKey[MAXNETNODES][32]; +uint8_t lastSentChallenge[MAXNETNODES][32]; boolean serverisfull = false; //lets us be aware if the server was full after we check files, but before downloading, so we can ask if the user still wants to download or not tic_t firstconnectattempttime = 0; -char awaitingChallenge[32]; +uint8_t awaitingChallenge[32]; // engine @@ -833,7 +834,16 @@ static boolean CL_SendJoin(void) memcpy(&netbuffer->u.clientcfg.availabilities, R_GetSkinAvailabilities(false, false), MAXAVAILABILITY*sizeof(UINT8)); - memcpy(&netbuffer->u.clientcfg.challengeResponse, awaitingChallenge, 32); + uint8_t signature[64]; + crypto_eddsa_sign(signature, secret_key, awaitingChallenge, 32); + + if (crypto_eddsa_check(signature, public_key, awaitingChallenge, 32) != 0) + I_Error("Couldn't verify own key?"); + + // Testing + // memset(signature, 0, sizeof(signature)); + + memcpy(&netbuffer->u.clientcfg.challengeResponse, signature, sizeof(signature)); return HSendPacket(servernode, false, 0, sizeof (clientconfig_pak)); } @@ -4059,6 +4069,11 @@ static void HandleConnect(SINT8 node) if (playernode[i] != UINT8_MAX) // We use this to count players because it is affected by SV_AddWaitingPlayers when more than one client joins on the same tic, unlike playeringame and D_NumPlayers. UINT8_MAX denotes no node for that player connectedplayers++; + // Testing + // memset(netbuffer->u.clientcfg.challengeResponse, 0, sizeof(netbuffer->u.clientcfg.challengeResponse)); + + int sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse, lastReceivedKey[node], lastSentChallenge[node], 32); + if (bannednode && bannednode[node].banid != SIZE_MAX) { const char *reason = NULL; @@ -4140,9 +4155,9 @@ static void HandleConnect(SINT8 node) SV_SendRefuse(node, va(M_GetText("Too many people are connecting.\nPlease wait %d seconds and then\ntry rejoining."), (joindelay - 2 * cv_joindelay.value * TICRATE) / TICRATE)); } - else if (netgame && node != 0 && !memcmp(netbuffer->u.clientcfg.challengeResponse, lastComputedChallenge[node], 32)) + else if (netgame && node != 0 && sigcheck != 0) { - SV_SendRefuse(node, M_GetText("Failed to validate key exchange.")); + SV_SendRefuse(node, M_GetText("Signature verification failed.")); } else { @@ -4536,7 +4551,7 @@ static void HandlePacketFromAwayNode(SINT8 node) PT_ClientKey(node); break; case PT_SERVERCHALLENGE: - memset(awaitingChallenge, 0, 32); // TODO: ACTUALLY COMPUTE CHALLENGE RESPONSE IDIOT + memcpy(awaitingChallenge, netbuffer->u.serverchallenge.secret, sizeof(awaitingChallenge)); cl_mode = CL_ASKJOIN; break; default: diff --git a/src/d_clisrv.h b/src/d_clisrv.h index c400bb8a1..43e9bf540 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -256,7 +256,7 @@ struct clientconfig_pak UINT8 mode; char names[MAXSPLITSCREENPLAYERS][MAXPLAYERNAME]; UINT8 availabilities[MAXAVAILABILITY]; - char challengeResponse[32]; + uint8_t challengeResponse[64]; } ATTRPACK; #define SV_SPEEDMASK 0x03 // used to send kartspeed @@ -460,8 +460,8 @@ extern UINT16 software_MAXPACKETLENGTH; extern boolean acceptnewnode; extern SINT8 servernode; extern char connectedservername[MAXSERVERNAME]; -extern char lastReceivedKey[MAXNETNODES][32]; -extern char lastComputedChallenge[MAXNETNODES][32]; +extern uint8_t lastReceivedKey[MAXNETNODES][32]; +extern uint8_t lastSentChallenge[MAXNETNODES][32]; void Command_Ping_f(void); extern tic_t connectiontimeout; diff --git a/src/d_main.c b/src/d_main.c index d1aacefd2..8bfe889cb 100644 --- a/src/d_main.c +++ b/src/d_main.c @@ -161,7 +161,7 @@ boolean dedicated = false; // For identity negotiation with netgame servers uint8_t public_key[32]; -uint8_t secret_key[32]; +uint8_t secret_key[64]; // // D_PostEvent @@ -1715,32 +1715,36 @@ void D_SRB2Main(void) ACS_Init(); CON_SetLoadingProgress(LOADED_ACSINIT); - // -- IT'S HOMEGROWN CRYPTO TIME -- - // TODO: This file should probably give a fuck about command line params, // or not be stored next to the EXE in a way that allows people to unknowingly send it to others. static char keyfile[16] = "rrid.dat"; - csprng(secret_key, 32); + static uint8_t seed[32]; + csprng(seed, 32); + crypto_eddsa_key_pair(secret_key, public_key, seed); + + int sk_size = sizeof(secret_key); + int pk_size = sizeof(public_key); + int totalsize = sk_size + pk_size; if (FIL_ReadFileOK(keyfile)) { UINT8 *readbuffer = NULL; UINT16 lengthRead = FIL_ReadFile(keyfile, &readbuffer); - if (readbuffer == NULL || lengthRead != 32) + if (readbuffer == NULL || lengthRead != totalsize) I_Error("Malformed keyfile"); - memcpy(secret_key, readbuffer, 32); + memcpy(secret_key, readbuffer, sk_size); + memcpy(public_key, readbuffer + sk_size, pk_size); } else { - if (!FIL_WriteFile(keyfile, secret_key, 32)) + uint8_t keybuffer[totalsize]; + memcpy(keybuffer, secret_key, sk_size); + memcpy(keybuffer + sk_size, public_key, pk_size); + if (!FIL_WriteFile(keyfile, keybuffer, totalsize)) I_Error("Couldn't open keyfile"); } - crypto_x25519_public_key(public_key, secret_key); - - // -- END HOMEGROWN CRYPTO TIME -- - //------------------------------------------------ COMMAND LINE PARAMS // this must be done after loading gamedata, diff --git a/src/d_main.h b/src/d_main.h index f6962e25c..199166c9e 100644 --- a/src/d_main.h +++ b/src/d_main.h @@ -32,7 +32,7 @@ extern char srb2path[256]; //Alam: SRB2's Home extern char addonsdir[MAX_WADPATH]; // Where addons are stored extern uint8_t public_key[32]; -extern uint8_t secret_key[32]; +extern uint8_t secret_key[64]; // the infinite loop of D_SRB2Loop() called from win_main for windows version void D_SRB2Loop(void) FUNCNORETURN; diff --git a/src/d_netfil.c b/src/d_netfil.c index cf57195cf..ee686f230 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -1320,14 +1320,15 @@ void PT_ClientKey(INT32 node) // TODO // Stage 1: Exchange packets with no verification of their contents - // Stage 2: Exchange packets with a check, but no crypto (YOU ARE HERE) - // Stage 3: The crypto part + // Stage 2: Exchange packets with a check, but no crypto + // Stage 3: The crypto part (YOU ARE HERE) memcpy(lastReceivedKey[node], packet->key, 32); netbuffer->packettype = PT_SERVERCHALLENGE; - csprng(lastComputedChallenge[node], sizeof(serverchallenge_pak)); - memcpy(&netbuffer->u.serverchallenge, lastComputedChallenge[node], sizeof(serverchallenge_pak)); + + csprng(lastSentChallenge[node], sizeof(serverchallenge_pak)); + memcpy(&netbuffer->u.serverchallenge, lastSentChallenge[node], sizeof(serverchallenge_pak)); HSendPacket(node, false, 0, sizeof (serverchallenge_pak)); } diff --git a/src/d_player.h b/src/d_player.h index 8d09a5d2d..e7e3603cf 100644 --- a/src/d_player.h +++ b/src/d_player.h @@ -713,7 +713,7 @@ struct player_t mobj_t *stumbleIndicator; mobj_t *sliptideZipIndicator; - char public_key[32]; + uint8_t public_key[32]; #ifdef HWRENDER fixed_t fovadd; // adjust FOV for hw rendering From 7218c225ec19711e5ae7fe3215ab3f4942271b44 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 05:31:06 -0700 Subject: [PATCH 07/70] Remove state trace debug print --- src/d_clisrv.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 4ba2fdcea..c2d078b34 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -1906,7 +1906,6 @@ static boolean CL_ServerConnectionTicker(const char *tmpsave, tic_t *oldtic, tic return false; } case CL_LOADFILES: - CONS_Printf("loadfiles\n"); if (CL_LoadServerFiles()) cl_mode = CL_SETUPFILES; @@ -1953,7 +1952,6 @@ static boolean CL_ServerConnectionTicker(const char *tmpsave, tic_t *oldtic, tic } break; case CL_SENDKEY: - CONS_Printf("sendkey\n"); if (I_GetTime() >= *asksent && CL_SendKey()) { *asksent = I_GetTime() + NEWTICRATE*3; @@ -1961,7 +1959,6 @@ static boolean CL_ServerConnectionTicker(const char *tmpsave, tic_t *oldtic, tic } break; case CL_WAITCHALLENGE: - CONS_Printf("waitchallenge\n"); if (I_GetTime() >= *asksent) { cl_mode = CL_SENDKEY; From cacb4f453fe912e083055fe97da703d42b605306 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 13:24:55 -0700 Subject: [PATCH 08/70] Scramble keys and challenges when init/closing node --- src/d_net.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/d_net.c b/src/d_net.c index 3799ecd13..171e5f483 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -29,6 +29,7 @@ #include "z_zone.h" #include "i_tcp.h" #include "d_main.h" // srb2home +#include "stun.h" // // NETWORKING @@ -629,7 +630,12 @@ static void InitAck(void) ackpak[i].acknum = 0; for (i = 0; i < MAXNETNODES; i++) + { InitNode(&nodes[i]); + + csprng(lastSentChallenge[i], sizeof(lastSentChallenge[i])); + csprng(lastReceivedKey[i], sizeof(lastReceivedKey[i])); + } } /** Removes all acks of a given packet type @@ -699,6 +705,9 @@ void Net_CloseConnection(INT32 node) if (server) SV_AbortLuaFileTransfer(node); I_NetFreeNodenum(node); + + csprng(lastSentChallenge[node], sizeof(lastSentChallenge[node])); + csprng(lastReceivedKey[node], sizeof(lastReceivedKey[node])); } // From 4ffae5d862346bec5726ab5eccbfbf819870472b Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 18:05:46 -0700 Subject: [PATCH 09/70] Store keypairs in profiles, do signature verification for all splitscreen players --- src/d_clisrv.c | 62 +++++++++++++++++++++++++++++++++++------------- src/d_clisrv.h | 10 ++++---- src/d_main.c | 34 -------------------------- src/d_netfil.c | 7 +----- src/k_profiles.c | 27 +++++++++++++++++++-- src/k_profiles.h | 5 ++++ src/p_saveg.c | 4 ++++ 7 files changed, 85 insertions(+), 64 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index c2d078b34..29501d37c 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -157,8 +157,8 @@ char connectedservername[MAXSERVERNAME]; /// \todo WORK! boolean acceptnewnode = true; -uint8_t lastReceivedKey[MAXNETNODES][32]; -uint8_t lastSentChallenge[MAXNETNODES][32]; +uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; +uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; boolean serverisfull = false; //lets us be aware if the server was full after we check files, but before downloading, so we can ask if the user still wants to download or not tic_t firstconnectattempttime = 0; @@ -834,25 +834,45 @@ static boolean CL_SendJoin(void) memcpy(&netbuffer->u.clientcfg.availabilities, R_GetSkinAvailabilities(false, false), MAXAVAILABILITY*sizeof(UINT8)); - uint8_t signature[64]; - crypto_eddsa_sign(signature, secret_key, awaitingChallenge, 32); + // Don't leak old signatures from prior sessions. + memset(&netbuffer->u.clientcfg.challengeResponse, 0, sizeof(((clientconfig_pak *)0)->challengeResponse)); - if (crypto_eddsa_check(signature, public_key, awaitingChallenge, 32) != 0) - I_Error("Couldn't verify own key?"); + for (i = 0; i <= splitscreen; i++) + { + uint8_t signature[64]; + profile_t *localProfile = PR_GetLocalPlayerProfile(i); - // Testing - // memset(signature, 0, sizeof(signature)); + if (cv_lastprofile[0].value == 0) // GUESTS don't have keys + { + memset(signature, 0, 64); + } + else + { + crypto_eddsa_sign(signature, localProfile->secret_key, awaitingChallenge, 32); + if (crypto_eddsa_check(signature, localProfile->public_key, awaitingChallenge, 32) != 0) + I_Error("Couldn't self-verify key associated with player %d, profile %d.\nProfile data may be corrupted.", i, cv_lastprofile[i].value); // I guess this is the most reasonable way to catch a malformed key. + } - memcpy(&netbuffer->u.clientcfg.challengeResponse, signature, sizeof(signature)); + // Testing + // memset(signature, 0, sizeof(signature)); + + memcpy(&netbuffer->u.clientcfg.challengeResponse[i], signature, sizeof(signature)); + } return HSendPacket(servernode, false, 0, sizeof (clientconfig_pak)); } static boolean CL_SendKey(void) { + int i; netbuffer->packettype = PT_CLIENTKEY; - memcpy(netbuffer->u.clientkey.key, public_key, sizeof(public_key)); + memset(netbuffer->u.clientkey.key, 0, sizeof(((clientkey_pak *)0)->key)); + for (i = 0; i <= splitscreen; i++) + { + // GUEST profiles have all-zero keys. This will be handled at the end of the challenge process, don't worry about it. + memcpy(netbuffer->u.clientkey.key[i], PR_GetProfile(cv_lastprofile[i].value)->public_key, 32); + } return HSendPacket(servernode, false, 0, sizeof (clientkey_pak) ); } @@ -3694,7 +3714,7 @@ static void Got_AddPlayer(UINT8 **p, INT32 playernum) players[newplayernum].splitscreenindex = splitscreenplayer; players[newplayernum].bot = false; - memcpy(players[newplayernum].public_key, lastReceivedKey[node], sizeof(public_key)); + memcpy(players[newplayernum].public_key, lastReceivedKey[node][splitscreenplayer], sizeof(players[newplayernum].public_key)); playerconsole[newplayernum] = console; splitscreen_original_party_size[console] = @@ -4069,8 +4089,6 @@ static void HandleConnect(SINT8 node) // Testing // memset(netbuffer->u.clientcfg.challengeResponse, 0, sizeof(netbuffer->u.clientcfg.challengeResponse)); - int sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse, lastReceivedKey[node], lastSentChallenge[node], 32); - if (bannednode && bannednode[node].banid != SIZE_MAX) { const char *reason = NULL; @@ -4152,13 +4170,12 @@ static void HandleConnect(SINT8 node) SV_SendRefuse(node, va(M_GetText("Too many people are connecting.\nPlease wait %d seconds and then\ntry rejoining."), (joindelay - 2 * cv_joindelay.value * TICRATE) / TICRATE)); } - else if (netgame && node != 0 && sigcheck != 0) - { - SV_SendRefuse(node, M_GetText("Signature verification failed.")); - } else { + int sigcheck; boolean newnode = false; + char allZero[32]; + memset(allZero, 0, 32); for (i = 0; i < netbuffer->u.clientcfg.localplayers - playerpernode[node]; i++) { @@ -4168,6 +4185,17 @@ static void HandleConnect(SINT8 node) SV_SendRefuse(node, "Bad player name"); return; } + + if (memcmp(lastReceivedKey[node], allZero, 32)) // We're a GUEST and the server throws out our keys anyway. + sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O + else + sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node][i], 32); + + if (netgame && node != 0 && sigcheck != 0) + { + SV_SendRefuse(node, M_GetText("Signature verification failed.")); + return; + } } memcpy(availabilitiesbuffer, netbuffer->u.clientcfg.availabilities, sizeof(availabilitiesbuffer)); diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 43e9bf540..2c2ffaef0 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -256,7 +256,7 @@ struct clientconfig_pak UINT8 mode; char names[MAXSPLITSCREENPLAYERS][MAXPLAYERNAME]; UINT8 availabilities[MAXAVAILABILITY]; - uint8_t challengeResponse[64]; + uint8_t challengeResponse[MAXSPLITSCREENPLAYERS][64]; } ATTRPACK; #define SV_SPEEDMASK 0x03 // used to send kartspeed @@ -353,12 +353,12 @@ struct filesneededconfig_pak struct clientkey_pak { - char key[32]; + char key[MAXSPLITSCREENPLAYERS][32]; } ATTRPACK; struct serverchallenge_pak { - char secret[32]; + char secret[MAXSPLITSCREENPLAYERS][32]; } ATTRPACK; // @@ -460,8 +460,8 @@ extern UINT16 software_MAXPACKETLENGTH; extern boolean acceptnewnode; extern SINT8 servernode; extern char connectedservername[MAXSERVERNAME]; -extern uint8_t lastReceivedKey[MAXNETNODES][32]; -extern uint8_t lastSentChallenge[MAXNETNODES][32]; +extern uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; +extern uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; void Command_Ping_f(void); extern tic_t connectiontimeout; diff --git a/src/d_main.c b/src/d_main.c index 8bfe889cb..a33125acd 100644 --- a/src/d_main.c +++ b/src/d_main.c @@ -159,10 +159,6 @@ INT32 eventhead, eventtail; boolean dedicated = false; -// For identity negotiation with netgame servers -uint8_t public_key[32]; -uint8_t secret_key[64]; - // // D_PostEvent // Called by the I/O functions when input is detected @@ -1715,36 +1711,6 @@ void D_SRB2Main(void) ACS_Init(); CON_SetLoadingProgress(LOADED_ACSINIT); - // TODO: This file should probably give a fuck about command line params, - // or not be stored next to the EXE in a way that allows people to unknowingly send it to others. - static char keyfile[16] = "rrid.dat"; - - static uint8_t seed[32]; - csprng(seed, 32); - crypto_eddsa_key_pair(secret_key, public_key, seed); - - int sk_size = sizeof(secret_key); - int pk_size = sizeof(public_key); - int totalsize = sk_size + pk_size; - - if (FIL_ReadFileOK(keyfile)) - { - UINT8 *readbuffer = NULL; - UINT16 lengthRead = FIL_ReadFile(keyfile, &readbuffer); - if (readbuffer == NULL || lengthRead != totalsize) - I_Error("Malformed keyfile"); - memcpy(secret_key, readbuffer, sk_size); - memcpy(public_key, readbuffer + sk_size, pk_size); - } - else - { - uint8_t keybuffer[totalsize]; - memcpy(keybuffer, secret_key, sk_size); - memcpy(keybuffer + sk_size, public_key, pk_size); - if (!FIL_WriteFile(keyfile, keybuffer, totalsize)) - I_Error("Couldn't open keyfile"); - } - //------------------------------------------------ COMMAND LINE PARAMS // this must be done after loading gamedata, diff --git a/src/d_netfil.c b/src/d_netfil.c index ee686f230..5b693b59a 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -1318,12 +1318,7 @@ void PT_ClientKey(INT32 node) { clientkey_pak *packet = (void*)&netbuffer->u.clientkey; - // TODO - // Stage 1: Exchange packets with no verification of their contents - // Stage 2: Exchange packets with a check, but no crypto - // Stage 3: The crypto part (YOU ARE HERE) - - memcpy(lastReceivedKey[node], packet->key, 32); + memcpy(lastReceivedKey[node], packet->key, sizeof(lastReceivedKey[node])); netbuffer->packettype = PT_SERVERCHALLENGE; diff --git a/src/k_profiles.c b/src/k_profiles.c index 75f2e77b4..acb993414 100644 --- a/src/k_profiles.c +++ b/src/k_profiles.c @@ -18,6 +18,8 @@ #include "k_profiles.h" #include "z_zone.h" #include "r_skins.h" +#include "monocypher/monocypher.h" +#include "stun.h" // List of all the profiles. static profile_t *profilesList[MAXPROFILES+1]; // +1 because we're gonna add a default "GUEST' profile. @@ -41,6 +43,16 @@ profile_t* PR_MakeProfile( new->version = PROFILEVER; + memset(new->secret_key, 0, sizeof(secret_key)); + memset(new->public_key, 0, sizeof(public_key)); + + if (!guest) + { + static uint8_t seed[32]; + csprng(seed, 32); + crypto_eddsa_key_pair(new->secret_key, new->public_key, seed); + } + strcpy(new->profilename, prname); new->profilename[sizeof new->profilename - 1] = '\0'; @@ -238,8 +250,10 @@ void PR_SaveProfiles(void) for (i = 1; i < numprofiles; i++) { - // Names. + // Names and keys, all the string data up front WRITESTRINGN(save.p, profilesList[i]->profilename, PROFILENAMELEN); + WRITESTRINGN(save.p, profilesList[i]->public_key, sizeof(((profile_t *)0)->public_key)); + WRITESTRINGN(save.p, profilesList[i]->secret_key, sizeof(((profile_t *)0)->secret_key)); WRITESTRINGN(save.p, profilesList[i]->playername, MAXPLAYERNAME); // Character and colour. @@ -329,8 +343,10 @@ void PR_LoadProfiles(void) // Version. (We always update this on successful forward step) profilesList[i]->version = PROFILEVER; - // Names. + // Names and keys, all the identity stuff up front READSTRINGN(save.p, profilesList[i]->profilename, PROFILENAMELEN); + READSTRINGN(save.p, profilesList[i]->public_key, sizeof(((profile_t *)0)->public_key)); + READSTRINGN(save.p, profilesList[i]->secret_key, sizeof(((profile_t *)0)->secret_key)); READSTRINGN(save.p, profilesList[i]->playername, MAXPLAYERNAME); // Character and colour. @@ -550,3 +566,10 @@ profile_t *PR_GetPlayerProfile(player_t *player) return NULL; } + +profile_t *PR_GetLocalPlayerProfile(INT32 player) +{ + if (player >= MAXSPLITSCREENPLAYERS) + return NULL; + return PR_GetProfile(cv_lastprofile[player].value); +} \ No newline at end of file diff --git a/src/k_profiles.h b/src/k_profiles.h index f0ae7e287..16af39687 100644 --- a/src/k_profiles.h +++ b/src/k_profiles.h @@ -59,6 +59,9 @@ struct profile_t // Profile header char profilename[PROFILENAMELEN+1]; // Profile name (not to be confused with player name) + uint8_t public_key[32]; // Netgame authentication + uint8_t secret_key[64]; // TODO: Is it a potential vuln to have keys in memory? + // Player data char playername[MAXPLAYERNAME+1]; // Player name char skinname[SKINNAMESIZE+1]; // Default Skin @@ -156,6 +159,8 @@ SINT8 PR_ProfileUsedBy(profile_t *p); profile_t *PR_GetPlayerProfile(player_t *player); +profile_t *PR_GetLocalPlayerProfile(INT32 player); + #ifdef __cplusplus } // extern "C" #endif diff --git a/src/p_saveg.c b/src/p_saveg.c index fdbcb48de..3781925ca 100644 --- a/src/p_saveg.c +++ b/src/p_saveg.c @@ -407,6 +407,8 @@ static void P_NetArchivePlayers(savebuffer_t *save) WRITEUINT8(save->p, players[i].sliptideZipDelay); WRITEUINT16(save->p, players[i].sliptideZipBoost); + WRITESTRINGN(save->p, players[i].public_key, 32); + // respawnvars_t WRITEUINT8(save->p, players[i].respawn.state); WRITEUINT32(save->p, K_GetWaypointHeapIndex(players[i].respawn.wp)); @@ -787,6 +789,8 @@ static void P_NetUnArchivePlayers(savebuffer_t *save) players[i].sliptideZipDelay = READUINT8(save->p); players[i].sliptideZipBoost = READUINT16(save->p); + READSTRINGN(save->p, players[i].public_key, 32); + // respawnvars_t players[i].respawn.state = READUINT8(save->p); players[i].respawn.wp = (waypoint_t *)(size_t)READUINT32(save->p); From 66c6ba125dfa47ede946a9643c10c1ad00df6e08 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 19:28:45 -0700 Subject: [PATCH 10/70] Final fixup for profile-level keys and passing to player_t --- src/d_clisrv.c | 29 +++++++++++++++++++++-------- src/d_main.h | 3 --- src/d_netfil.c | 2 ++ src/d_player.h | 3 +++ src/g_game.c | 5 +++++ src/k_menudraw.c | 3 ++- src/k_profiles.c | 28 ++++++++++++++++++++++++++++ src/k_profiles.h | 2 ++ 8 files changed, 63 insertions(+), 12 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 29501d37c..2d470b551 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -2818,6 +2818,8 @@ static void Command_Nodes(void) CONS_Printf(" - %s", address); } + CONS_Printf(" [RRID-%s] ", GetPrettyRRID(players[i].public_key, true)); + if (IsPlayerAdmin(i)) CONS_Printf(M_GetText(" (verified admin)")); @@ -3714,7 +3716,9 @@ static void Got_AddPlayer(UINT8 **p, INT32 playernum) players[newplayernum].splitscreenindex = splitscreenplayer; players[newplayernum].bot = false; + CONS_Printf("Adding player from node %d with ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][splitscreenplayer], true)); memcpy(players[newplayernum].public_key, lastReceivedKey[node][splitscreenplayer], sizeof(players[newplayernum].public_key)); + CONS_Printf("Node %d now has ID %s\n", node, GetPrettyRRID(players[newplayernum].public_key, true)); playerconsole[newplayernum] = console; splitscreen_original_party_size[console] = @@ -4186,15 +4190,24 @@ static void HandleConnect(SINT8 node) return; } - if (memcmp(lastReceivedKey[node], allZero, 32)) // We're a GUEST and the server throws out our keys anyway. - sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O - else - sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node][i], 32); - - if (netgame && node != 0 && sigcheck != 0) + if (node == 0) // Server { - SV_SendRefuse(node, M_GetText("Signature verification failed.")); - return; + memcpy(lastReceivedKey[node][i], PR_GetLocalPlayerProfile(i)->public_key, sizeof(lastReceivedKey[node][i])); + CONS_Printf("We're SERVER! Setting lastReceivedKey on node %d to %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); + } + else + { + CONS_Printf("We're a client. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); + if (memcmp(lastReceivedKey[node], allZero, 32)) // We're a GUEST and the server throws out our keys anyway. + sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O + else + sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node][i], 32); + + if (netgame && sigcheck != 0) + { + SV_SendRefuse(node, M_GetText("Signature verification failed.")); + return; + } } } diff --git a/src/d_main.h b/src/d_main.h index 199166c9e..cdfee4e0c 100644 --- a/src/d_main.h +++ b/src/d_main.h @@ -31,9 +31,6 @@ extern const char *pandf; //Alam: how to path? extern char srb2path[256]; //Alam: SRB2's Home extern char addonsdir[MAX_WADPATH]; // Where addons are stored -extern uint8_t public_key[32]; -extern uint8_t secret_key[64]; - // the infinite loop of D_SRB2Loop() called from win_main for windows version void D_SRB2Loop(void) FUNCNORETURN; diff --git a/src/d_netfil.c b/src/d_netfil.c index 5b693b59a..20403b87a 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -1320,6 +1320,8 @@ void PT_ClientKey(INT32 node) memcpy(lastReceivedKey[node], packet->key, sizeof(lastReceivedKey[node])); + CONS_Printf("Got keys from node %d, %s / %s / %s / %s\n", node, GetPrettyRRID(lastReceivedKey[node][0], true), GetPrettyRRID(lastReceivedKey[node][1], true), GetPrettyRRID(lastReceivedKey[node][2], true), GetPrettyRRID(lastReceivedKey[node][3], true)); + netbuffer->packettype = PT_SERVERCHALLENGE; csprng(lastSentChallenge[node], sizeof(serverchallenge_pak)); diff --git a/src/d_player.h b/src/d_player.h index e7e3603cf..455db72f3 100644 --- a/src/d_player.h +++ b/src/d_player.h @@ -723,6 +723,9 @@ struct player_t roundconditions_t roundconditions; }; +// WARNING FOR ANYONE ABOUT TO ADD SOMETHING TO THE PLAYER STRUCT, G_PlayerReborn WANTS YOU TO SUFFER +// If data on player_t needs to persist between rounds or during the join process, modify G_PlayerReborn to preserve it. + #ifdef __cplusplus } // extern "C" #endif diff --git a/src/g_game.c b/src/g_game.c index 9d250f120..606999924 100644 --- a/src/g_game.c +++ b/src/g_game.c @@ -2436,6 +2436,8 @@ void G_PlayerReborn(INT32 player, boolean betweenmaps) SINT8 xtralife; + uint8_t public_key[32]; + // SRB2kart itemroulette_t itemRoulette; respawnvars_t respawn; @@ -2509,6 +2511,7 @@ void G_PlayerReborn(INT32 player, boolean betweenmaps) // SRB2kart memcpy(&itemRoulette, &players[player].itemRoulette, sizeof (itemRoulette)); memcpy(&respawn, &players[player].respawn, sizeof (respawn)); + memcpy(&public_key, &players[player].public_key, sizeof(public_key)); if (betweenmaps || leveltime < introtime) { @@ -2678,6 +2681,8 @@ void G_PlayerReborn(INT32 player, boolean betweenmaps) memcpy(&p->itemRoulette, &itemRoulette, sizeof (p->itemRoulette)); memcpy(&p->respawn, &respawn, sizeof (p->respawn)); + memcpy(&p->public_key, &public_key, sizeof(p->public_key)); + if (saveroundconditions) memcpy(&p->roundconditions, &roundconditions, sizeof (p->roundconditions)); diff --git a/src/k_menudraw.c b/src/k_menudraw.c index 39144a6d8..5ad042eaa 100644 --- a/src/k_menudraw.c +++ b/src/k_menudraw.c @@ -1768,7 +1768,8 @@ static void M_DrawProfileCard(INT32 x, INT32 y, boolean greyedout, profile_t *p) if (p != NULL) { V_DrawProfileNum(x + 37 + 10, y + 131, 0, PR_GetProfileNum(p)); - V_DrawCenteredThinString(x, y + 151, V_GRAYMAP|V_6WIDTHSPACE, p->playername); + V_DrawCenteredThinString(x, y + 141, V_GRAYMAP|V_6WIDTHSPACE, p->playername); + V_DrawCenteredThinString(x, y + 151, V_GRAYMAP|V_6WIDTHSPACE, GetPrettyRRID(p->public_key, true)); } } diff --git a/src/k_profiles.c b/src/k_profiles.c index acb993414..940a388c1 100644 --- a/src/k_profiles.c +++ b/src/k_profiles.c @@ -43,6 +43,9 @@ profile_t* PR_MakeProfile( new->version = PROFILEVER; + uint8_t secret_key[64]; + uint8_t public_key[32]; + memset(new->secret_key, 0, sizeof(secret_key)); memset(new->public_key, 0, sizeof(public_key)); @@ -572,4 +575,29 @@ profile_t *PR_GetLocalPlayerProfile(INT32 player) if (player >= MAXSPLITSCREENPLAYERS) return NULL; return PR_GetProfile(cv_lastprofile[player].value); +} + +char *GetPrettyRRID(const unsigned char *bin, boolean brief) +{ + char *out; + size_t i; + size_t len = 32; + + if (brief) + len = 8; + + if (bin == NULL || len == 0) + return NULL; + + out = malloc(len*2 + 1); + + for (i=0; i> 4]; + out[i*2+1] = "0123456789ABCDEF"[bin[i] & 0x0F]; + } + + out[len*2] = '\0'; + + return out; } \ No newline at end of file diff --git a/src/k_profiles.h b/src/k_profiles.h index 16af39687..16f30adda 100644 --- a/src/k_profiles.h +++ b/src/k_profiles.h @@ -161,6 +161,8 @@ profile_t *PR_GetPlayerProfile(player_t *player); profile_t *PR_GetLocalPlayerProfile(INT32 player); +char *GetPrettyRRID(const unsigned char *bin, boolean brief); + #ifdef __cplusplus } // extern "C" #endif From f2c66a2171980afb6fe703331dd4f856f9e24d96 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 19:40:05 -0700 Subject: [PATCH 11/70] Expose public_key to Lua --- src/d_clisrv.c | 5 ++++- src/d_player.h | 2 +- src/lua_playerlib.c | 2 ++ src/p_saveg.c | 4 ++-- 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 2d470b551..bd7f5f335 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -3716,8 +3716,11 @@ static void Got_AddPlayer(UINT8 **p, INT32 playernum) players[newplayernum].splitscreenindex = splitscreenplayer; players[newplayernum].bot = false; + + // player_t is the only place in the game that a key is null-terminated, for ease of Lua push. + memset(players[newplayernum].public_key, 0, 32 + 1); CONS_Printf("Adding player from node %d with ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][splitscreenplayer], true)); - memcpy(players[newplayernum].public_key, lastReceivedKey[node][splitscreenplayer], sizeof(players[newplayernum].public_key)); + memcpy(players[newplayernum].public_key, lastReceivedKey[node][splitscreenplayer], 32); CONS_Printf("Node %d now has ID %s\n", node, GetPrettyRRID(players[newplayernum].public_key, true)); playerconsole[newplayernum] = console; diff --git a/src/d_player.h b/src/d_player.h index 455db72f3..aedbb06b3 100644 --- a/src/d_player.h +++ b/src/d_player.h @@ -713,7 +713,7 @@ struct player_t mobj_t *stumbleIndicator; mobj_t *sliptideZipIndicator; - uint8_t public_key[32]; + uint8_t public_key[32 + 1]; #ifdef HWRENDER fixed_t fovadd; // adjust FOV for hw rendering diff --git a/src/lua_playerlib.c b/src/lua_playerlib.c index 76325ebc9..62efe43d5 100644 --- a/src/lua_playerlib.c +++ b/src/lua_playerlib.c @@ -507,6 +507,8 @@ static int player_get(lua_State *L) #endif else if (fastcmp(field,"ping")) lua_pushinteger(L, playerpingtable[( plr - players )]); + else if (fastcmp(field, "public_key")) + lua_pushstring(L, plr->public_key); else { lua_getfield(L, LUA_REGISTRYINDEX, LREG_EXTVARS); I_Assert(lua_istable(L, -1)); diff --git a/src/p_saveg.c b/src/p_saveg.c index 3781925ca..6daf025fc 100644 --- a/src/p_saveg.c +++ b/src/p_saveg.c @@ -407,7 +407,7 @@ static void P_NetArchivePlayers(savebuffer_t *save) WRITEUINT8(save->p, players[i].sliptideZipDelay); WRITEUINT16(save->p, players[i].sliptideZipBoost); - WRITESTRINGN(save->p, players[i].public_key, 32); + WRITESTRINGN(save->p, players[i].public_key, 32 + 1); // respawnvars_t WRITEUINT8(save->p, players[i].respawn.state); @@ -789,7 +789,7 @@ static void P_NetUnArchivePlayers(savebuffer_t *save) players[i].sliptideZipDelay = READUINT8(save->p); players[i].sliptideZipBoost = READUINT16(save->p); - READSTRINGN(save->p, players[i].public_key, 32); + READSTRINGN(save->p, players[i].public_key, 32 + 1); // respawnvars_t players[i].respawn.state = READUINT8(save->p); From c46ad8d52b773e4456d15dc79a6d129357cf75da Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 20:11:00 -0700 Subject: [PATCH 12/70] Fix GUESTs trying to sign --- src/d_clisrv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index bd7f5f335..ca0e27bfb 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -842,7 +842,10 @@ static boolean CL_SendJoin(void) uint8_t signature[64]; profile_t *localProfile = PR_GetLocalPlayerProfile(i); - if (cv_lastprofile[0].value == 0) // GUESTS don't have keys + char allZero[32]; + memset(allZero, 0, 32); + + if (cv_lastprofile[i].value == 0) // GUESTS don't have keys { memset(signature, 0, 64); } From cc0390cc6405e1a65464b8878916b943f23d97e4 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 22:13:19 -0700 Subject: [PATCH 13/70] Don't respond to challenges out of sequence --- src/d_clisrv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index ca0e27bfb..b1dbb870b 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4595,6 +4595,8 @@ static void HandlePacketFromAwayNode(SINT8 node) PT_ClientKey(node); break; case PT_SERVERCHALLENGE: + if (cl_mode != CL_WAITCHALLENGE) + break; memcpy(awaitingChallenge, netbuffer->u.serverchallenge.secret, sizeof(awaitingChallenge)); cl_mode = CL_ASKJOIN; break; From 0f3d740fd4cb52e9d56919df118ff0af8e78e59d Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 18 Mar 2023 22:37:03 -0700 Subject: [PATCH 14/70] Correctly populate local keys as a netgame client --- src/d_clisrv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index b1dbb870b..aed74e55f 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -3715,6 +3715,8 @@ static void Got_AddPlayer(UINT8 **p, INT32 playernum) D_SendPlayerConfig(splitscreenplayer); addedtogame = true; + CONS_Printf("It's me, node %d, with ID %s! (This is uninitialized memory because Tyron is a dumbass!)\n", node, GetPrettyRRID(lastReceivedKey[node][splitscreenplayer], true)); + memcpy(lastReceivedKey[node][splitscreenplayer], PR_GetLocalPlayerProfile(splitscreenplayer)->public_key, 32); } players[newplayernum].splitscreenindex = splitscreenplayer; From 3747ba6cbd6c781d6ffd28813a492d27e6ce5b1b Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sun, 19 Mar 2023 05:41:25 -0700 Subject: [PATCH 15/70] Sign game traffic that could be used to cause problems --- src/d_clisrv.c | 29 +++++++++++++++++++++++++++++ src/d_clisrv.h | 2 ++ src/d_net.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ src/d_net.h | 2 ++ 4 files changed, 81 insertions(+) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index aed74e55f..2e264b5f9 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4661,6 +4661,35 @@ static void HandlePacketFromPlayer(SINT8 node) if (netconsole >= MAXPLAYERS) I_Error("bad table nodetoplayer: node %d player %d", doomcom->remotenode, netconsole); #endif + + uint8_t allzero[32]; + memset(allzero, 0, sizeof(allzero)); + + int splitnodes; + if (IsPacketSigned(netbuffer->packettype)) + { + for (splitnodes = 0; splitnodes < MAXSPLITSCREENPLAYERS; splitnodes++) + { + const void* message = &netbuffer->u; + if (memcmp(allzero, lastReceivedKey[node][splitnodes], sizeof(allzero)) == 0) + { + //CONS_Printf("Throwing out a guest signature from node %d player %d\n", node, splitnodes); + } + else + { + if (crypto_eddsa_check(netbuffer->signature[splitnodes], lastReceivedKey[node][splitnodes], message, doomcom->datalength - BASEPACKETSIZE)) + { + //CONS_Printf("Failed signature check on packet type %d from node %d player %d\nkey %s size %d\n", + netbuffer->packettype, node, splitnodes, + GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE); + SendKick(netconsole, KICK_MSG_CON_FAIL); + return; + } + } + + } + } + switch (netbuffer->packettype) { diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 2c2ffaef0..c1c8afd0a 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -371,6 +371,8 @@ struct doomdata_t UINT8 ackreturn; // The return of the ack number UINT8 packettype; + uint8_t signature[MAXSPLITSCREENPLAYERS][64]; + UINT16 payloadsize; UINT8 reserved; // Padding union { diff --git a/src/d_net.c b/src/d_net.c index 171e5f483..17e9c4a27 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -30,6 +30,7 @@ #include "i_tcp.h" #include "d_main.h" // srb2home #include "stun.h" +#include "monocypher/monocypher.h" // // NETWORKING @@ -992,12 +993,59 @@ static boolean ShouldDropPacket(void) } #endif +boolean IsPacketSigned(int packettype) +{ + switch (packettype) + { + case PT_CLIENTCMD: + case PT_CLIENT2CMD: + case PT_CLIENT3CMD: + case PT_CLIENT4CMD: + case PT_CLIENTMIS: + case PT_CLIENT2MIS: + case PT_CLIENT3MIS: + case PT_CLIENT4MIS: + case PT_TEXTCMD: + case PT_TEXTCMD2: + case PT_TEXTCMD3: + case PT_TEXTCMD4: + case PT_LOGIN: + case PT_ASKLUAFILE: + case PT_SENDINGLUAFILE: + return true; + default: + return false; + } +} + // // HSendPacket // boolean HSendPacket(INT32 node, boolean reliable, UINT8 acknum, size_t packetlength) { doomcom->datalength = (INT16)(packetlength + BASEPACKETSIZE); + + if (IsPacketSigned(netbuffer->packettype)) + { + int i; + netbuffer->payloadsize = packetlength; + + for (i = 0; i < MAXSPLITSCREENPLAYERS; i++) + { + const void* message = &netbuffer->u; + //CONS_Printf("Signing packet type %d of length %d\n", netbuffer->packettype, packetlength); + if (cv_lastprofile[i].value == 0) + memset(netbuffer->signature[i], 0, sizeof(netbuffer->signature[i])); + else + crypto_eddsa_sign(netbuffer->signature[i], PR_GetLocalPlayerProfile(i)->secret_key, message, packetlength); + } + } + else + { + //CONS_Printf("NOT signing PT_%d of length %d, it doesn't need to be\n", netbuffer->packettype, packetlength); + memset(netbuffer->signature, 0, sizeof(netbuffer->signature)); + } + if (node == 0) // Packet is to go back to us { if ((rebound_head+1) % MAXREBOUND == rebound_tail) diff --git a/src/d_net.h b/src/d_net.h index 12ab72693..192c889cc 100644 --- a/src/d_net.h +++ b/src/d_net.h @@ -68,6 +68,8 @@ void Net_AbortPacketType(UINT8 packettype); void Net_SendAcks(INT32 node); void Net_WaitAllAckReceived(UINT32 timeout); +boolean IsPacketSigned(int packettype); + #ifdef __cplusplus } // extern "C" #endif From b7580016614ff89eeb65c05c15f1c88150c439d0 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sun, 19 Mar 2023 05:42:40 -0700 Subject: [PATCH 16/70] We don't need payloadsize, we don't trust it anyway --- src/d_clisrv.h | 1 - src/d_net.c | 1 - 2 files changed, 2 deletions(-) diff --git a/src/d_clisrv.h b/src/d_clisrv.h index c1c8afd0a..63afedf9e 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -372,7 +372,6 @@ struct doomdata_t UINT8 packettype; uint8_t signature[MAXSPLITSCREENPLAYERS][64]; - UINT16 payloadsize; UINT8 reserved; // Padding union { diff --git a/src/d_net.c b/src/d_net.c index 17e9c4a27..28a1ed190 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -1028,7 +1028,6 @@ boolean HSendPacket(INT32 node, boolean reliable, UINT8 acknum, size_t packetlen if (IsPacketSigned(netbuffer->packettype)) { int i; - netbuffer->payloadsize = packetlength; for (i = 0; i < MAXSPLITSCREENPLAYERS; i++) { From baedcc6adebda98aba93735f832dd837434f7df3 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sun, 19 Mar 2023 06:03:44 -0700 Subject: [PATCH 17/70] Add allowguests cvar --- src/d_clisrv.c | 16 ++++++++++++++-- src/d_clisrv.h | 2 ++ src/d_netcmd.c | 2 ++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 2e264b5f9..cb2505619 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -164,6 +164,8 @@ boolean serverisfull = false; //lets us be aware if the server was full after we tic_t firstconnectattempttime = 0; uint8_t awaitingChallenge[32]; +consvar_t cv_allowguests = CVAR_INIT ("allowguests", "On", CV_SAVE, CV_OnOff, NULL); + // engine @@ -4207,9 +4209,19 @@ static void HandleConnect(SINT8 node) { CONS_Printf("We're a client. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); if (memcmp(lastReceivedKey[node], allZero, 32)) // We're a GUEST and the server throws out our keys anyway. + { sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O + if (!cv_allowguests.value) + { + SV_SendRefuse(node, M_GetText("The server doesn't allow GUESTs.\nCreate a profile to join!")); + return; + } + } else + { sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node][i], 32); + } + if (netgame && sigcheck != 0) { @@ -4680,8 +4692,8 @@ static void HandlePacketFromPlayer(SINT8 node) if (crypto_eddsa_check(netbuffer->signature[splitnodes], lastReceivedKey[node][splitnodes], message, doomcom->datalength - BASEPACKETSIZE)) { //CONS_Printf("Failed signature check on packet type %d from node %d player %d\nkey %s size %d\n", - netbuffer->packettype, node, splitnodes, - GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE); + // netbuffer->packettype, node, splitnodes, + // GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE); SendKick(netconsole, KICK_MSG_CON_FAIL); return; } diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 63afedf9e..d61740ae6 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -485,6 +485,8 @@ extern consvar_t cv_joinnextround; extern consvar_t cv_discordinvites; +extern consvar_t cv_allowguests; + // Used in d_net, the only dependence tic_t ExpandTics(INT32 low, tic_t basetic); void D_ClientServerInit(void); diff --git a/src/d_netcmd.c b/src/d_netcmd.c index 7b1991652..27229929e 100644 --- a/src/d_netcmd.c +++ b/src/d_netcmd.c @@ -946,6 +946,8 @@ void D_RegisterClientCommands(void) CV_RegisterVar(&cv_netticbuffer); CV_RegisterVar(&cv_mindelay); + CV_RegisterVar(&cv_allowguests); + // HUD CV_RegisterVar(&cv_alttitle); CV_RegisterVar(&cv_itemfinder); From 936da9870ca6776de8ef9ae22d77f1db2dcb1a4f Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sun, 19 Mar 2023 17:50:44 -0700 Subject: [PATCH 18/70] Move guest profile checks into dedicated method --- src/d_clisrv.c | 9 +++------ src/d_net.c | 2 +- src/k_profiles.c | 5 +++++ src/k_profiles.h | 2 ++ 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index cb2505619..00bc4188a 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -844,10 +844,7 @@ static boolean CL_SendJoin(void) uint8_t signature[64]; profile_t *localProfile = PR_GetLocalPlayerProfile(i); - char allZero[32]; - memset(allZero, 0, 32); - - if (cv_lastprofile[i].value == 0) // GUESTS don't have keys + if (PR_IsLocalPlayerGuest(i)) // GUESTS don't have keys { memset(signature, 0, 64); } @@ -4203,11 +4200,11 @@ static void HandleConnect(SINT8 node) if (node == 0) // Server { memcpy(lastReceivedKey[node][i], PR_GetLocalPlayerProfile(i)->public_key, sizeof(lastReceivedKey[node][i])); - CONS_Printf("We're SERVER! Setting lastReceivedKey on node %d to %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); + CONS_Printf("Adding SERVER. Setting lastReceivedKey on node %d to %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); } else { - CONS_Printf("We're a client. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); + CONS_Printf("Adding clients. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); if (memcmp(lastReceivedKey[node], allZero, 32)) // We're a GUEST and the server throws out our keys anyway. { sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O diff --git a/src/d_net.c b/src/d_net.c index 28a1ed190..6956a9cb8 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -1033,7 +1033,7 @@ boolean HSendPacket(INT32 node, boolean reliable, UINT8 acknum, size_t packetlen { const void* message = &netbuffer->u; //CONS_Printf("Signing packet type %d of length %d\n", netbuffer->packettype, packetlength); - if (cv_lastprofile[i].value == 0) + if (PR_IsLocalPlayerGuest(i)) memset(netbuffer->signature[i], 0, sizeof(netbuffer->signature[i])); else crypto_eddsa_sign(netbuffer->signature[i], PR_GetLocalPlayerProfile(i)->secret_key, message, packetlength); diff --git a/src/k_profiles.c b/src/k_profiles.c index 940a388c1..82aec0a8d 100644 --- a/src/k_profiles.c +++ b/src/k_profiles.c @@ -577,6 +577,11 @@ profile_t *PR_GetLocalPlayerProfile(INT32 player) return PR_GetProfile(cv_lastprofile[player].value); } +boolean PR_IsLocalPlayerGuest(INT32 player) +{ + return !(cv_lastprofile[player].value); +} + char *GetPrettyRRID(const unsigned char *bin, boolean brief) { char *out; diff --git a/src/k_profiles.h b/src/k_profiles.h index 16f30adda..c648fc3a7 100644 --- a/src/k_profiles.h +++ b/src/k_profiles.h @@ -161,6 +161,8 @@ profile_t *PR_GetPlayerProfile(player_t *player); profile_t *PR_GetLocalPlayerProfile(INT32 player); +boolean PR_IsLocalPlayerGuest(INT32 player); + char *GetPrettyRRID(const unsigned char *bin, boolean brief); #ifdef __cplusplus From 2925843ea251c82c0d51f6bb1440d60de4ebdebb Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sun, 19 Mar 2023 20:48:45 -0700 Subject: [PATCH 19/70] Sigfail command for testing, fix guest join sigcheck, scaffolding for sigfail kick reason --- src/d_clisrv.c | 32 ++++++++++++++++++++++++++++---- src/d_clisrv.h | 5 +++++ src/d_net.c | 8 ++++++++ src/d_netcmd.c | 4 ++++ 4 files changed, 45 insertions(+), 4 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 00bc4188a..6d1b00f07 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -166,6 +166,9 @@ tic_t firstconnectattempttime = 0; uint8_t awaitingChallenge[32]; consvar_t cv_allowguests = CVAR_INIT ("allowguests", "On", CV_SAVE, CV_OnOff, NULL); +#ifdef DEVELOP + consvar_t cv_sigfail = CVAR_INIT ("sigfail", "Off", CV_SAVE, CV_OnOff, NULL); +#endif // engine @@ -855,6 +858,14 @@ static boolean CL_SendJoin(void) I_Error("Couldn't self-verify key associated with player %d, profile %d.\nProfile data may be corrupted.", i, cv_lastprofile[i].value); // I guess this is the most reasonable way to catch a malformed key. } + #ifdef DEVELOP + if (cv_sigfail.value) + { + CONS_Alert(CONS_WARNING, "SIGFAIL enabled, scrubbing signature from CL_SendJoin\n"); + memset(signature, 0, 64); + } + #endif + // Testing // memset(signature, 0, sizeof(signature)); @@ -3177,6 +3188,10 @@ static void Got_KickCmd(UINT8 **p, INT32 playernum) HU_AddChatText(va("\x82*%s left the game (Connection timeout)", player_names[pnum]), false); kickreason = KR_TIMEOUT; break; + case KICK_MSG_SIGFAIL: + HU_AddChatText(va("\x82*%s left the game (Invalid signature)", player_names[pnum]), false); + kickreason = KR_TIMEOUT; + break; case KICK_MSG_PLAYER_QUIT: if (netgame) // not splitscreen/bots HU_AddChatText(va("\x82*%s left the game", player_names[pnum]), false); @@ -4205,7 +4220,7 @@ static void HandleConnect(SINT8 node) else { CONS_Printf("Adding clients. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); - if (memcmp(lastReceivedKey[node], allZero, 32)) // We're a GUEST and the server throws out our keys anyway. + if (memcmp(lastReceivedKey[node][i], allZero, 32) == 0) // We're a GUEST and the server throws out our keys anyway. { sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O if (!cv_allowguests.value) @@ -4215,8 +4230,9 @@ static void HandleConnect(SINT8 node) } } else - { + { sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node][i], 32); + CONS_Printf("Sigcheck result: %d\n", sigcheck); } @@ -4679,6 +4695,14 @@ static void HandlePacketFromPlayer(SINT8 node) { for (splitnodes = 0; splitnodes < MAXSPLITSCREENPLAYERS; splitnodes++) { + // Don't try to enforce signatures for players that aren't present. + if (splitnodes > 0 && nodetoplayer2[node] <= 0) + break; + if (splitnodes > 1 && nodetoplayer3[node] <= 0) + break; + if (splitnodes > 2 && nodetoplayer4[node] <= 0) + break; + const void* message = &netbuffer->u; if (memcmp(allzero, lastReceivedKey[node][splitnodes], sizeof(allzero)) == 0) { @@ -4688,10 +4712,10 @@ static void HandlePacketFromPlayer(SINT8 node) { if (crypto_eddsa_check(netbuffer->signature[splitnodes], lastReceivedKey[node][splitnodes], message, doomcom->datalength - BASEPACKETSIZE)) { - //CONS_Printf("Failed signature check on packet type %d from node %d player %d\nkey %s size %d\n", + //CONS_Alert(CONS_ERROR, "SIGFAIL! Packet type %d from node %d player %d\nkey %s size %d\n", // netbuffer->packettype, node, splitnodes, // GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE); - SendKick(netconsole, KICK_MSG_CON_FAIL); + //SendKick(netconsole, KICK_MSG_SIGFAIL); return; } } diff --git a/src/d_clisrv.h b/src/d_clisrv.h index d61740ae6..757106b43 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -437,6 +437,7 @@ extern consvar_t cv_playbackspeed; #define KICK_MSG_PING_HIGH 6 #define KICK_MSG_CUSTOM_KICK 7 #define KICK_MSG_CUSTOM_BAN 8 +#define KICK_MSG_SIGFAIL 9 typedef enum { @@ -487,6 +488,10 @@ extern consvar_t cv_discordinvites; extern consvar_t cv_allowguests; +#ifdef DEVELOP +extern consvar_t cv_sigfail; +#endif + // Used in d_net, the only dependence tic_t ExpandTics(INT32 low, tic_t basetic); void D_ClientServerInit(void); diff --git a/src/d_net.c b/src/d_net.c index 6956a9cb8..1c3165a6b 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -1038,6 +1038,14 @@ boolean HSendPacket(INT32 node, boolean reliable, UINT8 acknum, size_t packetlen else crypto_eddsa_sign(netbuffer->signature[i], PR_GetLocalPlayerProfile(i)->secret_key, message, packetlength); } + + #ifdef DEVELOP + if (cv_sigfail.value) + { + CONS_Alert(CONS_WARNING, "SIGFAIL enabled, scrubbing signature from HSendPacket\n"); + memset(netbuffer->signature, 0, sizeof(netbuffer->signature)); + } + #endif } else { diff --git a/src/d_netcmd.c b/src/d_netcmd.c index 27229929e..5c87fd5fd 100644 --- a/src/d_netcmd.c +++ b/src/d_netcmd.c @@ -948,6 +948,10 @@ void D_RegisterClientCommands(void) CV_RegisterVar(&cv_allowguests); + #ifdef DEVELOP + CV_RegisterVar(&cv_sigfail); + #endif + // HUD CV_RegisterVar(&cv_alttitle); CV_RegisterVar(&cv_itemfinder); From 7889ffd93b37b7e44ba9f5634a1b6be629e73027 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sun, 19 Mar 2023 21:07:04 -0700 Subject: [PATCH 20/70] Instantly destroy anyone who sigfails --- src/d_clisrv.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 6d1b00f07..1e8938dbb 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4712,10 +4712,12 @@ static void HandlePacketFromPlayer(SINT8 node) { if (crypto_eddsa_check(netbuffer->signature[splitnodes], lastReceivedKey[node][splitnodes], message, doomcom->datalength - BASEPACKETSIZE)) { - //CONS_Alert(CONS_ERROR, "SIGFAIL! Packet type %d from node %d player %d\nkey %s size %d\n", - // netbuffer->packettype, node, splitnodes, - // GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE); - //SendKick(netconsole, KICK_MSG_SIGFAIL); + CONS_Alert(CONS_ERROR, "SIGFAIL! Packet type %d from node %d player %d\nkey %s size %d\n", + netbuffer->packettype, node, splitnodes, + GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE); + SendKick(netconsole, KICK_MSG_SIGFAIL); + Net_CloseConnection(node); + nodeingame[node] = false; return; } } From ca767a554bac60e7c194483d77929a3b8e99268d Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sun, 19 Mar 2023 21:24:56 -0700 Subject: [PATCH 21/70] Let people know when they're kicked for sigfail --- src/d_clisrv.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 1e8938dbb..dd6110ac7 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -3248,6 +3248,8 @@ static void Got_KickCmd(UINT8 **p, INT32 playernum) M_StartMessage(va(M_GetText("You have been kicked\n(%s)\nPress (B)\n"), reason), NULL, MM_NOTHING); else if (msg == KICK_MSG_CUSTOM_BAN) M_StartMessage(va(M_GetText("You have been banned\n(%s)\nPress (B)\n"), reason), NULL, MM_NOTHING); + else if (msg == KICK_MSG_SIGFAIL) + M_StartMessage(M_GetText("Server closed connection\n(Invalid signature)\nPress (B)\n"), NULL, MM_NOTHING); else M_StartMessage(M_GetText("You have been kicked by the server\n\nPress (B)\n"), NULL, MM_NOTHING); } @@ -4712,12 +4714,13 @@ static void HandlePacketFromPlayer(SINT8 node) { if (crypto_eddsa_check(netbuffer->signature[splitnodes], lastReceivedKey[node][splitnodes], message, doomcom->datalength - BASEPACKETSIZE)) { - CONS_Alert(CONS_ERROR, "SIGFAIL! Packet type %d from node %d player %d\nkey %s size %d\n", + CONS_Alert(CONS_ERROR, "SIGFAIL! Packet type %d from node %d player %d\nkey %s size %d netconsole %d\n", netbuffer->packettype, node, splitnodes, - GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE); - SendKick(netconsole, KICK_MSG_SIGFAIL); - Net_CloseConnection(node); - nodeingame[node] = false; + GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE, netconsole); + if (netconsole != -1) // NO IDEA. + SendKick(netconsole, KICK_MSG_SIGFAIL); + // Net_CloseConnection(node); + // nodeingame[node] = false; return; } } From a1b0625f665a6903f589b4bd31d29ff5414d6416 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sun, 19 Mar 2023 21:28:10 -0700 Subject: [PATCH 22/70] Don't sigcheck game traffic if you're not the server, you can't do anything with it --- src/d_clisrv.c | 63 ++++++++++++++++++++++++++------------------------ 1 file changed, 33 insertions(+), 30 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index dd6110ac7..28e6c947c 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4689,42 +4689,45 @@ static void HandlePacketFromPlayer(SINT8 node) I_Error("bad table nodetoplayer: node %d player %d", doomcom->remotenode, netconsole); #endif - uint8_t allzero[32]; - memset(allzero, 0, sizeof(allzero)); - - int splitnodes; - if (IsPacketSigned(netbuffer->packettype)) + if (server) { - for (splitnodes = 0; splitnodes < MAXSPLITSCREENPLAYERS; splitnodes++) - { - // Don't try to enforce signatures for players that aren't present. - if (splitnodes > 0 && nodetoplayer2[node] <= 0) - break; - if (splitnodes > 1 && nodetoplayer3[node] <= 0) - break; - if (splitnodes > 2 && nodetoplayer4[node] <= 0) - break; + uint8_t allzero[32]; + memset(allzero, 0, sizeof(allzero)); - const void* message = &netbuffer->u; - if (memcmp(allzero, lastReceivedKey[node][splitnodes], sizeof(allzero)) == 0) + int splitnodes; + if (IsPacketSigned(netbuffer->packettype)) + { + for (splitnodes = 0; splitnodes < MAXSPLITSCREENPLAYERS; splitnodes++) { - //CONS_Printf("Throwing out a guest signature from node %d player %d\n", node, splitnodes); - } - else - { - if (crypto_eddsa_check(netbuffer->signature[splitnodes], lastReceivedKey[node][splitnodes], message, doomcom->datalength - BASEPACKETSIZE)) + // Don't try to enforce signatures for players that aren't present. + if (splitnodes > 0 && nodetoplayer2[node] <= 0) + break; + if (splitnodes > 1 && nodetoplayer3[node] <= 0) + break; + if (splitnodes > 2 && nodetoplayer4[node] <= 0) + break; + + const void* message = &netbuffer->u; + if (memcmp(allzero, lastReceivedKey[node][splitnodes], sizeof(allzero)) == 0) { - CONS_Alert(CONS_ERROR, "SIGFAIL! Packet type %d from node %d player %d\nkey %s size %d netconsole %d\n", - netbuffer->packettype, node, splitnodes, - GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE, netconsole); - if (netconsole != -1) // NO IDEA. - SendKick(netconsole, KICK_MSG_SIGFAIL); - // Net_CloseConnection(node); - // nodeingame[node] = false; - return; + //CONS_Printf("Throwing out a guest signature from node %d player %d\n", node, splitnodes); } + else + { + if (crypto_eddsa_check(netbuffer->signature[splitnodes], lastReceivedKey[node][splitnodes], message, doomcom->datalength - BASEPACKETSIZE)) + { + CONS_Alert(CONS_ERROR, "SIGFAIL! Packet type %d from node %d player %d\nkey %s size %d netconsole %d\n", + netbuffer->packettype, node, splitnodes, + GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE, netconsole); + if (netconsole != -1) // NO IDEA. + SendKick(netconsole, KICK_MSG_SIGFAIL); + // Net_CloseConnection(node); + // nodeingame[node] = false; + return; + } + } + } - } } From 33760dec519f82d97b0a141afeabafc4d69cacb5 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 20 Mar 2023 23:07:38 -0700 Subject: [PATCH 23/70] I don't even know, unfuck everything --- src/d_clisrv.c | 339 +++++++++++++++++++++++++++++++++++++++----- src/d_clisrv.h | 22 +++ src/d_net.c | 9 +- src/d_player.h | 2 +- src/lua_playerlib.c | 2 +- src/typedef.h | 3 + 6 files changed, 342 insertions(+), 35 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 28e6c947c..0fd0d3d95 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -48,6 +48,7 @@ #include "md5.h" #include "m_perfstats.h" #include "monocypher/monocypher.h" +#include "stun.h" // SRB2Kart #include "k_kart.h" @@ -157,8 +158,18 @@ char connectedservername[MAXSERVERNAME]; /// \todo WORK! boolean acceptnewnode = true; -uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; -uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; +// We give clients a chance to verify each other once per race. +// When is that challenge sent, and when should clients bail if they don't receive the responses? +#define CHALLENGEALL_START (TICRATE*10) +#define CHALLENGEALL_SERVERCUTOFF (TICRATE*12) +#define CHALLENGEALL_CLIENTCUTOFF (TICRATE*14) + +uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // Player's public key (join process only! active players have it on player_t) +uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN +uint8_t lastChallengeAll[32]; // The message we asked EVERYONE to sign for client-to-client identity proofs +uint8_t lastReceivedSignature[MAXPLAYERS][64]; // Everyone's response to lastChallengeAll +uint8_t involvedInChallenge[MAXPLAYERS][32]; +uint8_t knownWhenChallenged[MAXPLAYERS][32]; boolean serverisfull = false; //lets us be aware if the server was full after we check files, but before downloading, so we can ask if the user still wants to download or not tic_t firstconnectattempttime = 0; @@ -3695,6 +3706,7 @@ static void Got_AddPlayer(UINT8 **p, INT32 playernum) newplayer->jointime = 0; READSTRINGN(*p, player_names[newplayernum], MAXPLAYERNAME); + READSTRINGN(*p, players[newplayernum].public_key, 32); console = READUINT8(*p); splitscreenplayer = READUINT8(*p); @@ -3731,19 +3743,11 @@ static void Got_AddPlayer(UINT8 **p, INT32 playernum) D_SendPlayerConfig(splitscreenplayer); addedtogame = true; - CONS_Printf("It's me, node %d, with ID %s! (This is uninitialized memory because Tyron is a dumbass!)\n", node, GetPrettyRRID(lastReceivedKey[node][splitscreenplayer], true)); - memcpy(lastReceivedKey[node][splitscreenplayer], PR_GetLocalPlayerProfile(splitscreenplayer)->public_key, 32); } players[newplayernum].splitscreenindex = splitscreenplayer; players[newplayernum].bot = false; - // player_t is the only place in the game that a key is null-terminated, for ease of Lua push. - memset(players[newplayernum].public_key, 0, 32 + 1); - CONS_Printf("Adding player from node %d with ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][splitscreenplayer], true)); - memcpy(players[newplayernum].public_key, lastReceivedKey[node][splitscreenplayer], 32); - CONS_Printf("Node %d now has ID %s\n", node, GetPrettyRRID(players[newplayernum].public_key, true)); - playerconsole[newplayernum] = console; splitscreen_original_party_size[console] = ++splitscreen_party_size[console]; @@ -3862,7 +3866,9 @@ static void Got_AddBot(UINT8 **p, INT32 playernum) LUA_HookInt(newplayernum, HOOK(PlayerJoin)); } -static boolean SV_AddWaitingPlayers(SINT8 node, UINT8 *availabilities, const char *name, const char *name2, const char *name3, const char *name4) +static boolean SV_AddWaitingPlayers(SINT8 node, UINT8 *availabilities, +const char *name, uint8_t *key, const char *name2, uint8_t *key2, +const char *name3, uint8_t *key3, const char *name4, uint8_t *key4) { INT32 n, newplayernum, i; UINT8 buf[4 + MAXPLAYERNAME + MAXAVAILABILITY]; @@ -3928,21 +3934,25 @@ static boolean SV_AddWaitingPlayers(SINT8 node, UINT8 *availabilities, const cha { nodetoplayer[node] = newplayernum; WRITESTRINGN(buf_p, name, MAXPLAYERNAME); + WRITESTRINGN(buf_p, key, 32); } else if (playerpernode[node] < 2) { nodetoplayer2[node] = newplayernum; WRITESTRINGN(buf_p, name2, MAXPLAYERNAME); + WRITESTRINGN(buf_p, key2, 32); } else if (playerpernode[node] < 3) { nodetoplayer3[node] = newplayernum; WRITESTRINGN(buf_p, name3, MAXPLAYERNAME); + WRITESTRINGN(buf_p, key3, 32); } else if (playerpernode[node] < 4) { nodetoplayer4[node] = newplayernum; WRITESTRINGN(buf_p, name4, MAXPLAYERNAME); + WRITESTRINGN(buf_p, key4, 32); } WRITEUINT8(buf_p, nodetoplayer[node]); // consoleplayer @@ -4019,7 +4029,8 @@ boolean SV_SpawnServer(void) UINT8 *availabilitiesbuffer = R_GetSkinAvailabilities(false, false); SINT8 node = 0; for (; node < MAXNETNODES; node++) - result |= SV_AddWaitingPlayers(node, availabilitiesbuffer, cv_playername[0].zstring, cv_playername[1].zstring, cv_playername[2].zstring, cv_playername[3].zstring); + result |= SV_AddWaitingPlayers(node, availabilitiesbuffer, cv_playername[0].zstring, &PR_GetLocalPlayerProfile(0)->public_key, cv_playername[1].zstring, &PR_GetLocalPlayerProfile(1)->public_key, + cv_playername[2].zstring, &PR_GetLocalPlayerProfile(2)->public_key, cv_playername[3].zstring, &PR_GetLocalPlayerProfile(3)->public_key); } return result; #endif @@ -4093,6 +4104,32 @@ static size_t TotalTextCmdPerTic(tic_t tic) return total; } +static boolean IsSplitPlayerOnNodeGuest(int node, int split) +{ + char allZero[32]; + memset(allZero, 0, 32); + + if (split == 0) + return (memcmp(players[nodetoplayer[node]].public_key, allZero, 32) == 0); + else if (split == 1) + return (memcmp(players[nodetoplayer2[node]].public_key, allZero, 32) == 0); + else if (split == 2) + return (memcmp(players[nodetoplayer3[node]].public_key, allZero, 32) == 0); + else if (split == 3) + return (memcmp(players[nodetoplayer4[node]].public_key, allZero, 32) == 0); + else + I_Error("IsSplitPlayerOnNodeGuest: Out of bounds"); + return false; // unreachable +} + +static boolean IsPlayerGuest(int player) +{ + char allZero[32]; + memset(allZero, 0, 32); + + return (memcmp(players[player].public_key, allZero, 32) == 0); +} + /** Called when a PT_CLIENTJOIN packet is received * * \param node The packet sender @@ -4202,8 +4239,6 @@ static void HandleConnect(SINT8 node) { int sigcheck; boolean newnode = false; - char allZero[32]; - memset(allZero, 0, 32); for (i = 0; i < netbuffer->u.clientcfg.localplayers - playerpernode[node]; i++) { @@ -4214,15 +4249,14 @@ static void HandleConnect(SINT8 node) return; } - if (node == 0) // Server + if (node == 0) { memcpy(lastReceivedKey[node][i], PR_GetLocalPlayerProfile(i)->public_key, sizeof(lastReceivedKey[node][i])); - CONS_Printf("Adding SERVER. Setting lastReceivedKey on node %d to %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); } else { - CONS_Printf("Adding clients. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); - if (memcmp(lastReceivedKey[node][i], allZero, 32) == 0) // We're a GUEST and the server throws out our keys anyway. + CONS_Printf("Adding remote. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); + if (IsSplitPlayerOnNodeGuest(node, i)) // We're a GUEST and the server throws out our keys anyway. { sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O if (!cv_allowguests.value) @@ -4234,7 +4268,6 @@ static void HandleConnect(SINT8 node) else { sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node][i], 32); - CONS_Printf("Sigcheck result: %d\n", sigcheck); } @@ -4283,7 +4316,8 @@ static void HandleConnect(SINT8 node) DEBFILE("send savegame\n"); } - SV_AddWaitingPlayers(node, availabilitiesbuffer, names[0], names[1], names[2], names[3]); + SV_AddWaitingPlayers(node, availabilitiesbuffer, names[0], lastReceivedKey[node][0], names[1], lastReceivedKey[node][1], + names[2], lastReceivedKey[node][2], names[3], lastReceivedKey[node][3]); joindelay += cv_joindelay.value * TICRATE; player_joining = true; } @@ -4661,6 +4695,19 @@ static boolean CheckForSpeedHacks(UINT8 p) return false; } +static char NodeToSplitPlayer(int node, int split) +{ + if (split == 0) + return nodetoplayer[node]; + else if (split == 1) + return nodetoplayer2[node]; + else if (split == 2) + return nodetoplayer3[node]; + else if (split == 3) + return nodetoplayer4[node]; + return -1; +} + /** Handles a packet received from a node that is in game * * \param node The packet sender @@ -4691,39 +4738,35 @@ static void HandlePacketFromPlayer(SINT8 node) if (server) { - uint8_t allzero[32]; - memset(allzero, 0, sizeof(allzero)); int splitnodes; if (IsPacketSigned(netbuffer->packettype)) { for (splitnodes = 0; splitnodes < MAXSPLITSCREENPLAYERS; splitnodes++) { - // Don't try to enforce signatures for players that aren't present. - if (splitnodes > 0 && nodetoplayer2[node] <= 0) - break; - if (splitnodes > 1 && nodetoplayer3[node] <= 0) - break; - if (splitnodes > 2 && nodetoplayer4[node] <= 0) - break; + int targetplayer = NodeToSplitPlayer(node, splitnodes); + if (targetplayer == -1) + continue; const void* message = &netbuffer->u; - if (memcmp(allzero, lastReceivedKey[node][splitnodes], sizeof(allzero)) == 0) + if (IsSplitPlayerOnNodeGuest(node, splitnodes)) { //CONS_Printf("Throwing out a guest signature from node %d player %d\n", node, splitnodes); } else { - if (crypto_eddsa_check(netbuffer->signature[splitnodes], lastReceivedKey[node][splitnodes], message, doomcom->datalength - BASEPACKETSIZE)) + if (crypto_eddsa_check(netbuffer->signature[splitnodes], players[targetplayer].public_key, message, doomcom->datalength - BASEPACKETSIZE)) { CONS_Alert(CONS_ERROR, "SIGFAIL! Packet type %d from node %d player %d\nkey %s size %d netconsole %d\n", netbuffer->packettype, node, splitnodes, - GetPrettyRRID(lastReceivedKey[node][splitnodes], true), doomcom->datalength - BASEPACKETSIZE, netconsole); + GetPrettyRRID(players[targetplayer].public_key, true), doomcom->datalength - BASEPACKETSIZE, netconsole); + /* if (netconsole != -1) // NO IDEA. SendKick(netconsole, KICK_MSG_SIGFAIL); // Net_CloseConnection(node); // nodeingame[node] = false; return; + */ } } @@ -5150,6 +5193,135 @@ static void HandlePacketFromPlayer(SINT8 node) if (client) CL_PrepareDownloadLuaFile(); break; + case PT_CHALLENGEALL: ; // -Wpedantic + int challengeplayers; + memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); + + //CONS_Printf("Got PT_CHALLENGEALL from node %d\n", node); + + if (node != servernode) + break; + + netbuffer->packettype = PT_RESPONSEALL; + + memset(&netbuffer->u.responseall, 0, sizeof(netbuffer->u.responseall)); + + for (challengeplayers = 0; challengeplayers <= splitscreen; challengeplayers++) + { + uint8_t signature[64]; + profile_t *localProfile = PR_GetLocalPlayerProfile(challengeplayers); + if (PR_IsLocalPlayerGuest(challengeplayers)) // GUESTS don't have keys + { + memset(signature, 0, 64); + } + else + { + CONS_Printf("signing %s pk %s\n", GetPrettyRRID(lastChallengeAll, true), GetPrettyRRID(localProfile->public_key, true)); + crypto_eddsa_sign(signature, localProfile->secret_key, lastChallengeAll, sizeof(lastChallengeAll)); + if (crypto_eddsa_check(signature, localProfile->public_key, lastChallengeAll, sizeof(lastChallengeAll)) != 0) + I_Error("Couldn't self-verify key associated with player %d, profile %d.\nProfile data may be corrupted.", challengeplayers, cv_lastprofile[challengeplayers].value); // I guess this is the most reasonable way to catch a malformed key. + } + + #ifdef DEVELOP + if (cv_sigfail.value) + { + CONS_Alert(CONS_WARNING, "SIGFAIL enabled, scrubbing signature from PT_RESPONSEALL\n"); + memset(signature, 0, 64); + } + #endif + + memcpy(netbuffer->u.responseall.signature[challengeplayers], signature, sizeof(signature)); + } + + HSendPacket(servernode, true, 0, sizeof(netbuffer->u.responseall)); + break; + case PT_RESPONSEALL: + if (server) + { + int responseplayer; + //CONS_Printf("Got PT_RESPONSEALL from node %d, player %d\n", node, nodetoplayer[node]); + for (responseplayer = 0; responseplayer < MAXSPLITSCREENPLAYERS; responseplayer++) + { + int targetplayer = NodeToSplitPlayer(node, responseplayer); + if (targetplayer == -1) + continue; + + if (IsSplitPlayerOnNodeGuest(node, responseplayer)) + { + CONS_Printf("GUEST on node %d player %d split %d, leaving blank\n", node, targetplayer, responseplayer); + } + else + { + CONS_Printf("receiving %s pk %s\n", GetPrettyRRID(lastChallengeAll, true), GetPrettyRRID(players[targetplayer].public_key, true)); + if (crypto_eddsa_check(netbuffer->u.responseall.signature[responseplayer], + players[targetplayer].public_key, lastChallengeAll, sizeof(lastChallengeAll))) + { + CONS_Alert(CONS_WARNING, "Invalid PT_RESPONSEALL from node %d player %d split %d\n", node, targetplayer, responseplayer); + if (node != -1 && node != 0) // NO IDEA. + { + //SendKick(node, KICK_MSG_SIGFAIL); + } + break; + } + else + { + CONS_Printf("Writing signature for node %d player %d split %d\n", node, targetplayer, responseplayer); + memcpy(lastReceivedSignature[targetplayer], netbuffer->u.responseall.signature[responseplayer], sizeof(lastReceivedSignature[targetplayer])); + } + } + } + } + break; + case PT_RESULTSALL: ; // -Wpedantic + int resultsplayer; + uint8_t allzero[64]; + memset(allzero, 0, sizeof(allzero)); + + if (server) + { + CONS_Printf("Got PT_RESULTSALL, but what the fuck are you going to do with that?\n"); + break; + } + + for (resultsplayer = 0; resultsplayer < MAXPLAYERS; resultsplayer++) + { + if (!playeringame[resultsplayer]) + { + //CONS_Printf("Player %d isn't in the game, excluded from checkall\n", resultsplayer); + continue; + } + else if (IsPlayerGuest(resultsplayer)) + { + //CONS_Printf("GUEST on node %d player %d split %d, not enforcing\n", playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); + continue; + } + else if (memcmp(knownWhenChallenged[resultsplayer], allzero, sizeof(allzero)) == 0) + { + CONS_Printf("That motherfucker wasn't here for the challenge - node %d player %d split %d, not enforcing\n", playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); + continue; + } + else if (memcmp(knownWhenChallenged[resultsplayer], players[resultsplayer].public_key, sizeof(knownWhenChallenged[resultsplayer])) != 0) + { + CONS_Printf("Has key %s but I remember key %s - node %d player %d split %d, not enforcing\n", + GetPrettyRRID(knownWhenChallenged[resultsplayer], true), GetPrettyRRID(players[resultsplayer].public_key, true), + playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); + continue; + } + else + { + if (crypto_eddsa_check(netbuffer->u.resultsall.signature[resultsplayer], + knownWhenChallenged[resultsplayer], lastChallengeAll, sizeof(lastChallengeAll))) + { + CONS_Alert(CONS_WARNING, "PT_RESULTSALL had invalid signature for node %d player %d split %d, something doesn't add up!\nhas key %s, maybe fucked?\n", + playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex, GetPrettyRRID(knownWhenChallenged[resultsplayer], true)); + } + else + { + CONS_Printf("Checkall client-pass for node %d player %d split %d\n", playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); + } + } + } + break; default: DEBFILE(va("UNKNOWN PACKET TYPE RECEIVED %d from host %d\n", netbuffer->packettype, node)); @@ -5964,6 +6136,105 @@ static void UpdatePingTable(void) } } +static void UpdateChallenges(void) +{ + int i; + if (server) + { + if (Playing() && (leveltime == CHALLENGEALL_START)) + { + netbuffer->packettype = PT_CHALLENGEALL; + + // Random noise so it's difficult to reuse the response + // Current time so that difficult to reuse the challenge (TODO: ACTUALLY DO THIS) + csprng(netbuffer->u.serverchallenge.secret, sizeof(netbuffer->u.serverchallenge.secret)); + // Why the fuck doesn't this work + // memcpy(netbuffer->u.serverchallenge.secret, time(NULL), sizeof(int)); + + memcpy(lastChallengeAll, netbuffer->u.serverchallenge.secret, sizeof(lastChallengeAll)); + + memset(lastReceivedSignature, 0, sizeof(lastReceivedSignature)); + + for (i = 0; i < MAXNETNODES; i++) + { + if (nodeingame[i]) + { + CONS_Printf("challenge to node %d, player %d\n", i, nodetoplayer[i]); + HSendPacket(i, true, 0, sizeof(serverchallenge_pak)); + } + } + } + + if (Playing() && (leveltime == CHALLENGEALL_SERVERCUTOFF)) + { + netbuffer->packettype = PT_RESULTSALL; + + uint8_t allZero[64]; + memset(allZero, 0, sizeof(allZero)); + memset(&netbuffer->u.resultsall, 0, sizeof(netbuffer->u.resultsall)); + + for (i = 0; i < MAXPLAYERS; i++) + { + if (!playeringame[i]) + continue; + if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! + { + if (!IsPlayerGuest(i)) + { + CONS_Printf("We never got a response from player %d, goodbye\n", i); + //SendKick(i, KICK_MSG_SIGFAIL); + } + } + else + { + CONS_Printf("Player %d passed checkall and has key %s, adding...\n", i, GetPrettyRRID(players[i].public_key, true)); + memcpy(netbuffer->u.resultsall.signature[i], lastReceivedSignature[i], sizeof(netbuffer->u.resultsall.signature[i])); + } + } + + for (i = 0; i < MAXNETNODES; i++) + { + if (nodeingame[i]) + { + CONS_Printf("results to node %d, player %d\n", i, nodetoplayer[i]); + HSendPacket(i, true, 0, sizeof(resultsall_pak)); + } + } + } + } + else + { + if (Playing() && (leveltime == CHALLENGEALL_START)) + { + // Who should we try to verify when results come in? + // Store a public key for every active slot, so if players shuffle during challenge leniency, + // we don't incorrectly try to verify someone who didn't even get a challenge, throw a tantrum, and bail. + + memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); + + for (i = 0; i < MAXPLAYERS; i++) + { + if (!playeringame[i]) + { + //CONS_Printf("Player %i isn't present for checkall\n", i); + continue; + } + else if (IsPlayerGuest(i)) + { + //CONS_Printf("Player %i is present for checkall, but is a guest\n", i); + continue; + } + else + { + CONS_Printf("Player %d (node %d split %d) is present for checkall, make a note of their key %s...\n", i, playernode[i], players[i].splitscreenindex, + GetPrettyRRID(players[i].public_key, true)); + memcpy(knownWhenChallenged[i], players[i].public_key, sizeof(knownWhenChallenged[i])); + } + } + } + } +} + static void RenewHolePunch(void) { static time_t past; @@ -6009,6 +6280,8 @@ void NetKeepAlive(void) UpdatePingTable(); + UpdateChallenges(); + GetPackets(); #ifdef MASTERSERVER @@ -6115,6 +6388,8 @@ void NetUpdate(void) UpdatePingTable(); + UpdateChallenges(); + if (client) maketic = neededtic; diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 757106b43..c0026e949 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -123,6 +123,10 @@ typedef enum PT_CLIENTKEY, // "Here's my public key" PT_SERVERCHALLENGE, // "Prove it" + PT_CHALLENGEALL, // Prove to the other clients you are who you say you are, sign this random bullshit! + PT_RESPONSEALL, // OK, here is my signature on that random bullshit + PT_RESULTSALL, // Here's what everyone responded to PT_CHALLENGEALL with, if this is wrong or you don't receive it disconnect + NUMPACKETTYPE } packettype_t; @@ -361,6 +365,21 @@ struct serverchallenge_pak char secret[MAXSPLITSCREENPLAYERS][32]; } ATTRPACK; +struct challengeall_pak +{ + uint8_t secret[64]; +} ATTRPACK; + +struct responseall_pak +{ + uint8_t signature[MAXSPLITSCREENPLAYERS][64]; +} ATTRPACK; + +struct resultsall_pak +{ + uint8_t signature[MAXPLAYERS][64]; +} ATTRPACK; + // // Network packet data // @@ -398,6 +417,9 @@ struct doomdata_t UINT32 pingtable[MAXPLAYERS+1]; // 68 bytes clientkey_pak clientkey; // TODO: Tyron, does anyone take any of these sizes even remotely seriously serverchallenge_pak serverchallenge; // Are you even going to update this shit, are you even going to remove this comment + challengeall_pak challengeall; + responseall_pak responseall; + resultsall_pak resultsall; } u; // This is needed to pack diff packet types data together } ATTRPACK; diff --git a/src/d_net.c b/src/d_net.c index 1c3165a6b..2b2827722 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -813,7 +813,14 @@ static const char *packettypename[NUMPACKETTYPE] = "LOGIN", - "PING" + "PING", + + "CLIENTKEY", + "SERVERCHALLENGE", + + "CHALLENGEALL", + "RESPONSEALL", + "RESULTSALL" }; static void DebugPrintpacket(const char *header) diff --git a/src/d_player.h b/src/d_player.h index aedbb06b3..455db72f3 100644 --- a/src/d_player.h +++ b/src/d_player.h @@ -713,7 +713,7 @@ struct player_t mobj_t *stumbleIndicator; mobj_t *sliptideZipIndicator; - uint8_t public_key[32 + 1]; + uint8_t public_key[32]; #ifdef HWRENDER fixed_t fovadd; // adjust FOV for hw rendering diff --git a/src/lua_playerlib.c b/src/lua_playerlib.c index 62efe43d5..db740ec12 100644 --- a/src/lua_playerlib.c +++ b/src/lua_playerlib.c @@ -878,7 +878,7 @@ static int player_set(lua_State *L) else if (fastcmp(field,"bot")) return NOSET; else if (fastcmp(field,"jointime")) - plr->jointime = (tic_t)luaL_checkinteger(L, 3); + return NOSET; else if (fastcmp(field,"splitscreenindex")) return NOSET; #ifdef HWRENDER diff --git a/src/typedef.h b/src/typedef.h index 3927d1fab..9857a77c7 100644 --- a/src/typedef.h +++ b/src/typedef.h @@ -73,6 +73,9 @@ TYPEDEF (serverelem_t); TYPEDEF (rewind_t); TYPEDEF (clientkey_pak); TYPEDEF (serverchallenge_pak); +TYPEDEF (challengeall_pak); +TYPEDEF (responseall_pak); +TYPEDEF (resultsall_pak); // d_event.h TYPEDEF (event_t); From 25e9207fa29e100017852f9660ae8f94b2406eb5 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 20 Mar 2023 23:23:20 -0700 Subject: [PATCH 24/70] Check for pubkey modifiation when gamestate is resent --- src/d_clisrv.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 0fd0d3d95..4865a543b 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -168,8 +168,9 @@ uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // Player's pub uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN uint8_t lastChallengeAll[32]; // The message we asked EVERYONE to sign for client-to-client identity proofs uint8_t lastReceivedSignature[MAXPLAYERS][64]; // Everyone's response to lastChallengeAll -uint8_t involvedInChallenge[MAXPLAYERS][32]; -uint8_t knownWhenChallenged[MAXPLAYERS][32]; +uint8_t knownWhenChallenged[MAXPLAYERS][32]; // Everyone a client saw at the moment a challenge should be initiated + +uint8_t priorGamestateKeySave[MAXPLAYERS][32]; // Make a note of keys before consuming a new gamestate, and if the server tries to send us a gamestate where keys differ, assume shenanigans boolean serverisfull = false; //lets us be aware if the server was full after we check files, but before downloading, so we can ask if the user still wants to download or not tic_t firstconnectattempttime = 0; @@ -1383,6 +1384,17 @@ static void CL_LoadReceivedSavegame(boolean reloading) // so they know they can resume the game netbuffer->packettype = PT_RECEIVEDGAMESTATE; HSendPacket(servernode, true, 0, 0); + + int i; + for (i = 0; i < MAXPLAYERS; i++) + { + if (memcmp(priorGamestateKeySave[i], players[i].public_key, sizeof(priorGamestateKeySave[i])) != 0) + { + CONS_Printf("New gamestate has different public keys, shenanigans afoot?"); + // TODO: Actually do something in this situation + break; + } + } } static void CL_ReloadReceivedSavegame(void) @@ -4388,6 +4400,12 @@ static void PT_WillResendGamestate(void) if (server || cl_redownloadinggamestate) return; + int i; + for (i = 0; i < MAXPLAYERS; i++) + { + memcpy(priorGamestateKeySave[i], players[i].public_key, sizeof(priorGamestateKeySave[i])); + } + // Send back a PT_CANRECEIVEGAMESTATE packet to the server // so they know they can start sending the game state netbuffer->packettype = PT_CANRECEIVEGAMESTATE; From 59c4086ffce0d2599054fc9f7f81e2fcd4ad9796 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 20 Mar 2023 23:28:41 -0700 Subject: [PATCH 25/70] Missing newline --- src/d_clisrv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 4865a543b..39fd78bdd 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -1390,7 +1390,7 @@ static void CL_LoadReceivedSavegame(boolean reloading) { if (memcmp(priorGamestateKeySave[i], players[i].public_key, sizeof(priorGamestateKeySave[i])) != 0) { - CONS_Printf("New gamestate has different public keys, shenanigans afoot?"); + CONS_Printf("New gamestate has different public keys, shenanigans afoot?\n"); // TODO: Actually do something in this situation break; } From 15ec5ee90b020b7bf6e00cf098801e2177f6bc93 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 21 Mar 2023 00:46:27 -0700 Subject: [PATCH 26/70] Client bails if server doesn't verify, first pass --- src/d_clisrv.c | 54 +++++++++++++++++++++++++++++++------------------- src/d_clisrv.h | 12 +++++++++++ src/p_tick.c | 9 +++++++++ 3 files changed, 55 insertions(+), 20 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 39fd78bdd..e661b2de1 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -158,17 +158,12 @@ char connectedservername[MAXSERVERNAME]; /// \todo WORK! boolean acceptnewnode = true; -// We give clients a chance to verify each other once per race. -// When is that challenge sent, and when should clients bail if they don't receive the responses? -#define CHALLENGEALL_START (TICRATE*10) -#define CHALLENGEALL_SERVERCUTOFF (TICRATE*12) -#define CHALLENGEALL_CLIENTCUTOFF (TICRATE*14) - uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // Player's public key (join process only! active players have it on player_t) uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN uint8_t lastChallengeAll[32]; // The message we asked EVERYONE to sign for client-to-client identity proofs uint8_t lastReceivedSignature[MAXPLAYERS][64]; // Everyone's response to lastChallengeAll uint8_t knownWhenChallenged[MAXPLAYERS][32]; // Everyone a client saw at the moment a challenge should be initiated +boolean expectChallenge = false; // Were we in-game before a client-to-client challenge should have been sent? uint8_t priorGamestateKeySave[MAXPLAYERS][32]; // Make a note of keys before consuming a new gamestate, and if the server tries to send us a gamestate where keys differ, assume shenanigans @@ -2771,6 +2766,8 @@ void CL_Reset(void) serverisfull = false; connectiontimeout = (tic_t)cv_nettimeout.value; //reset this temporary hack + expectChallenge = false; + #ifdef HAVE_CURL curl_failedwebdownload = false; curl_transfers = 0; @@ -3593,6 +3590,8 @@ void SV_ResetServer(void) for (i = 0; i < MAXUNLOCKABLES; i++) netUnlocked[i] = (dedicated || gamedata->unlocked[i]); + expectChallenge = false; + DEBFILE("\n-=-=-=-=-=-=-= Server Reset =-=-=-=-=-=-=-\n\n"); } @@ -4163,9 +4162,6 @@ static void HandleConnect(SINT8 node) if (playernode[i] != UINT8_MAX) // We use this to count players because it is affected by SV_AddWaitingPlayers when more than one client joins on the same tic, unlike playeringame and D_NumPlayers. UINT8_MAX denotes no node for that player connectedplayers++; - // Testing - // memset(netbuffer->u.clientcfg.challengeResponse, 0, sizeof(netbuffer->u.clientcfg.challengeResponse)); - if (bannednode && bannednode[node].banid != SIZE_MAX) { const char *reason = NULL; @@ -4368,6 +4364,17 @@ static void HandleTimeout(SINT8 node) M_StartMessage(M_GetText("Server Timeout\n\nPress (B)\n"), NULL, MM_NOTHING); } +// Called when a signature check fails and we suspect the server is playing games. +void HandleSigfail(const char *string) +{ + LUA_HookBool(false, HOOK(GameQuit)); + D_QuitNetGame(); + CL_Reset(); + D_ClearState(); + M_StartControlPanel(); + M_StartMessage(va(M_GetText("Signature check failed.\n(%s)\nPress (B)\n"), string), NULL, MM_NOTHING); +} + /** Called when a PT_SERVERINFO packet is received * * \param node The packet sender @@ -4767,7 +4774,7 @@ static void HandlePacketFromPlayer(SINT8 node) continue; const void* message = &netbuffer->u; - if (IsSplitPlayerOnNodeGuest(node, splitnodes)) + if (IsSplitPlayerOnNodeGuest(node, splitnodes) || demo.playback) { //CONS_Printf("Throwing out a guest signature from node %d player %d\n", node, splitnodes); } @@ -4778,13 +4785,12 @@ static void HandlePacketFromPlayer(SINT8 node) CONS_Alert(CONS_ERROR, "SIGFAIL! Packet type %d from node %d player %d\nkey %s size %d netconsole %d\n", netbuffer->packettype, node, splitnodes, GetPrettyRRID(players[targetplayer].public_key, true), doomcom->datalength - BASEPACKETSIZE, netconsole); - /* + if (netconsole != -1) // NO IDEA. SendKick(netconsole, KICK_MSG_SIGFAIL); // Net_CloseConnection(node); // nodeingame[node] = false; return; - */ } } @@ -5215,7 +5221,8 @@ static void HandlePacketFromPlayer(SINT8 node) int challengeplayers; memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); - //CONS_Printf("Got PT_CHALLENGEALL from node %d\n", node); + if (demo.playback) + break; if (node != servernode) break; @@ -5254,6 +5261,9 @@ static void HandlePacketFromPlayer(SINT8 node) HSendPacket(servernode, true, 0, sizeof(netbuffer->u.responseall)); break; case PT_RESPONSEALL: + if (demo.playback) + break; + if (server) { int responseplayer; @@ -5277,7 +5287,7 @@ static void HandlePacketFromPlayer(SINT8 node) CONS_Alert(CONS_WARNING, "Invalid PT_RESPONSEALL from node %d player %d split %d\n", node, targetplayer, responseplayer); if (node != -1 && node != 0) // NO IDEA. { - //SendKick(node, KICK_MSG_SIGFAIL); + SendKick(node, KICK_MSG_SIGFAIL); } break; } @@ -5295,11 +5305,14 @@ static void HandlePacketFromPlayer(SINT8 node) uint8_t allzero[64]; memset(allzero, 0, sizeof(allzero)); - if (server) - { - CONS_Printf("Got PT_RESULTSALL, but what the fuck are you going to do with that?\n"); + if (demo.playback) + break; + + if (server) + break; + + if (!expectChallenge) break; - } for (resultsplayer = 0; resultsplayer < MAXPLAYERS; resultsplayer++) { @@ -5330,8 +5343,9 @@ static void HandlePacketFromPlayer(SINT8 node) if (crypto_eddsa_check(netbuffer->u.resultsall.signature[resultsplayer], knownWhenChallenged[resultsplayer], lastChallengeAll, sizeof(lastChallengeAll))) { - CONS_Alert(CONS_WARNING, "PT_RESULTSALL had invalid signature for node %d player %d split %d, something doesn't add up!\nhas key %s, maybe fucked?\n", - playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex, GetPrettyRRID(knownWhenChallenged[resultsplayer], true)); + CONS_Alert(CONS_WARNING, "PT_RESULTSALL had invalid signature for node %d player %d split %d, something doesn't add up!\n", + playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); + HandleSigfail("Server sent invalid client signature."); } else { diff --git a/src/d_clisrv.h b/src/d_clisrv.h index c0026e949..28e5eb7af 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -486,6 +486,16 @@ extern SINT8 servernode; extern char connectedservername[MAXSERVERNAME]; extern uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; extern uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; +extern uint8_t lastChallengeAll[32]; +extern uint8_t lastReceivedSignature[MAXPLAYERS][64]; +extern uint8_t knownWhenChallenged[MAXPLAYERS][32]; +extern boolean expectChallenge; + +// We give clients a chance to verify each other once per race. +// When is that challenge sent, and when should clients bail if they don't receive the responses? +#define CHALLENGEALL_START (TICRATE*10) +#define CHALLENGEALL_SERVERCUTOFF (TICRATE*12) +#define CHALLENGEALL_CLIENTCUTOFF (TICRATE*14) void Command_Ping_f(void); extern tic_t connectiontimeout; @@ -598,6 +608,8 @@ void CL_ClearRewinds(void); rewind_t *CL_SaveRewindPoint(size_t demopos); rewind_t *CL_RewindToTime(tic_t time); +void HandleSigfail(const char *string); + #ifdef __cplusplus } // extern "C" #endif diff --git a/src/p_tick.c b/src/p_tick.c index 1b88faa2f..6ad4caf8c 100644 --- a/src/p_tick.c +++ b/src/p_tick.c @@ -971,6 +971,15 @@ void P_Ticker(boolean run) G_CopyTiccmd(&players[i].oldcmd, &players[i].cmd, 1); } + if (leveltime <= CHALLENGEALL_START && client) + expectChallenge = true; + + if (leveltime >= CHALLENGEALL_CLIENTCUTOFF && client) + { + HandleSigfail("Didn't receive client signatures."); + return; + } + // Z_CheckMemCleanup(); } From 72d2249e1f565eaee0362d34393b36d0c4ab6e6b Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 21 Mar 2023 00:52:46 -0700 Subject: [PATCH 27/70] Don't freak out and sigfail if we weren't even expecting a challenge --- src/d_clisrv.c | 1 + src/p_tick.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index e661b2de1..83aef5447 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -5353,6 +5353,7 @@ static void HandlePacketFromPlayer(SINT8 node) } } } + expectChallenge = false; break; default: DEBFILE(va("UNKNOWN PACKET TYPE RECEIVED %d from host %d\n", diff --git a/src/p_tick.c b/src/p_tick.c index 6ad4caf8c..3ce65d79a 100644 --- a/src/p_tick.c +++ b/src/p_tick.c @@ -974,7 +974,7 @@ void P_Ticker(boolean run) if (leveltime <= CHALLENGEALL_START && client) expectChallenge = true; - if (leveltime >= CHALLENGEALL_CLIENTCUTOFF && client) + if (leveltime > CHALLENGEALL_CLIENTCUTOFF && expectChallenge && client) { HandleSigfail("Didn't receive client signatures."); return; From 44f2ce7288c2c35b1c57ae10aaf08183142eeace Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 21 Mar 2023 01:12:05 -0700 Subject: [PATCH 28/70] Expand XD_ADDPLAYER buffer --- src/d_clisrv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 83aef5447..ad3405ce9 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -3882,7 +3882,7 @@ const char *name, uint8_t *key, const char *name2, uint8_t *key2, const char *name3, uint8_t *key3, const char *name4, uint8_t *key4) { INT32 n, newplayernum, i; - UINT8 buf[4 + MAXPLAYERNAME + MAXAVAILABILITY]; + UINT8 buf[4 + MAXPLAYERNAME + 32 + MAXAVAILABILITY]; UINT8 *buf_p = buf; boolean newplayer = false; From a8c129321a12de0a7aad2bce0c18a5e1cc7f8c85 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 21 Mar 2023 02:11:56 -0700 Subject: [PATCH 29/70] Block nodes while an auth challenge is taking place (jart) --- src/d_clisrv.c | 13 ++++++++++++- src/d_net.h | 1 + src/i_tcp.c | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index ad3405ce9..946ee66fb 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -123,6 +123,7 @@ SINT8 nodetoplayer3[MAXNETNODES]; // say the numplayer for this node if any (spl SINT8 nodetoplayer4[MAXNETNODES]; // say the numplayer for this node if any (splitscreen == 3) UINT8 playerpernode[MAXNETNODES]; // used specialy for splitscreen boolean nodeingame[MAXNETNODES]; // set false as nodes leave game +boolean nodeneedsauth[MAXNETNODES]; tic_t servermaxping = 20; // server's max delay, in frames. Defaults to 20 static tic_t nettics[MAXNETNODES]; // what tic the client have received @@ -3510,6 +3511,7 @@ static void ResetNode(INT32 node) { nodeingame[node] = false; nodewaiting[node] = 0; + nodeneedsauth[node] = false; nettics[node] = gametic; supposedtics[node] = gametic; @@ -3676,6 +3678,8 @@ static inline void SV_AddNode(INT32 node) // nodeingame when connected not here if (node) nodeingame[node] = true; + + nodeneedsauth[node] = false; } // Xcmd XD_ADDPLAYER @@ -4158,6 +4162,8 @@ static void HandleConnect(SINT8 node) UINT8 maxplayers = min((dedicated ? MAXPLAYERS-1 : MAXPLAYERS), cv_maxconnections.value); UINT8 connectedplayers = 0; + CONS_Printf(">>>> node %d (%s)\n", node, I_GetNodeAddress(node)); + for (i = dedicated ? 1 : 0; i < MAXPLAYERS; i++) if (playernode[i] != UINT8_MAX) // We use this to count players because it is affected by SV_AddWaitingPlayers when more than one client joins on the same tic, unlike playeringame and D_NumPlayers. UINT8_MAX denotes no node for that player connectedplayers++; @@ -4680,7 +4686,12 @@ static void HandlePacketFromAwayNode(SINT8 node) /* FALLTHRU */ case PT_CLIENTKEY: if (server) + { PT_ClientKey(node); + + nodeneedsauth[node] = true; + freezetimeout[node] = I_GetTime() + jointimeout; + } break; case PT_SERVERCHALLENGE: if (cl_mode != CL_WAITCHALLENGE) @@ -6289,7 +6300,7 @@ static void HandleNodeTimeouts(void) if (server) { for (i = 1; i < MAXNETNODES; i++) - if (nodeingame[i] && freezetimeout[i] < I_GetTime()) + if ((nodeingame[i] || nodeneedsauth[i]) && freezetimeout[i] < I_GetTime()) Net_ConnectionTimeout(i); // In case the cvar value was lowered diff --git a/src/d_net.h b/src/d_net.h index 192c889cc..5cf4b9f77 100644 --- a/src/d_net.h +++ b/src/d_net.h @@ -46,6 +46,7 @@ extern SINT8 nodetoplayer3[MAXNETNODES]; // Say the numplayer for this node if a extern SINT8 nodetoplayer4[MAXNETNODES]; // Say the numplayer for this node if any (splitscreen == 3) extern UINT8 playerpernode[MAXNETNODES]; // Used specially for splitscreen extern boolean nodeingame[MAXNETNODES]; // Set false as nodes leave game +extern boolean nodeneedsauth[MAXNETNODES]; extern boolean serverrunning; diff --git a/src/i_tcp.c b/src/i_tcp.c index d99029b44..db5cf06d1 100644 --- a/src/i_tcp.c +++ b/src/i_tcp.c @@ -459,7 +459,7 @@ static void cleanupnodes(void) // Why can't I start at zero? for (j = 1; j < MAXNETNODES; j++) - if (!(nodeingame[j] || SendingFile(j))) + if (!(nodeingame[j] || nodeneedsauth[j] || SendingFile(j))) nodeconnected[j] = false; } From 2afc43383e60fc1d6c763e8466cd571c3a42c10f Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 21 Mar 2023 02:39:25 -0700 Subject: [PATCH 30/70] Jart node deadlock fixup part 2 --- src/d_clisrv.c | 19 ++++++++++++++----- src/d_clisrv.h | 2 -- src/i_tcp.c | 2 -- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 946ee66fb..d3e99e2e0 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -3484,9 +3484,7 @@ void D_ClientServerInit(void) COM_AddCommand("drop", Command_Drop); COM_AddCommand("droprate", Command_Droprate); #endif -#ifdef _DEBUG COM_AddCommand("numnodes", Command_Numnodes); -#endif RegisterNetXCmd(XD_KICK, Got_KickCmd); RegisterNetXCmd(XD_ADDPLAYER, Got_AddPlayer); @@ -3512,6 +3510,7 @@ static void ResetNode(INT32 node) nodeingame[node] = false; nodewaiting[node] = 0; nodeneedsauth[node] = false; + CONS_Printf("2: node %d -> %d\n", node, nodeneedsauth[node]); nettics[node] = gametic; supposedtics[node] = gametic; @@ -3680,6 +3679,7 @@ static inline void SV_AddNode(INT32 node) nodeingame[node] = true; nodeneedsauth[node] = false; + CONS_Printf("3: node %d -> %d\n", node, nodeneedsauth[node]); } // Xcmd XD_ADDPLAYER @@ -4673,7 +4673,10 @@ static void HandlePacketFromAwayNode(SINT8 node) case PT_NODETIMEOUT: case PT_CLIENTQUIT: if (server) + { Net_CloseConnection(node); + nodeneedsauth[node] = false; + } break; case PT_CLIENTCMD: @@ -4689,15 +4692,19 @@ static void HandlePacketFromAwayNode(SINT8 node) { PT_ClientKey(node); - nodeneedsauth[node] = true; - freezetimeout[node] = I_GetTime() + jointimeout; + CONS_Printf("4: node %d -> %d\n", node, nodeneedsauth[node]); + if (nodeneedsauth[node] == false) + { + freezetimeout[node] = I_GetTime() + jointimeout; + nodeneedsauth[node] = true; + } } break; case PT_SERVERCHALLENGE: if (cl_mode != CL_WAITCHALLENGE) break; memcpy(awaitingChallenge, netbuffer->u.serverchallenge.secret, sizeof(awaitingChallenge)); - cl_mode = CL_ASKJOIN; + //cl_mode = CL_ASKJOIN; break; default: DEBFILE(va("unknown packet received (%d) from unknown host\n",netbuffer->packettype)); @@ -5099,6 +5106,8 @@ static void HandlePacketFromPlayer(SINT8 node) } Net_CloseConnection(node); nodeingame[node] = false; + nodeneedsauth[node] = false; + CONS_Printf("1: node %d -> %d\n", node, nodeneedsauth[node]); break; case PT_CANRECEIVEGAMESTATE: PT_CanReceiveGamestate(node); diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 28e5eb7af..e3b68c3d0 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -134,9 +134,7 @@ typedef enum void Command_Drop(void); void Command_Droprate(void); #endif -#ifdef _DEBUG void Command_Numnodes(void); -#endif #if defined(_MSC_VER) #pragma pack(1) diff --git a/src/i_tcp.c b/src/i_tcp.c index db5cf06d1..784a555cd 100644 --- a/src/i_tcp.c +++ b/src/i_tcp.c @@ -489,7 +489,6 @@ static SINT8 getfreenode(void) return -1; } -#ifdef _DEBUG void Command_Numnodes(void) { INT32 connected = 0; @@ -527,7 +526,6 @@ void Command_Numnodes(void) "Ingame: %d\n", connected, ingame); } -#endif static boolean hole_punch(ssize_t c) { From f5b7238ba9c46d102caff1d16216682a14dfeb81 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 21 Mar 2023 02:47:55 -0700 Subject: [PATCH 31/70] I will never understand why the VSCode diff editor does this to me --- src/d_clisrv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index d3e99e2e0..07d49e621 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4704,7 +4704,7 @@ static void HandlePacketFromAwayNode(SINT8 node) if (cl_mode != CL_WAITCHALLENGE) break; memcpy(awaitingChallenge, netbuffer->u.serverchallenge.secret, sizeof(awaitingChallenge)); - //cl_mode = CL_ASKJOIN; + cl_mode = CL_ASKJOIN; break; default: DEBFILE(va("unknown packet received (%d) from unknown host\n",netbuffer->packettype)); From 7f479d14c2bc28dfb4a382d38122563d5284105f Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 21 Mar 2023 02:48:54 -0700 Subject: [PATCH 32/70] I do not understand version control and no one can make me learn --- src/d_clisrv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 07d49e621..aafbf3e4c 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4692,6 +4692,9 @@ static void HandlePacketFromAwayNode(SINT8 node) { PT_ClientKey(node); + nodeneedsauth[node] = true; + freezetimeout[node] = I_GetTime() + jointimeout; + CONS_Printf("4: node %d -> %d\n", node, nodeneedsauth[node]); if (nodeneedsauth[node] == false) { From 137f166043d9ef44e2d01a20a094527778275b56 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 21 Mar 2023 23:19:21 -0700 Subject: [PATCH 33/70] Cvars to do bad network things in DEVELOP, fixes to bad network things --- src/d_clisrv.c | 90 ++++++++++++++++++++++++++++++++++++++++++-------- src/d_clisrv.h | 13 ++++++-- src/d_net.c | 5 +-- src/d_netcmd.c | 8 ++++- 4 files changed, 97 insertions(+), 19 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index aafbf3e4c..0a9abd3d0 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -175,7 +175,13 @@ uint8_t awaitingChallenge[32]; consvar_t cv_allowguests = CVAR_INIT ("allowguests", "On", CV_SAVE, CV_OnOff, NULL); #ifdef DEVELOP - consvar_t cv_sigfail = CVAR_INIT ("sigfail", "Off", CV_SAVE, CV_OnOff, NULL); + consvar_t cv_badjoin = CVAR_INIT ("badjoin", "0", 0, CV_Unsigned, NULL); + consvar_t cv_badtraffic = CVAR_INIT ("badtraffic", "0", 0, CV_Unsigned, NULL); + consvar_t cv_badresponse = CVAR_INIT ("badresponse", "0", 0, CV_Unsigned, NULL); + consvar_t cv_noresponse = CVAR_INIT ("noresponse", "0", 0, CV_Unsigned, NULL); + consvar_t cv_nochallenge = CVAR_INIT ("nochallenge", "0", 0, CV_Unsigned, NULL); + consvar_t cv_badresults = CVAR_INIT ("badresults", "0", 0, CV_Unsigned, NULL); + consvar_t cv_noresults = CVAR_INIT ("noresults", "0", 0, CV_Unsigned, NULL); #endif // engine @@ -867,9 +873,10 @@ static boolean CL_SendJoin(void) } #ifdef DEVELOP - if (cv_sigfail.value) + if (cv_badjoin.value) { - CONS_Alert(CONS_WARNING, "SIGFAIL enabled, scrubbing signature from CL_SendJoin\n"); + CV_AddValue(&cv_badjoin, -1); + CONS_Alert(CONS_WARNING, "cv_badjoin enabled, scrubbing signature from CL_SendJoin\n"); memset(signature, 0, 64); } #endif @@ -5252,6 +5259,15 @@ static void HandlePacketFromPlayer(SINT8 node) netbuffer->packettype = PT_RESPONSEALL; + #ifdef DEVELOP + if (cv_noresponse.value) + { + CV_AddValue(&cv_noresponse, -1); + CONS_Alert(CONS_WARNING, "cv_noresponse enabled, not sending PT_RESPONSEALL\n"); + break; + } + #endif + memset(&netbuffer->u.responseall, 0, sizeof(netbuffer->u.responseall)); for (challengeplayers = 0; challengeplayers <= splitscreen; challengeplayers++) @@ -5271,9 +5287,10 @@ static void HandlePacketFromPlayer(SINT8 node) } #ifdef DEVELOP - if (cv_sigfail.value) + if (cv_badresponse.value) { - CONS_Alert(CONS_WARNING, "SIGFAIL enabled, scrubbing signature from PT_RESPONSEALL\n"); + CV_AddValue(&cv_badresponse, -1); + CONS_Alert(CONS_WARNING, "cv_badresponse enabled, scrubbing signature from PT_RESPONSEALL\n"); memset(signature, 0, 64); } #endif @@ -5308,9 +5325,9 @@ static void HandlePacketFromPlayer(SINT8 node) players[targetplayer].public_key, lastChallengeAll, sizeof(lastChallengeAll))) { CONS_Alert(CONS_WARNING, "Invalid PT_RESPONSEALL from node %d player %d split %d\n", node, targetplayer, responseplayer); - if (node != -1 && node != 0) // NO IDEA. + if (playernode[targetplayer] != 0) // NO IDEA. { - SendKick(node, KICK_MSG_SIGFAIL); + SendKick(targetplayer, KICK_MSG_SIGFAIL); } break; } @@ -5328,6 +5345,8 @@ static void HandlePacketFromPlayer(SINT8 node) uint8_t allzero[64]; memset(allzero, 0, sizeof(allzero)); + CONS_Printf("Got PT_RESULTSALL\n"); + if (demo.playback) break; @@ -5337,6 +5356,8 @@ static void HandlePacketFromPlayer(SINT8 node) if (!expectChallenge) break; + CONS_Printf("Checking PT_RESULTSALL\n"); + for (resultsplayer = 0; resultsplayer < MAXPLAYERS; resultsplayer++) { if (!playeringame[resultsplayer]) @@ -5376,6 +5397,7 @@ static void HandlePacketFromPlayer(SINT8 node) } } } + csprng(lastChallengeAll, sizeof(lastChallengeAll)); expectChallenge = false; break; default: @@ -6201,6 +6223,15 @@ static void UpdateChallenges(void) { netbuffer->packettype = PT_CHALLENGEALL; + #ifdef DEVELOP + if (cv_nochallenge.value) + { + CV_AddValue(&cv_nochallenge, -1); + CONS_Alert(CONS_WARNING, "cv_nochallenge enabled, not sending PT_CHALLENGEALL\n"); + return; + } + #endif + // Random noise so it's difficult to reuse the response // Current time so that difficult to reuse the challenge (TODO: ACTUALLY DO THIS) csprng(netbuffer->u.serverchallenge.secret, sizeof(netbuffer->u.serverchallenge.secret)); @@ -6221,10 +6252,39 @@ static void UpdateChallenges(void) } } - if (Playing() && (leveltime == CHALLENGEALL_SERVERCUTOFF)) + if (Playing() && (leveltime == CHALLENGEALL_KICKUNRESPONSIVE)) + { + uint8_t allZero[64]; + memset(allZero, 0, sizeof(allZero)); + + for (i = 0; i < MAXPLAYERS; i++) + { + if (!playeringame[i]) + continue; + if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! + { + if (!IsPlayerGuest(i)) + { + CONS_Printf("We never got a response from player %d, goodbye\n", i); + SendKick(i, KICK_MSG_SIGFAIL); + } + } + } + } + + if (Playing() && (leveltime == CHALLENGEALL_SENDRESULTS)) { netbuffer->packettype = PT_RESULTSALL; + #ifdef DEVELOP + if (cv_noresults.value) + { + CV_AddValue(&cv_noresults, -1); + CONS_Alert(CONS_WARNING, "cv_noresults enabled, not sending PT_RESULTSALL\n"); + return; + } + #endif + uint8_t allZero[64]; memset(allZero, 0, sizeof(allZero)); memset(&netbuffer->u.resultsall, 0, sizeof(netbuffer->u.resultsall)); @@ -6235,16 +6295,20 @@ static void UpdateChallenges(void) continue; if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! { - if (!IsPlayerGuest(i)) - { - CONS_Printf("We never got a response from player %d, goodbye\n", i); - //SendKick(i, KICK_MSG_SIGFAIL); - } + CONS_Alert(CONS_WARNING, "Unreceived signature for player %d, who is still in-game\n", i); } else { CONS_Printf("Player %d passed checkall and has key %s, adding...\n", i, GetPrettyRRID(players[i].public_key, true)); memcpy(netbuffer->u.resultsall.signature[i], lastReceivedSignature[i], sizeof(netbuffer->u.resultsall.signature[i])); + #ifdef DEVELOP + if (cv_badresults.value) + { + CV_AddValue(&cv_badresults, -1); + CONS_Alert(CONS_WARNING, "cv_badresults enabled, scrubbing signature from PT_RESULTSALL\n"); + memset(netbuffer->u.resultsall.signature[i], 0, sizeof(netbuffer->u.resultsall.signature[i])); + } + #endif } } diff --git a/src/d_clisrv.h b/src/d_clisrv.h index e3b68c3d0..0a2f04315 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -492,8 +492,9 @@ extern boolean expectChallenge; // We give clients a chance to verify each other once per race. // When is that challenge sent, and when should clients bail if they don't receive the responses? #define CHALLENGEALL_START (TICRATE*10) -#define CHALLENGEALL_SERVERCUTOFF (TICRATE*12) -#define CHALLENGEALL_CLIENTCUTOFF (TICRATE*14) +#define CHALLENGEALL_KICKUNRESPONSIVE (TICRATE*12) +#define CHALLENGEALL_SENDRESULTS (TICRATE*14) +#define CHALLENGEALL_CLIENTCUTOFF (TICRATE*16) void Command_Ping_f(void); extern tic_t connectiontimeout; @@ -519,7 +520,13 @@ extern consvar_t cv_discordinvites; extern consvar_t cv_allowguests; #ifdef DEVELOP -extern consvar_t cv_sigfail; + extern consvar_t cv_badjoin; + extern consvar_t cv_badtraffic; + extern consvar_t cv_badresponse; + extern consvar_t cv_noresponse; + extern consvar_t cv_nochallenge; + extern consvar_t cv_badresults; + extern consvar_t cv_noresults; #endif // Used in d_net, the only dependence diff --git a/src/d_net.c b/src/d_net.c index 2b2827722..ae2dc395f 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -1047,9 +1047,10 @@ boolean HSendPacket(INT32 node, boolean reliable, UINT8 acknum, size_t packetlen } #ifdef DEVELOP - if (cv_sigfail.value) + if (cv_badtraffic.value) { - CONS_Alert(CONS_WARNING, "SIGFAIL enabled, scrubbing signature from HSendPacket\n"); + CV_AddValue(&cv_badtraffic, -1); + CONS_Alert(CONS_WARNING, "cv_badtraffic enabled, scrubbing signature from HSendPacket\n"); memset(netbuffer->signature, 0, sizeof(netbuffer->signature)); } #endif diff --git a/src/d_netcmd.c b/src/d_netcmd.c index 5c87fd5fd..c3fd3cf72 100644 --- a/src/d_netcmd.c +++ b/src/d_netcmd.c @@ -949,7 +949,13 @@ void D_RegisterClientCommands(void) CV_RegisterVar(&cv_allowguests); #ifdef DEVELOP - CV_RegisterVar(&cv_sigfail); + CV_RegisterVar(&cv_badjoin); // implemented + CV_RegisterVar(&cv_badtraffic); // implemented + CV_RegisterVar(&cv_badresponse); // implemented + CV_RegisterVar(&cv_noresponse); + CV_RegisterVar(&cv_nochallenge); // implemented + CV_RegisterVar(&cv_badresults); // implemented + CV_RegisterVar(&cv_noresults); // implemented #endif // HUD From f9832eb77f4b22d21a0a7b73df5e1226307839f8 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 21 Mar 2023 23:34:56 -0700 Subject: [PATCH 34/70] Give gamestate resend integrity check some teeth --- src/d_clisrv.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 0a9abd3d0..8184588d9 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -1388,14 +1388,16 @@ static void CL_LoadReceivedSavegame(boolean reloading) netbuffer->packettype = PT_RECEIVEDGAMESTATE; HSendPacket(servernode, true, 0, 0); - int i; - for (i = 0; i < MAXPLAYERS; i++) + if (reloading) { - if (memcmp(priorGamestateKeySave[i], players[i].public_key, sizeof(priorGamestateKeySave[i])) != 0) + int i; + for (i = 0; i < MAXPLAYERS; i++) { - CONS_Printf("New gamestate has different public keys, shenanigans afoot?\n"); - // TODO: Actually do something in this situation - break; + if (memcmp(priorGamestateKeySave[i], players[i].public_key, sizeof(priorGamestateKeySave[i])) != 0) + { + HandleSigfail("Gamestate reload contained new keys"); + break; + } } } } From a57901babfd4fc997bb01acf75d891bd344fb52b Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Wed, 22 Mar 2023 00:45:01 -0700 Subject: [PATCH 35/70] It's mediocre security fixup time --- src/d_clisrv.c | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 8184588d9..8eecdedab 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4713,6 +4713,11 @@ static void HandlePacketFromAwayNode(SINT8 node) } break; case PT_SERVERCHALLENGE: + if (server && serverrunning && node != servernode) + { + Net_CloseConnection(node); + break; + } if (cl_mode != CL_WAITCHALLENGE) break; memcpy(awaitingChallenge, netbuffer->u.serverchallenge.secret, sizeof(awaitingChallenge)); @@ -5250,14 +5255,17 @@ static void HandlePacketFromPlayer(SINT8 node) CL_PrepareDownloadLuaFile(); break; case PT_CHALLENGEALL: ; // -Wpedantic - int challengeplayers; - memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); + if (server) + break; if (demo.playback) break; if (node != servernode) break; + + int challengeplayers; + memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); netbuffer->packettype = PT_RESPONSEALL; @@ -5355,6 +5363,9 @@ static void HandlePacketFromPlayer(SINT8 node) if (server) break; + if (node != servernode) + break; + if (!expectChallenge) break; @@ -6234,11 +6245,13 @@ static void UpdateChallenges(void) } #endif + memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); + // Random noise so it's difficult to reuse the response // Current time so that difficult to reuse the challenge (TODO: ACTUALLY DO THIS) + const time_t now = time(NULL); + CONS_Printf("now: %d\n", now); csprng(netbuffer->u.serverchallenge.secret, sizeof(netbuffer->u.serverchallenge.secret)); - // Why the fuck doesn't this work - // memcpy(netbuffer->u.serverchallenge.secret, time(NULL), sizeof(int)); memcpy(lastChallengeAll, netbuffer->u.serverchallenge.secret, sizeof(lastChallengeAll)); @@ -6250,6 +6263,7 @@ static void UpdateChallenges(void) { CONS_Printf("challenge to node %d, player %d\n", i, nodetoplayer[i]); HSendPacket(i, true, 0, sizeof(serverchallenge_pak)); + memcpy(knownWhenChallenged[nodetoplayer[i]], players[nodetoplayer[i]].public_key, sizeof(knownWhenChallenged[nodetoplayer[i]])); } } } @@ -6265,10 +6279,13 @@ static void UpdateChallenges(void) continue; if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! { - if (!IsPlayerGuest(i)) + if (!IsPlayerGuest(i) && memcmp(knownWhenChallenged[i], players[i].public_key, sizeof(knownWhenChallenged[i]) == 0)) { - CONS_Printf("We never got a response from player %d, goodbye\n", i); - SendKick(i, KICK_MSG_SIGFAIL); + if (playernode[i] != servernode) + { + CONS_Printf("We never got a response from player %d, goodbye\n", i); + SendKick(i, KICK_MSG_SIGFAIL); + } } } } From 32b1ff3d3e6e4aff4a85147711c2e1e09f00c0bb Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Wed, 22 Mar 2023 01:10:08 -0700 Subject: [PATCH 36/70] SERVER needs to respond to PT_CHALLENGEALL, dummy --- src/d_clisrv.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 8eecdedab..6deca6f87 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -3519,7 +3519,7 @@ static void ResetNode(INT32 node) nodeingame[node] = false; nodewaiting[node] = 0; nodeneedsauth[node] = false; - CONS_Printf("2: node %d -> %d\n", node, nodeneedsauth[node]); + //CONS_Printf("2: node %d -> %d\n", node, nodeneedsauth[node]); nettics[node] = gametic; supposedtics[node] = gametic; @@ -5255,9 +5255,6 @@ static void HandlePacketFromPlayer(SINT8 node) CL_PrepareDownloadLuaFile(); break; case PT_CHALLENGEALL: ; // -Wpedantic - if (server) - break; - if (demo.playback) break; @@ -5343,8 +5340,8 @@ static void HandlePacketFromPlayer(SINT8 node) } else { - CONS_Printf("Writing signature for node %d player %d split %d\n", node, targetplayer, responseplayer); memcpy(lastReceivedSignature[targetplayer], netbuffer->u.responseall.signature[responseplayer], sizeof(lastReceivedSignature[targetplayer])); + CONS_Printf("Writing signature %s for node %d player %d split %d\n", GetPrettyRRID(lastReceivedSignature[targetplayer], true), node, targetplayer, responseplayer); } } } @@ -5375,12 +5372,12 @@ static void HandlePacketFromPlayer(SINT8 node) { if (!playeringame[resultsplayer]) { - //CONS_Printf("Player %d isn't in the game, excluded from checkall\n", resultsplayer); + CONS_Printf("Player %d isn't in the game, excluded from checkall\n", resultsplayer); continue; } else if (IsPlayerGuest(resultsplayer)) { - //CONS_Printf("GUEST on node %d player %d split %d, not enforcing\n", playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); + CONS_Printf("GUEST on node %d player %d split %d, not enforcing\n", playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); continue; } else if (memcmp(knownWhenChallenged[resultsplayer], allzero, sizeof(allzero)) == 0) @@ -5400,9 +5397,10 @@ static void HandlePacketFromPlayer(SINT8 node) if (crypto_eddsa_check(netbuffer->u.resultsall.signature[resultsplayer], knownWhenChallenged[resultsplayer], lastChallengeAll, sizeof(lastChallengeAll))) { - CONS_Alert(CONS_WARNING, "PT_RESULTSALL had invalid signature for node %d player %d split %d, something doesn't add up!\n", - playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); + CONS_Alert(CONS_WARNING, "PT_RESULTSALL had invalid signature %s for node %d player %d split %d, something doesn't add up!\n", + GetPrettyRRID(netbuffer->u.resultsall.signature[resultsplayer], true), playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); HandleSigfail("Server sent invalid client signature."); + break; } else { @@ -6314,11 +6312,12 @@ static void UpdateChallenges(void) continue; if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! { - CONS_Alert(CONS_WARNING, "Unreceived signature for player %d, who is still in-game\n", i); + if (!IsPlayerGuest(i)) + CONS_Alert(CONS_WARNING, "Unreceived signature for player %d, who is still in-game\n", i); } else { - CONS_Printf("Player %d passed checkall and has key %s, adding...\n", i, GetPrettyRRID(players[i].public_key, true)); + CONS_Printf("Player %d passed with key %s sig %s, adding...\n", i, GetPrettyRRID(players[i].public_key, true), GetPrettyRRID(lastReceivedSignature[i], true)); memcpy(netbuffer->u.resultsall.signature[i], lastReceivedSignature[i], sizeof(netbuffer->u.resultsall.signature[i])); #ifdef DEVELOP if (cv_badresults.value) @@ -6331,6 +6330,11 @@ static void UpdateChallenges(void) } } + for (i = 0; i < MAXPLAYERS; i++) + { + CONS_Printf("SIG %d: %s\n", i, GetPrettyRRID(netbuffer->u.resultsall.signature[i], true)); + } + for (i = 0; i < MAXNETNODES; i++) { if (nodeingame[i]) From f873df764e763fe58e55b7df76408ce50ce6d7e4 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Wed, 22 Mar 2023 03:02:45 -0700 Subject: [PATCH 37/70] USE THE ENTIRE 64 BYTES OF THE CHALLENGE YOU IDIOT also check time/gamemap --- src/d_clisrv.c | 36 ++++++++++++++++++++++++++++++------ src/d_clisrv.h | 6 +++--- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 6deca6f87..e85a0977c 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -161,7 +161,7 @@ boolean acceptnewnode = true; uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // Player's public key (join process only! active players have it on player_t) uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN -uint8_t lastChallengeAll[32]; // The message we asked EVERYONE to sign for client-to-client identity proofs +uint8_t lastChallengeAll[64]; // The message we asked EVERYONE to sign for client-to-client identity proofs uint8_t lastReceivedSignature[MAXPLAYERS][64]; // Everyone's response to lastChallengeAll uint8_t knownWhenChallenged[MAXPLAYERS][32]; // Everyone a client saw at the moment a challenge should be initiated boolean expectChallenge = false; // Were we in-game before a client-to-client challenge should have been sent? @@ -5262,8 +5262,30 @@ static void HandlePacketFromPlayer(SINT8 node) break; int challengeplayers; + time_t now, then; + INT16 sentmap; // if gamemap ever needs to change type, god forbid, change this too + memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); + now = time(NULL); + memcpy(&then, lastChallengeAll, sizeof(then)); + + CONS_Printf("Time offset: %d\n", abs(now - then)); + + if (abs(now - then) > 300) + { + HandleSigfail("Bad challenge - time difference, check clocks"); + break; + } + + memcpy(&sentmap, lastChallengeAll + sizeof(then), sizeof(sentmap)); + CONS_Printf("Got map %hd, current map %hd\n", sentmap, gamemap); + if (sentmap != gamemap) + { + HandleSigfail("Bad challenge - wrong gamemap"); + break; + } + netbuffer->packettype = PT_RESPONSEALL; #ifdef DEVELOP @@ -6246,12 +6268,14 @@ static void UpdateChallenges(void) memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); // Random noise so it's difficult to reuse the response - // Current time so that difficult to reuse the challenge (TODO: ACTUALLY DO THIS) + // Current time so that difficult to reuse the challenge const time_t now = time(NULL); - CONS_Printf("now: %d\n", now); - csprng(netbuffer->u.serverchallenge.secret, sizeof(netbuffer->u.serverchallenge.secret)); + CONS_Printf("now: %ld, gamemap: %hd\n", now, gamemap); + csprng(netbuffer->u.challengeall.secret, sizeof(netbuffer->u.challengeall.secret)); + memcpy(netbuffer->u.challengeall.secret, &now, sizeof(now)); // First few bytes are the timestamp... + memcpy(netbuffer->u.challengeall.secret + sizeof(now), &gamemap, sizeof(gamemap)); // And the next two are the current map. (TODO: This works but I don't think it's doing what I think it's doing, pointers suck.) - memcpy(lastChallengeAll, netbuffer->u.serverchallenge.secret, sizeof(lastChallengeAll)); + memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); memset(lastReceivedSignature, 0, sizeof(lastReceivedSignature)); @@ -6260,7 +6284,7 @@ static void UpdateChallenges(void) if (nodeingame[i]) { CONS_Printf("challenge to node %d, player %d\n", i, nodetoplayer[i]); - HSendPacket(i, true, 0, sizeof(serverchallenge_pak)); + HSendPacket(i, true, 0, sizeof(challengeall_pak)); memcpy(knownWhenChallenged[nodetoplayer[i]], players[nodetoplayer[i]].public_key, sizeof(knownWhenChallenged[nodetoplayer[i]])); } } diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 0a2f04315..e042350d5 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -355,12 +355,12 @@ struct filesneededconfig_pak struct clientkey_pak { - char key[MAXSPLITSCREENPLAYERS][32]; + uint8_t key[MAXSPLITSCREENPLAYERS][32]; } ATTRPACK; struct serverchallenge_pak { - char secret[MAXSPLITSCREENPLAYERS][32]; + uint8_t secret[MAXSPLITSCREENPLAYERS][32]; } ATTRPACK; struct challengeall_pak @@ -484,7 +484,7 @@ extern SINT8 servernode; extern char connectedservername[MAXSERVERNAME]; extern uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; extern uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; -extern uint8_t lastChallengeAll[32]; +extern uint8_t lastChallengeAll[64]; extern uint8_t lastReceivedSignature[MAXPLAYERS][64]; extern uint8_t knownWhenChallenged[MAXPLAYERS][32]; extern boolean expectChallenge; From a1f82b2a3781aa0494ef1dfe62239c80abc2e489 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Thu, 23 Mar 2023 00:33:39 -0700 Subject: [PATCH 38/70] Use server IP and timestamp in PT_SERVERCHALLENGE to avoid signature reuse --- src/d_clisrv.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++--- src/d_clisrv.h | 5 ++-- src/d_net.c | 1 + src/d_netfil.c | 5 ++++ src/i_net.h | 1 + src/i_tcp.c | 15 +++++++++++ 6 files changed, 88 insertions(+), 6 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index e85a0977c..7d52b19d0 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -159,8 +159,9 @@ char connectedservername[MAXSERVERNAME]; /// \todo WORK! boolean acceptnewnode = true; +UINT32 ourIP; // Used when populating PT_SERVERCHALLENGE (guards against signature reuse) uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // Player's public key (join process only! active players have it on player_t) -uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN +uint8_t lastSentChallenge[MAXNETNODES][32]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN uint8_t lastChallengeAll[64]; // The message we asked EVERYONE to sign for client-to-client identity proofs uint8_t lastReceivedSignature[MAXPLAYERS][64]; // Everyone's response to lastChallengeAll uint8_t knownWhenChallenged[MAXPLAYERS][32]; // Everyone a client saw at the moment a challenge should be initiated @@ -811,6 +812,31 @@ static boolean CL_AskFileList(INT32 firstfile) return HSendPacket(servernode, false, 0, sizeof (INT32)); } +// https://github.com/jameds/holepunch/blob/master/holepunch.c#L75 +static int IsExternalAddress (const void *p) +{ + const int a = ((const unsigned char*)p)[0]; + const int b = ((const unsigned char*)p)[1]; + + if (*(const int*)p == ~0)/* 255.255.255.255 */ + return 0; + + switch (a) + { + case 0: + case 10: + case 127: + return 0; + case 172: + return (b & ~15) != 16;/* 16 - 31 */ + case 192: + return b != 168; + default: + return 1; + } +} + + /** Sends a special packet to declare how many players in local * Used only in arbitratrenetstart() * Sends a PT_CLIENTJOIN packet to the server @@ -856,6 +882,27 @@ static boolean CL_SendJoin(void) // Don't leak old signatures from prior sessions. memset(&netbuffer->u.clientcfg.challengeResponse, 0, sizeof(((clientconfig_pak *)0)->challengeResponse)); + UINT32 claimedIP; + UINT32 realIP = *I_GetNodeAddressInt(servernode); + time_t receivedTime; + time_t now = time(NULL); + + memcpy(&claimedIP, awaitingChallenge, sizeof(claimedIP)); + memcpy(&receivedTime, awaitingChallenge + sizeof(claimedIP), sizeof(receivedTime)); + + if (client && netgame) + { + if (realIP != claimedIP && IsExternalAddress(&realIP)) + { + I_Error("External server IP didn't match the message it sent.\nSomething is very wrong here."); + } + + if (abs(now - receivedTime) > 60*5) + { + I_Error("External server sent a message with an unusual timestamp.\nReceived: %ld\nNow: %ld\nCheck your clocks!", receivedTime, now); + } + } + for (i = 0; i <= splitscreen; i++) { uint8_t signature[64]; @@ -4011,6 +4058,15 @@ void CL_RemoveSplitscreenPlayer(UINT8 p) SendKick(p, KICK_MSG_PLAYER_QUIT); } +static void GotOurIP(UINT32 address) +{ + const unsigned char * p = (const unsigned char *)&address; + #ifdef DEVELOP + CONS_Printf("Got IP of %u.%u.%u.%u\n", p[0], p[1], p[2], p[3]); + #endif + ourIP = address; +} + // is there a game running boolean Playing(void) { @@ -4047,14 +4103,17 @@ boolean SV_SpawnServer(void) else doomcom->numslots = 1; } + ourIP = 0; + STUN_bind(GotOurIP); + // strictly speaking, i'm not convinced the following is necessary // but I'm not confident enough to remove it entirely in case it breaks something { UINT8 *availabilitiesbuffer = R_GetSkinAvailabilities(false, false); SINT8 node = 0; for (; node < MAXNETNODES; node++) - result |= SV_AddWaitingPlayers(node, availabilitiesbuffer, cv_playername[0].zstring, &PR_GetLocalPlayerProfile(0)->public_key, cv_playername[1].zstring, &PR_GetLocalPlayerProfile(1)->public_key, - cv_playername[2].zstring, &PR_GetLocalPlayerProfile(2)->public_key, cv_playername[3].zstring, &PR_GetLocalPlayerProfile(3)->public_key); + result |= SV_AddWaitingPlayers(node, availabilitiesbuffer, cv_playername[0].zstring, PR_GetLocalPlayerProfile(0)->public_key, cv_playername[1].zstring, PR_GetLocalPlayerProfile(1)->public_key, + cv_playername[2].zstring, PR_GetLocalPlayerProfile(2)->public_key, cv_playername[3].zstring, PR_GetLocalPlayerProfile(3)->public_key); } return result; #endif @@ -4290,7 +4349,7 @@ static void HandleConnect(SINT8 node) } else { - sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node][i], 32); + sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node], 32); } diff --git a/src/d_clisrv.h b/src/d_clisrv.h index e042350d5..ad73842d0 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -360,7 +360,7 @@ struct clientkey_pak struct serverchallenge_pak { - uint8_t secret[MAXSPLITSCREENPLAYERS][32]; + uint8_t secret[32]; } ATTRPACK; struct challengeall_pak @@ -482,8 +482,9 @@ extern UINT16 software_MAXPACKETLENGTH; extern boolean acceptnewnode; extern SINT8 servernode; extern char connectedservername[MAXSERVERNAME]; +extern UINT32 ourIP; extern uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; -extern uint8_t lastSentChallenge[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; +extern uint8_t lastSentChallenge[MAXNETNODES][32]; extern uint8_t lastChallengeAll[64]; extern uint8_t lastReceivedSignature[MAXPLAYERS][64]; extern uint8_t knownWhenChallenged[MAXPLAYERS][32]; diff --git a/src/d_net.c b/src/d_net.c index ae2dc395f..b613c056f 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -83,6 +83,7 @@ boolean (*I_NetOpenSocket)(void) = NULL; boolean (*I_Ban) (INT32 node) = NULL; void (*I_ClearBans)(void) = NULL; const char *(*I_GetNodeAddress) (INT32 node) = NULL; +UINT32 *(*I_GetNodeAddressInt) (INT32 node) = NULL; const char *(*I_GetBanAddress) (size_t ban) = NULL; const char *(*I_GetBanMask) (size_t ban) = NULL; const char *(*I_GetBanUsername) (size_t ban) = NULL; diff --git a/src/d_netfil.c b/src/d_netfil.c index 20403b87a..9d2f3d4ce 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -1323,8 +1323,13 @@ void PT_ClientKey(INT32 node) CONS_Printf("Got keys from node %d, %s / %s / %s / %s\n", node, GetPrettyRRID(lastReceivedKey[node][0], true), GetPrettyRRID(lastReceivedKey[node][1], true), GetPrettyRRID(lastReceivedKey[node][2], true), GetPrettyRRID(lastReceivedKey[node][3], true)); netbuffer->packettype = PT_SERVERCHALLENGE; + time_t now = time(NULL); + // Include our IP and current time in the message to be signed, to guard against signature reuse. csprng(lastSentChallenge[node], sizeof(serverchallenge_pak)); + memcpy(lastSentChallenge[node], &ourIP, sizeof(ourIP)); + memcpy(lastSentChallenge[node] + sizeof(ourIP), &now, sizeof(time_t)); + memcpy(&netbuffer->u.serverchallenge, lastSentChallenge[node], sizeof(serverchallenge_pak)); HSendPacket(node, false, 0, sizeof (serverchallenge_pak)); } diff --git a/src/i_net.h b/src/i_net.h index bcd07eb17..6760916f3 100644 --- a/src/i_net.h +++ b/src/i_net.h @@ -166,6 +166,7 @@ extern void (*I_NetRegisterHolePunch)(void); extern boolean (*I_Ban) (INT32 node); extern void (*I_ClearBans)(void); extern const char *(*I_GetNodeAddress) (INT32 node); +extern UINT32 *(*I_GetNodeAddressInt) (INT32 node); extern const char *(*I_GetBanAddress) (size_t ban); extern const char *(*I_GetBanMask) (size_t ban); extern const char *(*I_GetBanUsername) (size_t ban); diff --git a/src/i_tcp.c b/src/i_tcp.c index 784a555cd..eb4521928 100644 --- a/src/i_tcp.c +++ b/src/i_tcp.c @@ -387,6 +387,20 @@ static const char *SOCK_GetNodeAddress(INT32 node) return SOCK_AddrToStr(&clientaddress[node]); } +static UINT32 SOCK_GetNodeAddressInt(INT32 node) +{ + if (nodeconnected[node] && clientaddress[node].any.sa_family == AF_INET) + { + return clientaddress[node].ip4.sin_addr.s_addr; + } + else + { + I_Error("SOCK_GetNodeAddressInt: Node %d is not IPv4!\n", node); + } + + return 0; +} + static const char *SOCK_GetBanAddress(size_t ban) { if (ban >= numbans) @@ -1598,6 +1612,7 @@ boolean I_InitTcpNetwork(void) I_Ban = SOCK_Ban; I_ClearBans = SOCK_ClearBans; I_GetNodeAddress = SOCK_GetNodeAddress; + I_GetNodeAddressInt = SOCK_GetNodeAddressInt; I_GetBanAddress = SOCK_GetBanAddress; I_GetBanMask = SOCK_GetBanMask; I_GetBanUsername = SOCK_GetBanUsername; From 30ca69e51dc281c130c87bb4e28cc51e637b5e83 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Thu, 23 Mar 2023 00:52:23 -0700 Subject: [PATCH 39/70] Don't sign game traffic, we shouldn't need it anymore --- src/d_clisrv.c | 4 +++- src/d_clisrv.h | 2 ++ src/d_net.c | 49 +++++++++++++++++++++++++++---------------------- 3 files changed, 32 insertions(+), 23 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 7d52b19d0..2f6b52142 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4855,6 +4855,8 @@ static void HandlePacketFromPlayer(SINT8 node) I_Error("bad table nodetoplayer: node %d player %d", doomcom->remotenode, netconsole); #endif + +#ifdef SIGNGAMETRAFFIC if (server) { @@ -4891,7 +4893,7 @@ static void HandlePacketFromPlayer(SINT8 node) } } } - +#endif switch (netbuffer->packettype) { diff --git a/src/d_clisrv.h b/src/d_clisrv.h index ad73842d0..68e889eab 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -388,7 +388,9 @@ struct doomdata_t UINT8 ackreturn; // The return of the ack number UINT8 packettype; +#ifdef SIGNGAMETRAFFIC uint8_t signature[MAXSPLITSCREENPLAYERS][64]; +#endif UINT8 reserved; // Padding union { diff --git a/src/d_net.c b/src/d_net.c index b613c056f..d7838d4a3 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -1001,30 +1001,33 @@ static boolean ShouldDropPacket(void) } #endif -boolean IsPacketSigned(int packettype) -{ - switch (packettype) +// Unused because Eidolon correctly pointed out that +512b on every packet was scary. +#ifdef SIGNGAMETRAFFIC + boolean IsPacketSigned(int packettype) { - case PT_CLIENTCMD: - case PT_CLIENT2CMD: - case PT_CLIENT3CMD: - case PT_CLIENT4CMD: - case PT_CLIENTMIS: - case PT_CLIENT2MIS: - case PT_CLIENT3MIS: - case PT_CLIENT4MIS: - case PT_TEXTCMD: - case PT_TEXTCMD2: - case PT_TEXTCMD3: - case PT_TEXTCMD4: - case PT_LOGIN: - case PT_ASKLUAFILE: - case PT_SENDINGLUAFILE: - return true; - default: - return false; + switch (packettype) + { + case PT_CLIENTCMD: + case PT_CLIENT2CMD: + case PT_CLIENT3CMD: + case PT_CLIENT4CMD: + case PT_CLIENTMIS: + case PT_CLIENT2MIS: + case PT_CLIENT3MIS: + case PT_CLIENT4MIS: + case PT_TEXTCMD: + case PT_TEXTCMD2: + case PT_TEXTCMD3: + case PT_TEXTCMD4: + case PT_LOGIN: + case PT_ASKLUAFILE: + case PT_SENDINGLUAFILE: + return true; + default: + return false; + } } -} +#endif // // HSendPacket @@ -1033,6 +1036,7 @@ boolean HSendPacket(INT32 node, boolean reliable, UINT8 acknum, size_t packetlen { doomcom->datalength = (INT16)(packetlength + BASEPACKETSIZE); +#ifdef SIGNGAMETRAFFIC if (IsPacketSigned(netbuffer->packettype)) { int i; @@ -1061,6 +1065,7 @@ boolean HSendPacket(INT32 node, boolean reliable, UINT8 acknum, size_t packetlen //CONS_Printf("NOT signing PT_%d of length %d, it doesn't need to be\n", netbuffer->packettype, packetlength); memset(netbuffer->signature, 0, sizeof(netbuffer->signature)); } +#endif if (node == 0) // Packet is to go back to us { From 630555ca51f3b3c26f235d50e8455bedebaa5d7e Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Thu, 23 Mar 2023 01:08:36 -0700 Subject: [PATCH 40/70] More bad actor cvars --- src/d_clisrv.c | 13 ++++++++++++- src/d_clisrv.h | 3 +++ src/d_netcmd.c | 15 +++++++++------ src/d_netfil.c | 18 ++++++++++++++++++ 4 files changed, 42 insertions(+), 7 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 2f6b52142..ee39653c4 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -183,6 +183,9 @@ consvar_t cv_allowguests = CVAR_INIT ("allowguests", "On", CV_SAVE, CV_OnOff, NU consvar_t cv_nochallenge = CVAR_INIT ("nochallenge", "0", 0, CV_Unsigned, NULL); consvar_t cv_badresults = CVAR_INIT ("badresults", "0", 0, CV_Unsigned, NULL); consvar_t cv_noresults = CVAR_INIT ("noresults", "0", 0, CV_Unsigned, NULL); + consvar_t cv_badjointime = CVAR_INIT ("badjointime", "0", 0, CV_Unsigned, NULL); + consvar_t cv_badip = CVAR_INIT ("badip", "0", 0, CV_Unsigned, NULL); + consvar_t cv_badchallengetime = CVAR_INIT ("badchallengetime", "0", 0, CV_Unsigned, NULL); #endif // engine @@ -6330,7 +6333,15 @@ static void UpdateChallenges(void) // Random noise so it's difficult to reuse the response // Current time so that difficult to reuse the challenge - const time_t now = time(NULL); + time_t now = time(NULL); + #ifdef DEVELOP + if (cv_badchallengetime.value) + { + CV_AddValue(&cv_badchallengetime, -1); + CONS_Alert(CONS_WARNING, "cv_badchallengetime enabled, scrubbing time from PT_CHALLENGEALL\n"); + now = 0; + } + #endif CONS_Printf("now: %ld, gamemap: %hd\n", now, gamemap); csprng(netbuffer->u.challengeall.secret, sizeof(netbuffer->u.challengeall.secret)); memcpy(netbuffer->u.challengeall.secret, &now, sizeof(now)); // First few bytes are the timestamp... diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 68e889eab..3913f0182 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -530,6 +530,9 @@ extern consvar_t cv_allowguests; extern consvar_t cv_nochallenge; extern consvar_t cv_badresults; extern consvar_t cv_noresults; + extern consvar_t cv_badjointime; + extern consvar_t cv_badip; + extern consvar_t cv_badchallengetime; #endif // Used in d_net, the only dependence diff --git a/src/d_netcmd.c b/src/d_netcmd.c index c3fd3cf72..b30f3ffe3 100644 --- a/src/d_netcmd.c +++ b/src/d_netcmd.c @@ -949,13 +949,16 @@ void D_RegisterClientCommands(void) CV_RegisterVar(&cv_allowguests); #ifdef DEVELOP - CV_RegisterVar(&cv_badjoin); // implemented - CV_RegisterVar(&cv_badtraffic); // implemented - CV_RegisterVar(&cv_badresponse); // implemented + CV_RegisterVar(&cv_badjoin); + CV_RegisterVar(&cv_badtraffic); + CV_RegisterVar(&cv_badresponse); CV_RegisterVar(&cv_noresponse); - CV_RegisterVar(&cv_nochallenge); // implemented - CV_RegisterVar(&cv_badresults); // implemented - CV_RegisterVar(&cv_noresults); // implemented + CV_RegisterVar(&cv_nochallenge); + CV_RegisterVar(&cv_badresults); + CV_RegisterVar(&cv_noresults); + CV_RegisterVar(&cv_badjointime); + CV_RegisterVar(&cv_badip); + CV_RegisterVar(&cv_badchallengetime); #endif // HUD diff --git a/src/d_netfil.c b/src/d_netfil.c index 9d2f3d4ce..67759d677 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -1325,11 +1325,29 @@ void PT_ClientKey(INT32 node) netbuffer->packettype = PT_SERVERCHALLENGE; time_t now = time(NULL); + #ifdef DEVELOP + if (cv_badjointime.value) + { + CV_AddValue(&cv_badjointime, -1); + CONS_Alert(CONS_WARNING, "cv_badjointime enabled, scrubbing time from PT_SERVERCHALLENGE\n"); + now = 0; + } + #endif + // Include our IP and current time in the message to be signed, to guard against signature reuse. csprng(lastSentChallenge[node], sizeof(serverchallenge_pak)); memcpy(lastSentChallenge[node], &ourIP, sizeof(ourIP)); memcpy(lastSentChallenge[node] + sizeof(ourIP), &now, sizeof(time_t)); + #ifdef DEVELOP + if (cv_badip.value) + { + CV_AddValue(&cv_badip, -1); + CONS_Alert(CONS_WARNING, "cv_badip enabled, scrubbing IP from PT_SERVERCHALLENGE\n"); + memset(lastSentChallenge[node], 0, sizeof(ourIP)); + } + #endif + memcpy(&netbuffer->u.serverchallenge, lastSentChallenge[node], sizeof(serverchallenge_pak)); HSendPacket(node, false, 0, sizeof (serverchallenge_pak)); } From 96a71bb60d00e0b1e8326778a25bed2d3504e204 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Thu, 23 Mar 2023 02:05:34 -0700 Subject: [PATCH 41/70] Don't try to do netgame shit in singleplayer and crash --- src/d_clisrv.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index ee39653c4..e6e3a5dc6 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -885,16 +885,16 @@ static boolean CL_SendJoin(void) // Don't leak old signatures from prior sessions. memset(&netbuffer->u.clientcfg.challengeResponse, 0, sizeof(((clientconfig_pak *)0)->challengeResponse)); - UINT32 claimedIP; - UINT32 realIP = *I_GetNodeAddressInt(servernode); - time_t receivedTime; - time_t now = time(NULL); - - memcpy(&claimedIP, awaitingChallenge, sizeof(claimedIP)); - memcpy(&receivedTime, awaitingChallenge + sizeof(claimedIP), sizeof(receivedTime)); - if (client && netgame) { + UINT32 claimedIP; + UINT32 realIP = *I_GetNodeAddressInt(servernode); + time_t receivedTime; + time_t now = time(NULL); + + memcpy(&claimedIP, awaitingChallenge, sizeof(claimedIP)); + memcpy(&receivedTime, awaitingChallenge + sizeof(claimedIP), sizeof(receivedTime)); + if (realIP != claimedIP && IsExternalAddress(&realIP)) { I_Error("External server IP didn't match the message it sent.\nSomething is very wrong here."); @@ -4107,7 +4107,8 @@ boolean SV_SpawnServer(void) } ourIP = 0; - STUN_bind(GotOurIP); + if (netgame && server) + STUN_bind(GotOurIP); // strictly speaking, i'm not convinced the following is necessary // but I'm not confident enough to remove it entirely in case it breaks something @@ -6519,7 +6520,8 @@ void NetKeepAlive(void) UpdatePingTable(); - UpdateChallenges(); + if (netgame) + UpdateChallenges(); GetPackets(); From f0e6e5c962a841e70c77f5844e2b2b4a84f48a3d Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Thu, 23 Mar 2023 04:28:17 -0700 Subject: [PATCH 42/70] Instead of using gamemap, make client-client challenges more resistant by including IP --- src/d_clisrv.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index e6e3a5dc6..7faeef953 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -5328,7 +5328,7 @@ static void HandlePacketFromPlayer(SINT8 node) int challengeplayers; time_t now, then; - INT16 sentmap; // if gamemap ever needs to change type, god forbid, change this too + UINT32 claimedIP; memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); @@ -5343,11 +5343,14 @@ static void HandlePacketFromPlayer(SINT8 node) break; } - memcpy(&sentmap, lastChallengeAll + sizeof(then), sizeof(sentmap)); - CONS_Printf("Got map %hd, current map %hd\n", sentmap, gamemap); - if (sentmap != gamemap) + memcpy(&claimedIP, lastChallengeAll + sizeof(then), sizeof(claimedIP)); + UINT32 realIP = *I_GetNodeAddressInt(servernode); + + CONS_Printf("Got IP %u, known IP %u\n", claimedIP, gamemap); + + if (realIP != claimedIP && IsExternalAddress(&realIP)) { - HandleSigfail("Bad challenge - wrong gamemap"); + HandleSigfail("Bad challenge - server claimed wrong IP"); break; } @@ -6332,8 +6335,6 @@ static void UpdateChallenges(void) memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); - // Random noise so it's difficult to reuse the response - // Current time so that difficult to reuse the challenge time_t now = time(NULL); #ifdef DEVELOP if (cv_badchallengetime.value) @@ -6343,10 +6344,10 @@ static void UpdateChallenges(void) now = 0; } #endif - CONS_Printf("now: %ld, gamemap: %hd\n", now, gamemap); - csprng(netbuffer->u.challengeall.secret, sizeof(netbuffer->u.challengeall.secret)); - memcpy(netbuffer->u.challengeall.secret, &now, sizeof(now)); // First few bytes are the timestamp... - memcpy(netbuffer->u.challengeall.secret + sizeof(now), &gamemap, sizeof(gamemap)); // And the next two are the current map. (TODO: This works but I don't think it's doing what I think it's doing, pointers suck.) + CONS_Printf("now: %ld, ip: %u\n", now, ourIP); + csprng(netbuffer->u.challengeall.secret, sizeof(netbuffer->u.challengeall.secret)); // Random noise so the client can't guess... + memcpy(netbuffer->u.challengeall.secret, &now, sizeof(now)); // ...timestamp... + memcpy(netbuffer->u.challengeall.secret + sizeof(now), &ourIP, sizeof(ourIP)); // ...and server IP so the server can't reuse it. memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); From 5a52199dc888c1079dfa1044c563f018e15225e6 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Thu, 23 Mar 2023 22:02:50 -0700 Subject: [PATCH 43/70] Refactor challenge creation, no more duplicated memory shenanigans --- src/d_clisrv.c | 244 +++++++++++++++++++++++++------------------------ src/d_clisrv.h | 13 ++- src/d_netcmd.c | 3 +- src/d_netfil.c | 24 +---- 4 files changed, 140 insertions(+), 144 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 7faeef953..082674c1f 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -183,9 +183,8 @@ consvar_t cv_allowguests = CVAR_INIT ("allowguests", "On", CV_SAVE, CV_OnOff, NU consvar_t cv_nochallenge = CVAR_INIT ("nochallenge", "0", 0, CV_Unsigned, NULL); consvar_t cv_badresults = CVAR_INIT ("badresults", "0", 0, CV_Unsigned, NULL); consvar_t cv_noresults = CVAR_INIT ("noresults", "0", 0, CV_Unsigned, NULL); - consvar_t cv_badjointime = CVAR_INIT ("badjointime", "0", 0, CV_Unsigned, NULL); + consvar_t cv_badtime = CVAR_INIT ("badtime", "0", 0, CV_Unsigned, NULL); consvar_t cv_badip = CVAR_INIT ("badip", "0", 0, CV_Unsigned, NULL); - consvar_t cv_badchallengetime = CVAR_INIT ("badchallengetime", "0", 0, CV_Unsigned, NULL); #endif // engine @@ -220,6 +219,74 @@ consvar_t cv_httpsource = CVAR_INIT ("http_source", "", CV_SAVE, NULL, NULL); consvar_t cv_kicktime = CVAR_INIT ("kicktime", "10", CV_SAVE, CV_Unsigned, NULL); +// https://github.com/jameds/holepunch/blob/master/holepunch.c#L75 +static int IsExternalAddress (const void *p) +{ + const int a = ((const unsigned char*)p)[0]; + const int b = ((const unsigned char*)p)[1]; + + if (*(const int*)p == ~0)/* 255.255.255.255 */ + return 0; + + switch (a) + { + case 0: + case 10: + case 127: + return 0; + case 172: + return (b & ~15) != 16;/* 16 - 31 */ + case 192: + return b != 168; + default: + return 1; + } +} + + +void GenerateChallenge(uint8_t *buf) +{ + time_t now = time(NULL); + csprng(buf, sizeof(&buf)); // Random noise so the client can't guess... + memcpy(buf, &now, sizeof(now)); // ...timestamp so we can't reuse it... + memcpy(buf + sizeof(now), &ourIP, sizeof(ourIP)); // ...and server IP so others can't reuse it. + + #ifdef DEVELOP + if (cv_badtime.value) + { + CV_AddValue(&cv_badtime, -1); + CONS_Alert(CONS_WARNING, "cv_badtime enabled, trashing time in auth message\n"); + memset(buf, 0, sizeof(now)); + } + + if (cv_badip.value) + { + CV_AddValue(&cv_badip, -1); + CONS_Alert(CONS_WARNING, "cv_badip enabled, trashing IP in auth message\n"); + memset(buf + sizeof(now), 0, sizeof(ourIP)); + } + #endif +} + +shouldsign_t ShouldSignChallenge(uint8_t *message) +{ + time_t then, now; + UINT32 claimedIP, realIP; + + now = time(NULL); + memcpy(&then, message, sizeof(then)); + memcpy(&claimedIP, message + sizeof(then), sizeof(claimedIP)); + realIP = *I_GetNodeAddressInt(servernode); + + if (abs(now - then) > 60*5) + return SIGN_BADTIME; + + if (realIP != claimedIP && IsExternalAddress(&realIP)) + return SIGN_BADIP; + + return SIGN_OK; +} + static inline void *G_DcpyTiccmd(void* dest, const ticcmd_t* src, const size_t n) { const size_t d = n / sizeof(ticcmd_t); @@ -815,31 +882,6 @@ static boolean CL_AskFileList(INT32 firstfile) return HSendPacket(servernode, false, 0, sizeof (INT32)); } -// https://github.com/jameds/holepunch/blob/master/holepunch.c#L75 -static int IsExternalAddress (const void *p) -{ - const int a = ((const unsigned char*)p)[0]; - const int b = ((const unsigned char*)p)[1]; - - if (*(const int*)p == ~0)/* 255.255.255.255 */ - return 0; - - switch (a) - { - case 0: - case 10: - case 127: - return 0; - case 172: - return (b & ~15) != 16;/* 16 - 31 */ - case 192: - return b != 168; - default: - return 1; - } -} - - /** Sends a special packet to declare how many players in local * Used only in arbitratrenetstart() * Sends a PT_CLIENTJOIN packet to the server @@ -887,22 +929,23 @@ static boolean CL_SendJoin(void) if (client && netgame) { - UINT32 claimedIP; - UINT32 realIP = *I_GetNodeAddressInt(servernode); - time_t receivedTime; - time_t now = time(NULL); + shouldsign_t safe = ShouldSignChallenge(awaitingChallenge); - memcpy(&claimedIP, awaitingChallenge, sizeof(claimedIP)); - memcpy(&receivedTime, awaitingChallenge + sizeof(claimedIP), sizeof(receivedTime)); - - if (realIP != claimedIP && IsExternalAddress(&realIP)) + if (safe != SIGN_OK) { - I_Error("External server IP didn't match the message it sent.\nSomething is very wrong here."); - } - - if (abs(now - receivedTime) > 60*5) - { - I_Error("External server sent a message with an unusual timestamp.\nReceived: %ld\nNow: %ld\nCheck your clocks!", receivedTime, now); + if (safe == SIGN_BADIP) + { + I_Error("External server IP didn't match the message it sent."); + } + else if (safe == SIGN_BADTIME) + { + I_Error("External server sent a message with an unusual timestamp.\nCheck your clocks!"); + } + else + { + I_Error("External server asked for a signature on something strange.\nPlease notify a developer if you've seen this more than once."); + } + return; } } @@ -4342,6 +4385,7 @@ static void HandleConnect(SINT8 node) else { CONS_Printf("Adding remote. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); + if (IsSplitPlayerOnNodeGuest(node, i)) // We're a GUEST and the server throws out our keys anyway. { sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O @@ -4356,7 +4400,6 @@ static void HandleConnect(SINT8 node) sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node], 32); } - if (netgame && sigcheck != 0) { SV_SendRefuse(node, M_GetText("Signature verification failed.")); @@ -5320,37 +5363,29 @@ static void HandlePacketFromPlayer(SINT8 node) CL_PrepareDownloadLuaFile(); break; case PT_CHALLENGEALL: ; // -Wpedantic - if (demo.playback) + if (demo.playback || node != servernode) // SERVER should still respond to this to prove its own identity, just not from clients. break; - if (node != servernode) - break; - int challengeplayers; - time_t now, then; - UINT32 claimedIP; memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); - now = time(NULL); - memcpy(&then, lastChallengeAll, sizeof(then)); + shouldsign_t safe = ShouldSignChallenge(lastChallengeAll); - CONS_Printf("Time offset: %d\n", abs(now - then)); - - if (abs(now - then) > 300) + if (safe != SIGN_OK) { - HandleSigfail("Bad challenge - time difference, check clocks"); - break; - } - - memcpy(&claimedIP, lastChallengeAll + sizeof(then), sizeof(claimedIP)); - UINT32 realIP = *I_GetNodeAddressInt(servernode); - - CONS_Printf("Got IP %u, known IP %u\n", claimedIP, gamemap); - - if (realIP != claimedIP && IsExternalAddress(&realIP)) - { - HandleSigfail("Bad challenge - server claimed wrong IP"); + if (safe == SIGN_BADIP) + { + HandleSigfail("External server sent the wrong IP"); + } + else if (safe == SIGN_BADTIME) + { + HandleSigfail("Bad timestamp - check your clocks"); + } + else + { + HandleSigfail("Unknown auth error - contact a developer"); + } break; } @@ -5398,41 +5433,38 @@ static void HandlePacketFromPlayer(SINT8 node) HSendPacket(servernode, true, 0, sizeof(netbuffer->u.responseall)); break; case PT_RESPONSEALL: - if (demo.playback) + if (demo.playback || client) break; - if (server) + int responseplayer; + //CONS_Printf("Got PT_RESPONSEALL from node %d, player %d\n", node, nodetoplayer[node]); + for (responseplayer = 0; responseplayer < MAXSPLITSCREENPLAYERS; responseplayer++) { - int responseplayer; - //CONS_Printf("Got PT_RESPONSEALL from node %d, player %d\n", node, nodetoplayer[node]); - for (responseplayer = 0; responseplayer < MAXSPLITSCREENPLAYERS; responseplayer++) - { - int targetplayer = NodeToSplitPlayer(node, responseplayer); - if (targetplayer == -1) - continue; + int targetplayer = NodeToSplitPlayer(node, responseplayer); + if (targetplayer == -1) + continue; - if (IsSplitPlayerOnNodeGuest(node, responseplayer)) + if (IsSplitPlayerOnNodeGuest(node, responseplayer)) + { + CONS_Printf("GUEST on node %d player %d split %d, leaving blank\n", node, targetplayer, responseplayer); + } + else + { + CONS_Printf("receiving %s pk %s\n", GetPrettyRRID(lastChallengeAll, true), GetPrettyRRID(players[targetplayer].public_key, true)); + if (crypto_eddsa_check(netbuffer->u.responseall.signature[responseplayer], + players[targetplayer].public_key, lastChallengeAll, sizeof(lastChallengeAll))) { - CONS_Printf("GUEST on node %d player %d split %d, leaving blank\n", node, targetplayer, responseplayer); + CONS_Alert(CONS_WARNING, "Invalid PT_RESPONSEALL from node %d player %d split %d\n", node, targetplayer, responseplayer); + if (playernode[targetplayer] != 0) // NO IDEA. + { + SendKick(targetplayer, KICK_MSG_SIGFAIL); + } + break; } - else + else { - CONS_Printf("receiving %s pk %s\n", GetPrettyRRID(lastChallengeAll, true), GetPrettyRRID(players[targetplayer].public_key, true)); - if (crypto_eddsa_check(netbuffer->u.responseall.signature[responseplayer], - players[targetplayer].public_key, lastChallengeAll, sizeof(lastChallengeAll))) - { - CONS_Alert(CONS_WARNING, "Invalid PT_RESPONSEALL from node %d player %d split %d\n", node, targetplayer, responseplayer); - if (playernode[targetplayer] != 0) // NO IDEA. - { - SendKick(targetplayer, KICK_MSG_SIGFAIL); - } - break; - } - else - { - memcpy(lastReceivedSignature[targetplayer], netbuffer->u.responseall.signature[responseplayer], sizeof(lastReceivedSignature[targetplayer])); - CONS_Printf("Writing signature %s for node %d player %d split %d\n", GetPrettyRRID(lastReceivedSignature[targetplayer], true), node, targetplayer, responseplayer); - } + memcpy(lastReceivedSignature[targetplayer], netbuffer->u.responseall.signature[responseplayer], sizeof(lastReceivedSignature[targetplayer])); + CONS_Printf("Writing signature %s for node %d player %d split %d\n", GetPrettyRRID(lastReceivedSignature[targetplayer], true), node, targetplayer, responseplayer); } } } @@ -5444,16 +5476,7 @@ static void HandlePacketFromPlayer(SINT8 node) CONS_Printf("Got PT_RESULTSALL\n"); - if (demo.playback) - break; - - if (server) - break; - - if (node != servernode) - break; - - if (!expectChallenge) + if (demo.playback || server || node != servernode || !expectChallenge) break; CONS_Printf("Checking PT_RESULTSALL\n"); @@ -6335,20 +6358,7 @@ static void UpdateChallenges(void) memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); - time_t now = time(NULL); - #ifdef DEVELOP - if (cv_badchallengetime.value) - { - CV_AddValue(&cv_badchallengetime, -1); - CONS_Alert(CONS_WARNING, "cv_badchallengetime enabled, scrubbing time from PT_CHALLENGEALL\n"); - now = 0; - } - #endif - CONS_Printf("now: %ld, ip: %u\n", now, ourIP); - csprng(netbuffer->u.challengeall.secret, sizeof(netbuffer->u.challengeall.secret)); // Random noise so the client can't guess... - memcpy(netbuffer->u.challengeall.secret, &now, sizeof(now)); // ...timestamp... - memcpy(netbuffer->u.challengeall.secret + sizeof(now), &ourIP, sizeof(ourIP)); // ...and server IP so the server can't reuse it. - + GenerateChallenge(netbuffer->u.challengeall.secret); memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); memset(lastReceivedSignature, 0, sizeof(lastReceivedSignature)); diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 3913f0182..0f32f0e64 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -130,6 +130,13 @@ typedef enum NUMPACKETTYPE } packettype_t; +typedef enum +{ + SIGN_OK, + SIGN_BADTIME, + SIGN_BADIP +} shouldsign_t; + #ifdef PACKETDROP void Command_Drop(void); void Command_Droprate(void); @@ -530,15 +537,17 @@ extern consvar_t cv_allowguests; extern consvar_t cv_nochallenge; extern consvar_t cv_badresults; extern consvar_t cv_noresults; - extern consvar_t cv_badjointime; + extern consvar_t cv_badtime; extern consvar_t cv_badip; - extern consvar_t cv_badchallengetime; #endif // Used in d_net, the only dependence tic_t ExpandTics(INT32 low, tic_t basetic); void D_ClientServerInit(void); +void GenerateChallenge(uint8_t *buf); +shouldsign_t ShouldSignChallenge(uint8_t *message); + // Initialise the other field void RegisterNetXCmd(netxcmd_t id, void (*cmd_f)(UINT8 **p, INT32 playernum)); void SendNetXCmdForPlayer(UINT8 playerid, netxcmd_t id, const void *param, size_t nparam); diff --git a/src/d_netcmd.c b/src/d_netcmd.c index b30f3ffe3..12716287a 100644 --- a/src/d_netcmd.c +++ b/src/d_netcmd.c @@ -956,9 +956,8 @@ void D_RegisterClientCommands(void) CV_RegisterVar(&cv_nochallenge); CV_RegisterVar(&cv_badresults); CV_RegisterVar(&cv_noresults); - CV_RegisterVar(&cv_badjointime); + CV_RegisterVar(&cv_badtime); CV_RegisterVar(&cv_badip); - CV_RegisterVar(&cv_badchallengetime); #endif // HUD diff --git a/src/d_netfil.c b/src/d_netfil.c index 67759d677..ba051f2be 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -1323,30 +1323,8 @@ void PT_ClientKey(INT32 node) CONS_Printf("Got keys from node %d, %s / %s / %s / %s\n", node, GetPrettyRRID(lastReceivedKey[node][0], true), GetPrettyRRID(lastReceivedKey[node][1], true), GetPrettyRRID(lastReceivedKey[node][2], true), GetPrettyRRID(lastReceivedKey[node][3], true)); netbuffer->packettype = PT_SERVERCHALLENGE; - time_t now = time(NULL); - #ifdef DEVELOP - if (cv_badjointime.value) - { - CV_AddValue(&cv_badjointime, -1); - CONS_Alert(CONS_WARNING, "cv_badjointime enabled, scrubbing time from PT_SERVERCHALLENGE\n"); - now = 0; - } - #endif - - // Include our IP and current time in the message to be signed, to guard against signature reuse. - csprng(lastSentChallenge[node], sizeof(serverchallenge_pak)); - memcpy(lastSentChallenge[node], &ourIP, sizeof(ourIP)); - memcpy(lastSentChallenge[node] + sizeof(ourIP), &now, sizeof(time_t)); - - #ifdef DEVELOP - if (cv_badip.value) - { - CV_AddValue(&cv_badip, -1); - CONS_Alert(CONS_WARNING, "cv_badip enabled, scrubbing IP from PT_SERVERCHALLENGE\n"); - memset(lastSentChallenge[node], 0, sizeof(ourIP)); - } - #endif + GenerateChallenge(lastSentChallenge[node]); memcpy(&netbuffer->u.serverchallenge, lastSentChallenge[node], sizeof(serverchallenge_pak)); HSendPacket(node, false, 0, sizeof (serverchallenge_pak)); From ecc2c65742d347f1da2cc3ecbf1f951e8e50aa79 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Thu, 23 Mar 2023 23:05:22 -0700 Subject: [PATCH 44/70] Cleanup and comments --- src/d_clisrv.c | 362 ++++++++++++++++++++++++++----------------------- src/d_clisrv.h | 18 +-- src/d_netfil.c | 2 + src/p_tick.c | 9 -- 4 files changed, 203 insertions(+), 188 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 082674c1f..c6c9eb58a 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -167,7 +167,7 @@ uint8_t lastReceivedSignature[MAXPLAYERS][64]; // Everyone's response to lastCha uint8_t knownWhenChallenged[MAXPLAYERS][32]; // Everyone a client saw at the moment a challenge should be initiated boolean expectChallenge = false; // Were we in-game before a client-to-client challenge should have been sent? -uint8_t priorGamestateKeySave[MAXPLAYERS][32]; // Make a note of keys before consuming a new gamestate, and if the server tries to send us a gamestate where keys differ, assume shenanigans +uint8_t priorKeys[MAXPLAYERS][32]; // Make a note of keys before consuming a new gamestate, and if the server tries to send us a gamestate where keys differ, assume shenanigans boolean serverisfull = false; //lets us be aware if the server was full after we check files, but before downloading, so we can ask if the user still wants to download or not tic_t firstconnectattempttime = 0; @@ -244,12 +244,13 @@ static int IsExternalAddress (const void *p) } +// Generate a message for an authenticating client to sign, with some guarantees about who we are. void GenerateChallenge(uint8_t *buf) { time_t now = time(NULL); - csprng(buf, sizeof(&buf)); // Random noise so the client can't guess... - memcpy(buf, &now, sizeof(now)); // ...timestamp so we can't reuse it... - memcpy(buf + sizeof(now), &ourIP, sizeof(ourIP)); // ...and server IP so others can't reuse it. + csprng(buf, sizeof(&buf)); // Random noise as a baseline, but... + memcpy(buf, &now, sizeof(now)); // Timestamp limits the reuse window. + memcpy(buf + sizeof(now), &ourIP, sizeof(ourIP)); // IP prevents captured signatures from being used elsewhere. #ifdef DEVELOP if (cv_badtime.value) @@ -268,6 +269,8 @@ void GenerateChallenge(uint8_t *buf) #endif } +// Modified servers can throw softballs or reuse challenges. +// Don't sign anything that wasn't generated just for us! shouldsign_t ShouldSignChallenge(uint8_t *message) { time_t then, now; @@ -945,7 +948,7 @@ static boolean CL_SendJoin(void) { I_Error("External server asked for a signature on something strange.\nPlease notify a developer if you've seen this more than once."); } - return; + return false; } } @@ -1486,7 +1489,7 @@ static void CL_LoadReceivedSavegame(boolean reloading) int i; for (i = 0; i < MAXPLAYERS; i++) { - if (memcmp(priorGamestateKeySave[i], players[i].public_key, sizeof(priorGamestateKeySave[i])) != 0) + if (memcmp(priorKeys[i], players[i].public_key, sizeof(priorKeys[i])) != 0) { HandleSigfail("Gamestate reload contained new keys"); break; @@ -4378,22 +4381,23 @@ static void HandleConnect(SINT8 node) return; } - if (node == 0) + if (node == 0) // Hey, that's us. We're always allowed to do what we want. { memcpy(lastReceivedKey[node][i], PR_GetLocalPlayerProfile(i)->public_key, sizeof(lastReceivedKey[node][i])); } - else + else // Remote player, gotta check their signature. { CONS_Printf("Adding remote. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); if (IsSplitPlayerOnNodeGuest(node, i)) // We're a GUEST and the server throws out our keys anyway. { - sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O if (!cv_allowguests.value) { SV_SendRefuse(node, M_GetText("The server doesn't allow GUESTs.\nCreate a profile to join!")); return; } + + sigcheck = 0; // Always succeeds. Yes, this is a success response. C R Y P T O } else { @@ -4488,6 +4492,12 @@ static void HandleTimeout(SINT8 node) // Called when a signature check fails and we suspect the server is playing games. void HandleSigfail(const char *string) { + if (server) // This situation is basically guaranteed to be nonsense. + { + CONS_Alert(CONS_ERROR, "Auth error! %s\n", string); + return; // Keep the game running, you're probably testing. + } + LUA_HookBool(false, HOOK(GameQuit)); D_QuitNetGame(); CL_Reset(); @@ -4528,10 +4538,12 @@ static void PT_WillResendGamestate(void) if (server || cl_redownloadinggamestate) return; + // Don't let the server pull a fast one with everyone's identity! + // Save the public keys we see, so if the server tries to swap one, we'll know. int i; for (i = 0; i < MAXPLAYERS; i++) { - memcpy(priorGamestateKeySave[i], players[i].public_key, sizeof(priorGamestateKeySave[i])); + memcpy(priorKeys[i], players[i].public_key, sizeof(priorKeys[i])); } // Send back a PT_CANRECEIVEGAMESTATE packet to the server @@ -4807,6 +4819,8 @@ static void HandlePacketFromAwayNode(SINT8 node) { PT_ClientKey(node); + // Client's not in the server yet, but we still need to lock up the node. + // Otherwise, someone else could request a challenge on the same node and trash it. nodeneedsauth[node] = true; freezetimeout[node] = I_GetTime() + jointimeout; @@ -5371,27 +5385,20 @@ static void HandlePacketFromPlayer(SINT8 node) memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); shouldsign_t safe = ShouldSignChallenge(lastChallengeAll); - if (safe != SIGN_OK) { if (safe == SIGN_BADIP) - { HandleSigfail("External server sent the wrong IP"); - } else if (safe == SIGN_BADTIME) - { HandleSigfail("Bad timestamp - check your clocks"); - } else - { HandleSigfail("Unknown auth error - contact a developer"); - } break; } netbuffer->packettype = PT_RESPONSEALL; - #ifdef DEVELOP + #ifdef DEVELOP if (cv_noresponse.value) { CV_AddValue(&cv_noresponse, -1); @@ -5400,22 +5407,21 @@ static void HandlePacketFromPlayer(SINT8 node) } #endif + // Don't leak uninitialized memory. memset(&netbuffer->u.responseall, 0, sizeof(netbuffer->u.responseall)); for (challengeplayers = 0; challengeplayers <= splitscreen; challengeplayers++) { uint8_t signature[64]; profile_t *localProfile = PR_GetLocalPlayerProfile(challengeplayers); - if (PR_IsLocalPlayerGuest(challengeplayers)) // GUESTS don't have keys - { - memset(signature, 0, 64); - } - else + if (!PR_IsLocalPlayerGuest(challengeplayers)) // GUESTS don't have keys { CONS_Printf("signing %s pk %s\n", GetPrettyRRID(lastChallengeAll, true), GetPrettyRRID(localProfile->public_key, true)); crypto_eddsa_sign(signature, localProfile->secret_key, lastChallengeAll, sizeof(lastChallengeAll)); + + // If our keys are garbage (corrupted profile?), fail here instead of when the server boots us, so the player knows what's going on. if (crypto_eddsa_check(signature, localProfile->public_key, lastChallengeAll, sizeof(lastChallengeAll)) != 0) - I_Error("Couldn't self-verify key associated with player %d, profile %d.\nProfile data may be corrupted.", challengeplayers, cv_lastprofile[challengeplayers].value); // I guess this is the most reasonable way to catch a malformed key. + I_Error("Couldn't self-verify key associated with player %d, profile %d.\nProfile data may be corrupted.", challengeplayers, cv_lastprofile[challengeplayers].value); } #ifdef DEVELOP @@ -5437,28 +5443,20 @@ static void HandlePacketFromPlayer(SINT8 node) break; int responseplayer; - //CONS_Printf("Got PT_RESPONSEALL from node %d, player %d\n", node, nodetoplayer[node]); for (responseplayer = 0; responseplayer < MAXSPLITSCREENPLAYERS; responseplayer++) { int targetplayer = NodeToSplitPlayer(node, responseplayer); if (targetplayer == -1) continue; - if (IsSplitPlayerOnNodeGuest(node, responseplayer)) - { - CONS_Printf("GUEST on node %d player %d split %d, leaving blank\n", node, targetplayer, responseplayer); - } - else + if (!IsPlayerGuest(targetplayer)) { CONS_Printf("receiving %s pk %s\n", GetPrettyRRID(lastChallengeAll, true), GetPrettyRRID(players[targetplayer].public_key, true)); - if (crypto_eddsa_check(netbuffer->u.responseall.signature[responseplayer], - players[targetplayer].public_key, lastChallengeAll, sizeof(lastChallengeAll))) + if (crypto_eddsa_check(netbuffer->u.responseall.signature[responseplayer], players[targetplayer].public_key, lastChallengeAll, sizeof(lastChallengeAll))) { CONS_Alert(CONS_WARNING, "Invalid PT_RESPONSEALL from node %d player %d split %d\n", node, targetplayer, responseplayer); if (playernode[targetplayer] != 0) // NO IDEA. - { SendKick(targetplayer, KICK_MSG_SIGFAIL); - } break; } else @@ -5500,6 +5498,8 @@ static void HandlePacketFromPlayer(SINT8 node) } else if (memcmp(knownWhenChallenged[resultsplayer], players[resultsplayer].public_key, sizeof(knownWhenChallenged[resultsplayer])) != 0) { + // A player left after the challenge process started, and someone else took their place. + // That means haven't received a challenge either. CONS_Printf("Has key %s but I remember key %s - node %d player %d split %d, not enforcing\n", GetPrettyRRID(knownWhenChallenged[resultsplayer], true), GetPrettyRRID(players[resultsplayer].public_key, true), playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); @@ -5511,7 +5511,7 @@ static void HandlePacketFromPlayer(SINT8 node) knownWhenChallenged[resultsplayer], lastChallengeAll, sizeof(lastChallengeAll))) { CONS_Alert(CONS_WARNING, "PT_RESULTSALL had invalid signature %s for node %d player %d split %d, something doesn't add up!\n", - GetPrettyRRID(netbuffer->u.resultsall.signature[resultsplayer], true), playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); + GetPrettyRRID(netbuffer->u.resultsall.signature[resultsplayer], true), playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); HandleSigfail("Server sent invalid client signature."); break; } @@ -6338,151 +6338,174 @@ static void UpdatePingTable(void) } } -static void UpdateChallenges(void) +// It's that time again! Send everyone a safe message to sign, so we can show off their signature and prove we're playing fair. +static void SendChallenges(void) { int i; - if (server) + netbuffer->packettype = PT_CHALLENGEALL; + + #ifdef DEVELOP + if (cv_nochallenge.value) + { + CV_AddValue(&cv_nochallenge, -1); + CONS_Alert(CONS_WARNING, "cv_nochallenge enabled, not sending PT_CHALLENGEALL\n"); + return; + } + #endif + + memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); + + GenerateChallenge(netbuffer->u.challengeall.secret); + memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); + + memset(lastReceivedSignature, 0, sizeof(lastReceivedSignature)); + + for (i = 0; i < MAXNETNODES; i++) { - if (Playing() && (leveltime == CHALLENGEALL_START)) + if (nodeingame[i]) { - netbuffer->packettype = PT_CHALLENGEALL; - - #ifdef DEVELOP - if (cv_nochallenge.value) - { - CV_AddValue(&cv_nochallenge, -1); - CONS_Alert(CONS_WARNING, "cv_nochallenge enabled, not sending PT_CHALLENGEALL\n"); - return; - } - #endif - - memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); - - GenerateChallenge(netbuffer->u.challengeall.secret); - memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); - - memset(lastReceivedSignature, 0, sizeof(lastReceivedSignature)); - - for (i = 0; i < MAXNETNODES; i++) - { - if (nodeingame[i]) - { - CONS_Printf("challenge to node %d, player %d\n", i, nodetoplayer[i]); - HSendPacket(i, true, 0, sizeof(challengeall_pak)); - memcpy(knownWhenChallenged[nodetoplayer[i]], players[nodetoplayer[i]].public_key, sizeof(knownWhenChallenged[nodetoplayer[i]])); - } - } - } - - if (Playing() && (leveltime == CHALLENGEALL_KICKUNRESPONSIVE)) - { - uint8_t allZero[64]; - memset(allZero, 0, sizeof(allZero)); - - for (i = 0; i < MAXPLAYERS; i++) - { - if (!playeringame[i]) - continue; - if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! - { - if (!IsPlayerGuest(i) && memcmp(knownWhenChallenged[i], players[i].public_key, sizeof(knownWhenChallenged[i]) == 0)) - { - if (playernode[i] != servernode) - { - CONS_Printf("We never got a response from player %d, goodbye\n", i); - SendKick(i, KICK_MSG_SIGFAIL); - } - } - } - } - } - - if (Playing() && (leveltime == CHALLENGEALL_SENDRESULTS)) - { - netbuffer->packettype = PT_RESULTSALL; - - #ifdef DEVELOP - if (cv_noresults.value) - { - CV_AddValue(&cv_noresults, -1); - CONS_Alert(CONS_WARNING, "cv_noresults enabled, not sending PT_RESULTSALL\n"); - return; - } - #endif - - uint8_t allZero[64]; - memset(allZero, 0, sizeof(allZero)); - memset(&netbuffer->u.resultsall, 0, sizeof(netbuffer->u.resultsall)); - - for (i = 0; i < MAXPLAYERS; i++) - { - if (!playeringame[i]) - continue; - if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! - { - if (!IsPlayerGuest(i)) - CONS_Alert(CONS_WARNING, "Unreceived signature for player %d, who is still in-game\n", i); - } - else - { - CONS_Printf("Player %d passed with key %s sig %s, adding...\n", i, GetPrettyRRID(players[i].public_key, true), GetPrettyRRID(lastReceivedSignature[i], true)); - memcpy(netbuffer->u.resultsall.signature[i], lastReceivedSignature[i], sizeof(netbuffer->u.resultsall.signature[i])); - #ifdef DEVELOP - if (cv_badresults.value) - { - CV_AddValue(&cv_badresults, -1); - CONS_Alert(CONS_WARNING, "cv_badresults enabled, scrubbing signature from PT_RESULTSALL\n"); - memset(netbuffer->u.resultsall.signature[i], 0, sizeof(netbuffer->u.resultsall.signature[i])); - } - #endif - } - } - - for (i = 0; i < MAXPLAYERS; i++) - { - CONS_Printf("SIG %d: %s\n", i, GetPrettyRRID(netbuffer->u.resultsall.signature[i], true)); - } - - for (i = 0; i < MAXNETNODES; i++) - { - if (nodeingame[i]) - { - CONS_Printf("results to node %d, player %d\n", i, nodetoplayer[i]); - HSendPacket(i, true, 0, sizeof(resultsall_pak)); - } - } + CONS_Printf("challenge to node %d, player %d\n", i, nodetoplayer[i]); + HSendPacket(i, true, 0, sizeof(challengeall_pak)); + memcpy(knownWhenChallenged[nodetoplayer[i]], players[nodetoplayer[i]].public_key, sizeof(knownWhenChallenged[nodetoplayer[i]])); } } - else +} + +// Before we start sending out the results, we need to kick everyone who didn't respond. +// (If we try to do both at once, clients will still see players who failled in-game when the results arrive...) +static void KickUnverifiedPlayers(void) +{ + int i; + uint8_t allZero[64]; + memset(allZero, 0, sizeof(allZero)); + + for (i = 0; i < MAXPLAYERS; i++) { - if (Playing() && (leveltime == CHALLENGEALL_START)) + if (!playeringame[i]) + continue; + if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! { - // Who should we try to verify when results come in? - // Store a public key for every active slot, so if players shuffle during challenge leniency, - // we don't incorrectly try to verify someone who didn't even get a challenge, throw a tantrum, and bail. - - memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); - - for (i = 0; i < MAXPLAYERS; i++) + if (!IsPlayerGuest(i) && memcmp(knownWhenChallenged[i], players[i].public_key, sizeof(knownWhenChallenged[i]) == 0)) { - if (!playeringame[i]) + if (playernode[i] != servernode) { - //CONS_Printf("Player %i isn't present for checkall\n", i); - continue; - } - else if (IsPlayerGuest(i)) - { - //CONS_Printf("Player %i is present for checkall, but is a guest\n", i); - continue; - } - else - { - CONS_Printf("Player %d (node %d split %d) is present for checkall, make a note of their key %s...\n", i, playernode[i], players[i].splitscreenindex, - GetPrettyRRID(players[i].public_key, true)); - memcpy(knownWhenChallenged[i], players[i].public_key, sizeof(knownWhenChallenged[i])); - } + CONS_Printf("We never got a response from player %d, goodbye\n", i); + SendKick(i, KICK_MSG_SIGFAIL); + } } } + } +} + +// +static void SendChallengeResults(void) +{ + int i; + netbuffer->packettype = PT_RESULTSALL; + + #ifdef DEVELOP + if (cv_noresults.value) + { + CV_AddValue(&cv_noresults, -1); + CONS_Alert(CONS_WARNING, "cv_noresults enabled, not sending PT_RESULTSALL\n"); + return; + } + #endif + + uint8_t allZero[64]; + memset(allZero, 0, sizeof(allZero)); + + memset(&netbuffer->u.resultsall, 0, sizeof(netbuffer->u.resultsall)); + + for (i = 0; i < MAXPLAYERS; i++) + { + if (!playeringame[i]) + continue; + + // Don't try to transmit signatures for players who didn't get here in time to send one. + // (Everyone who had their chance should have been kicked by KickUnverifiedPlayers by now.) + if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) + continue; + + CONS_Printf("Player %d passed with key %s sig %s, adding...\n", i, GetPrettyRRID(players[i].public_key, true), GetPrettyRRID(lastReceivedSignature[i], true)); + memcpy(netbuffer->u.resultsall.signature[i], lastReceivedSignature[i], sizeof(netbuffer->u.resultsall.signature[i])); + #ifdef DEVELOP + if (cv_badresults.value) + { + CV_AddValue(&cv_badresults, -1); + CONS_Alert(CONS_WARNING, "cv_badresults enabled, scrubbing signature from PT_RESULTSALL\n"); + memset(netbuffer->u.resultsall.signature[i], 0, sizeof(netbuffer->u.resultsall.signature[i])); + } + #endif + } + + for (i = 0; i < MAXNETNODES; i++) + { + if (nodeingame[i]) + { + CONS_Printf("results to node %d, player %d\n", i, nodetoplayer[i]); + HSendPacket(i, true, 0, sizeof(resultsall_pak)); + } + } +} + +// Who should we try to verify when results come in? +// Store a public key for every active slot, so if players shuffle during challenge leniency, +// we don't incorrectly try to verify someone who didn't even get a challenge, throw a tantrum, and bail. +static void CheckPresentPlayers(void) +{ + int i; + memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); + + for (i = 0; i < MAXPLAYERS; i++) + { + if (!playeringame[i]) + { + //CONS_Printf("Player %i isn't present for checkall\n", i); + continue; + } + else if (IsPlayerGuest(i)) + { + //CONS_Printf("Player %i is present for checkall, but is a guest\n", i); + continue; + } + else + { + CONS_Printf("Player %d (node %d split %d) is present for checkall, make a note of their key %s...\n", i, playernode[i], players[i].splitscreenindex, + GetPrettyRRID(players[i].public_key, true)); + memcpy(knownWhenChallenged[i], players[i].public_key, sizeof(knownWhenChallenged[i])); + } + } +} + +// Handle "client-to-client" auth challenge flow. +static void UpdateChallenges(void) +{ + if (!(Playing() && netgame)) + return; + + if (server) + { + if (leveltime == CHALLENGEALL_START) + SendChallenges(); + + if (leveltime == CHALLENGEALL_KICKUNRESPONSIVE) + KickUnverifiedPlayers(); + + if (leveltime == CHALLENGEALL_SENDRESULTS) + SendChallengeResults(); + + } + else // client + { + if (leveltime <= CHALLENGEALL_START) + expectChallenge = true; + + if (leveltime == CHALLENGEALL_START) + CheckPresentPlayers(); + + if (leveltime > CHALLENGEALL_CLIENTCUTOFF && expectChallenge) + HandleSigfail("Didn't receive client signatures."); } } @@ -6531,8 +6554,7 @@ void NetKeepAlive(void) UpdatePingTable(); - if (netgame) - UpdateChallenges(); + UpdateChallenges(); GetPackets(); diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 0f32f0e64..01ea0e431 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -422,11 +422,11 @@ struct doomdata_t INT32 filesneedednum; // 4 bytes filesneededconfig_pak filesneededcfg; // ??? bytes UINT32 pingtable[MAXPLAYERS+1]; // 68 bytes - clientkey_pak clientkey; // TODO: Tyron, does anyone take any of these sizes even remotely seriously - serverchallenge_pak serverchallenge; // Are you even going to update this shit, are you even going to remove this comment - challengeall_pak challengeall; - responseall_pak responseall; - resultsall_pak resultsall; + clientkey_pak clientkey; // 32 bytes + serverchallenge_pak serverchallenge; // 64 bytes + challengeall_pak challengeall; // 256 bytes + responseall_pak responseall; // 256 bytes + resultsall_pak resultsall; // 1024 bytes. Also, you really shouldn't trust anything here. } u; // This is needed to pack diff packet types data together } ATTRPACK; @@ -501,10 +501,10 @@ extern boolean expectChallenge; // We give clients a chance to verify each other once per race. // When is that challenge sent, and when should clients bail if they don't receive the responses? -#define CHALLENGEALL_START (TICRATE*10) -#define CHALLENGEALL_KICKUNRESPONSIVE (TICRATE*12) -#define CHALLENGEALL_SENDRESULTS (TICRATE*14) -#define CHALLENGEALL_CLIENTCUTOFF (TICRATE*16) +#define CHALLENGEALL_START (TICRATE*5) +#define CHALLENGEALL_KICKUNRESPONSIVE (TICRATE*10) +#define CHALLENGEALL_SENDRESULTS (TICRATE*15) +#define CHALLENGEALL_CLIENTCUTOFF (TICRATE*20) void Command_Ping_f(void); extern tic_t connectiontimeout; diff --git a/src/d_netfil.c b/src/d_netfil.c index ba051f2be..edcdb1030 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -1314,6 +1314,8 @@ void PT_FileReceived(void) SV_EndFileSend(doomcom->remotenode); } +// Someone knocked on the door with their public key. +// Give them a challenge to sign in their PT_CLIENTJOIN. void PT_ClientKey(INT32 node) { clientkey_pak *packet = (void*)&netbuffer->u.clientkey; diff --git a/src/p_tick.c b/src/p_tick.c index 3ce65d79a..1b88faa2f 100644 --- a/src/p_tick.c +++ b/src/p_tick.c @@ -971,15 +971,6 @@ void P_Ticker(boolean run) G_CopyTiccmd(&players[i].oldcmd, &players[i].cmd, 1); } - if (leveltime <= CHALLENGEALL_START && client) - expectChallenge = true; - - if (leveltime > CHALLENGEALL_CLIENTCUTOFF && expectChallenge && client) - { - HandleSigfail("Didn't receive client signatures."); - return; - } - // Z_CheckMemCleanup(); } From b990669212f59170380eed2c830d0e8bf5854b41 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Thu, 23 Mar 2023 23:26:53 -0700 Subject: [PATCH 45/70] Tyop --- src/d_clisrv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index c6c9eb58a..3a79d7a13 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -963,6 +963,7 @@ static boolean CL_SendJoin(void) } else { + // If our keys are garbage (corrupted profile?), fail here instead of when the server boots us, so the player knows what's going on. crypto_eddsa_sign(signature, localProfile->secret_key, awaitingChallenge, 32); if (crypto_eddsa_check(signature, localProfile->public_key, awaitingChallenge, 32) != 0) I_Error("Couldn't self-verify key associated with player %d, profile %d.\nProfile data may be corrupted.", i, cv_lastprofile[i].value); // I guess this is the most reasonable way to catch a malformed key. @@ -5499,7 +5500,7 @@ static void HandlePacketFromPlayer(SINT8 node) else if (memcmp(knownWhenChallenged[resultsplayer], players[resultsplayer].public_key, sizeof(knownWhenChallenged[resultsplayer])) != 0) { // A player left after the challenge process started, and someone else took their place. - // That means haven't received a challenge either. + // That means they haven't received a challenge either. CONS_Printf("Has key %s but I remember key %s - node %d player %d split %d, not enforcing\n", GetPrettyRRID(knownWhenChallenged[resultsplayer], true), GetPrettyRRID(players[resultsplayer].public_key, true), playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); From 05f8b2196c17f5f0f043ac23d30846eeafa88e36 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Fri, 24 Mar 2023 15:41:44 -0700 Subject: [PATCH 46/70] Push pretty RRID to Lua instead of unsanitized madness --- src/lua_playerlib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/lua_playerlib.c b/src/lua_playerlib.c index db740ec12..6e93fd974 100644 --- a/src/lua_playerlib.c +++ b/src/lua_playerlib.c @@ -22,6 +22,7 @@ #include "lua_libs.h" #include "lua_hud.h" // hud_running errors #include "lua_hook.h" // hook_cmd_running errors +#include "k_profiles.h" // GetPrettyRRID static int lib_iteratePlayers(lua_State *L) { @@ -508,7 +509,7 @@ static int player_get(lua_State *L) else if (fastcmp(field,"ping")) lua_pushinteger(L, playerpingtable[( plr - players )]); else if (fastcmp(field, "public_key")) - lua_pushstring(L, plr->public_key); + lua_pushstring(L, GetPrettyRRID(plr->public_key, false)); else { lua_getfield(L, LUA_REGISTRYINDEX, LREG_EXTVARS); I_Assert(lua_istable(L, -1)); From c46612329ee7c5bfbd642be73266815bfeeab474 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Fri, 24 Mar 2023 15:59:10 -0700 Subject: [PATCH 47/70] Don't UpdateChallenges during NetKeepAlive, could lead to challenge spam --- src/d_clisrv.c | 2 -- src/d_clisrv.h | 12 ++++++------ 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 3a79d7a13..66684907f 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -6555,8 +6555,6 @@ void NetKeepAlive(void) UpdatePingTable(); - UpdateChallenges(); - GetPackets(); #ifdef MASTERSERVER diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 01ea0e431..446a582d6 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -133,8 +133,8 @@ typedef enum typedef enum { SIGN_OK, - SIGN_BADTIME, - SIGN_BADIP + SIGN_BADTIME, // Timestamp differs by too much, suspect reuse of an old challenge. + SIGN_BADIP // Asked to sign the wrong IP by an external host, suspect reuse of another server's challenge. } shouldsign_t; #ifdef PACKETDROP @@ -501,10 +501,10 @@ extern boolean expectChallenge; // We give clients a chance to verify each other once per race. // When is that challenge sent, and when should clients bail if they don't receive the responses? -#define CHALLENGEALL_START (TICRATE*5) -#define CHALLENGEALL_KICKUNRESPONSIVE (TICRATE*10) -#define CHALLENGEALL_SENDRESULTS (TICRATE*15) -#define CHALLENGEALL_CLIENTCUTOFF (TICRATE*20) +#define CHALLENGEALL_START (TICRATE*5) // Server sends challenges here. +#define CHALLENGEALL_KICKUNRESPONSIVE (TICRATE*10) // Server kicks players that haven't submitted signatures here. +#define CHALLENGEALL_SENDRESULTS (TICRATE*15) // Server waits for kicks to process until here. (Failing players shouldn't be in-game when results are received, or clients get spooked.) +#define CHALLENGEALL_CLIENTCUTOFF (TICRATE*20) // If challenge process hasn't completed by now, clients who were in-game for CHALLENGEALL_START should leave. void Command_Ping_f(void); extern tic_t connectiontimeout; From 694c094fac0a324aace8986b2c2008d40196c87c Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Fri, 24 Mar 2023 20:00:44 -0700 Subject: [PATCH 48/70] C is a morally incorrect programming language --- src/d_clisrv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 66684907f..4883cf1da 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -279,7 +279,8 @@ shouldsign_t ShouldSignChallenge(uint8_t *message) now = time(NULL); memcpy(&then, message, sizeof(then)); memcpy(&claimedIP, message + sizeof(then), sizeof(claimedIP)); - realIP = *I_GetNodeAddressInt(servernode); + CONS_Printf("servernode: %d\n", servernode); + realIP = I_GetNodeAddressInt(servernode); if (abs(now - then) > 60*5) return SIGN_BADTIME; From cdf7a7a2ce4555c5db65a20bfa45df8230267151 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Fri, 24 Mar 2023 20:26:33 -0700 Subject: [PATCH 49/70] Fix old key comparison in KickUnverifiedPlayers --- src/d_clisrv.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 4883cf1da..896ce4f23 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -6381,13 +6381,17 @@ static void KickUnverifiedPlayers(void) uint8_t allZero[64]; memset(allZero, 0, sizeof(allZero)); + CONS_Printf("KickUnverifiedPlayers start\n"); + for (i = 0; i < MAXPLAYERS; i++) { if (!playeringame[i]) continue; if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! { - if (!IsPlayerGuest(i) && memcmp(knownWhenChallenged[i], players[i].public_key, sizeof(knownWhenChallenged[i]) == 0)) + CONS_Printf("No sig from %d\n", i); + CONS_Printf("pk then %s, pk now %s\n", GetPrettyRRID(knownWhenChallenged[i], true), GetPrettyRRID(players[i].public_key, true)); + if (!IsPlayerGuest(i) && memcmp(&knownWhenChallenged[i], &players[i].public_key, sizeof(knownWhenChallenged[i])) == 0) { if (playernode[i] != servernode) { From 5a17bcc2512359a4588ddfce790835c9c45d8c05 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Fri, 24 Mar 2023 21:00:34 -0700 Subject: [PATCH 50/70] Fix all remote players being considered GUESTs --- src/d_clisrv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 896ce4f23..232c20bc4 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4390,8 +4390,11 @@ static void HandleConnect(SINT8 node) else // Remote player, gotta check their signature. { CONS_Printf("Adding remote. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); + + char allZero[32]; + memset(allZero, 0, sizeof(allZero)); - if (IsSplitPlayerOnNodeGuest(node, i)) // We're a GUEST and the server throws out our keys anyway. + if (memcmp(lastReceivedKey[node][i], allZero, sizeof(allZero)) == 0) // IsSplitPlayerOnNodeGuest isn't appropriate here, they're not in-game yet! { if (!cv_allowguests.value) { From 78b30802bb9f24a58d173abf895d36fc20c73cb0 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Fri, 24 Mar 2023 21:03:39 -0700 Subject: [PATCH 51/70] Let's try fixing potential UB on GetNodeAddressInt --- src/d_net.c | 2 +- src/i_net.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/d_net.c b/src/d_net.c index d7838d4a3..effc48eb3 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -83,7 +83,7 @@ boolean (*I_NetOpenSocket)(void) = NULL; boolean (*I_Ban) (INT32 node) = NULL; void (*I_ClearBans)(void) = NULL; const char *(*I_GetNodeAddress) (INT32 node) = NULL; -UINT32 *(*I_GetNodeAddressInt) (INT32 node) = NULL; +UINT32 (*I_GetNodeAddressInt) (INT32 node) = NULL; const char *(*I_GetBanAddress) (size_t ban) = NULL; const char *(*I_GetBanMask) (size_t ban) = NULL; const char *(*I_GetBanUsername) (size_t ban) = NULL; diff --git a/src/i_net.h b/src/i_net.h index 6760916f3..9433b89fb 100644 --- a/src/i_net.h +++ b/src/i_net.h @@ -166,7 +166,7 @@ extern void (*I_NetRegisterHolePunch)(void); extern boolean (*I_Ban) (INT32 node); extern void (*I_ClearBans)(void); extern const char *(*I_GetNodeAddress) (INT32 node); -extern UINT32 *(*I_GetNodeAddressInt) (INT32 node); +extern UINT32 (*I_GetNodeAddressInt) (INT32 node); extern const char *(*I_GetBanAddress) (size_t ban); extern const char *(*I_GetBanMask) (size_t ban); extern const char *(*I_GetBanUsername) (size_t ban); From 056355d8ed15659371af76ff2c4c55d249078ea9 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Fri, 24 Mar 2023 21:40:35 -0700 Subject: [PATCH 52/70] C is portable, they lied lyingly like a liar --- src/d_clisrv.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 232c20bc4..a3542269e 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -247,7 +247,7 @@ static int IsExternalAddress (const void *p) // Generate a message for an authenticating client to sign, with some guarantees about who we are. void GenerateChallenge(uint8_t *buf) { - time_t now = time(NULL); + UINT64 now = time(NULL); csprng(buf, sizeof(&buf)); // Random noise as a baseline, but... memcpy(buf, &now, sizeof(now)); // Timestamp limits the reuse window. memcpy(buf + sizeof(now), &ourIP, sizeof(ourIP)); // IP prevents captured signatures from being used elsewhere. @@ -273,16 +273,15 @@ void GenerateChallenge(uint8_t *buf) // Don't sign anything that wasn't generated just for us! shouldsign_t ShouldSignChallenge(uint8_t *message) { - time_t then, now; + UINT64 then, now; UINT32 claimedIP, realIP; now = time(NULL); memcpy(&then, message, sizeof(then)); memcpy(&claimedIP, message + sizeof(then), sizeof(claimedIP)); - CONS_Printf("servernode: %d\n", servernode); realIP = I_GetNodeAddressInt(servernode); - if (abs(now - then) > 60*5) + if ((max(now, then) - min(now, then)) > 60*5) return SIGN_BADTIME; if (realIP != claimedIP && IsExternalAddress(&realIP)) From 5a475c78881e6421749925fc4daed7311c115b8b Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Fri, 24 Mar 2023 22:04:56 -0700 Subject: [PATCH 53/70] Cleanup + fix off-by-one in gamestate --- src/d_clisrv.c | 48 +----------------------------------------------- src/k_profiles.h | 2 +- src/p_saveg.c | 4 ++-- 3 files changed, 4 insertions(+), 50 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index a3542269e..9cbb177d1 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -3616,7 +3616,6 @@ static void ResetNode(INT32 node) nodeingame[node] = false; nodewaiting[node] = 0; nodeneedsauth[node] = false; - //CONS_Printf("2: node %d -> %d\n", node, nodeneedsauth[node]); nettics[node] = gametic; supposedtics[node] = gametic; @@ -3785,7 +3784,6 @@ static inline void SV_AddNode(INT32 node) nodeingame[node] = true; nodeneedsauth[node] = false; - CONS_Printf("3: node %d -> %d\n", node, nodeneedsauth[node]); } // Xcmd XD_ADDPLAYER @@ -4281,7 +4279,6 @@ static void HandleConnect(SINT8 node) UINT8 maxplayers = min((dedicated ? MAXPLAYERS-1 : MAXPLAYERS), cv_maxconnections.value); UINT8 connectedplayers = 0; - CONS_Printf(">>>> node %d (%s)\n", node, I_GetNodeAddress(node)); for (i = dedicated ? 1 : 0; i < MAXPLAYERS; i++) if (playernode[i] != UINT8_MAX) // We use this to count players because it is affected by SV_AddWaitingPlayers when more than one client joins on the same tic, unlike playeringame and D_NumPlayers. UINT8_MAX denotes no node for that player @@ -4388,8 +4385,6 @@ static void HandleConnect(SINT8 node) } else // Remote player, gotta check their signature. { - CONS_Printf("Adding remote. Doing sigcheck for node %d, ID %s\n", node, GetPrettyRRID(lastReceivedKey[node][i], true)); - char allZero[32]; memset(allZero, 0, sizeof(allZero)); @@ -4827,13 +4822,6 @@ static void HandlePacketFromAwayNode(SINT8 node) // Otherwise, someone else could request a challenge on the same node and trash it. nodeneedsauth[node] = true; freezetimeout[node] = I_GetTime() + jointimeout; - - CONS_Printf("4: node %d -> %d\n", node, nodeneedsauth[node]); - if (nodeneedsauth[node] == false) - { - freezetimeout[node] = I_GetTime() + jointimeout; - nodeneedsauth[node] = true; - } } break; case PT_SERVERCHALLENGE: @@ -5250,7 +5238,6 @@ static void HandlePacketFromPlayer(SINT8 node) Net_CloseConnection(node); nodeingame[node] = false; nodeneedsauth[node] = false; - CONS_Printf("1: node %d -> %d\n", node, nodeneedsauth[node]); break; case PT_CANRECEIVEGAMESTATE: PT_CanReceiveGamestate(node); @@ -5420,7 +5407,6 @@ static void HandlePacketFromPlayer(SINT8 node) profile_t *localProfile = PR_GetLocalPlayerProfile(challengeplayers); if (!PR_IsLocalPlayerGuest(challengeplayers)) // GUESTS don't have keys { - CONS_Printf("signing %s pk %s\n", GetPrettyRRID(lastChallengeAll, true), GetPrettyRRID(localProfile->public_key, true)); crypto_eddsa_sign(signature, localProfile->secret_key, lastChallengeAll, sizeof(lastChallengeAll)); // If our keys are garbage (corrupted profile?), fail here instead of when the server boots us, so the player knows what's going on. @@ -5455,10 +5441,8 @@ static void HandlePacketFromPlayer(SINT8 node) if (!IsPlayerGuest(targetplayer)) { - CONS_Printf("receiving %s pk %s\n", GetPrettyRRID(lastChallengeAll, true), GetPrettyRRID(players[targetplayer].public_key, true)); if (crypto_eddsa_check(netbuffer->u.responseall.signature[responseplayer], players[targetplayer].public_key, lastChallengeAll, sizeof(lastChallengeAll))) { - CONS_Alert(CONS_WARNING, "Invalid PT_RESPONSEALL from node %d player %d split %d\n", node, targetplayer, responseplayer); if (playernode[targetplayer] != 0) // NO IDEA. SendKick(targetplayer, KICK_MSG_SIGFAIL); break; @@ -5466,7 +5450,6 @@ static void HandlePacketFromPlayer(SINT8 node) else { memcpy(lastReceivedSignature[targetplayer], netbuffer->u.responseall.signature[responseplayer], sizeof(lastReceivedSignature[targetplayer])); - CONS_Printf("Writing signature %s for node %d player %d split %d\n", GetPrettyRRID(lastReceivedSignature[targetplayer], true), node, targetplayer, responseplayer); } } } @@ -5476,37 +5459,28 @@ static void HandlePacketFromPlayer(SINT8 node) uint8_t allzero[64]; memset(allzero, 0, sizeof(allzero)); - CONS_Printf("Got PT_RESULTSALL\n"); - if (demo.playback || server || node != servernode || !expectChallenge) break; - CONS_Printf("Checking PT_RESULTSALL\n"); - for (resultsplayer = 0; resultsplayer < MAXPLAYERS; resultsplayer++) { if (!playeringame[resultsplayer]) { - CONS_Printf("Player %d isn't in the game, excluded from checkall\n", resultsplayer); continue; } else if (IsPlayerGuest(resultsplayer)) { - CONS_Printf("GUEST on node %d player %d split %d, not enforcing\n", playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); continue; } else if (memcmp(knownWhenChallenged[resultsplayer], allzero, sizeof(allzero)) == 0) { - CONS_Printf("That motherfucker wasn't here for the challenge - node %d player %d split %d, not enforcing\n", playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); + // Wasn't here for the challenge. continue; } else if (memcmp(knownWhenChallenged[resultsplayer], players[resultsplayer].public_key, sizeof(knownWhenChallenged[resultsplayer])) != 0) { // A player left after the challenge process started, and someone else took their place. // That means they haven't received a challenge either. - CONS_Printf("Has key %s but I remember key %s - node %d player %d split %d, not enforcing\n", - GetPrettyRRID(knownWhenChallenged[resultsplayer], true), GetPrettyRRID(players[resultsplayer].public_key, true), - playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); continue; } else @@ -5519,10 +5493,6 @@ static void HandlePacketFromPlayer(SINT8 node) HandleSigfail("Server sent invalid client signature."); break; } - else - { - CONS_Printf("Checkall client-pass for node %d player %d split %d\n", playernode[resultsplayer], resultsplayer, players[resultsplayer].splitscreenindex); - } } } csprng(lastChallengeAll, sizeof(lastChallengeAll)); @@ -6368,7 +6338,6 @@ static void SendChallenges(void) { if (nodeingame[i]) { - CONS_Printf("challenge to node %d, player %d\n", i, nodetoplayer[i]); HSendPacket(i, true, 0, sizeof(challengeall_pak)); memcpy(knownWhenChallenged[nodetoplayer[i]], players[nodetoplayer[i]].public_key, sizeof(knownWhenChallenged[nodetoplayer[i]])); } @@ -6383,23 +6352,16 @@ static void KickUnverifiedPlayers(void) uint8_t allZero[64]; memset(allZero, 0, sizeof(allZero)); - CONS_Printf("KickUnverifiedPlayers start\n"); - for (i = 0; i < MAXPLAYERS; i++) { if (!playeringame[i]) continue; if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! { - CONS_Printf("No sig from %d\n", i); - CONS_Printf("pk then %s, pk now %s\n", GetPrettyRRID(knownWhenChallenged[i], true), GetPrettyRRID(players[i].public_key, true)); if (!IsPlayerGuest(i) && memcmp(&knownWhenChallenged[i], &players[i].public_key, sizeof(knownWhenChallenged[i])) == 0) { if (playernode[i] != servernode) - { - CONS_Printf("We never got a response from player %d, goodbye\n", i); SendKick(i, KICK_MSG_SIGFAIL); - } } } } @@ -6435,7 +6397,6 @@ static void SendChallengeResults(void) if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) continue; - CONS_Printf("Player %d passed with key %s sig %s, adding...\n", i, GetPrettyRRID(players[i].public_key, true), GetPrettyRRID(lastReceivedSignature[i], true)); memcpy(netbuffer->u.resultsall.signature[i], lastReceivedSignature[i], sizeof(netbuffer->u.resultsall.signature[i])); #ifdef DEVELOP if (cv_badresults.value) @@ -6450,10 +6411,7 @@ static void SendChallengeResults(void) for (i = 0; i < MAXNETNODES; i++) { if (nodeingame[i]) - { - CONS_Printf("results to node %d, player %d\n", i, nodetoplayer[i]); HSendPacket(i, true, 0, sizeof(resultsall_pak)); - } } } @@ -6469,18 +6427,14 @@ static void CheckPresentPlayers(void) { if (!playeringame[i]) { - //CONS_Printf("Player %i isn't present for checkall\n", i); continue; } else if (IsPlayerGuest(i)) { - //CONS_Printf("Player %i is present for checkall, but is a guest\n", i); continue; } else { - CONS_Printf("Player %d (node %d split %d) is present for checkall, make a note of their key %s...\n", i, playernode[i], players[i].splitscreenindex, - GetPrettyRRID(players[i].public_key, true)); memcpy(knownWhenChallenged[i], players[i].public_key, sizeof(knownWhenChallenged[i])); } } diff --git a/src/k_profiles.h b/src/k_profiles.h index c648fc3a7..2bd715d87 100644 --- a/src/k_profiles.h +++ b/src/k_profiles.h @@ -60,7 +60,7 @@ struct profile_t char profilename[PROFILENAMELEN+1]; // Profile name (not to be confused with player name) uint8_t public_key[32]; // Netgame authentication - uint8_t secret_key[64]; // TODO: Is it a potential vuln to have keys in memory? + uint8_t secret_key[64]; // Player data char playername[MAXPLAYERNAME+1]; // Player name diff --git a/src/p_saveg.c b/src/p_saveg.c index 6daf025fc..3781925ca 100644 --- a/src/p_saveg.c +++ b/src/p_saveg.c @@ -407,7 +407,7 @@ static void P_NetArchivePlayers(savebuffer_t *save) WRITEUINT8(save->p, players[i].sliptideZipDelay); WRITEUINT16(save->p, players[i].sliptideZipBoost); - WRITESTRINGN(save->p, players[i].public_key, 32 + 1); + WRITESTRINGN(save->p, players[i].public_key, 32); // respawnvars_t WRITEUINT8(save->p, players[i].respawn.state); @@ -789,7 +789,7 @@ static void P_NetUnArchivePlayers(savebuffer_t *save) players[i].sliptideZipDelay = READUINT8(save->p); players[i].sliptideZipBoost = READUINT16(save->p); - READSTRINGN(save->p, players[i].public_key, 32 + 1); + READSTRINGN(save->p, players[i].public_key, 32); // respawnvars_t players[i].respawn.state = READUINT8(save->p); From 551c9af0fc5ecfb1652b5246c96cfa295f93eec7 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Fri, 24 Mar 2023 22:27:25 -0700 Subject: [PATCH 54/70] Fix -Wunused in SIGNGAMETRAFFIC --- src/d_clisrv.c | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 9cbb177d1..a744a487e 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4236,23 +4236,25 @@ static size_t TotalTextCmdPerTic(tic_t tic) return total; } -static boolean IsSplitPlayerOnNodeGuest(int node, int split) -{ - char allZero[32]; - memset(allZero, 0, 32); +#ifdef SIGNGAMETRAFFIC + static boolean IsSplitPlayerOnNodeGuest(int node, int split) + { + char allZero[32]; + memset(allZero, 0, 32); - if (split == 0) - return (memcmp(players[nodetoplayer[node]].public_key, allZero, 32) == 0); - else if (split == 1) - return (memcmp(players[nodetoplayer2[node]].public_key, allZero, 32) == 0); - else if (split == 2) - return (memcmp(players[nodetoplayer3[node]].public_key, allZero, 32) == 0); - else if (split == 3) - return (memcmp(players[nodetoplayer4[node]].public_key, allZero, 32) == 0); - else - I_Error("IsSplitPlayerOnNodeGuest: Out of bounds"); - return false; // unreachable -} + if (split == 0) + return (memcmp(players[nodetoplayer[node]].public_key, allZero, 32) == 0); + else if (split == 1) + return (memcmp(players[nodetoplayer2[node]].public_key, allZero, 32) == 0); + else if (split == 2) + return (memcmp(players[nodetoplayer3[node]].public_key, allZero, 32) == 0); + else if (split == 3) + return (memcmp(players[nodetoplayer4[node]].public_key, allZero, 32) == 0); + else + I_Error("IsSplitPlayerOnNodeGuest: Out of bounds"); + return false; // unreachable + } +#endif static boolean IsPlayerGuest(int player) { From 6c98dd0de2991e49a71781686e36469c25e75afe Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Sat, 25 Mar 2023 03:54:45 -0700 Subject: [PATCH 55/70] Strip more debug print --- src/d_netfil.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/d_netfil.c b/src/d_netfil.c index edcdb1030..93d7e8eba 100644 --- a/src/d_netfil.c +++ b/src/d_netfil.c @@ -1322,8 +1322,6 @@ void PT_ClientKey(INT32 node) memcpy(lastReceivedKey[node], packet->key, sizeof(lastReceivedKey[node])); - CONS_Printf("Got keys from node %d, %s / %s / %s / %s\n", node, GetPrettyRRID(lastReceivedKey[node][0], true), GetPrettyRRID(lastReceivedKey[node][1], true), GetPrettyRRID(lastReceivedKey[node][2], true), GetPrettyRRID(lastReceivedKey[node][3], true)); - netbuffer->packettype = PT_SERVERCHALLENGE; GenerateChallenge(lastSentChallenge[node]); From b5cfc22a0a9c9d583c64895bdd15c8e4301ef060 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 15:52:32 -0700 Subject: [PATCH 56/70] Fix splitscreen handling in SendChallenges --- src/d_clisrv.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index a744a487e..fb6480436 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -6330,19 +6330,22 @@ static void SendChallenges(void) #endif memset(knownWhenChallenged, 0, sizeof(knownWhenChallenged)); + memset(lastReceivedSignature, 0, sizeof(lastReceivedSignature)); GenerateChallenge(netbuffer->u.challengeall.secret); memcpy(lastChallengeAll, netbuffer->u.challengeall.secret, sizeof(lastChallengeAll)); - memset(lastReceivedSignature, 0, sizeof(lastReceivedSignature)); + // Take note of everyone's current key, so that players who disconnect and are replaced aren't held to the old player's challenge. + for (i = 0; i < MAXPLAYERS; i++) + { + if (playeringame[i]) + memcpy(knownWhenChallenged[i], players[i].public_key, sizeof(knownWhenChallenged[i])); + } for (i = 0; i < MAXNETNODES; i++) { if (nodeingame[i]) - { HSendPacket(i, true, 0, sizeof(challengeall_pak)); - memcpy(knownWhenChallenged[nodetoplayer[i]], players[nodetoplayer[i]].public_key, sizeof(knownWhenChallenged[nodetoplayer[i]])); - } } } From 119f23bd7bded838dafd86901b8fa7a37259daa6 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 23:06:03 -0700 Subject: [PATCH 57/70] More consistent break convention in HandlePacketFromPlayer --- src/d_clisrv.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index fb6480436..5d7325b5b 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -5369,7 +5369,7 @@ static void HandlePacketFromPlayer(SINT8 node) if (client) CL_PrepareDownloadLuaFile(); break; - case PT_CHALLENGEALL: ; // -Wpedantic + case PT_CHALLENGEALL: if (demo.playback || node != servernode) // SERVER should still respond to this to prove its own identity, just not from clients. break; @@ -5456,14 +5456,14 @@ static void HandlePacketFromPlayer(SINT8 node) } } break; - case PT_RESULTSALL: ; // -Wpedantic + case PT_RESULTSALL: + if (demo.playback || server || node != servernode || !expectChallenge) + break; + int resultsplayer; uint8_t allzero[64]; memset(allzero, 0, sizeof(allzero)); - if (demo.playback || server || node != servernode || !expectChallenge) - break; - for (resultsplayer = 0; resultsplayer < MAXPLAYERS; resultsplayer++) { if (!playeringame[resultsplayer]) From 6510628586bd68d6d61aee5004ba236a7a2c76ad Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 23:12:27 -0700 Subject: [PATCH 58/70] Fail loudly on big-endian systems --- src/d_clisrv.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 5d7325b5b..d8e9a62c4 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -247,6 +247,10 @@ static int IsExternalAddress (const void *p) // Generate a message for an authenticating client to sign, with some guarantees about who we are. void GenerateChallenge(uint8_t *buf) { + #ifndef SRB2_LITTLE_ENDIAN + #error "FIXME: 64-bit timestamp field is not supported on Big Endian" + #endif + UINT64 now = time(NULL); csprng(buf, sizeof(&buf)); // Random noise as a baseline, but... memcpy(buf, &now, sizeof(now)); // Timestamp limits the reuse window. @@ -273,6 +277,10 @@ void GenerateChallenge(uint8_t *buf) // Don't sign anything that wasn't generated just for us! shouldsign_t ShouldSignChallenge(uint8_t *message) { + #ifndef SRB2_LITTLE_ENDIAN + #error "FIXME: 64-bit timestamp field is not supported on Big Endian" + #endif + UINT64 then, now; UINT32 claimedIP, realIP; From bf4781d26c0520d1948fcd0ca562f2cdd09a64ba Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 23:18:38 -0700 Subject: [PATCH 59/70] Use READ/WRITEMEM instead of STRINGN for data that can contain 0s, dummy! --- src/d_clisrv.c | 4 ++-- src/k_profiles.c | 8 ++++---- src/p_saveg.c | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index d8e9a62c4..a05b7b01b 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -280,7 +280,7 @@ shouldsign_t ShouldSignChallenge(uint8_t *message) #ifndef SRB2_LITTLE_ENDIAN #error "FIXME: 64-bit timestamp field is not supported on Big Endian" #endif - + UINT64 then, now; UINT32 claimedIP, realIP; @@ -3833,7 +3833,7 @@ static void Got_AddPlayer(UINT8 **p, INT32 playernum) newplayer->jointime = 0; READSTRINGN(*p, player_names[newplayernum], MAXPLAYERNAME); - READSTRINGN(*p, players[newplayernum].public_key, 32); + READMEM(*p, players[newplayernum].public_key, 32); console = READUINT8(*p); splitscreenplayer = READUINT8(*p); diff --git a/src/k_profiles.c b/src/k_profiles.c index 82aec0a8d..9e5fd208d 100644 --- a/src/k_profiles.c +++ b/src/k_profiles.c @@ -255,8 +255,8 @@ void PR_SaveProfiles(void) { // Names and keys, all the string data up front WRITESTRINGN(save.p, profilesList[i]->profilename, PROFILENAMELEN); - WRITESTRINGN(save.p, profilesList[i]->public_key, sizeof(((profile_t *)0)->public_key)); - WRITESTRINGN(save.p, profilesList[i]->secret_key, sizeof(((profile_t *)0)->secret_key)); + WRITEMEM(save.p, profilesList[i]->public_key, sizeof(((profile_t *)0)->public_key)); + WRITEMEM(save.p, profilesList[i]->secret_key, sizeof(((profile_t *)0)->secret_key)); WRITESTRINGN(save.p, profilesList[i]->playername, MAXPLAYERNAME); // Character and colour. @@ -348,8 +348,8 @@ void PR_LoadProfiles(void) // Names and keys, all the identity stuff up front READSTRINGN(save.p, profilesList[i]->profilename, PROFILENAMELEN); - READSTRINGN(save.p, profilesList[i]->public_key, sizeof(((profile_t *)0)->public_key)); - READSTRINGN(save.p, profilesList[i]->secret_key, sizeof(((profile_t *)0)->secret_key)); + READMEM(save.p, profilesList[i]->public_key, sizeof(((profile_t *)0)->public_key)); + READMEM(save.p, profilesList[i]->secret_key, sizeof(((profile_t *)0)->secret_key)); READSTRINGN(save.p, profilesList[i]->playername, MAXPLAYERNAME); // Character and colour. diff --git a/src/p_saveg.c b/src/p_saveg.c index 3781925ca..bdc6bfda4 100644 --- a/src/p_saveg.c +++ b/src/p_saveg.c @@ -407,7 +407,7 @@ static void P_NetArchivePlayers(savebuffer_t *save) WRITEUINT8(save->p, players[i].sliptideZipDelay); WRITEUINT16(save->p, players[i].sliptideZipBoost); - WRITESTRINGN(save->p, players[i].public_key, 32); + WRITEMEM(save->p, players[i].public_key, 32); // respawnvars_t WRITEUINT8(save->p, players[i].respawn.state); From bc9b4ef6a501980b325fd33b457eb617e9b756f9 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 23:22:10 -0700 Subject: [PATCH 60/70] Explain evil wizard kick redirect behavior better --- src/d_clisrv.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index a05b7b01b..015e2c0ca 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -280,7 +280,7 @@ shouldsign_t ShouldSignChallenge(uint8_t *message) #ifndef SRB2_LITTLE_ENDIAN #error "FIXME: 64-bit timestamp field is not supported on Big Endian" #endif - + UINT64 then, now; UINT32 claimedIP, realIP; @@ -4945,7 +4945,10 @@ static void HandlePacketFromPlayer(SINT8 node) netbuffer->packettype, node, splitnodes, GetPrettyRRID(players[targetplayer].public_key, true), doomcom->datalength - BASEPACKETSIZE, netconsole); - if (netconsole != -1) // NO IDEA. + // Something scary can happen when multiple kicks that resolve to the same node are processed in quick succession. + // Sometimes, a kick will still be left to process after the player's been disposed, and that causes the kick to resolve on the server instead! + // This sucks, so we check for a stale/misfiring kick beforehand. + if (netconsole != -1) SendKick(netconsole, KICK_MSG_SIGFAIL); // Net_CloseConnection(node); // nodeingame[node] = false; @@ -5453,7 +5456,10 @@ static void HandlePacketFromPlayer(SINT8 node) { if (crypto_eddsa_check(netbuffer->u.responseall.signature[responseplayer], players[targetplayer].public_key, lastChallengeAll, sizeof(lastChallengeAll))) { - if (playernode[targetplayer] != 0) // NO IDEA. + // Something scary can happen when multiple kicks that resolve to the same node are processed in quick succession. + // Sometimes, a kick will still be left to process after the player's been disposed, and that causes the kick to resolve on the server instead! + // This sucks, so we check for a stale/misfiring kick beforehand. + if (playernode[targetplayer] != 0) SendKick(targetplayer, KICK_MSG_SIGFAIL); break; } From 0df4251bc7150db4953e1392387f93df8ca33fd2 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 23:32:16 -0700 Subject: [PATCH 61/70] No, seriously, don't use STRINGN for pubkeys --- src/d_clisrv.c | 8 ++++---- src/p_saveg.c | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 015e2c0ca..787ff3d9e 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -4061,25 +4061,25 @@ const char *name3, uint8_t *key3, const char *name4, uint8_t *key4) { nodetoplayer[node] = newplayernum; WRITESTRINGN(buf_p, name, MAXPLAYERNAME); - WRITESTRINGN(buf_p, key, 32); + WRITEMEM(buf_p, key, 32); } else if (playerpernode[node] < 2) { nodetoplayer2[node] = newplayernum; WRITESTRINGN(buf_p, name2, MAXPLAYERNAME); - WRITESTRINGN(buf_p, key2, 32); + WRITEMEM(buf_p, key2, 32); } else if (playerpernode[node] < 3) { nodetoplayer3[node] = newplayernum; WRITESTRINGN(buf_p, name3, MAXPLAYERNAME); - WRITESTRINGN(buf_p, key3, 32); + WRITEMEM(buf_p, key3, 32); } else if (playerpernode[node] < 4) { nodetoplayer4[node] = newplayernum; WRITESTRINGN(buf_p, name4, MAXPLAYERNAME); - WRITESTRINGN(buf_p, key4, 32); + WRITEMEM(buf_p, key4, 32); } WRITEUINT8(buf_p, nodetoplayer[node]); // consoleplayer diff --git a/src/p_saveg.c b/src/p_saveg.c index bdc6bfda4..31bfa868d 100644 --- a/src/p_saveg.c +++ b/src/p_saveg.c @@ -789,7 +789,7 @@ static void P_NetUnArchivePlayers(savebuffer_t *save) players[i].sliptideZipDelay = READUINT8(save->p); players[i].sliptideZipBoost = READUINT16(save->p); - READSTRINGN(save->p, players[i].public_key, 32); + READMEM(save->p, players[i].public_key, 32); // respawnvars_t players[i].respawn.state = READUINT8(save->p); From e09b21ddae0e88429176b080231983ae965e5a5b Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 23:44:24 -0700 Subject: [PATCH 62/70] IsExternalAddress type fixup, move into i_tcp.c / SOCK_ abstraction --- src/d_clisrv.c | 27 +-------------------------- src/d_net.c | 1 + src/i_net.h | 1 + src/i_tcp.c | 27 +++++++++++++++++++++++++++ 4 files changed, 30 insertions(+), 26 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 787ff3d9e..c8092b151 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -219,31 +219,6 @@ consvar_t cv_httpsource = CVAR_INIT ("http_source", "", CV_SAVE, NULL, NULL); consvar_t cv_kicktime = CVAR_INIT ("kicktime", "10", CV_SAVE, CV_Unsigned, NULL); -// https://github.com/jameds/holepunch/blob/master/holepunch.c#L75 -static int IsExternalAddress (const void *p) -{ - const int a = ((const unsigned char*)p)[0]; - const int b = ((const unsigned char*)p)[1]; - - if (*(const int*)p == ~0)/* 255.255.255.255 */ - return 0; - - switch (a) - { - case 0: - case 10: - case 127: - return 0; - case 172: - return (b & ~15) != 16;/* 16 - 31 */ - case 192: - return b != 168; - default: - return 1; - } -} - - // Generate a message for an authenticating client to sign, with some guarantees about who we are. void GenerateChallenge(uint8_t *buf) { @@ -292,7 +267,7 @@ shouldsign_t ShouldSignChallenge(uint8_t *message) if ((max(now, then) - min(now, then)) > 60*5) return SIGN_BADTIME; - if (realIP != claimedIP && IsExternalAddress(&realIP)) + if (realIP != claimedIP && I_IsExternalAddress(&realIP)) return SIGN_BADIP; return SIGN_OK; diff --git a/src/d_net.c b/src/d_net.c index effc48eb3..917b181fe 100644 --- a/src/d_net.c +++ b/src/d_net.c @@ -93,6 +93,7 @@ boolean (*I_SetBanAddress) (const char *address, const char *mask) = NULL; boolean (*I_SetBanUsername) (const char *username) = NULL; boolean (*I_SetBanReason) (const char *reason) = NULL; boolean (*I_SetUnbanTime) (time_t timestamp) = NULL; +boolean (*I_IsExternalAddress) (const void *p) = NULL; bannednode_t *bannednode = NULL; diff --git a/src/i_net.h b/src/i_net.h index 9433b89fb..5755f6169 100644 --- a/src/i_net.h +++ b/src/i_net.h @@ -176,6 +176,7 @@ extern boolean (*I_SetBanAddress) (const char *address,const char *mask); extern boolean (*I_SetBanUsername) (const char *username); extern boolean (*I_SetBanReason) (const char *reason); extern boolean (*I_SetUnbanTime) (time_t timestamp); +extern boolean (*I_IsExternalAddress) (const void *p); struct bannednode_t { diff --git a/src/i_tcp.c b/src/i_tcp.c index eb4521928..18e79fbd6 100644 --- a/src/i_tcp.c +++ b/src/i_tcp.c @@ -1522,6 +1522,31 @@ static void SOCK_ClearBans(void) banned = NULL; } +// https://github.com/jameds/holepunch/blob/master/holepunch.c#L75 +static int SOCK_IsExternalAddress (const void *p) +{ + const int a = ((const unsigned char*)p)[0]; + const int b = ((const unsigned char*)p)[1]; + + if (*(const UINT32*)p == (UINT32)~0)/* 255.255.255.255 */ + return 0; + + switch (a) + { + case 0: + case 10: + case 127: + return 0; + case 172: + return (b & ~15) != 16;/* 16 - 31 */ + case 192: + return b != 168; + default: + return 1; + } +} + + boolean I_InitTcpNetwork(void) { char serverhostname[255]; @@ -1622,6 +1647,8 @@ boolean I_InitTcpNetwork(void) I_SetBanUsername = SOCK_SetBanUsername; I_SetBanReason = SOCK_SetBanReason; I_SetUnbanTime = SOCK_SetUnbanTime; + I_IsExternalAddress = SOCK_IsExternalAddress; + bannednode = SOCK_bannednode; return ret; From 3c561c564e745f207652ebc94ca831dc71b5787b Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 23:57:30 -0700 Subject: [PATCH 63/70] Use 64-byte challenges consistently --- src/d_clisrv.c | 8 ++++---- src/d_clisrv.h | 13 ++++++++----- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index c8092b151..0bdcae223 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -161,8 +161,8 @@ boolean acceptnewnode = true; UINT32 ourIP; // Used when populating PT_SERVERCHALLENGE (guards against signature reuse) uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // Player's public key (join process only! active players have it on player_t) -uint8_t lastSentChallenge[MAXNETNODES][32]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN -uint8_t lastChallengeAll[64]; // The message we asked EVERYONE to sign for client-to-client identity proofs +uint8_t lastSentChallenge[MAXNETNODES][CHALLENGELENGTH]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN +uint8_t lastChallengeAll[CHALLENGELENGTH]; // The message we asked EVERYONE to sign for client-to-client identity proofs uint8_t lastReceivedSignature[MAXPLAYERS][64]; // Everyone's response to lastChallengeAll uint8_t knownWhenChallenged[MAXPLAYERS][32]; // Everyone a client saw at the moment a challenge should be initiated boolean expectChallenge = false; // Were we in-game before a client-to-client challenge should have been sent? @@ -227,7 +227,7 @@ void GenerateChallenge(uint8_t *buf) #endif UINT64 now = time(NULL); - csprng(buf, sizeof(&buf)); // Random noise as a baseline, but... + csprng(buf, CHALLENGELENGTH); // Random noise as a baseline, but... memcpy(buf, &now, sizeof(now)); // Timestamp limits the reuse window. memcpy(buf + sizeof(now), &ourIP, sizeof(ourIP)); // IP prevents captured signatures from being used elsewhere. @@ -4385,7 +4385,7 @@ static void HandleConnect(SINT8 node) } else { - sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node], 32); + sigcheck = crypto_eddsa_check(netbuffer->u.clientcfg.challengeResponse[i], lastReceivedKey[node][i], lastSentChallenge[node], CHALLENGELENGTH); } if (netgame && sigcheck != 0) diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 446a582d6..8de7959f4 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -54,6 +54,9 @@ applications may follow different packet versions. // This just works as a quick implementation. #define MAXGENTLEMENDELAY TICRATE +// Servers verify client identity by giving them messages to sign. How long are these messages? +#define CHALLENGELENGTH 64 + // // Packet structure // @@ -367,12 +370,12 @@ struct clientkey_pak struct serverchallenge_pak { - uint8_t secret[32]; + uint8_t secret[CHALLENGELENGTH]; } ATTRPACK; struct challengeall_pak { - uint8_t secret[64]; + uint8_t secret[CHALLENGELENGTH]; } ATTRPACK; struct responseall_pak @@ -423,7 +426,7 @@ struct doomdata_t filesneededconfig_pak filesneededcfg; // ??? bytes UINT32 pingtable[MAXPLAYERS+1]; // 68 bytes clientkey_pak clientkey; // 32 bytes - serverchallenge_pak serverchallenge; // 64 bytes + serverchallenge_pak serverchallenge; // 256 bytes challengeall_pak challengeall; // 256 bytes responseall_pak responseall; // 256 bytes resultsall_pak resultsall; // 1024 bytes. Also, you really shouldn't trust anything here. @@ -493,8 +496,8 @@ extern SINT8 servernode; extern char connectedservername[MAXSERVERNAME]; extern UINT32 ourIP; extern uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; -extern uint8_t lastSentChallenge[MAXNETNODES][32]; -extern uint8_t lastChallengeAll[64]; +extern uint8_t lastSentChallenge[MAXNETNODES][CHALLENGELENGTH]; +extern uint8_t lastChallengeAll[CHALLENGELENGTH]; extern uint8_t lastReceivedSignature[MAXPLAYERS][64]; extern uint8_t knownWhenChallenged[MAXPLAYERS][32]; extern boolean expectChallenge; From 4413939e8589ba393f1a2880f88a7a965b81c428 Mon Sep 17 00:00:00 2001 From: James R Date: Tue, 28 Mar 2023 01:08:21 -0700 Subject: [PATCH 64/70] RRID: generate keys for old profiles Bump PROFILEVER to 3 --- src/k_profiles.c | 35 ++++++++++++++++++++++++----------- src/k_profiles.h | 2 +- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/src/k_profiles.c b/src/k_profiles.c index 9e5fd208d..e2c2b3401 100644 --- a/src/k_profiles.c +++ b/src/k_profiles.c @@ -30,6 +30,13 @@ INT32 PR_GetNumProfiles(void) return numprofiles; } +static void PR_GenerateProfileKeys(profile_t *new) +{ + static uint8_t seed[32]; + csprng(seed, 32); + crypto_eddsa_key_pair(new->secret_key, new->public_key, seed); +} + profile_t* PR_MakeProfile( const char *prname, const char *pname, @@ -43,17 +50,12 @@ profile_t* PR_MakeProfile( new->version = PROFILEVER; - uint8_t secret_key[64]; - uint8_t public_key[32]; - - memset(new->secret_key, 0, sizeof(secret_key)); - memset(new->public_key, 0, sizeof(public_key)); + memset(new->secret_key, 0, sizeof(new->secret_key)); + memset(new->public_key, 0, sizeof(new->public_key)); if (!guest) { - static uint8_t seed[32]; - csprng(seed, 32); - crypto_eddsa_key_pair(new->secret_key, new->public_key, seed); + PR_GenerateProfileKeys(new); } strcpy(new->profilename, prname); @@ -348,8 +350,19 @@ void PR_LoadProfiles(void) // Names and keys, all the identity stuff up front READSTRINGN(save.p, profilesList[i]->profilename, PROFILENAMELEN); - READMEM(save.p, profilesList[i]->public_key, sizeof(((profile_t *)0)->public_key)); - READMEM(save.p, profilesList[i]->secret_key, sizeof(((profile_t *)0)->secret_key)); + + // Profile update 2-->3: Add profile keys. + if (version < 3) + { + // Generate missing keys. + PR_GenerateProfileKeys(profilesList[i]); + } + else + { + READMEM(save.p, profilesList[i]->public_key, sizeof(((profile_t *)0)->public_key)); + READMEM(save.p, profilesList[i]->secret_key, sizeof(((profile_t *)0)->secret_key)); + } + READSTRINGN(save.p, profilesList[i]->playername, MAXPLAYERNAME); // Character and colour. @@ -605,4 +618,4 @@ char *GetPrettyRRID(const unsigned char *bin, boolean brief) out[len*2] = '\0'; return out; -} \ No newline at end of file +} diff --git a/src/k_profiles.h b/src/k_profiles.h index 2bd715d87..51dfbbd82 100644 --- a/src/k_profiles.h +++ b/src/k_profiles.h @@ -31,7 +31,7 @@ extern "C" { #define SKINNAMESIZE 16 #define PROFILENAMELEN 6 -#define PROFILEVER 2 +#define PROFILEVER 3 #define MAXPROFILES 16 #define PROFILESFILE "ringprofiles.prf" #define PROFILE_GUEST 0 From 412bd076093168d22e2d0c4edcc6339005abd27f Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Mon, 27 Mar 2023 16:07:18 -0700 Subject: [PATCH 65/70] Monocypher license compliance --- LICENSE-3RD-PARTY.txt | 34 +++++++++++++++++++++++++++++++++- src/monocypher/monocypher.c | 23 ----------------------- 2 files changed, 33 insertions(+), 24 deletions(-) diff --git a/LICENSE-3RD-PARTY.txt b/LICENSE-3RD-PARTY.txt index 8a839cf94..226afef99 100644 --- a/LICENSE-3RD-PARTY.txt +++ b/LICENSE-3RD-PARTY.txt @@ -1594,6 +1594,38 @@ freely, subject to the following restrictions: misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. +-------------------------------------------------------------------------------- + 2-Clause BSD License + applies to: + - monocypher + Copyright (c) 2017-2020, Loup Vaillant + All rights reserved. + https://monocypher.org/ +-------------------------------------------------------------------------------- + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + -------------------------------------------------------------------------------- MIT License applies to: @@ -1652,4 +1684,4 @@ FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER -DEALINGS IN THE SOFTWARE. +DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/src/monocypher/monocypher.c b/src/monocypher/monocypher.c index b01a4b728..0d0fa5495 100644 --- a/src/monocypher/monocypher.c +++ b/src/monocypher/monocypher.c @@ -1,16 +1,5 @@ // Monocypher version 4.0.0 // -// This file is dual-licensed. Choose whichever licence you want from -// the two licences listed below. -// -// The first licence is a regular 2-clause BSD licence. The second licence -// is the CC-0 from Creative Commons. It is intended to release Monocypher -// to the public domain. The BSD licence serves as a fallback option. -// -// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0 -// -// ------------------------------------------------------------------------ -// // Copyright (c) 2017-2020, Loup Vaillant // All rights reserved. // @@ -38,18 +27,6 @@ // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// -// ------------------------------------------------------------------------ -// -// Written in 2017-2020 by Loup Vaillant -// -// To the extent possible under law, the author(s) have dedicated all copyright -// and related neighboring rights to this software to the public domain -// worldwide. This software is distributed without any warranty. -// -// You should have received a copy of the CC0 Public Domain Dedication along -// with this software. If not, see -// #include "monocypher.h" From 86b6b2b1cdd892c3e3d88d5e8f9a0918e8d13fdf Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 28 Mar 2023 03:03:00 -0700 Subject: [PATCH 66/70] Clean up some mismatched and hardcoded sizes, use defines for crypto primitive size --- src/d_clisrv.c | 52 +++++++++++++++++++++++++------------------------- src/d_clisrv.h | 6 ++++-- 2 files changed, 30 insertions(+), 28 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 0bdcae223..983df1622 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -160,19 +160,19 @@ char connectedservername[MAXSERVERNAME]; boolean acceptnewnode = true; UINT32 ourIP; // Used when populating PT_SERVERCHALLENGE (guards against signature reuse) -uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; // Player's public key (join process only! active players have it on player_t) +uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][PUBKEYLENGTH]; // Player's public key (join process only! active players have it on player_t) uint8_t lastSentChallenge[MAXNETNODES][CHALLENGELENGTH]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN +uint8_t awaitingChallenge[SIGNATURELENGTH]; // The message the server asked our client to sign when joining uint8_t lastChallengeAll[CHALLENGELENGTH]; // The message we asked EVERYONE to sign for client-to-client identity proofs -uint8_t lastReceivedSignature[MAXPLAYERS][64]; // Everyone's response to lastChallengeAll -uint8_t knownWhenChallenged[MAXPLAYERS][32]; // Everyone a client saw at the moment a challenge should be initiated +uint8_t lastReceivedSignature[MAXPLAYERS][SIGNATURELENGTH]; // Everyone's response to lastChallengeAll +uint8_t knownWhenChallenged[MAXPLAYERS][PUBKEYLENGTH]; // Everyone a client saw at the moment a challenge should be initiated boolean expectChallenge = false; // Were we in-game before a client-to-client challenge should have been sent? -uint8_t priorKeys[MAXPLAYERS][32]; // Make a note of keys before consuming a new gamestate, and if the server tries to send us a gamestate where keys differ, assume shenanigans +uint8_t priorKeys[MAXPLAYERS][PUBKEYLENGTH]; // Make a note of keys before consuming a new gamestate, and if the server tries to send us a gamestate where keys differ, assume shenanigans boolean serverisfull = false; //lets us be aware if the server was full after we check files, but before downloading, so we can ask if the user still wants to download or not tic_t firstconnectattempttime = 0; -uint8_t awaitingChallenge[32]; consvar_t cv_allowguests = CVAR_INIT ("allowguests", "On", CV_SAVE, CV_OnOff, NULL); #ifdef DEVELOP @@ -947,8 +947,8 @@ static boolean CL_SendJoin(void) else { // If our keys are garbage (corrupted profile?), fail here instead of when the server boots us, so the player knows what's going on. - crypto_eddsa_sign(signature, localProfile->secret_key, awaitingChallenge, 32); - if (crypto_eddsa_check(signature, localProfile->public_key, awaitingChallenge, 32) != 0) + crypto_eddsa_sign(signature, localProfile->secret_key, awaitingChallenge, sizeof(awaitingChallenge)); + if (crypto_eddsa_check(signature, localProfile->public_key, awaitingChallenge, sizeof(awaitingChallenge)) != 0) I_Error("Couldn't self-verify key associated with player %d, profile %d.\nProfile data may be corrupted.", i, cv_lastprofile[i].value); // I guess this is the most reasonable way to catch a malformed key. } @@ -4222,17 +4222,17 @@ static size_t TotalTextCmdPerTic(tic_t tic) #ifdef SIGNGAMETRAFFIC static boolean IsSplitPlayerOnNodeGuest(int node, int split) { - char allZero[32]; - memset(allZero, 0, 32); + char allZero[PUBKEYLENGTH]; + memset(allZero, 0, PUBKEYLENGTH); if (split == 0) - return (memcmp(players[nodetoplayer[node]].public_key, allZero, 32) == 0); + return (memcmp(players[nodetoplayer[node]].public_key, allZero, PUBKEYLENGTH) == 0); else if (split == 1) - return (memcmp(players[nodetoplayer2[node]].public_key, allZero, 32) == 0); + return (memcmp(players[nodetoplayer2[node]].public_key, allZero, PUBKEYLENGTH) == 0); else if (split == 2) - return (memcmp(players[nodetoplayer3[node]].public_key, allZero, 32) == 0); + return (memcmp(players[nodetoplayer3[node]].public_key, allZero, PUBKEYLENGTH) == 0); else if (split == 3) - return (memcmp(players[nodetoplayer4[node]].public_key, allZero, 32) == 0); + return (memcmp(players[nodetoplayer4[node]].public_key, allZero, PUBKEYLENGTH) == 0); else I_Error("IsSplitPlayerOnNodeGuest: Out of bounds"); return false; // unreachable @@ -4241,10 +4241,10 @@ static size_t TotalTextCmdPerTic(tic_t tic) static boolean IsPlayerGuest(int player) { - char allZero[32]; - memset(allZero, 0, 32); + char allZero[PUBKEYLENGTH]; + memset(allZero, 0, PUBKEYLENGTH); - return (memcmp(players[player].public_key, allZero, 32) == 0); + return (memcmp(players[player].public_key, allZero, PUBKEYLENGTH) == 0); } /** Called when a PT_CLIENTJOIN packet is received @@ -4370,10 +4370,10 @@ static void HandleConnect(SINT8 node) } else // Remote player, gotta check their signature. { - char allZero[32]; + char allZero[PUBKEYLENGTH]; memset(allZero, 0, sizeof(allZero)); - if (memcmp(lastReceivedKey[node][i], allZero, sizeof(allZero)) == 0) // IsSplitPlayerOnNodeGuest isn't appropriate here, they're not in-game yet! + if (memcmp(lastReceivedKey[node][i], allZero, PUBKEYLENGTH) == 0) // IsSplitPlayerOnNodeGuest isn't appropriate here, they're not in-game yet! { if (!cv_allowguests.value) { @@ -5450,8 +5450,8 @@ static void HandlePacketFromPlayer(SINT8 node) break; int resultsplayer; - uint8_t allzero[64]; - memset(allzero, 0, sizeof(allzero)); + uint8_t allZero[PUBKEYLENGTH]; + memset(allZero, 0, sizeof(PUBKEYLENGTH)); for (resultsplayer = 0; resultsplayer < MAXPLAYERS; resultsplayer++) { @@ -5463,7 +5463,7 @@ static void HandlePacketFromPlayer(SINT8 node) { continue; } - else if (memcmp(knownWhenChallenged[resultsplayer], allzero, sizeof(allzero)) == 0) + else if (memcmp(knownWhenChallenged[resultsplayer], allZero, sizeof(PUBKEYLENGTH)) == 0) { // Wasn't here for the challenge. continue; @@ -6343,14 +6343,14 @@ static void SendChallenges(void) static void KickUnverifiedPlayers(void) { int i; - uint8_t allZero[64]; - memset(allZero, 0, sizeof(allZero)); + uint8_t allZero[SIGNATURELENGTH]; + memset(allZero, 0, SIGNATURELENGTH); for (i = 0; i < MAXPLAYERS; i++) { if (!playeringame[i]) continue; - if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) // We never got a response! + if (memcmp(lastReceivedSignature[i], allZero, SIGNATURELENGTH) == 0) // We never got a response! { if (!IsPlayerGuest(i) && memcmp(&knownWhenChallenged[i], &players[i].public_key, sizeof(knownWhenChallenged[i])) == 0) { @@ -6376,7 +6376,7 @@ static void SendChallengeResults(void) } #endif - uint8_t allZero[64]; + uint8_t allZero[SIGNATURELENGTH]; memset(allZero, 0, sizeof(allZero)); memset(&netbuffer->u.resultsall, 0, sizeof(netbuffer->u.resultsall)); @@ -6388,7 +6388,7 @@ static void SendChallengeResults(void) // Don't try to transmit signatures for players who didn't get here in time to send one. // (Everyone who had their chance should have been kicked by KickUnverifiedPlayers by now.) - if (memcmp(lastReceivedSignature[i], allZero, sizeof(allZero)) == 0) + if (memcmp(lastReceivedSignature[i], allZero, SIGNATURELENGTH) == 0) continue; memcpy(netbuffer->u.resultsall.signature[i], lastReceivedSignature[i], sizeof(netbuffer->u.resultsall.signature[i])); diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 8de7959f4..f4bc96aab 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -54,8 +54,10 @@ applications may follow different packet versions. // This just works as a quick implementation. #define MAXGENTLEMENDELAY TICRATE -// Servers verify client identity by giving them messages to sign. How long are these messages? -#define CHALLENGELENGTH 64 +#define PUBKEYLENGTH 32 // Enforced by Monocypher EdDSA +#define PRIVKEYLENGTH 64 // Enforced by Monocypher EdDSA +#define SIGNATURELENGTH 64 // Enforced by Monocypher EdDSA +#define CHALLENGELENGTH 64 // Servers verify client identity by giving them messages to sign. How long are these messages? // // Packet structure From 9a1de18491fbb437cca091ef92c0360559aa27b8 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 28 Mar 2023 03:07:52 -0700 Subject: [PATCH 67/70] Fix memory leak in GetPrettyRRID --- src/k_profiles.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/k_profiles.c b/src/k_profiles.c index e2c2b3401..a97ca1ae9 100644 --- a/src/k_profiles.c +++ b/src/k_profiles.c @@ -595,9 +595,10 @@ boolean PR_IsLocalPlayerGuest(INT32 player) return !(cv_lastprofile[player].value); } +static char rrid_buf[256]; + char *GetPrettyRRID(const unsigned char *bin, boolean brief) { - char *out; size_t i; size_t len = 32; @@ -607,15 +608,13 @@ char *GetPrettyRRID(const unsigned char *bin, boolean brief) if (bin == NULL || len == 0) return NULL; - out = malloc(len*2 + 1); - for (i=0; i> 4]; - out[i*2+1] = "0123456789ABCDEF"[bin[i] & 0x0F]; + rrid_buf[i*2] = "0123456789ABCDEF"[bin[i] >> 4]; + rrid_buf[i*2+1] = "0123456789ABCDEF"[bin[i] & 0x0F]; } - out[len*2] = '\0'; + rrid_buf[len*2] = '\0'; - return out; + return rrid_buf; } From afe3220415342131c0e1a801e419d5aef5a5e14f Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Tue, 28 Mar 2023 03:27:51 -0700 Subject: [PATCH 68/70] awaitingChallenge is, uh, a challenge, not a signature --- src/d_clisrv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 983df1622..58bddd8ed 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -162,7 +162,7 @@ boolean acceptnewnode = true; UINT32 ourIP; // Used when populating PT_SERVERCHALLENGE (guards against signature reuse) uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][PUBKEYLENGTH]; // Player's public key (join process only! active players have it on player_t) uint8_t lastSentChallenge[MAXNETNODES][CHALLENGELENGTH]; // The random message we asked them to sign in PT_SERVERCHALLENGE, check it in PT_CLIENTJOIN -uint8_t awaitingChallenge[SIGNATURELENGTH]; // The message the server asked our client to sign when joining +uint8_t awaitingChallenge[CHALLENGELENGTH]; // The message the server asked our client to sign when joining uint8_t lastChallengeAll[CHALLENGELENGTH]; // The message we asked EVERYONE to sign for client-to-client identity proofs uint8_t lastReceivedSignature[MAXPLAYERS][SIGNATURELENGTH]; // Everyone's response to lastChallengeAll uint8_t knownWhenChallenged[MAXPLAYERS][PUBKEYLENGTH]; // Everyone a client saw at the moment a challenge should be initiated From 3b67f99d0d22bba749e10cf5603306b58f71790d Mon Sep 17 00:00:00 2001 From: James R Date: Tue, 28 Mar 2023 03:54:29 -0700 Subject: [PATCH 69/70] RRID: correct remaining instances of hardcoded sizes to defines --- src/d_clisrv.c | 24 ++++++++++++------------ src/d_clisrv.h | 16 ++++++++-------- src/d_player.h | 2 +- src/g_game.c | 2 +- src/k_profiles.c | 2 +- src/k_profiles.h | 4 ++-- src/p_saveg.c | 4 ++-- 7 files changed, 27 insertions(+), 27 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 58bddd8ed..48dc945a2 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -937,12 +937,12 @@ static boolean CL_SendJoin(void) for (i = 0; i <= splitscreen; i++) { - uint8_t signature[64]; + uint8_t signature[SIGNATURELENGTH]; profile_t *localProfile = PR_GetLocalPlayerProfile(i); if (PR_IsLocalPlayerGuest(i)) // GUESTS don't have keys { - memset(signature, 0, 64); + memset(signature, 0, sizeof(signature)); } else { @@ -957,7 +957,7 @@ static boolean CL_SendJoin(void) { CV_AddValue(&cv_badjoin, -1); CONS_Alert(CONS_WARNING, "cv_badjoin enabled, scrubbing signature from CL_SendJoin\n"); - memset(signature, 0, 64); + memset(signature, 0, sizeof(signature)); } #endif @@ -979,7 +979,7 @@ static boolean CL_SendKey(void) for (i = 0; i <= splitscreen; i++) { // GUEST profiles have all-zero keys. This will be handled at the end of the challenge process, don't worry about it. - memcpy(netbuffer->u.clientkey.key[i], PR_GetProfile(cv_lastprofile[i].value)->public_key, 32); + memcpy(netbuffer->u.clientkey.key[i], PR_GetProfile(cv_lastprofile[i].value)->public_key, PUBKEYLENGTH); } return HSendPacket(servernode, false, 0, sizeof (clientkey_pak) ); } @@ -3808,7 +3808,7 @@ static void Got_AddPlayer(UINT8 **p, INT32 playernum) newplayer->jointime = 0; READSTRINGN(*p, player_names[newplayernum], MAXPLAYERNAME); - READMEM(*p, players[newplayernum].public_key, 32); + READMEM(*p, players[newplayernum].public_key, PUBKEYLENGTH); console = READUINT8(*p); splitscreenplayer = READUINT8(*p); @@ -3973,7 +3973,7 @@ const char *name, uint8_t *key, const char *name2, uint8_t *key2, const char *name3, uint8_t *key3, const char *name4, uint8_t *key4) { INT32 n, newplayernum, i; - UINT8 buf[4 + MAXPLAYERNAME + 32 + MAXAVAILABILITY]; + UINT8 buf[4 + MAXPLAYERNAME + PUBKEYLENGTH + MAXAVAILABILITY]; UINT8 *buf_p = buf; boolean newplayer = false; @@ -4036,25 +4036,25 @@ const char *name3, uint8_t *key3, const char *name4, uint8_t *key4) { nodetoplayer[node] = newplayernum; WRITESTRINGN(buf_p, name, MAXPLAYERNAME); - WRITEMEM(buf_p, key, 32); + WRITEMEM(buf_p, key, PUBKEYLENGTH); } else if (playerpernode[node] < 2) { nodetoplayer2[node] = newplayernum; WRITESTRINGN(buf_p, name2, MAXPLAYERNAME); - WRITEMEM(buf_p, key2, 32); + WRITEMEM(buf_p, key2, PUBKEYLENGTH); } else if (playerpernode[node] < 3) { nodetoplayer3[node] = newplayernum; WRITESTRINGN(buf_p, name3, MAXPLAYERNAME); - WRITEMEM(buf_p, key3, 32); + WRITEMEM(buf_p, key3, PUBKEYLENGTH); } else if (playerpernode[node] < 4) { nodetoplayer4[node] = newplayernum; WRITESTRINGN(buf_p, name4, MAXPLAYERNAME); - WRITEMEM(buf_p, key4, 32); + WRITEMEM(buf_p, key4, PUBKEYLENGTH); } WRITEUINT8(buf_p, nodetoplayer[node]); // consoleplayer @@ -5391,7 +5391,7 @@ static void HandlePacketFromPlayer(SINT8 node) for (challengeplayers = 0; challengeplayers <= splitscreen; challengeplayers++) { - uint8_t signature[64]; + uint8_t signature[SIGNATURELENGTH]; profile_t *localProfile = PR_GetLocalPlayerProfile(challengeplayers); if (!PR_IsLocalPlayerGuest(challengeplayers)) // GUESTS don't have keys { @@ -5407,7 +5407,7 @@ static void HandlePacketFromPlayer(SINT8 node) { CV_AddValue(&cv_badresponse, -1); CONS_Alert(CONS_WARNING, "cv_badresponse enabled, scrubbing signature from PT_RESPONSEALL\n"); - memset(signature, 0, 64); + memset(signature, 0, sizeof(signature)); } #endif diff --git a/src/d_clisrv.h b/src/d_clisrv.h index f4bc96aab..c50dce4ba 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -270,7 +270,7 @@ struct clientconfig_pak UINT8 mode; char names[MAXSPLITSCREENPLAYERS][MAXPLAYERNAME]; UINT8 availabilities[MAXAVAILABILITY]; - uint8_t challengeResponse[MAXSPLITSCREENPLAYERS][64]; + uint8_t challengeResponse[MAXSPLITSCREENPLAYERS][SIGNATURELENGTH]; } ATTRPACK; #define SV_SPEEDMASK 0x03 // used to send kartspeed @@ -367,7 +367,7 @@ struct filesneededconfig_pak struct clientkey_pak { - uint8_t key[MAXSPLITSCREENPLAYERS][32]; + uint8_t key[MAXSPLITSCREENPLAYERS][PUBKEYLENGTH]; } ATTRPACK; struct serverchallenge_pak @@ -382,12 +382,12 @@ struct challengeall_pak struct responseall_pak { - uint8_t signature[MAXSPLITSCREENPLAYERS][64]; + uint8_t signature[MAXSPLITSCREENPLAYERS][SIGNATURELENGTH]; } ATTRPACK; struct resultsall_pak { - uint8_t signature[MAXPLAYERS][64]; + uint8_t signature[MAXPLAYERS][SIGNATURELENGTH]; } ATTRPACK; // @@ -401,7 +401,7 @@ struct doomdata_t UINT8 packettype; #ifdef SIGNGAMETRAFFIC - uint8_t signature[MAXSPLITSCREENPLAYERS][64]; + uint8_t signature[MAXSPLITSCREENPLAYERS][SIGNATURELENGTH]; #endif UINT8 reserved; // Padding union @@ -497,11 +497,11 @@ extern boolean acceptnewnode; extern SINT8 servernode; extern char connectedservername[MAXSERVERNAME]; extern UINT32 ourIP; -extern uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][32]; +extern uint8_t lastReceivedKey[MAXNETNODES][MAXSPLITSCREENPLAYERS][PUBKEYLENGTH]; extern uint8_t lastSentChallenge[MAXNETNODES][CHALLENGELENGTH]; extern uint8_t lastChallengeAll[CHALLENGELENGTH]; -extern uint8_t lastReceivedSignature[MAXPLAYERS][64]; -extern uint8_t knownWhenChallenged[MAXPLAYERS][32]; +extern uint8_t lastReceivedSignature[MAXPLAYERS][SIGNATURELENGTH]; +extern uint8_t knownWhenChallenged[MAXPLAYERS][PUBKEYLENGTH]; extern boolean expectChallenge; // We give clients a chance to verify each other once per race. diff --git a/src/d_player.h b/src/d_player.h index 455db72f3..f1638024d 100644 --- a/src/d_player.h +++ b/src/d_player.h @@ -713,7 +713,7 @@ struct player_t mobj_t *stumbleIndicator; mobj_t *sliptideZipIndicator; - uint8_t public_key[32]; + uint8_t public_key[PUBKEYLENGTH]; #ifdef HWRENDER fixed_t fovadd; // adjust FOV for hw rendering diff --git a/src/g_game.c b/src/g_game.c index 606999924..33ad53ac6 100644 --- a/src/g_game.c +++ b/src/g_game.c @@ -2436,7 +2436,7 @@ void G_PlayerReborn(INT32 player, boolean betweenmaps) SINT8 xtralife; - uint8_t public_key[32]; + uint8_t public_key[PUBKEYLENGTH]; // SRB2kart itemroulette_t itemRoulette; diff --git a/src/k_profiles.c b/src/k_profiles.c index a97ca1ae9..aad3fd221 100644 --- a/src/k_profiles.c +++ b/src/k_profiles.c @@ -600,7 +600,7 @@ static char rrid_buf[256]; char *GetPrettyRRID(const unsigned char *bin, boolean brief) { size_t i; - size_t len = 32; + size_t len = PUBKEYLENGTH; if (brief) len = 8; diff --git a/src/k_profiles.h b/src/k_profiles.h index 51dfbbd82..c5e49bab9 100644 --- a/src/k_profiles.h +++ b/src/k_profiles.h @@ -59,8 +59,8 @@ struct profile_t // Profile header char profilename[PROFILENAMELEN+1]; // Profile name (not to be confused with player name) - uint8_t public_key[32]; // Netgame authentication - uint8_t secret_key[64]; + uint8_t public_key[PUBKEYLENGTH]; // Netgame authentication + uint8_t secret_key[PRIVKEYLENGTH]; // Player data char playername[MAXPLAYERNAME+1]; // Player name diff --git a/src/p_saveg.c b/src/p_saveg.c index 31bfa868d..4770f0602 100644 --- a/src/p_saveg.c +++ b/src/p_saveg.c @@ -407,7 +407,7 @@ static void P_NetArchivePlayers(savebuffer_t *save) WRITEUINT8(save->p, players[i].sliptideZipDelay); WRITEUINT16(save->p, players[i].sliptideZipBoost); - WRITEMEM(save->p, players[i].public_key, 32); + WRITEMEM(save->p, players[i].public_key, PUBKEYLENGTH); // respawnvars_t WRITEUINT8(save->p, players[i].respawn.state); @@ -789,7 +789,7 @@ static void P_NetUnArchivePlayers(savebuffer_t *save) players[i].sliptideZipDelay = READUINT8(save->p); players[i].sliptideZipBoost = READUINT16(save->p); - READMEM(save->p, players[i].public_key, 32); + READMEM(save->p, players[i].public_key, PUBKEYLENGTH); // respawnvars_t players[i].respawn.state = READUINT8(save->p); From 9f8ed9c4eccbaacda060b3afa92190372de30c62 Mon Sep 17 00:00:00 2001 From: AJ Martinez Date: Wed, 29 Mar 2023 23:59:31 -0700 Subject: [PATCH 70/70] Update more third-party licenses --- LICENSE-3RD-PARTY.txt | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/LICENSE-3RD-PARTY.txt b/LICENSE-3RD-PARTY.txt index 226afef99..fb63dc59c 100644 --- a/LICENSE-3RD-PARTY.txt +++ b/LICENSE-3RD-PARTY.txt @@ -17,6 +17,9 @@ Copyright (c) 2010, The WebM Project authors. All rights reserved. All rights reserved. https://chromium.googlesource.com/webm/libvpx + - libvorbis + libvorbisenc + Copyright (c) 2002-2020 Xiph.org Foundation + https://github.com/xiph/vorbis -------------------------------------------------------------------------------- Redistribution and use in source and binary forms, with or without @@ -843,6 +846,10 @@ Public License instead of this License. But first, please read - libxmp https://github.com/libxmp/libxmp/blob/master/docs/CREDITS https://github.com/libxmp/libxmp + + - ACSVM + https://github.com/DavidPH/ACSVM + -------------------------------------------------------------------------------- GNU LESSER GENERAL PUBLIC LICENSE @@ -1635,6 +1642,9 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - imgui Copyright (c) 2014-2023 Omar Cornut https://github.com/ocornut/imgui + - stb_vorbis + stb_rect_pack + Copyright (c) 2017 Sean Barrett + https://github.com/nothings/stb -------------------------------------------------------------------------------- Permission is hereby granted, free of charge, to any person obtaining a copy @@ -1684,4 +1694,10 @@ FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER -DEALINGS IN THE SOFTWARE. \ No newline at end of file +DEALINGS IN THE SOFTWARE. + +------------------------------------------------------------------------------- + +In addition to the above, we make use of the following public-domain software: + +* glad - https://github.com/Dav1dde/glad \ No newline at end of file