static cvar_t rcon_restricted_commands = {0, "rcon_restricted_commands", "", "allowed commands for rcon when the restricted mode password was used"};
static cvar_t rcon_secure_maxdiff = {0, "rcon_secure_maxdiff", "5", "maximum time difference between rcon request and server system clock (to protect against replay attack)"};
extern cvar_t rcon_secure;
+extern cvar_t rcon_secure_challengetimeout;
/* statistic counters */
static int packetsSent = 0;
static int hostport = -1;
void NetConn_UpdateSockets(void)
{
+ int i, j;
+
if (cls.state != ca_dedicated)
{
if (clientport2 != cl_netport.integer)
if (sv.active)
Con_Print("Changing \"port\" will not take effect until \"map\" command is executed.\n");
}
+
+ for (j = 0;j < MAX_RCONS;j++)
+ {
+ i = (cls.rcon_ringpos + j + 1) % MAX_RCONS;
+ if(cls.rcon_commands[i][0])
+ {
+ if(realtime > cls.rcon_timeout[i])
+ {
+ char s[128];
+ LHNETADDRESS_ToString(&cls.rcon_addresses[i], s, sizeof(s), true);
+ Con_Printf("rcon to %s (for command %s) failed: challenge request timed out\n", s, cls.rcon_commands[i]);
+ cls.rcon_commands[i][0] = 0;
+ --cls.rcon_trying;
+ break;
+ }
+ }
+ }
}
static int NetConn_ReceivedMessage(netconn_t *conn, unsigned char *data, int length, protocolversion_t protocol, double newtimeout)
if (length > 10 && !memcmp(string, "challenge ", 10) && cls.rcon_trying)
{
- int i;
- for (i = 0;i < MAX_RCONS;i++)
+ int i, j;
+ for (j = 0;j < MAX_RCONS;j++)
+ {
+ i = (cls.rcon_ringpos + j) % MAX_RCONS;
if(cls.rcon_commands[i][0])
if (!LHNETADDRESS_Compare(peeraddress, &cls.rcon_addresses[i]))
break;
- if (i < MAX_RCONS)
+ }
+ if (j < MAX_RCONS)
{
char buf[1500];
char argbuf[1500];
NetConn_Write(mysocket, buf, 46 + strlen(buf + 46), peeraddress);
cls.rcon_commands[i][0] = 0;
--cls.rcon_trying;
+
+ for (i = 0;i < MAX_RCONS;i++)
+ if(cls.rcon_commands[i][0])
+ if (!LHNETADDRESS_Compare(peeraddress, &cls.rcon_addresses[i]))
+ break;
+ if(i < MAX_RCONS)
+ {
+ NetConn_WriteString(mysocket, "\377\377\377\377getchallenge", peeraddress);
+ // extend the timeout on other requests as we asked for a challenge
+ for (i = 0;i < MAX_RCONS;i++)
+ if(cls.rcon_commands[i][0])
+ if (!LHNETADDRESS_Compare(peeraddress, &cls.rcon_addresses[i]))
+ cls.rcon_timeout[i] = realtime + rcon_secure_challengetimeout.value;
+ }
+
return true; // we used up the challenge, so we can't use this oen for connecting now anyway
}
}
// validate the challenge
for (i = 0;i < MAX_CHALLENGES;i++)
- if (!LHNETADDRESS_Compare(peeraddress, &challenge[i].address) && !strncmp(challenge[i].string, s, sizeof(challenge[0].string) - 1))
- break;
+ if(challenge[i].time > 0)
+ if (!LHNETADDRESS_Compare(peeraddress, &challenge[i].address) && !strncmp(challenge[i].string, s, sizeof(challenge[0].string) - 1))
+ break;
// if the challenge is not recognized, drop the packet
if (i == MAX_CHALLENGES)
return false;
return false;
// unmark challenge to prevent replay attacks
- // FIXME as there is currently no unmark facility, let's invalidate it
- // as much as possible
- challenge[i].string[0] = '\\'; // not allowed in infostrings, so connects cannot match
- NetConn_BuildChallengeString(challenge[i].string + 1, sizeof(challenge[i].string) - 1);
challenge[i].time = 0;
- LHNETADDRESS_FromString(&challenge[i].address, "local:42", 42); // no rcon will come from there for sure
- challenge[i].address = *peeraddress;
return true;
}
{
for (i = 0, best = 0, besttime = realtime;i < MAX_CHALLENGES;i++)
{
- if (!LHNETADDRESS_Compare(peeraddress, &challenge[i].address))
- break;
+ if(challenge[i].time > 0)
+ if (!LHNETADDRESS_Compare(peeraddress, &challenge[i].address))
+ break;
if (besttime > challenge[i].time)
besttime = challenge[best = i].time;
}
return true;
// validate the challenge
for (i = 0;i < MAX_CHALLENGES;i++)
- if (!LHNETADDRESS_Compare(peeraddress, &challenge[i].address) && !strcmp(challenge[i].string, s))
- break;
+ if(challenge[i].time > 0)
+ if (!LHNETADDRESS_Compare(peeraddress, &challenge[i].address) && !strcmp(challenge[i].string, s))
+ break;
// if the challenge is not recognized, drop the packet
if (i == MAX_CHALLENGES)
return true;