X-Git-Url: http://git.xonotic.org/?a=blobdiff_plain;f=crypto.c;h=30b9bd86ab21cb384c5ffce3415d4e0ef8706829;hb=58c894a58d24891eacf7baca0b813a4941cb07aa;hp=f9cfbbb58693c728202c9208151389783af9c200;hpb=927bd7b13c9a18fb07a8681c7483f632c7ea32f3;p=xonotic%2Fdarkplaces.git diff --git a/crypto.c b/crypto.c index f9cfbbb5..30b9bd86 100644 --- a/crypto.c +++ b/crypto.c @@ -7,8 +7,6 @@ #include "hmac.h" #include "libcurl.h" -void *crypto_mutex = NULL; - cvar_t crypto_developer = {CVAR_SAVE, "crypto_developer", "0", "print extra info about crypto handshake"}; cvar_t crypto_servercpupercent = {CVAR_SAVE, "crypto_servercpupercent", "10", "allowed crypto CPU load in percent for server operation (0 = no limit, faster)"}; cvar_t crypto_servercpumaxtime = {CVAR_SAVE, "crypto_servercpumaxtime", "0.01", "maximum allowed crypto CPU time per frame (0 = no limit)"}; @@ -149,6 +147,8 @@ static size_t Crypto_UnParsePack(char *buf, size_t len, unsigned long header, co #define qd0_blind_id_sign_with_private_id_sign_detached d0_blind_id_sign_with_private_id_sign_detached #define qd0_blind_id_setmallocfuncs d0_blind_id_setmallocfuncs #define qd0_blind_id_setmutexfuncs d0_blind_id_setmutexfuncs +#define qd0_blind_id_verify_public_id d0_blind_id_verify_public_id +#define qd0_blind_id_verify_private_id d0_blind_id_verify_private_id #else @@ -207,6 +207,8 @@ static D0_EXPORT D0_WARN_UNUSED_RESULT D0_BOOL (*qd0_blind_id_sign_with_private_ static D0_EXPORT D0_WARN_UNUSED_RESULT D0_BOOL (*qd0_blind_id_sign_with_private_id_sign_detached) (d0_blind_id_t *ctx, D0_BOOL is_first, D0_BOOL send_modulus, const char *message, size_t msglen, char *outbuf, size_t *outbuflen); static D0_EXPORT void (*qd0_blind_id_setmallocfuncs)(d0_malloc_t *m, d0_free_t *f); static D0_EXPORT void (*qd0_blind_id_setmutexfuncs)(d0_createmutex_t *c, d0_destroymutex_t *d, d0_lockmutex_t *l, d0_unlockmutex_t *u); +static D0_EXPORT D0_WARN_UNUSED_RESULT D0_BOOL (*qd0_blind_id_verify_public_id)(const d0_blind_id_t *ctx, D0_BOOL *status); +static D0_EXPORT D0_WARN_UNUSED_RESULT D0_BOOL (*qd0_blind_id_verify_private_id)(const d0_blind_id_t *ctx); static dllfunction_t d0_blind_id_funcs[] = { {"d0_blind_id_new", (void **) &qd0_blind_id_new}, @@ -246,6 +248,8 @@ static dllfunction_t d0_blind_id_funcs[] = {"d0_blind_id_sign_with_private_id_sign_detached", (void **) &qd0_blind_id_sign_with_private_id_sign_detached}, {"d0_blind_id_setmallocfuncs", (void **) &qd0_blind_id_setmallocfuncs}, {"d0_blind_id_setmutexfuncs", (void **) &qd0_blind_id_setmutexfuncs}, + {"d0_blind_id_verify_public_id", (void **) &qd0_blind_id_verify_public_id}, + {"d0_blind_id_verify_private_id", (void **) &qd0_blind_id_verify_private_id}, {NULL, NULL} }; // end of d0_blind_id interface @@ -458,6 +462,7 @@ static qboolean Crypto_AddPrivateKey(d0_blind_id_t *pk, char *buf, size_t len) static d0_blind_id_t *pubkeys[MAX_PUBKEYS]; static char pubkeys_fp64[MAX_PUBKEYS][FP64_SIZE+1]; static qboolean pubkeys_havepriv[MAX_PUBKEYS]; +static qboolean pubkeys_havesig[MAX_PUBKEYS]; static char pubkeys_priv_fp64[MAX_PUBKEYS][FP64_SIZE+1]; static char challenge_append[1400]; static size_t challenge_append_length; @@ -540,7 +545,7 @@ qboolean Crypto_ServerFinishInstance(crypto_t *out, crypto_t *crypto) } CLEAR_CDATA; memcpy(out, crypto, sizeof(*out)); - memset(crypto, 0, sizeof(crypto)); + memset(crypto, 0, sizeof(*crypto)); return true; } @@ -716,7 +721,7 @@ qboolean Crypto_RetrieveHostKey(lhnetaddress_t *peeraddress, int *keyid, char *k return true; } -int Crypto_RetrieveLocalKey(int keyid, char *keyfp, size_t keyfplen, char *idfp, size_t idfplen) // return value: -1 if more to come, +1 if valid, 0 if end of list +int Crypto_RetrieveLocalKey(int keyid, char *keyfp, size_t keyfplen, char *idfp, size_t idfplen, qboolean *issigned) // return value: -1 if more to come, +1 if valid, 0 if end of list { if(keyid < 0 || keyid >= MAX_PUBKEYS) return 0; @@ -731,6 +736,8 @@ int Crypto_RetrieveLocalKey(int keyid, char *keyfp, size_t keyfplen, char *idfp, if(idfp) if(pubkeys_havepriv[keyid]) strlcpy(idfp, pubkeys_priv_fp64[keyid], keyfplen); + if(issigned) + *issigned = pubkeys_havesig[keyid]; return 1; } // end @@ -765,6 +772,34 @@ static void Crypto_BuildChallengeAppend(void) challenge_append_length = p - challenge_append; } +static qboolean Crypto_SavePubKeyTextFile(int i) +{ + qfile_t *f; + char vabuf[1024]; + + if(!pubkeys_havepriv[i]) + return false; + f = FS_SysOpen(va(vabuf, sizeof(vabuf), "%skey_%d-public-fp%s.txt", *fs_userdir ? fs_userdir : fs_basedir, i, sessionid.string), "w", false); + if(!f) + return false; + + // we ignore errors for this file, as it's not necessary to have + FS_Printf(f, "ID-Fingerprint: %s\n", pubkeys_priv_fp64[i]); + FS_Printf(f, "ID-Is-Signed: %s\n", pubkeys_havesig[i] ? "yes" : "no"); + FS_Printf(f, "ID-Is-For-Key: %s\n", pubkeys_fp64[i]); + FS_Printf(f, "\n"); + FS_Printf(f, "This is a PUBLIC ID file for DarkPlaces.\n"); + FS_Printf(f, "You are free to share this file or its contents.\n"); + FS_Printf(f, "\n"); + FS_Printf(f, "This file will be automatically generated again if deleted.\n"); + FS_Printf(f, "\n"); + FS_Printf(f, "However, NEVER share the accompanying SECRET ID file called\n"); + FS_Printf(f, "key_%d.d0si%s, as doing so would compromise security!\n", i, sessionid.string); + FS_Close(f); + + return true; +} + void Crypto_LoadKeys(void) { char buf[8192]; @@ -793,6 +828,7 @@ void Crypto_LoadKeys(void) memset(pubkeys_fp64[i], 0, sizeof(pubkeys_fp64[i])); memset(pubkeys_priv_fp64[i], 0, sizeof(pubkeys_fp64[i])); pubkeys_havepriv[i] = false; + pubkeys_havesig[i] = false; len = Crypto_LoadFile(va(vabuf, sizeof(vabuf), "key_%d.d0pk", i), buf, sizeof(buf), false); if((pubkeys[i] = Crypto_ReadPublicKey(buf, len))) { @@ -808,14 +844,36 @@ void Crypto_LoadKeys(void) len2 = FP64_SIZE; if(qd0_blind_id_fingerprint64_public_id(pubkeys[i], pubkeys_priv_fp64[i], &len2)) // keeps final NUL { + D0_BOOL status = 0; + Con_Printf("Loaded private ID key_%d.d0si%s for key_%d.d0pk (public key fingerprint: %s)\n", i, sessionid.string, i, pubkeys_priv_fp64[i]); - pubkeys_havepriv[i] = true; - strlcat(crypto_idstring_buf, va(vabuf, sizeof(vabuf), " %s@%s", pubkeys_priv_fp64[i], pubkeys_fp64[i]), sizeof(crypto_idstring_buf)); + + // verify the key we just loaded (just in case) + if(qd0_blind_id_verify_private_id(pubkeys[i]) && qd0_blind_id_verify_public_id(pubkeys[i], &status)) + { + pubkeys_havepriv[i] = true; + strlcat(crypto_idstring_buf, va(vabuf, sizeof(vabuf), " %s@%s", pubkeys_priv_fp64[i], pubkeys_fp64[i]), sizeof(crypto_idstring_buf)); + + // verify the key we just got (just in case) + if(status) + pubkeys_havesig[i] = true; + else + Con_Printf("NOTE: this ID has not yet been signed!\n"); + + Crypto_SavePubKeyTextFile(i); + } + else + { + Con_Printf("d0_blind_id_verify_private_id failed, this is not a valid key!\n"); + qd0_blind_id_free(pubkeys[i]); + pubkeys[i] = NULL; + } } else { - // can't really happen - // but nothing leaked here + Con_Printf("d0_blind_id_fingerprint64_public_id failed\n"); + qd0_blind_id_free(pubkeys[i]); + pubkeys[i] = NULL; } } } @@ -879,6 +937,7 @@ void Crypto_LoadKeys(void) static void Crypto_UnloadKeys(void) { int i; + keygen_i = -1; for(i = 0; i < MAX_PUBKEYS; ++i) { @@ -886,6 +945,7 @@ static void Crypto_UnloadKeys(void) qd0_blind_id_free(pubkeys[i]); pubkeys[i] = NULL; pubkeys_havepriv[i] = false; + pubkeys_havesig[i] = false; memset(pubkeys_fp64[i], 0, sizeof(pubkeys_fp64[i])); memset(pubkeys_priv_fp64[i], 0, sizeof(pubkeys_fp64[i])); challenge_append_length = 0; @@ -937,10 +997,6 @@ void Crypto_Shutdown(void) crypto_t *crypto; int i; - if (crypto_mutex) - Thread_DestroyMutex(crypto_mutex); - crypto_mutex = NULL; - Crypto_Rijndael_CloseLibrary(); if(d0_blind_id_dll) @@ -974,10 +1030,7 @@ void Crypto_Init(void) qd0_blind_id_setmallocfuncs(Crypto_d0_malloc, Crypto_d0_free); if (Thread_HasThreads()) - { - crypto_mutex = Thread_CreateMutex(); qd0_blind_id_setmutexfuncs(Crypto_d0_createmutex, Crypto_d0_destroymutex, Crypto_d0_lockmutex, Crypto_d0_unlockmutex); - } if(!qd0_blind_id_INITIALIZE()) { @@ -1007,20 +1060,18 @@ static void Crypto_KeyGen_Finished(int code, size_t length_received, unsigned ch size_t l[1]; static char buf[8192]; static char buf2[8192]; - size_t bufsize, buf2size; + size_t buf2size; qfile_t *f = NULL; - d0_blind_id_t *ctx, *ctx2; D0_BOOL status; - size_t len2; char vabuf[1024]; - if (crypto_mutex) Thread_LockMutex(crypto_mutex); + SV_LockThreadMutex(); if(!d0_blind_id_dll) { Con_Print("libd0_blind_id DLL not found, this command is inactive.\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } @@ -1028,14 +1079,14 @@ static void Crypto_KeyGen_Finished(int code, size_t length_received, unsigned ch { Con_Printf("overflow of keygen_i\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } if(keygen_i < 0) { Con_Printf("Unexpected response from keygen server:\n"); Com_HexDumpToConsole(buffer, length_received); - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } if(!Crypto_ParsePack((const char *) buffer, length_received, FOURCC_D0IR, p, l, 1)) @@ -1050,107 +1101,31 @@ static void Crypto_KeyGen_Finished(int code, size_t length_received, unsigned ch Com_HexDumpToConsole(buffer, length_received); } keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } if(!qd0_blind_id_finish_private_id_request(pubkeys[keygen_i], p[0], l[0])) { Con_Printf("d0_blind_id_finish_private_id_request failed\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } // verify the key we just got (just in case) - ctx = qd0_blind_id_new(); - if(!ctx) - { - Con_Printf("d0_blind_id_new failed\n"); - keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); - return; - } - ctx2 = qd0_blind_id_new(); - if(!ctx2) - { - Con_Printf("d0_blind_id_new failed\n"); - qd0_blind_id_free(ctx); - keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); - return; - } - if(!qd0_blind_id_copy(ctx, pubkeys[keygen_i])) - { - Con_Printf("d0_blind_id_copy failed\n"); - qd0_blind_id_free(ctx); - qd0_blind_id_free(ctx2); - keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); - return; - } - if(!qd0_blind_id_copy(ctx2, pubkeys[keygen_i])) + if(!qd0_blind_id_verify_public_id(pubkeys[keygen_i], &status) || !status) { - Con_Printf("d0_blind_id_copy failed\n"); - qd0_blind_id_free(ctx); - qd0_blind_id_free(ctx2); + Con_Printf("d0_blind_id_verify_public_id failed\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } - bufsize = sizeof(buf); - if(!qd0_blind_id_authenticate_with_private_id_start(ctx, 1, 1, "hello world", 11, buf, &bufsize)) - { - Con_Printf("d0_blind_id_authenticate_with_private_id_start failed\n"); - qd0_blind_id_free(ctx); - qd0_blind_id_free(ctx2); - keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); - return; - } - buf2size = sizeof(buf2); - if(!qd0_blind_id_authenticate_with_private_id_challenge(ctx2, 1, 1, buf, bufsize, buf2, &buf2size, &status) || !status) - { - Con_Printf("d0_blind_id_authenticate_with_private_id_challenge failed (server does not have the requested private key)\n"); - qd0_blind_id_free(ctx); - qd0_blind_id_free(ctx2); - keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); - return; - } - bufsize = sizeof(buf); - if(!qd0_blind_id_authenticate_with_private_id_response(ctx, buf2, buf2size, buf, &bufsize)) - { - Con_Printf("d0_blind_id_authenticate_with_private_id_response failed\n"); - qd0_blind_id_free(ctx); - qd0_blind_id_free(ctx2); - keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); - return; - } - buf2size = sizeof(buf2); - if(!qd0_blind_id_authenticate_with_private_id_verify(ctx2, buf, bufsize, buf2, &buf2size, &status) || !status) - { - Con_Printf("d0_blind_id_authenticate_with_private_id_verify failed (server does not have the requested private key)\n"); - qd0_blind_id_free(ctx); - qd0_blind_id_free(ctx2); - keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); - return; - } - qd0_blind_id_free(ctx); - qd0_blind_id_free(ctx2); // we have a valid key now! // make the rest of crypto.c know that - len2 = FP64_SIZE; - if(qd0_blind_id_fingerprint64_public_id(pubkeys[keygen_i], pubkeys_priv_fp64[keygen_i], &len2)) // keeps final NUL - { - Con_Printf("Received private ID key_%d.d0pk (public key fingerprint: %s)\n", keygen_i, pubkeys_priv_fp64[keygen_i]); - pubkeys_havepriv[keygen_i] = true; - strlcat(crypto_idstring_buf, va(vabuf, sizeof(vabuf), " %s@%s", pubkeys_priv_fp64[keygen_i], pubkeys_fp64[keygen_i]), sizeof(crypto_idstring_buf)); - crypto_idstring = crypto_idstring_buf; - Crypto_BuildChallengeAppend(); - } + Con_Printf("Received signature for private ID key_%d.d0pk (public key fingerprint: %s)\n", keygen_i, pubkeys_priv_fp64[keygen_i]); + pubkeys_havesig[keygen_i] = true; + // write the key to disk p[0] = buf; l[0] = sizeof(buf); @@ -1158,14 +1133,14 @@ static void Crypto_KeyGen_Finished(int code, size_t length_received, unsigned ch { Con_Printf("d0_blind_id_write_private_id failed\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } if(!(buf2size = Crypto_UnParsePack(buf2, sizeof(buf2), FOURCC_D0SI, p, l, 1))) { Con_Printf("Crypto_UnParsePack failed\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } @@ -1175,15 +1150,18 @@ static void Crypto_KeyGen_Finished(int code, size_t length_received, unsigned ch { Con_Printf("Cannot open key_%d.d0si%s\n", keygen_i, sessionid.string); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } FS_Write(f, buf2, buf2size); FS_Close(f); + Crypto_SavePubKeyTextFile(keygen_i); + Con_Printf("Saved to key_%d.d0si%s\n", keygen_i, sessionid.string); + keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); } static void Crypto_KeyGen_f(void) @@ -1193,7 +1171,12 @@ static void Crypto_KeyGen_f(void) size_t l[1]; static char buf[8192]; static char buf2[8192]; + size_t buf2size; size_t buf2l, buf2pos; + char vabuf[1024]; + size_t len2; + qfile_t *f = NULL; + if(!d0_blind_id_dll) { Con_Print("libd0_blind_id DLL not found, this command is inactive.\n"); @@ -1204,34 +1187,98 @@ static void Crypto_KeyGen_f(void) Con_Printf("usage:\n%s id url\n", Cmd_Argv(0)); return; } - if (crypto_mutex) Thread_LockMutex(crypto_mutex); + SV_LockThreadMutex(); Crypto_LoadKeys(); i = atoi(Cmd_Argv(1)); if(!pubkeys[i]) { Con_Printf("there is no public key %d\n", i); - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); - return; - } - if(pubkeys_havepriv[i]) - { - Con_Printf("there is already a private key for %d\n", i); - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } if(keygen_i >= 0) { Con_Printf("there is already a keygen run on the way\n"); - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } keygen_i = i; - if(!qd0_blind_id_generate_private_id_start(pubkeys[keygen_i])) + + // how to START the keygenning... + if(pubkeys_havepriv[keygen_i]) { - Con_Printf("d0_blind_id_start failed\n"); - keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); - return; + if(pubkeys_havesig[keygen_i]) + { + Con_Printf("there is already a signed private key for %d\n", i); + keygen_i = -1; + SV_UnlockThreadMutex(); + return; + } + // if we get here, we only need a signature, no new keygen run needed + Con_Printf("Only need a signature for an existing key...\n"); + } + else + { + // we also need a new ID itself + if(!qd0_blind_id_generate_private_id_start(pubkeys[keygen_i])) + { + Con_Printf("d0_blind_id_start failed\n"); + keygen_i = -1; + SV_UnlockThreadMutex(); + return; + } + // verify the key we just got (just in case) + if(!qd0_blind_id_verify_private_id(pubkeys[keygen_i])) + { + Con_Printf("d0_blind_id_verify_private_id failed\n"); + keygen_i = -1; + SV_UnlockThreadMutex(); + return; + } + // we have a valid key now! + // make the rest of crypto.c know that + len2 = FP64_SIZE; + if(qd0_blind_id_fingerprint64_public_id(pubkeys[keygen_i], pubkeys_priv_fp64[keygen_i], &len2)) // keeps final NUL + { + Con_Printf("Generated private ID key_%d.d0pk (public key fingerprint: %s)\n", keygen_i, pubkeys_priv_fp64[keygen_i]); + pubkeys_havepriv[keygen_i] = true; + strlcat(crypto_idstring_buf, va(vabuf, sizeof(vabuf), " %s@%s", pubkeys_priv_fp64[keygen_i], pubkeys_fp64[keygen_i]), sizeof(crypto_idstring_buf)); + crypto_idstring = crypto_idstring_buf; + Crypto_BuildChallengeAppend(); + } + // write the key to disk + p[0] = buf; + l[0] = sizeof(buf); + if(!qd0_blind_id_write_private_id(pubkeys[keygen_i], buf, &l[0])) + { + Con_Printf("d0_blind_id_write_private_id failed\n"); + keygen_i = -1; + SV_UnlockThreadMutex(); + return; + } + if(!(buf2size = Crypto_UnParsePack(buf2, sizeof(buf2), FOURCC_D0SI, p, l, 1))) + { + Con_Printf("Crypto_UnParsePack failed\n"); + keygen_i = -1; + SV_UnlockThreadMutex(); + return; + } + + FS_CreatePath(va(vabuf, sizeof(vabuf), "%skey_%d.d0si%s", *fs_userdir ? fs_userdir : fs_basedir, keygen_i, sessionid.string)); + f = FS_SysOpen(va(vabuf, sizeof(vabuf), "%skey_%d.d0si%s", *fs_userdir ? fs_userdir : fs_basedir, keygen_i, sessionid.string), "wb", false); + if(!f) + { + Con_Printf("Cannot open key_%d.d0si%s\n", keygen_i, sessionid.string); + keygen_i = -1; + SV_UnlockThreadMutex(); + return; + } + FS_Write(f, buf2, buf2size); + FS_Close(f); + + Crypto_SavePubKeyTextFile(keygen_i); + + Con_Printf("Saved unsigned key to key_%d.d0si%s\n", keygen_i, sessionid.string); } p[0] = buf; l[0] = sizeof(buf); @@ -1239,7 +1286,7 @@ static void Crypto_KeyGen_f(void) { Con_Printf("d0_blind_id_generate_private_id_request failed\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } buf2pos = strlen(Cmd_Argv(2)); @@ -1248,14 +1295,14 @@ static void Crypto_KeyGen_f(void) { Con_Printf("Crypto_UnParsePack failed\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } if(!(buf2l = base64_encode((unsigned char *) (buf2 + buf2pos), buf2l, sizeof(buf2) - buf2pos - 1))) { Con_Printf("base64_encode failed\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } buf2l += buf2pos; @@ -1264,11 +1311,11 @@ static void Crypto_KeyGen_f(void) { Con_Printf("curl failed\n"); keygen_i = -1; - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + SV_UnlockThreadMutex(); return; } - Con_Printf("key generation in progress\n"); - if (crypto_mutex) Thread_UnlockMutex(crypto_mutex); + Con_Printf("Signature generation in progress...\n"); + SV_UnlockThreadMutex(); } // end @@ -1294,7 +1341,11 @@ static void Crypto_Keys_f(void) { Con_Printf("%2d: public key key_%d.d0pk (fingerprint: %s)\n", i, i, pubkeys_fp64[i]); if(pubkeys_havepriv[i]) + { Con_Printf(" private ID key_%d.d0si%s (public key fingerprint: %s)\n", i, sessionid.string, pubkeys_priv_fp64[i]); + if(!pubkeys_havesig[i]) + Con_Printf(" NOTE: this ID has not yet been signed!\n"); + } } } } @@ -2025,7 +2076,7 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out, { int wantserverid = -1; Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, NULL, 0, NULL); - if(!crypto || !crypto->authenticated) + if(!crypto || !crypto->authenticated) // we ALSO get here if we are using an encrypted connection, so let's rule this out { if(wantserverid >= 0) return Crypto_ClientError(data_out, len_out, "Server tried an unauthenticated connection even though a host key is present"); @@ -2034,11 +2085,33 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out, } return CRYPTO_NOMATCH; } - else if (len_in >= 1 && string[0] == 'j' && cls.connect_trying && d0_rijndael_dll && crypto_aeslevel.integer >= 3) + else if (len_in >= 1 && string[0] == 'j' && cls.connect_trying && d0_rijndael_dll) { int wantserverid = -1; Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, NULL, 0, NULL); - if(!crypto || !crypto->authenticated) + //if(!crypto || !crypto->authenticated) + { + if(wantserverid >= 0) + return Crypto_ClientError(data_out, len_out, "Server tried an unauthenticated connection even though a host key is present"); + if(crypto_aeslevel.integer >= 3) + return Crypto_ClientError(data_out, len_out, "This server requires encryption to be not required (crypto_aeslevel <= 2)"); + } + return CRYPTO_NOMATCH; + } + else if (len_in >= 5 && BuffLittleLong((unsigned char *) string) == ((int)NETFLAG_CTL | (int)len_in)) + { + int wantserverid = -1; + + // these three are harmless + if(string[4] == CCREP_SERVER_INFO) + return CRYPTO_NOMATCH; + if(string[4] == CCREP_PLAYER_INFO) + return CRYPTO_NOMATCH; + if(string[4] == CCREP_RULE_INFO) + return CRYPTO_NOMATCH; + + Crypto_RetrieveHostKey(&cls.connect_address, &wantserverid, NULL, 0, NULL, 0, NULL); + //if(!crypto || !crypto->authenticated) { if(wantserverid >= 0) return Crypto_ClientError(data_out, len_out, "Server tried an unauthenticated connection even though a host key is present");