From 9e54c978a5227679a05f987ef37274b3ad976493 Mon Sep 17 00:00:00 2001 From: divverent Date: Tue, 13 Mar 2012 06:44:51 +0000 Subject: [PATCH] fix an unlikely crypto downgrade attack found during audit if DP3 and earlier protocols are active, a malicious client may intervene during connect with an authenticated player's connect and downgrade to unauthenticated NQ protocol git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@11758 d7cf8633-e32d-0410-b094-e92efae38249 ::stable-branch::merge=f8174044991f4ebf3a877716ef116e99e45916d6 --- netconn.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/netconn.c b/netconn.c index 2147926f..eaf5dbd6 100755 --- a/netconn.c +++ b/netconn.c @@ -3183,6 +3183,22 @@ static int NetConn_ServerParsePacket(lhnetsocket_t *mysocket, unsigned char *dat // or coming back from a timeout // (if so, keep their stuff intact) + crypto_t *crypto = Crypto_ServerGetInstance(peeraddress); + if((crypto && crypto->authenticated) || client->netconnection->crypto.authenticated) + { + if (developer_extra.integer) + Con_Printf("Datagram_ParseConnectionless: sending CCREP_REJECT \"Attempt to downgrade crypto.\" to %s.\n", addressstring2); + SZ_Clear(&sv_message); + // save space for the header, filled in later + MSG_WriteLong(&sv_message, 0); + MSG_WriteByte(&sv_message, CCREP_REJECT); + MSG_WriteString(&sv_message, "Attempt to downgrade crypto.\n"); + StoreBigLong(sv_message.data, NETFLAG_CTL | (sv_message.cursize & NETFLAG_LENGTH_MASK)); + NetConn_Write(mysocket, sv_message.data, sv_message.cursize, peeraddress); + SZ_Clear(&sv_message); + return true; + } + // send a reply if (developer_extra.integer) Con_DPrintf("Datagram_ParseConnectionless: sending duplicate CCREP_ACCEPT to %s.\n", addressstring2); -- 2.39.2