From f8174044991f4ebf3a877716ef116e99e45916d6 Mon Sep 17 00:00:00 2001
From: divverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Date: Tue, 13 Mar 2012 06:44:51 +0000
Subject: [PATCH] fix an unlikely crypto downgrade attack found during audit

if DP3 and earlier protocols are active, a malicious client may intervene
during connect with an authenticated player's connect and downgrade to
unauthenticated NQ protocol

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@11758 d7cf8633-e32d-0410-b094-e92efae38249
---
 netconn.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/netconn.c b/netconn.c
index 2147926f..eaf5dbd6 100755
--- a/netconn.c
+++ b/netconn.c
@@ -3183,6 +3183,22 @@ static int NetConn_ServerParsePacket(lhnetsocket_t *mysocket, unsigned char *dat
 					// or coming back from a timeout
 					// (if so, keep their stuff intact)
 
+					crypto_t *crypto = Crypto_ServerGetInstance(peeraddress);
+					if((crypto && crypto->authenticated) || client->netconnection->crypto.authenticated)
+					{
+						if (developer_extra.integer)
+							Con_Printf("Datagram_ParseConnectionless: sending CCREP_REJECT \"Attempt to downgrade crypto.\" to %s.\n", addressstring2);
+						SZ_Clear(&sv_message);
+						// save space for the header, filled in later
+						MSG_WriteLong(&sv_message, 0);
+						MSG_WriteByte(&sv_message, CCREP_REJECT);
+						MSG_WriteString(&sv_message, "Attempt to downgrade crypto.\n");
+						StoreBigLong(sv_message.data, NETFLAG_CTL | (sv_message.cursize & NETFLAG_LENGTH_MASK));
+						NetConn_Write(mysocket, sv_message.data, sv_message.cursize, peeraddress);
+						SZ_Clear(&sv_message);
+						return true;
+					}
+
 					// send a reply
 					if (developer_extra.integer)
 						Con_DPrintf("Datagram_ParseConnectionless: sending duplicate CCREP_ACCEPT to %s.\n", addressstring2);
-- 
2.39.2