From b23dab09fb20842485077315f3f95aff238ea40c Mon Sep 17 00:00:00 2001 From: Jeff Becker Date: Sun, 9 Sep 2018 07:23:21 -0400 Subject: [PATCH] don't overwrite our RC, hide parameter. --- Makefile | 2 +- include/llarp/dht/context.hpp | 9 +++- include/llarp/router_contact.hpp | 4 +- include/llarp/service/IntroSet.hpp | 4 +- llarp/address_info.cpp | 9 +--- llarp/dht/context.cpp | 87 +++++++++++++++++++++++++----- llarp/dht/find_router.cpp | 2 +- llarp/link/utp.cpp | 28 ++++++---- llarp/router.cpp | 38 +++++++------ llarp/router.hpp | 8 ++- llarp/router_contact.cpp | 10 ++-- 11 files changed, 136 insertions(+), 65 deletions(-) diff --git a/Makefile b/Makefile index 2b8c6a5c2..0074fad6a 100644 --- a/Makefile +++ b/Makefile @@ -97,7 +97,7 @@ shared: shared-configure testnet: cp $(EXE) $(TESTNET_EXE) mkdir -p $(TESTNET_ROOT) - python3 contrib/testnet/genconf.py --bin=$(TESTNET_EXE) --svc=$(TESTNET_SERVERS) --clients=$(TESTNET_CLIENTS) --dir=$(TESTNET_ROOT) --out $(TESTNET_CONF) + python3 contrib/testnet/genconf.py --bin=$(TESTNET_EXE) --svc=$(TESTNET_SERVERS) --clients=$(TESTNET_CLIENTS) --dir=$(TESTNET_ROOT) --out $(TESTNET_CONF) --connect=3 LLARP_DEBUG=$(TESTNET_DEBUG) supervisord -n -d $(TESTNET_ROOT) -l $(TESTNET_LOG) -c $(TESTNET_CONF) test: debug diff --git a/include/llarp/dht/context.hpp b/include/llarp/dht/context.hpp index 01f3e813e..2caed0d52 100644 --- a/include/llarp/dht/context.hpp +++ b/include/llarp/dht/context.hpp @@ -69,11 +69,15 @@ namespace llarp std::vector< V > valuesFound; TXOwner whoasked; + virtual bool + Validate(const V& value) const = 0; + void OnFound(const Key_t& askedPeer, const V& value) { peersAsked.insert(askedPeer); - valuesFound.push_back(value); + if(Validate(value)) + valuesFound.push_back(value); } virtual void @@ -116,6 +120,9 @@ namespace llarp Context(); ~Context(); + llarp_crypto* + Crypto(); + /// on behalf of whoasked request introset for target from dht router with /// key askpeer void 
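Review bot: The new pure virtual `Validate` in include/llarp/dht/context.hpp has no doc comment, although `OnFound` now silently drops any value it rejects and every lookup type's acceptance rule depends on it. I would add above the declaration `/// return true if value may be added to valuesFound for this lookup; rejected values are dropped`. `peersAsked.insert(askedPeer)` still runs for a rejected value, which looks intended but is worth stating in the same comment. The enclosing class starts outside the hunk.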
diff --git a/include/llarp/router_contact.hpp b/include/llarp/router_contact.hpp index 43df59948..c07bb96a3 100644 --- a/include/llarp/router_contact.hpp +++ b/include/llarp/router_contact.hpp @@ -33,13 +33,13 @@ namespace llarp } // advertised addresses - std::vector< AddressInfo > addrs = {}; + std::vector< AddressInfo > addrs; // public encryption public key llarp::PubKey enckey; // public signing public key llarp::PubKey pubkey; // advertised exits - std::vector< ExitInfo > exits = {}; + std::vector< ExitInfo > exits; // signature llarp::Signature signature; /// node nickname, yw kee diff --git a/include/llarp/service/IntroSet.hpp b/include/llarp/service/IntroSet.hpp index 24347b801..3020bdd1a 100644 --- a/include/llarp/service/IntroSet.hpp +++ b/include/llarp/service/IntroSet.hpp @@ -28,7 +28,7 @@ namespace llarp IntroSet() = default; - IntroSet(const IntroSet&& other) + IntroSet(IntroSet&& other) { A = std::move(other.A); I = std::move(other.I); @@ -136,4 +136,4 @@ namespace llarp } // namespace service } // namespace llarp -#endif \ No newline at end of file +#endif diff --git a/llarp/address_info.cpp b/llarp/address_info.cpp index 699827c34..b7a830582 100644 --- a/llarp/address_info.cpp +++ b/llarp/address_info.cpp @@ -75,14 +75,7 @@ namespace llarp // encryption public key if(llarp_buffer_eq(key, "e")) { - if(!bencode_read_string(buf, &strbuf)) - return false; - - if(strbuf.sz != PUBKEYSIZE) - return false; - - pubkey = strbuf.base; - return true; + return pubkey.BDecode(buf); } // ip address diff --git a/llarp/dht/context.cpp b/llarp/dht/context.cpp index 4bdf4b6cb..03bb2652f 100644 --- a/llarp/dht/context.cpp +++ b/llarp/dht/context.cpp @@ -46,6 +46,13 @@ namespace llarp { } + bool + Validate(const RouterID &) const + { + // TODO: check with lokid + return true; + } + void Start(const TXOwner &peer) { 
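Review bot: The explicit `strbuf.sz != PUBKEYSIZE` rejection for key "e" in llarp/address_info.cpp is replaced by `pubkey.BDecode(buf)`, and the hunk does not show whether BDecode enforces the same exact-length rule. This field presumably arrives from remote peers as part of an advertised address, so confirm that BDecode returns false for short or oversized strings. If it does, a comment such as `// BDecode rejects any string whose length is not PUBKEYSIZE` would keep that guarantee visible at this call. The decode function starts and ends outside the hunk.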
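Review bot: `Validate(const RouterID &)` in llarp/dht/context.cpp accepts every value, so router ids returned during exploration enter `valuesFound` unchecked, and the exploration hunk further down in this file (`@@ -70,13 +77,9`) then calls `TryEstablishTo` for each one. Until the lokid check named in the TODO exists, the responding peer decides how many lookups and connection attempts this node starts. I would make the comment say so, e.g. `// TODO: check with lokid; until then exploration results are unauthenticated`, and consider a cap on how many explored ids are acted on per reply. The enclosing class starts outside the hunk.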
@@ -70,13 +77,9 @@ namespace llarp llarp::LogInfo("got ", valuesFound.size(), " routers from exploration"); for(const auto &pk : valuesFound) { - RouterContact rc; - if(!llarp_nodedb_get_rc(parent->router->nodedb, pk, rc)) - { - // try connecting to it we don't know it - // this triggers a dht lookup - parent->router->TryEstablishTo(pk); - } + // try connecting to it we don't know it + // this triggers a dht lookup + parent->router->TryEstablishTo(pk); } } }; @@ -192,7 +195,7 @@ namespace llarp { // we are the target, give them our RC replies.emplace_back( - new GotRouterMessage(requester, txid, {router->rc}, false)); + new GotRouterMessage(requester, txid, {router->rc()}, false)); return; } Key_t next; @@ -322,6 +325,23 @@ namespace llarp peersAsked.insert(ctx->OurKey()); } + bool + Validate(const service::IntroSet &value) const + { + if(!value.VerifySignature(parent->Crypto())) + { + llarp::LogWarn( + "Got introset with invalid signature from service lookup"); + return false; + } + if(value.A.Addr() != target) + { + llarp::LogWarn("got introset with wrong target from service lookup"); + return false; + } + return true; + } + void DoNextRequest(const Key_t &nextPeer) { @@ -444,6 +464,18 @@ namespace llarp { } + bool + Validate(const service::IntroSet &introset) const + { + if(I.A != introset.A) + { + llarp::LogWarn( + "publish introset acknoledgement acked a different service"); + return false; + } + return true; + } + void Start(const TXOwner &peer) { @@ -522,6 +554,22 @@ namespace llarp { } + bool + Validate(const service::IntroSet &introset) const + { + if(!introset.VerifySignature(parent->Crypto())) + { + llarp::LogWarn("got introset from tag lookup with invalid signature"); + return false; + } + if(introset.topic != target) + { + llarp::LogWarn("got introset with missmatched topic in tag lookup"); + return false; + } + return true; + } + void Start(const TXOwner &peer) { 
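Review bot: The comment kept above `parent->router->TryEstablishTo(pk);` no longer matches the loop, because the `llarp_nodedb_get_rc` test that made it true was removed and the call now runs for every id in `valuesFound`. Reword it to describe the new behaviour, for example `// try establishing to every explored router; TryEstablishTo does the dht lookup when the RC is unknown`. That wording assumes TryEstablishTo consults nodedb itself, which the router.cpp hunk at `@@ -364,6 +365,7` suggests but does not fully show.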
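Review bot: The `Validate` added for the publish acknowledgement (`@@ -444,6 +464,18`) compares only `I.A` with `introset.A` and never calls `VerifySignature`, unlike the service-lookup and tag-lookup validators added in the same commit. If the acknowledged introset is used for anything beyond counting the ack, add `if(!introset.VerifySignature(parent->Crypto())) return false;` before the comparison. Otherwise a comment stating that only the service identity matters here would explain the difference. The log text also misspells "acknowledgement".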
@@ -611,6 +659,17 @@ namespace llarp peersAsked.insert(ctx->OurKey()); } + bool + Validate(const RouterContact &rc) const + { + if(!rc.VerifySignature(parent->Crypto())) + { + llarp::LogWarn("rc has invalid signature from lookup result"); + return false; + } + return true; + } + bool GetNextPeer(Key_t &next, const std::set< Key_t > &exclude) { @@ -631,12 +690,6 @@ namespace llarp new FindRouterMessage(parent->OurKey(), target, peer.txid)); } - void - SendTo(const Key_t &peer, IMessage *msg) const - { - return parent->DHTSendTo(peer, msg); - } - virtual void SendReply() { @@ -717,5 +770,11 @@ namespace llarp tx->Start(peer); } + llarp_crypto * + Context::Crypto() + { + return &router->crypto; + } + } // namespace dht } // namespace llarp diff --git a/llarp/dht/find_router.cpp b/llarp/dht/find_router.cpp index 74fb63d24..28e31a3b2 100644 --- a/llarp/dht/find_router.cpp +++ b/llarp/dht/find_router.cpp @@ -22,7 +22,7 @@ namespace llarp if(path) { replies.emplace_back( - new GotRouterMessage(K.data(), txid, {dht.router->rc}, false)); + new GotRouterMessage(K.data(), txid, {dht.router->rc()}, false)); return true; } return false; diff --git a/llarp/link/utp.cpp b/llarp/link/utp.cpp index db6f95b50..a2f1d54d9 100644 --- a/llarp/link/utp.cpp +++ b/llarp/link/utp.cpp @@ -167,14 +167,12 @@ namespace llarp OutboundLinkEstablished(LinkLayer* p) { OnLinkEstablished(p); - KeyExchangeNonce nonce; - nonce.Randomize(); - OutboundHandshake(nonce); + OutboundHandshake(); } // send first message void - OutboundHandshake(const KeyExchangeNonce& n); + OutboundHandshake(); // mix keys bool @@ -561,7 +559,7 @@ namespace llarp : BaseSession(p) { p->router->crypto.shorthash(sessionKey, - ConstBuffer(p->router->rc.pubkey)); + InitBuffer(p->router->pubkey(), PUBKEYSIZE)); remoteRC.Clear(); sock = s; assert(s == sock); 
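Review bot: `Validate(const RouterContact &rc)` checks only that the RC is correctly signed, not that it belongs to the router that was looked up, so a validly signed RC for a different router passes. The service-lookup validator in this commit rejects a mismatched target with `value.A.Addr() != target`; the equivalent check is missing here, along the lines of `if(rc.pubkey != target) return false;` with a LogWarn, assuming `target` is the requested router id as the FindRouterMessage call in the next hunk suggests. This matters more now that `HandleDHTLookupForTryEstablishTo` in router.cpp (`@@ -377,7 +379,10`) stores and connects to every result without `async_verify_RC`. The enclosing class starts outside the hunk.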
@@ -602,16 +600,24 @@ namespace llarp } void - BaseSession::OutboundHandshake(const KeyExchangeNonce& n) + BaseSession::OutboundHandshake() { + // set session key Router()->crypto.shorthash(sessionKey, ConstBuffer(remoteRC.pubkey)); byte_t tmp[LinkIntroMessage::MaxSize]; auto buf = StackBuffer< decltype(tmp) >(tmp); + // build our RC LinkIntroMessage msg; - msg.rc = Router()->rc; - msg.N = n; - msg.P = DefaultLinkSessionLifetime; + msg.rc = Router()->rc(); + if(!msg.rc.VerifySignature(&Router()->crypto)) + { + llarp::LogError("our RC is invalid? closing session to", remoteAddr); + Close(); + return; + } + msg.N.Randomize(); + msg.P = DefaultLinkSessionLifetime; if(!msg.Sign(&Router()->crypto, Router()->identity)) { llarp::LogError("failed to sign LIM for outbound handshake to ", @@ -643,9 +649,9 @@ namespace llarp llarp::LogError("failed to mix keys for outbound session to ", remoteAddr); Close(); + return; } - else - EnterState(eSessionReady); + EnterState(eSessionReady); } llarp_router* diff --git a/llarp/router.cpp b/llarp/router.cpp index 8847f79b3..47c22c187 100644 --- a/llarp/router.cpp +++ b/llarp/router.cpp @@ -93,7 +93,7 @@ llarp_router_try_connect(struct llarp_router *router, std::make_unique< TryConnectJob >(remote, link, numretries, router))); TryConnectJob *job = itr.first->second.get(); // try establishing async - job->Attempt(); + llarp_logic_queue_job(router->logic, {job, &on_try_connecting}); return true; } @@ -175,11 +175,12 @@ llarp_router::SendToOrQueue(const llarp::RouterID &remote, q.emplace(buf.sz); memcpy(q.back().data(), buf.base, buf.sz); + llarp::RouterContact remoteRC; // we don't have an open session to that router right now - if(llarp_nodedb_get_rc(nodedb, remote, rc)) + if(llarp_nodedb_get_rc(nodedb, remote, remoteRC)) { // try connecting directly as the rc is loaded from disk - llarp_router_try_connect(this, rc, 10); + llarp_router_try_connect(this, remoteRC, 10); return true; } 
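Review bot: The new error message in `BaseSession::OutboundHandshake` lacks the trailing space that the neighbouring messages have, so the address is printed fused to the text; it should read `llarp::LogError("our RC is invalid? closing session to ", remoteAddr);`. A short comment on why our own RC is re-verified on every outbound handshake would also help, e.g. `// never send an RC that we cannot verify ourselves`.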
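Review bot: In `llarp_router_try_connect` (`@@ -93,7 +93,7`), `job` is a raw pointer taken from the `unique_ptr` stored in the map (`itr.first->second.get()`), and it is now handed to `llarp_logic_queue_job` instead of being used immediately, so it must stay alive until the logic thread runs `on_try_connecting`. If anything can erase that map entry in between, which is not visible here, the queued callback would run on freed memory. Please confirm the entry cannot be removed before the job runs, or document the rule at the call, e.g. `// job is owned by the map and must outlive the queued callback`. The function starts outside the hunk.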
@@ -264,13 +265,13 @@ bool llarp_router::SaveRC() { llarp::LogDebug("verify RC signature"); - if(!rc.VerifySignature(&crypto)) + if(!rc().VerifySignature(&crypto)) { - rc.Dump< MAX_RC_SIZE >(); + rc().Dump< MAX_RC_SIZE >(); llarp::LogError("RC has bad signature not saving"); return false; } - return rc.Write(our_rc_file.string().c_str()); + return rc().Write(our_rc_file.string().c_str()); } void @@ -364,6 +365,7 @@ llarp_router::TryEstablishTo(const llarp::RouterID &remote) } else { + llarp::LogInfo("looking up router ", remote); // dht lookup as we don't know it dht->impl.LookupRouter( remote, @@ -377,7 +379,10 @@ llarp_router::HandleDHTLookupForTryEstablishTo( const std::vector< llarp::RouterContact > &results) { for(const auto &result : results) - async_verify_RC(result); + { + llarp_nodedb_put_rc(nodedb, result); + llarp_router_try_connect(this, result, 10); + } } size_t @@ -614,7 +619,7 @@ llarp_router::Run() if(!a.isPrivate()) { llarp::LogInfo("Loading Addr: ", a, " into our RC"); - rc.addrs.push_back(addr); + _rc.addrs.push_back(addr); } }; if(this->publicOverride) 
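Review bot: In `HandleDHTLookupForTryEstablishTo` (`@@ -377,7 +379,10`), `llarp_nodedb_put_rc(nodedb, result)` persists each looked-up RC before any session to that router has been established, and whatever it returns is ignored. Storing the RC only once the connection succeeds, or at least skipping `llarp_router_try_connect` when the store fails, would keep entries that never worked out of nodedb; whether put_rc reports failure is not visible in this hunk. A comment noting that verification now happens in the DHT lookup's `Validate` rather than through `async_verify_RC` would also explain the removed call. The function's signature starts outside the hunk.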
@@ -640,19 +645,18 @@ llarp_router::Run() this->addrInfo.ip = *publicAddr.addr6(); this->addrInfo.port = publicAddr.port(); llarp::LogInfo("Loaded our public ", publicAddr, " override into RC!"); - // we need the link to set the pubkey - rc.addrs.push_back(this->addrInfo); + _rc.addrs.push_back(this->addrInfo); } } // set public encryption key - rc.enckey = llarp::seckey_topublic(encryption); - llarp::LogInfo("Your Encryption pubkey ", rc.enckey); + _rc.enckey = llarp::seckey_topublic(encryption); + llarp::LogInfo("Your Encryption pubkey ", rc().enckey); // set public signing key - rc.pubkey = llarp::seckey_topublic(identity); - llarp::LogInfo("Your Identity pubkey ", rc.pubkey); + _rc.pubkey = llarp::seckey_topublic(identity); + llarp::LogInfo("Your Identity pubkey ", rc().pubkey); llarp::LogInfo("Signing rc..."); - if(!rc.Sign(&crypto, identity)) + if(!_rc.Sign(&crypto, identity)) { llarp::LogError("failed to sign rc"); return; @@ -971,9 +975,9 @@ namespace llarp { if(StrEq(key, "nickname")) { - self->rc.SetNick(val); + self->_rc.SetNick(val); // set logger name here - _glog.nodeName = self->rc.Nick(); + _glog.nodeName = self->rc().Nick(); } if(StrEq(key, "encryption-privkey")) { diff --git a/llarp/router.hpp b/llarp/router.hpp index 5d74aa061..e47dea373 100644 --- a/llarp/router.hpp +++ b/llarp/router.hpp @@ -47,7 +47,13 @@ struct llarp_router fs::path our_rc_file = "rc.signed"; // our router contact - llarp::RouterContact rc; + llarp::RouterContact _rc; + + const llarp::RouterContact & + rc() const + { + return _rc; + } // our ipv4 public setting bool publicOverride = false; diff --git a/llarp/router_contact.cpp b/llarp/router_contact.cpp index 32535fa4d..19c18e7a8 100644 --- a/llarp/router_contact.cpp +++ b/llarp/router_contact.cpp 
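Review bot: In llarp/router.hpp, `_rc` is still a public member of `llarp_router`, so the const `rc()` accessor documents intent but does not stop other code from writing to the contact, as `self->_rc.SetNick(val)` in router.cpp still does. If making the member private is not practical for this struct, add a comment on it such as `// our router contact; mutate only during configuration and Run(), before it is signed`, so that later writes which would invalidate the signature stand out in review. The struct begins and ends outside the hunk.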
@@ -223,13 +223,9 @@ namespace llarp RouterContact & RouterContact::operator=(const RouterContact &other) { - addrs.clear(); - exits.clear(); - addrs = other.addrs; - exits = other.exits; - - signature = other.signature; - + addrs = other.addrs; + exits = other.exits; + signature = other.signature; last_updated = other.last_updated; enckey = other.enckey; pubkey = other.pubkey;