R5Reloaded/r5sdk
1
0
Fork 0
mirror of https://github.com/Mauler125/r5sdk.git synced 2025-02-09 19:15:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use SHA256 for password comparison

Browse Source 
Put debug logging under cvar to avoid abusing by attempting to slow down server.
This commit is contained in:
Amos 2022-02-14 03:02:38 +01:00
parent 04be5e0e64
commit 976e8d9a41
6 changed files with 47 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
r5dev/engine/sv_rcon.cpp
View File

@ -41,6 +41,7 @@ void CRConServer::Init(void)
m_pAdr2 = new CNetAdr2(rcon_address->GetString(), hostport->GetString());
m_pSocket->CreateListenSocket(*m_pAdr2, false);
m_svPasswordHash = sha256(rcon_password->GetString());
DevMsg(eDLL_T::SERVER, "Remote server access initialized\n");
m_bInitialized = true;
@ -233,8 +234,8 @@ void CRConServer::Authenticate(const cl_rcon::request& cl_request, CConnectedNet
}
else if (strcmp(cl_request.requestbuf().c_str(), "PASS") == 0)
{
if (strcmp(cl_request.requestval().c_str(), rcon_password->GetString()) == 0)
{// TODO: Hash and compare password with SHA256 instead!
if (this->Comparator(cl_request.requestval()))
{
pData->m_bAuthorized = true;
m_pSocket->CloseListenSocket();
this->CloseNonAuthConnection();
@ -242,9 +243,12 @@ void CRConServer::Authenticate(const cl_rcon::request& cl_request, CConnectedNet
else // Bad password.
{
CNetAdr2 netAdr2 = m_pSocket->GetAcceptedSocketAddress(m_nConnIndex);
DevMsg(eDLL_T::SERVER, "Bad RCON password attempt from '%s'\n", netAdr2.GetIPAndPort().c_str());
if (sv_rcon_debug->GetBool())
{
DevMsg(eDLL_T::SERVER, "Bad RCON password attempt from '%s'\n", netAdr2.GetIPAndPort().c_str());
}
std::string svWrongPass = this->Serialize(s_pszBannedMessage, "", sv_rcon::response_t::SERVERDATA_RESPONSE_AUTH);
std::string svWrongPass = this->Serialize(s_pszWrongPwMessage, "", sv_rcon::response_t::SERVERDATA_RESPONSE_AUTH);
::send(pData->m_hSocket, svWrongPass.c_str(), static_cast<int>(svWrongPass.size()), MSG_NOSIGNAL);
pData->m_bAuthorized = false;
@ -253,6 +257,28 @@ void CRConServer::Authenticate(const cl_rcon::request& cl_request, CConnectedNet
}
}
//-----------------------------------------------------------------------------
// Purpose: sha256 hashed password comparison
// Input : *svCompare -
// Output : true if matches, false otherwise
//-----------------------------------------------------------------------------
bool CRConServer::Comparator(std::string svPassword) const
{
svPassword = sha256(svPassword);
if (sv_rcon_debug->GetBool())
{
DevMsg(eDLL_T::SERVER, "+---------------------------------------------------------------------------+\n");
DevMsg(eDLL_T::SERVER, "] Server: '%s'[\n", m_svPasswordHash.c_str());
DevMsg(eDLL_T::SERVER, "] Client: '%s'[\n", svPassword.c_str());
DevMsg(eDLL_T::SERVER, "+---------------------------------------------------------------------------+\n");
}
if (memcmp(svPassword.c_str(), m_svPasswordHash.c_str(), SHA256::DIGEST_SIZE) == 0)
{
return true;
}
return false;
}
//-----------------------------------------------------------------------------
// Purpose: handles input command buffer
// Input : *pszIn -

4
r5dev/engine/sv_rcon.h
View File

@ -12,8 +12,8 @@ class CRConServer
{
public:
void Init(void);
void Think(void);
void Think(void);
void RunFrame(void);
void Send(const std::string& svMessage) const;
@ -23,6 +23,7 @@ public:
cl_rcon::request Deserialize(const std::string& svBuf) const;
void Authenticate(const cl_rcon::request& cl_request, CConnectedNetConsoleData* pData);
bool Comparator(std::string svPassword) const;
void ProcessBuffer(const char* pszIn, int nRecvLen, CConnectedNetConsoleData* pData);
void ProcessMessage(const cl_rcon::request& cl_request);
@ -40,5 +41,6 @@ private:
CNetAdr2* m_pAdr2 = new CNetAdr2();
CSocketCreator* m_pSocket = new CSocketCreator();
std::vector<std::string> m_vBannedAddress;
std::string m_svPasswordHash;
};
extern CRConServer* g_pRConServer;

11
r5dev/mathlib/sha256.cpp
View File

@ -27,8 +27,8 @@ void SHA256::transform(const unsigned char *message, unsigned int block_nb)
const unsigned char *sub_block;
int i;
int j;
for (i = 0; i < (int) block_nb; i++) {
sub_block = message + (i << 6);
for (i = 0; i < static_cast<int>(block_nb); i++) {
sub_block = message + (static_cast<uint64>(i) << 6);
for (j = 0; j < 16; j++) {
SHA2_PACK32(&sub_block[j << 2], &w[j]);
}
@ -104,7 +104,7 @@ void SHA256::final(unsigned char *digest)
< (m_len % SHA224_256_BLOCK_SIZE)));
len_b = (m_tot_len + m_len) << 3;
pm_len = block_nb << 6;
memset(m_block + m_len, 0, pm_len - m_len);
memset(m_block + m_len, '\0', static_cast<size_t>(pm_len) - m_len);
m_block[m_len] = 0x80;
SHA2_UNPACK32(len_b, m_block + pm_len - 4);
transform(m_block, block_nb);
@ -116,11 +116,12 @@ void SHA256::final(unsigned char *digest)
std::string sha256(std::string input)
{
unsigned char digest[SHA256::DIGEST_SIZE];
memset(digest,0,SHA256::DIGEST_SIZE);
memset(digest, '\0', SHA256::DIGEST_SIZE);
SHA256 ctx = SHA256();
ctx.init();
ctx.update( (unsigned char*)input.c_str(), input.length());
ctx.update(const_cast<unsigned char*>
(reinterpret_cast<const unsigned char*>(input.c_str())), input.length());
ctx.final(digest);
char buf[2*SHA256::DIGEST_SIZE+1]{};

11
r5dev/tier0/IConVar.cpp
View File

@ -55,18 +55,19 @@ void ConVar::Init(void)
r_debug_overlay_nodecay = new ConVar("r_debug_overlay_nodecay", "0", FCVAR_DEVELOPMENTONLY | FCVAR_CHEAT, "Keeps all debug overlays alive regardless of their lifetime. Use command 'clear_debug_overlays' to clear everything.", false, 0.f, false, 0.f, nullptr, nullptr);
// TODO: RconPasswordChanged_f
rcon_address = new ConVar("rcon_address", "::", FCVAR_SERVER_CANNOT_QUERY | FCVAR_DONTRECORD | FCVAR_RELEASE, "Remote console address.", false, 0.f, false, 0.f, nullptr, nullptr);
rcon_password = new ConVar("rcon_password", "", FCVAR_SERVER_CANNOT_QUERY | FCVAR_DONTRECORD | FCVAR_RELEASE, "Remote console password, RCON is disabled if empty.", false, 0.f, false, 0.f, nullptr, nullptr);
rcon_address = new ConVar("rcon_address", "::", FCVAR_SERVER_CANNOT_QUERY | FCVAR_DONTRECORD | FCVAR_RELEASE, "Remote server access address.", false, 0.f, false, 0.f, nullptr, nullptr);
rcon_password = new ConVar("rcon_password", "", FCVAR_SERVER_CANNOT_QUERY | FCVAR_DONTRECORD | FCVAR_RELEASE, "Remote server access password (rcon is disabled if empty).", false, 0.f, false, 0.f, nullptr, nullptr);
//-------------------------------------------------------------------------
// SERVER |
sv_showconnecting = new ConVar("sv_showconnecting", "1", FCVAR_RELEASE, "Logs information about the connecting client to the console.", false, 0.f, false, 0.f, nullptr, nullptr);
sv_pylonvisibility = new ConVar("sv_pylonvisibility", "0", FCVAR_RELEASE, "Determines the visiblity to the Pylon Master Server, 0 = Not visible, 1 = Visible, 2 = Hidden BUG BUG: not implemented yet.", false, 0.f, false, 0.f, nullptr, nullptr);
#ifdef DEDICATED
sv_rcon_banpenalty = new ConVar("sv_rcon_banpenalty", "10", FCVAR_RELEASE, "Number of minutes to ban users who fail rcon authentication.", false, 0.f, false, 0.f, nullptr, nullptr);
sv_rcon_debug = new ConVar("sv_rcon_debug", "0", FCVAR_RELEASE, "Show rcon debug information ( !slower! ).", false, 0.f, false, 0.f, nullptr, nullptr);
sv_rcon_banpenalty = new ConVar("sv_rcon_banpenalty", "10", FCVAR_RELEASE, "Number of minutes to ban users who fail rcon authentication.", false, 0.f, false, 0.f, nullptr, nullptr);
sv_rcon_maxfailures = new ConVar("sv_rcon_maxfailures", "10", FCVAR_RELEASE, "Max number of times a user can fail rcon authentication before being banned.", false, 0.f, false, 0.f, nullptr, nullptr);
sv_rcon_maxignores = new ConVar("sv_rcon_maxignores", "10", FCVAR_RELEASE, "Max number of times a user can ignore the no-auth message before being banned.", false, 0.f, false, 0.f, nullptr, nullptr);
sv_rcon_maxsockets = new ConVar("sv_rcon_maxsockets", "32", FCVAR_RELEASE, "Max number of accepted sockets before the server starts closing redundant sockets.", false, 0.f, false, 0.f, nullptr, nullptr);
sv_rcon_maxignores = new ConVar("sv_rcon_maxignores", "10", FCVAR_RELEASE, "Max number of times a user can ignore the no-auth message before being banned.", false, 0.f, false, 0.f, nullptr, nullptr);
sv_rcon_maxsockets = new ConVar("sv_rcon_maxsockets", "32", FCVAR_RELEASE, "Max number of accepted sockets before the server starts closing redundant sockets.", false, 0.f, false, 0.f, nullptr, nullptr);
sv_rcon_whitelist_address = new ConVar("sv_rcon_whitelist_address", "", FCVAR_RELEASE, "When set, rcon failed authentications will never ban this address, e.g. '127.0.0.1'.", false, 0.f, false, 0.f, nullptr, nullptr);
#endif // DEDICATED
//-------------------------------------------------------------------------

1
r5dev/tier0/cvar.cpp
View File

@ -18,6 +18,7 @@ ConVar* sv_showconnecting = new ConVar();
ConVar* sv_pylonvisibility = new ConVar();
#ifdef DEDICATED
ConVar* sv_rcon_debug = new ConVar();
ConVar* sv_rcon_banpenalty = new ConVar(); // TODO
ConVar* sv_rcon_maxfailures = new ConVar();
ConVar* sv_rcon_maxignores = new ConVar();

1
r5dev/tier0/cvar.h
View File

@ -29,6 +29,7 @@ extern ConVar* rcon_password;
extern ConVar* sv_showconnecting;
extern ConVar* sv_pylonvisibility;
#ifdef DEDICATED
extern ConVar* sv_rcon_debug;
extern ConVar* sv_rcon_banpenalty;
extern ConVar* sv_rcon_maxfailures;
extern ConVar* sv_rcon_maxignores;