switch from rsDht to rsBanList to decide on adding friend IP

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@8328 b45a01b8-16f6-495d-af2f-9b41ad6348cc
csoler 2015-05-31 19:52:51 +00:00
parent db40002dda
commit e65785e1bc
6 changed files with 109 additions and 92 deletions


@ -48,6 +48,7 @@ const int p3connectzone = 3431;
#include "retroshare/rsiface.h" #include "retroshare/rsiface.h"
#include "retroshare/rspeers.h" #include "retroshare/rspeers.h"
#include "retroshare/rsdht.h" #include "retroshare/rsdht.h"
#include "retroshare/rsbanlist.h"
/* Network setup States */ /* Network setup States */
@ -146,7 +147,7 @@ p3LinkMgrIMPL::p3LinkMgrIMPL(p3PeerMgrIMPL *peerMgr, p3NetMgrIMPL *netMgr)
struct sockaddr_storage bip; struct sockaddr_storage bip;
sockaddr_storage_clear(bip); sockaddr_storage_clear(bip);
struct sockaddr_in *addr = (struct sockaddr_in *) &bip; struct sockaddr_in *addr = (struct sockaddr_in *) &bip;
addr->sin_family = AF_INET; addr->sin_family = AF_INET;
addr->sin_addr.s_addr = 1; addr->sin_addr.s_addr = 1;
addr->sin_port = htons(0); addr->sin_port = htons(0);
@ -1726,10 +1727,7 @@ bool p3LinkMgrIMPL::locked_CheckPotentialAddr(const struct sockaddr_storage &ad
return false; return false;
} }
/* if it is on the ban list - ignore */ std::list<struct sockaddr_storage>::const_iterator it;
/* checks - is it the dreaded 1.0.0.0 */
std::list<struct sockaddr_storage>::const_iterator it;
for(it = mBannedIpList.begin(); it != mBannedIpList.end(); ++it) for(it = mBannedIpList.begin(); it != mBannedIpList.end(); ++it)
{ {
#ifdef LINKMGR_DEBUG #ifdef LINKMGR_DEBUG
@ -1746,14 +1744,13 @@ bool p3LinkMgrIMPL::locked_CheckPotentialAddr(const struct sockaddr_storage &ad
} }
} }
if(rsDht != NULL && rsDht->isAddressBanned(addr)) if(rsBanList != NULL && !rsBanList->isAddressAccepted(addr, RSBANLIST_CHECKING_FLAGS_BLACKLIST))
{ {
#ifdef LINKMGR_DEBUG #ifdef LINKMGR_DEBUG
std::cerr << "p3LinkMgrIMPL::locked_CheckPotentialAddr() adding to local Banned IPList"; std::cerr << "p3LinkMgrIMPL::locked_CheckPotentialAddr() adding to local Banned IPList";
std::cerr << std::endl; std::cerr << std::endl;
#endif #endif
mBannedIpList.push_back(addr) ; return false ;
return false ;
} }
/* if it is an external address, we'll accept it. /* if it is an external address, we'll accept it.
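Review bot: The debug message under `#ifdef LINKMGR_DEBUG` still says "adding to local Banned IPList", but the new branch no longer pushes into mBannedIpList (the push_back was removed), so the text now misdescribes what happens; change it to `std::cerr << "p3LinkMgrIMPL::locked_CheckPotentialAddr() address rejected by rsBanList blacklist";`. The `rsBanList != NULL` guard also makes a missing ban list fail open (the address is accepted), whereas the new call sites in p3PeerMgrIMPL::UpdateOwnAddress and in pqissl (Authorise_SSL_Connection, accept_locked) dereference rsBanList unconditionally — pick one convention, and if NULL is a legitimate state here, log it so a silently skipped check is visible. With the DHT-fed cache gone, the loop over mBannedIpList above appears to be populated only from elsewhere, if at all; worth confirming it is still fed. locked_CheckPotentialAddr starts and ends outside the hunk.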


@ -987,83 +987,81 @@ void p3PeerMgrIMPL::printPeerLists(std::ostream &out)
bool p3PeerMgrIMPL::UpdateOwnAddress(const struct sockaddr_storage &localAddr, const struct sockaddr_storage &extAddr) bool p3PeerMgrIMPL::UpdateOwnAddress(const struct sockaddr_storage &localAddr, const struct sockaddr_storage &extAddr)
{ {
#ifdef PEER_DEBUG #ifdef PEER_DEBUG
std::cerr << "p3PeerMgrIMPL::UpdateOwnAddress("; std::cerr << "p3PeerMgrIMPL::UpdateOwnAddress(";
std::cerr << sockaddr_storage_tostring(localAddr); std::cerr << sockaddr_storage_tostring(localAddr);
std::cerr << ", "; std::cerr << ", ";
std::cerr << sockaddr_storage_tostring(extAddr); std::cerr << sockaddr_storage_tostring(extAddr);
std::cerr << ")" << std::endl; std::cerr << ")" << std::endl;
#endif #endif
uint32_t banlist_response ; if(!rsBanList->isAddressAccepted(localAddr, RSBANLIST_CHECKING_FLAGS_BLACKLIST))
if(!rsBanList->isAddressAccepted(localAddr, RSBANLIST_CHECKING_FLAGS_BLACKLIST, banlist_response))
{ {
std::cerr << "(SS) Trying to set own IP to a banned IP " << sockaddr_storage_iptostring(localAddr) << ". Attack?" << std::endl; std::cerr << "(SS) Trying to set own IP to a banned IP " << sockaddr_storage_iptostring(localAddr) << ". This probably means that a friend in under traffic re-routing attack." << std::endl;
return false ; return false ;
} }
{ {
RsStackMutex stack(mPeerMtx); /****** STACK LOCK MUTEX *******/ RsStackMutex stack(mPeerMtx); /****** STACK LOCK MUTEX *******/
//update ip address list //update ip address list
pqiIpAddress ipAddressTimed; pqiIpAddress ipAddressTimed;
ipAddressTimed.mAddr = localAddr; ipAddressTimed.mAddr = localAddr;
ipAddressTimed.mSeenTime = time(NULL); ipAddressTimed.mSeenTime = time(NULL);
ipAddressTimed.mSrc = 0 ; ipAddressTimed.mSrc = 0 ;
mOwnState.ipAddrs.updateLocalAddrs(ipAddressTimed); mOwnState.ipAddrs.updateLocalAddrs(ipAddressTimed);
mOwnState.localaddr = localAddr; mOwnState.localaddr = localAddr;
} }
{ {
RsStackMutex stack(mPeerMtx); /****** STACK LOCK MUTEX *******/ RsStackMutex stack(mPeerMtx); /****** STACK LOCK MUTEX *******/
//update ip address list //update ip address list
pqiIpAddress ipAddressTimed; pqiIpAddress ipAddressTimed;
ipAddressTimed.mAddr = extAddr; ipAddressTimed.mAddr = extAddr;
ipAddressTimed.mSeenTime = time(NULL); ipAddressTimed.mSeenTime = time(NULL);
ipAddressTimed.mSrc = 0 ; ipAddressTimed.mSrc = 0 ;
mOwnState.ipAddrs.updateExtAddrs(ipAddressTimed); mOwnState.ipAddrs.updateExtAddrs(ipAddressTimed);
/* Attempted Fix to MANUAL FORWARD Mode.... /* Attempted Fix to MANUAL FORWARD Mode....
* don't update the server address - if we are in this mode * don't update the server address - if we are in this mode
* *
* It is okay - if they get it wrong, as we put the address in the address list anyway. * It is okay - if they get it wrong, as we put the address in the address list anyway.
* This should keep people happy, and allow for misconfiguration! * This should keep people happy, and allow for misconfiguration!
*/ */
if (mOwnState.netMode & RS_NET_MODE_TRY_EXT) if (mOwnState.netMode & RS_NET_MODE_TRY_EXT)
{ {
/**** THIS CASE SHOULD NOT BE TRIGGERED ****/ /**** THIS CASE SHOULD NOT BE TRIGGERED ****/
std::cerr << "p3PeerMgrIMPL::UpdateOwnAddress() Disabling Update of Server Port "; std::cerr << "p3PeerMgrIMPL::UpdateOwnAddress() Disabling Update of Server Port ";
std::cerr << " as MANUAL FORWARD Mode (ERROR - SHOULD NOT BE TRIGGERED: TRY_EXT_MODE)"; std::cerr << " as MANUAL FORWARD Mode (ERROR - SHOULD NOT BE TRIGGERED: TRY_EXT_MODE)";
std::cerr << std::endl; std::cerr << std::endl;
std::cerr << "Address is Now: "; std::cerr << "Address is Now: ";
std::cerr << sockaddr_storage_tostring(mOwnState.serveraddr); std::cerr << sockaddr_storage_tostring(mOwnState.serveraddr);
std::cerr << std::endl; std::cerr << std::endl;
} }
else if (mOwnState.netMode & RS_NET_MODE_EXT) else if (mOwnState.netMode & RS_NET_MODE_EXT)
{ {
sockaddr_storage_copyip(mOwnState.serveraddr,extAddr); sockaddr_storage_copyip(mOwnState.serveraddr,extAddr);
std::cerr << "p3PeerMgrIMPL::UpdateOwnAddress() Disabling Update of Server Port "; std::cerr << "p3PeerMgrIMPL::UpdateOwnAddress() Disabling Update of Server Port ";
std::cerr << " as MANUAL FORWARD Mode"; std::cerr << " as MANUAL FORWARD Mode";
std::cerr << std::endl; std::cerr << std::endl;
std::cerr << "Address is Now: "; std::cerr << "Address is Now: ";
std::cerr << sockaddr_storage_tostring(mOwnState.serveraddr); std::cerr << sockaddr_storage_tostring(mOwnState.serveraddr);
std::cerr << std::endl; std::cerr << std::endl;
} }
else else
{ {
mOwnState.serveraddr = extAddr; mOwnState.serveraddr = extAddr;
} }
} }
IndicateConfigChanged(); /**** INDICATE MSG CONFIG CHANGED! *****/ IndicateConfigChanged(); /**** INDICATE MSG CONFIG CHANGED! *****/
mLinkMgr->setLocalAddress(localAddr); mLinkMgr->setLocalAddress(localAddr);
return true; return true;
} }
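Review bot: Only localAddr is run through the ban list, while extAddr is written to the external address list and to mOwnState.serveraddr a few lines below without any check; if the concern is a re-routed friend feeding us a banned address as our own, extAddr is the value that actually gets advertised, so consider `if(!rsBanList->isAddressAccepted(extAddr, RSBANLIST_CHECKING_FLAGS_BLACKLIST)) return false;` as well, unless the caller already validates it (not visible from this hunk). The new log message also has a typo: "a friend in under traffic re-routing attack" should read "a friend is under a traffic re-routing attack".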


@ -1313,17 +1313,11 @@ int pqissl::Authorise_SSL_Connection()
uint32_t check_result ; uint32_t check_result ;
if(!rsBanList->isAddressAccepted(remote_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,check_result)) if(!rsBanList->isAddressAccepted(remote_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,&check_result))
{ {
std::cerr << "(SS) connection attempt from banned IP address. Refusing it. Reason: " << check_result << ". Attack??" << std::endl; std::cerr << "(SS) connection attempt from banned IP address. Refusing it. Reason: " << check_result << ". Attack??" << std::endl;
reset_locked(); reset_locked();
return 0 ; return 0 ;
}
if(rsDht->isAddressBanned(remote_addr))
{
std::cerr << "(SS) connection attempt from banned IP address. Refusing it. Attack??" << std::endl;
reset_locked();
return 0 ;
} }
// check it's the right one. // check it's the right one.
if (certCorrect) if (certCorrect)
@ -1361,7 +1355,7 @@ int pqissl::accept_locked(SSL *ssl, int fd, const struct sockaddr_storage &forei
{ {
uint32_t check_result; uint32_t check_result;
if(!rsBanList->isAddressAccepted(foreign_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,check_result)) if(!rsBanList->isAddressAccepted(foreign_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,&check_result))
{ {
std::cerr << "(SS) refusing incoming SSL connection from blacklisted foreign address " << sockaddr_storage_iptostring(foreign_addr) std::cerr << "(SS) refusing incoming SSL connection from blacklisted foreign address " << sockaddr_storage_iptostring(foreign_addr)
<< ". Reason: " << check_result << "." << std::endl; << ". Reason: " << check_result << "." << std::endl;


@ -99,7 +99,7 @@ public:
// check_result: returned result of the check in RSBANLIST_CHECK_RESULT_* // check_result: returned result of the check in RSBANLIST_CHECK_RESULT_*
// returned value: true=address is accepted, false=address is rejected. // returned value: true=address is accepted, false=address is rejected.
virtual bool isAddressAccepted(const struct sockaddr_storage& addr,uint32_t checking_flags,uint32_t& check_result) =0; virtual bool isAddressAccepted(const struct sockaddr_storage& addr,uint32_t checking_flags,uint32_t *check_result=NULL) =0;
virtual void getBannedIps(std::list<BanListPeer>& list) =0; virtual void getBannedIps(std::list<BanListPeer>& list) =0;
virtual void getWhiteListedIps(std::list<BanListPeer>& list) =0; virtual void getWhiteListedIps(std::list<BanListPeer>& list) =0;
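Review bot: The parameter comment above isAddressAccepted still describes check_result as a returned reference, but the signature now takes an optional pointer defaulting to NULL; update it to `// check_result: optional; if non-NULL, receives the RSBANLIST_CHECK_RESULT_* code of the check`. The default also means callers that pass nothing get no reason code and decide on the boolean alone, which suits the p3linkmgr/p3peermgr call sites, but stating it in the comment reminds future callers that want to log a reason to pass the pointer.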


@ -239,9 +239,10 @@ void p3BanList::autoFigureOutBanRanges()
condenseBanSources_locked() ; condenseBanSources_locked() ;
} }
bool p3BanList::isAddressAccepted(const sockaddr_storage &addr, uint32_t checking_flags,uint32_t& check_result) bool p3BanList::isAddressAccepted(const sockaddr_storage &addr, uint32_t checking_flags,uint32_t *check_result)
{ {
check_result = RSBANLIST_CHECK_RESULT_NOCHECK ; if(check_result != NULL)
*check_result = RSBANLIST_CHECK_RESULT_NOCHECK ;
if(!mIPFilteringEnabled) if(!mIPFilteringEnabled)
return true ; return true ;
@ -261,21 +262,25 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr, uint32_t checkin
if(white_list_found) if(white_list_found)
{ {
check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ; if(check_result != NULL)
std::cerr << ". Address is in whitelist. Accepting" << std::endl; *check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ;
std::cerr << ". Address is in whitelist. Accepting" << std::endl;
return true ; return true ;
} }
if(checking_flags & RSBANLIST_CHECKING_FLAGS_WHITELIST) if(checking_flags & RSBANLIST_CHECKING_FLAGS_WHITELIST)
{ {
check_result = RSBANLIST_CHECK_RESULT_NOT_WHITELISTED ; if(check_result != NULL)
std::cerr << ". Address is not whitelist, and whitelist is required. Rejecting" << std::endl; *check_result = RSBANLIST_CHECK_RESULT_NOT_WHITELISTED ;
std::cerr << ". Address is not whitelist, and whitelist is required. Rejecting" << std::endl;
return false ; return false ;
} }
if(!(checking_flags & RSBANLIST_CHECKING_FLAGS_BLACKLIST)) if(!(checking_flags & RSBANLIST_CHECKING_FLAGS_BLACKLIST))
{ {
std::cerr << ". No blacklisting required. Accepting." << std::endl; std::cerr << ". No blacklisting required. Accepting." << std::endl;
if(check_result != NULL)
*check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ;
return true; return true;
} }
@ -287,7 +292,8 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr, uint32_t checkin
#ifdef DEBUG_BANLIST #ifdef DEBUG_BANLIST
std::cerr << " found in blacklisted range " << sockaddr_storage_iptostring(it->first) << "/16. returning false. attempts=" << it->second.connect_attempts << std::endl; std::cerr << " found in blacklisted range " << sockaddr_storage_iptostring(it->first) << "/16. returning false. attempts=" << it->second.connect_attempts << std::endl;
#endif #endif
check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ; if(check_result != NULL)
*check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
return false ; return false ;
} }
@ -297,7 +303,8 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr, uint32_t checkin
#ifdef DEBUG_BANLIST #ifdef DEBUG_BANLIST
std::cerr << "found in blacklisted range " << sockaddr_storage_iptostring(it->first) << "/24. returning false. attempts=" << it->second.connect_attempts << std::endl; std::cerr << "found in blacklisted range " << sockaddr_storage_iptostring(it->first) << "/24. returning false. attempts=" << it->second.connect_attempts << std::endl;
#endif #endif
check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ; if(check_result != NULL)
*check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
return false ; return false ;
} }
@ -307,14 +314,16 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr, uint32_t checkin
#ifdef DEBUG_BANLIST #ifdef DEBUG_BANLIST
std::cerr << "found as blacklisted address " << sockaddr_storage_iptostring(it->first) << ". returning false. attempts=" << it->second.connect_attempts << std::endl; std::cerr << "found as blacklisted address " << sockaddr_storage_iptostring(it->first) << ". returning false. attempts=" << it->second.connect_attempts << std::endl;
#endif #endif
check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ; if(check_result != NULL)
*check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
return false ; return false ;
} }
#ifdef DEBUG_BANLIST #ifdef DEBUG_BANLIST
std::cerr << " not blacklisted. Accepting." << std::endl; std::cerr << " not blacklisted. Accepting." << std::endl;
#endif #endif
check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ; if(check_result != NULL)
*check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ;
return true ; return true ;
} }
void p3BanList::getWhiteListedIps(std::list<BanListPeer> &lst) void p3BanList::getWhiteListedIps(std::list<BanListPeer> &lst)
@ -792,6 +801,21 @@ bool p3BanList::addBanEntry(const RsPeerId &peerId, const struct sockaddr_storag
return updated; return updated;
} }
bool p3BanList::isWhiteListed_locked(const sockaddr_storage& addr)
{
if(mWhiteListedRanges.find(addr) != mWhiteListedRanges.end())
return true ;
if(mWhiteListedRanges.find(makeBitsRange(addr,1)) != mWhiteListedRanges.end())
return true ;
if(mWhiteListedRanges.find(makeBitsRange(addr,2)) != mWhiteListedRanges.end())
return true ;
return false ;
}
/*** /***
* EXTRA DEBUGGING. * EXTRA DEBUGGING.
* #define DEBUG_BANLIST_CONDENSE 1 * #define DEBUG_BANLIST_CONDENSE 1
@ -856,6 +880,9 @@ int p3BanList::condenseBanSources_locked()
sockaddr_storage_copyip(bannedaddr, lit->second.addr); sockaddr_storage_copyip(bannedaddr, lit->second.addr);
sockaddr_storage_setport(bannedaddr, 0); sockaddr_storage_setport(bannedaddr, 0);
if(isWhiteListed_locked(bannedaddr))
continue ;
/* check if it exists in the Set already */ /* check if it exists in the Set already */
std::map<struct sockaddr_storage, BanListPeer>::iterator sit; std::map<struct sockaddr_storage, BanListPeer>::iterator sit;
sit = mBanSet.find(bannedaddr); sit = mBanSet.find(bannedaddr);
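Review bot: The `if(check_result != NULL) *check_result = ...` pair is now repeated at eight exit points of isAddressAccepted, which is easy to miss on the next added branch; a file-local helper such as `static inline void set_check_result(uint32_t *out, uint32_t v) { if(out != NULL) *out = v; }` called as `set_check_result(check_result, RSBANLIST_CHECK_RESULT_BLACKLISTED);` keeps each site to one line. In the new isWhiteListed_locked, the bare 1 and 2 passed to makeBitsRange carry no meaning to a reader; if they select the /24 and /16 widths that the debug messages above refer to (I cannot confirm that from this hunk), name them or add a one-line comment stating what each lookup covers. Skipping whitelisted addresses in condenseBanSources_locked means mBanSet will lag behind a later whitelist removal until the next condense runs; that may be intended, but a comment at the `continue` would make it explicit.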


@ -61,7 +61,7 @@ public:
/***** overloaded from RsBanList *****/ /***** overloaded from RsBanList *****/
virtual bool isAddressAccepted(const struct sockaddr_storage& addr, uint32_t checking_flags,uint32_t& check_result) ; virtual bool isAddressAccepted(const struct sockaddr_storage& addr, uint32_t checking_flags,uint32_t *check_result=NULL) ;
virtual void getBannedIps(std::list<BanListPeer>& list) ; virtual void getBannedIps(std::list<BanListPeer>& list) ;
virtual void getWhiteListedIps(std::list<BanListPeer>& list) ; virtual void getWhiteListedIps(std::list<BanListPeer>& list) ;
@ -137,6 +137,7 @@ private:
int condenseBanSources_locked(); int condenseBanSources_locked();
int printBanSources_locked(std::ostream &out); int printBanSources_locked(std::ostream &out);
int printBanSet_locked(std::ostream &out); int printBanSet_locked(std::ostream &out);
bool isWhiteListed_locked(const sockaddr_storage &addr);
time_t mSentListTime; time_t mSentListTime;
std::map<RsPeerId, BanList> mBanSources; std::map<RsPeerId, BanList> mBanSources;