authoroy <Tom_Adams@web.de>2018-09-16 15:58:53 +0200
committeroy <Tom_Adams@web.de>2018-09-16 15:58:53 +0200
commit4c00063b2fd9c25998f3d308723e1ae65c20548d (patch)
treea9a751dae3e074865ed112da0d51be02ba8350f0
parent73216445c3446e76854a9409f175b34f37761108 (diff)
added a simple challenge response mechanism for connecting clients
-rw-r--r--src/engine/server/server.cpp42
-rw-r--r--src/engine/server/server.h9
-rw-r--r--src/engine/shared/config_variables.h1
3 files changed, 51 insertions, 1 deletions
diff --git a/src/engine/server/server.cpp b/src/engine/server/server.cpp
index 6c459257f..8b3d9d53a 100644
--- a/src/engine/server/server.cpp
+++ b/src/engine/server/server.cpp
@@ -268,6 +268,16 @@ void CServer::CClient::Reset()
m_Score = 0;
}
+bool CServer::CClient::CRCheck()
+{
+ if(m_CRSuccess || (m_CRCounter == m_CRCheckVal))
+ {
+ m_CRSuccess = true;
+ return true;
+ }
+ return false;
+}
+
CServer::CServer() : m_DemoRecorder(&m_SnapshotDelta)
{
m_TickSpeed = SERVER_TICK_SPEED;
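Review bot: CRCheck() has no comment stating its contract, and the contract is not obvious: it compares with `==` and latches the result, so the outcome depends on when it is first called. If it runs while ping replies are still in flight, or after the counter has moved past the challenge value, it returns false even for a client that answered correctly. I would document this above the definition, for example `// Returns true once the number of received PING_REPLY messages equals m_CRCheckVal; the success is latched in m_CRSuccess.`, and state there which caller is responsible for waiting until all replies are in.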
@@ -690,6 +700,9 @@ int CServer::NewClientCallback(int ClientID, void *pUser)
{
CServer *pThis = (CServer *)pUser;
pThis->m_aClients[ClientID].m_State = CClient::STATE_AUTH;
+ pThis->m_aClients[ClientID].m_CRCounter = 0;
+ pThis->m_aClients[ClientID].m_CRCheckVal = rand()%CClient::CR_MAXVAL;
+ pThis->m_aClients[ClientID].m_CRSuccess = false;
pThis->m_aClients[ClientID].m_aName[0] = 0;
pThis->m_aClients[ClientID].m_aClan[0] = 0;
pThis->m_aClients[ClientID].m_Country = -1;
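Review bot: `rand()%CClient::CR_MAXVAL` can yield 0, and with `m_CRCounter` also set to 0 on the line above, CRCheck() then passes without any ping exchange at all. The value should have a floor of 1, e.g. `m_CRCheckVal = 1 + rand()%(CClient::CR_MAXVAL-1);`. Separately, `rand()` is a predictable generator and the range is only 7 bits, so the value should not be treated as a secret; if it is meant to resist guessing, it needs to come from the platform's secure random source and a wider range. NewClientCallback's body continues outside the hunk.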
@@ -796,6 +809,17 @@ void CServer::UpdateClientRconCommands()
}
}
+void CServer::CRAuthentification(int ClientID)
+{
+ if((g_Config.m_SvCRFailBantime >= 0) && (!m_aClients[ClientID].CRCheck()))
+ {
+ if(g_Config.m_SvCRFailBantime == 0)
+ m_NetServer.Drop(ClientID, "Failed challenge response");
+ else
+ m_ServerBan.BanAddr(m_NetServer.ClientAddr(ClientID), g_Config.m_SvCRFailBantime * 60, "Failed challenge response");
+ }
+}
+
void CServer::ProcessClientPacket(CNetChunk *pPacket)
{
int ClientID = pPacket->m_ClientID;
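Review bot: CRAuthentification() returns `void`, so its callers cannot tell that the client was just dropped or banned. Both call sites in ProcessClientPacket (the map-data request hunk and the ready hunk further down) carry on processing the same packet for that ClientID after the call. I would make it return `bool` and have the callers stop, e.g. `if(!CRAuthentification(ClientID)) return;`. A short comment on the three meanings of `sv_crfail_bantime` (-1 off, 0 kick, >0 ban in minutes) would also help, since the `* 60` is the only hint at the unit.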
@@ -836,6 +860,14 @@ void CServer::ProcessClientPacket(CNetChunk *pPacket)
}
m_aClients[ClientID].m_State = CClient::STATE_CONNECTING;
+
+ // send challenge response (via ping requests)
+ for (int i = 0; i < m_aClients[ClientID].m_CRCheckVal; ++i)
+ {
+ CMsgPacker CRMsg(NETMSG_PING);
+ SendMsgEx(&CRMsg, 0, ClientID, true);
+ }
+
SendMap(ClientID);
}
}
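Review bot: The challenge pings are sent with a flags argument of `0`. If that means they are not sent as vital (I am inferring this from the call shape, the SendMsgEx declaration is not in the hunk), a single lost ping or reply leaves `m_CRCounter` below `m_CRCheckVal`, and a legitimate client is then kicked or banned. Consider `SendMsgEx(&CRMsg, MSGFLAG_VITAL, ClientID, true);` and confirm that client replies are delivered reliably too. Also note that one client info message now triggers up to 127 outbound messages before the map is sent; this is worth bounding or rate limiting if the peer address is not yet verified at this point. The enclosing block starts and ends outside the hunk.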
@@ -844,6 +876,9 @@ void CServer::ProcessClientPacket(CNetChunk *pPacket)
if((pPacket->m_Flags&NET_CHUNKFLAG_VITAL) == 0 || m_aClients[ClientID].m_State < CClient::STATE_CONNECTING)
return;
+ // check challenge response
+ CRAuthentification(ClientID);
+
int Chunk = Unpacker.GetInt();
unsigned int ChunkSize = 1024-128;
unsigned int Offset = Chunk * ChunkSize;
@@ -880,6 +915,9 @@ void CServer::ProcessClientPacket(CNetChunk *pPacket)
{
if((pPacket->m_Flags&NET_CHUNKFLAG_VITAL) != 0 && m_aClients[ClientID].m_State == CClient::STATE_CONNECTING)
{
+ // check challenge response
+ CRAuthentification(ClientID);
+
char aAddrStr[NETADDR_MAXSTRSIZE];
net_addr_str(m_NetServer.ClientAddr(ClientID), aAddrStr, sizeof(aAddrStr), true);
@@ -1044,6 +1082,10 @@ void CServer::ProcessClientPacket(CNetChunk *pPacket)
CMsgPacker Msg(NETMSG_PING_REPLY);
SendMsgEx(&Msg, 0, ClientID, true);
}
+ else if(Msg == NETMSG_PING_REPLY)
+ {
+ m_aClients[ClientID].m_CRCounter++;
+ }
else
{
if(g_Config.m_Debug)
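Review bot: The new `NETMSG_PING_REPLY` branch increments `m_CRCounter` for every reply, in any client state, with no upper bound. The counter keeps growing after the challenge has succeeded, and a signed `int` that a remote peer can increment at will should not be left unbounded. It also counts replies to pings that were not part of the challenge. I would only count while the challenge is open and cap the value, e.g. `if(!m_aClients[ClientID].m_CRSuccess && m_aClients[ClientID].m_CRCounter < CClient::CR_MAXVAL) m_aClients[ClientID].m_CRCounter++;`. The surrounding if/else chain continues outside the hunk.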
diff --git a/src/engine/server/server.h b/src/engine/server/server.h
index c3c1794dc..0bddf1def 100644
--- a/src/engine/server/server.h
+++ b/src/engine/server/server.h
@@ -92,7 +92,9 @@ public:
SNAPRATE_INIT=0,
SNAPRATE_FULL,
- SNAPRATE_RECOVER
+ SNAPRATE_RECOVER,
+
+ CR_MAXVAL=128,
};
class CInput
@@ -104,6 +106,9 @@ public:
// connection state info
int m_State;
+ int m_CRCounter;
+ int m_CRCheckVal;
+ int m_CRSuccess;
int m_Latency;
int m_SnapRate;
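Review bot: `m_CRSuccess` is declared `int` but is only ever assigned `true`/`false` and tested as a boolean in server.cpp; it should be `bool m_CRSuccess;`. The three new members also lack a comment, e.g. `// challenge response: replies received, replies expected, latched result`. From the visible part of Reset() I cannot tell whether these fields are cleared there; if they are not, they rely entirely on NewClientCallback for initialisation, which is worth stating.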
@@ -125,6 +130,7 @@ public:
const IConsole::CCommandInfo *m_pRconCmdToSend;
void Reset();
+ bool CRCheck();
};
CClient m_aClients[MAX_CLIENTS];
@@ -204,6 +210,7 @@ public:
void SendRconCmdAdd(const IConsole::CCommandInfo *pCommandInfo, int ClientID);
void SendRconCmdRem(const IConsole::CCommandInfo *pCommandInfo, int ClientID);
void UpdateClientRconCommands();
+ void CRAuthentification(int ClientID);
void ProcessClientPacket(CNetChunk *pPacket);
diff --git a/src/engine/shared/config_variables.h b/src/engine/shared/config_variables.h
index 025a9cf38..ed20d42d3 100644
--- a/src/engine/shared/config_variables.h
+++ b/src/engine/shared/config_variables.h
@@ -91,6 +91,7 @@ MACRO_CONFIG_STR(SvRconPassword, sv_rcon_password, 32, "", CFGFLAG_SERVER, "Remo
MACRO_CONFIG_STR(SvRconModPassword, sv_rcon_mod_password, 32, "", CFGFLAG_SERVER, "Remote console password for moderators (limited access)")
MACRO_CONFIG_INT(SvRconMaxTries, sv_rcon_max_tries, 3, 0, 100, CFGFLAG_SERVER, "Maximum number of tries for remote console authentication")
MACRO_CONFIG_INT(SvRconBantime, sv_rcon_bantime, 5, 0, 1440, CFGFLAG_SERVER, "The time a client gets banned if remote console authentication fails. 0 makes it just use kick")
+MACRO_CONFIG_INT(SvCRFailBantime, sv_crfail_bantime, 3, -1, 1440, CFGFLAG_SERVER, "The time a client gets banned if challenge response authentification fails. 0 makes it just use kick. -1 disables it")
MACRO_CONFIG_INT(SvAutoDemoRecord, sv_auto_demo_record, 0, 0, 1, CFGFLAG_SERVER, "Automatically record demos")
MACRO_CONFIG_INT(SvAutoDemoMax, sv_auto_demo_max, 10, 0, 1000, CFGFLAG_SERVER, "Maximum number of automatically recorded demos (0 = no limit)")
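Review bot: `sv_crfail_bantime` defaults to 3, so address bans are active by default for a check that depends on counting ping replies exactly. Any false positive (packet loss, a client that does not answer every ping) then bans an address that may be shared by several players. A default of 0 (kick only) or -1 would be safer until the mechanism is proven reliable. The help text should also name the unit, since the server multiplies the value by 60: `"The time in minutes a client gets banned if ..."`.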