From 2eb1f2e3f267600373aaf015b4caf6ea4a4163dc Mon Sep 17 00:00:00 2001
From: divverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Date: Fri, 24 Jan 2014 16:39:06 +0000
Subject: [PATCH] Fix some d0_blind_id related bugs:

- Higher numbered CAs should have priority over lower numbered CAs,
  making CA 0 the "default" CA.
- Fix the "Authenticated connection to ..." message (no more -@- crap).

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@12051 d7cf8633-e32d-0410-b094-e92efae38249
---
 crypto.c  | 29 ++++++++++++-----------------
 crypto.h  |  2 +-
 netconn.c | 12 ++++++------
 3 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/crypto.c b/crypto.c
index 622e5a39..b9f21454 100644
--- a/crypto.c
+++ b/crypto.c
@@ -1,4 +1,3 @@
-// TODO key loading, generating, saving
 #include "quakedef.h"
 #include "crypto.h"
 #include "common.h"
@@ -534,7 +533,7 @@ static crypto_t *Crypto_ServerFindInstance(lhnetaddress_t *peeraddress, qboolean
 	return crypto;
 }
 
-qboolean Crypto_ServerFinishInstance(crypto_t *out, crypto_t *crypto)
+qboolean Crypto_FinishInstance(crypto_t *out, crypto_t *crypto)
 {
 	// no check needed here (returned pointers are only used in prefilled fields)
 	if(!crypto || !crypto->authenticated)
@@ -651,7 +650,7 @@ static void Crypto_StoreHostKey(lhnetaddress_t *peeraddress, const char *keystri
 
 		if(idend - idstart == FP64_SIZE && keyend - keystart == FP64_SIZE)
 		{
-			for(keyid = 0; keyid < MAX_PUBKEYS; ++keyid)
+			for(keyid = MAX_PUBKEYS - 1; keyid >= 0; --keyid)
 				if(pubkeys[keyid])
 					if(!memcmp(pubkeys_fp64[keyid], keystart, FP64_SIZE))
 					{
@@ -659,8 +658,7 @@ static void Crypto_StoreHostKey(lhnetaddress_t *peeraddress, const char *keystri
 						idfp[FP64_SIZE] = 0;
 						break;
 					}
-			if(keyid >= MAX_PUBKEYS)
-				keyid = -1;
+			// If this failed, keyid will be -1.
 		}
 	}
 
@@ -1764,13 +1762,13 @@ static int Crypto_ServerParsePacket_Internal(const char *data_in, size_t len_in,
 			p = GetUntilNul(&data_in, &len_in);
 			if(p && *p)
 			{
+				// Find the highest numbered matching key for p.
 				for(i = 0; i < MAX_PUBKEYS; ++i)
 				{
 					if(pubkeys[i])
 						if(!strcmp(p, pubkeys_fp64[i]))
 							if(pubkeys_havepriv[i])
-								if(serverid < 0)
-									serverid = i;
+								serverid = i;
 				}
 				if(serverid < 0)
 					return Crypto_ServerError(data_out, len_out, "Invalid server key", NULL);
@@ -1778,12 +1776,12 @@ static int Crypto_ServerParsePacket_Internal(const char *data_in, size_t len_in,
 			p = GetUntilNul(&data_in, &len_in);
 			if(p && *p)
 			{
+				// Find the highest numbered matching key for p.
 				for(i = 0; i < MAX_PUBKEYS; ++i)
 				{
 					if(pubkeys[i])
 						if(!strcmp(p, pubkeys_fp64[i]))
-							if(clientid < 0)
-								clientid = i;
+							clientid = i;
 				}
 				if(clientid < 0)
 					return Crypto_ServerError(data_out, len_out, "Invalid client key", NULL);
@@ -2236,22 +2234,20 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
 					break;
 				continue;
 			}
+			// Find the highest numbered matching key for p.
 			for(i = 0; i < MAX_PUBKEYS; ++i)
 			{
 				if(pubkeys[i])
 				if(!strcmp(p, pubkeys_fp64[i]))
 				{
 					if(pubkeys_havepriv[i])
-						if(clientid < 0)
-							clientid = i;
+						clientid = i;
 					if(server_can_auth)
-						if(serverid < 0)
-							if(wantserverid < 0 || i == wantserverid)
-								serverid = i;
+						if(wantserverid < 0 || i == wantserverid)
+							serverid = i;
 				}
 			}
-			if(clientid >= 0 && serverid >= 0)
-				break;
+			// Not breaking, as higher keys in the list always have priority.
 		}
 
 		// if stored host key is not found:
@@ -2260,7 +2256,6 @@ int Crypto_ClientParsePacket(const char *data_in, size_t len_in, char *data_out,
 
 		if(serverid >= 0 || clientid >= 0)
 		{
-			// TODO at this point, fill clientside crypto struct!
 			MAKE_CDATA;
 			CDATA->cdata_id = ++cdata_id;
 			CDATA->s = serverid;
diff --git a/crypto.h b/crypto.h
index ddc00a92..106e5a9a 100644
--- a/crypto.h
+++ b/crypto.h
@@ -48,7 +48,7 @@ int Crypto_ServerParsePacket(const char *data_in, size_t len_in, char *data_out,
 
 qboolean Crypto_ServerAppendToChallenge(const char *data_in, size_t len_in, char *data_out, size_t *len_out, size_t maxlen);
 crypto_t *Crypto_ServerGetInstance(lhnetaddress_t *peeraddress);
-qboolean Crypto_ServerFinishInstance(crypto_t *out, crypto_t *in); // also clears allocated memory
+qboolean Crypto_FinishInstance(crypto_t *out, crypto_t *in); // also clears allocated memory, and frees the instance received by ServerGetInstance
 const char *Crypto_GetInfoResponseDataString(void);
 
 // retrieves a host key for an address (can be exposed to menuqc, or used by the engine to look up stored keys e.g. for server bookmarking)
diff --git a/netconn.c b/netconn.c
index 707197b4..5f256cd9 100755
--- a/netconn.c
+++ b/netconn.c
@@ -1516,10 +1516,10 @@ static void NetConn_ConnectionEstablished(lhnetsocket_t *mysocket, lhnetaddress_
 	}
 	// allocate a net connection to keep track of things
 	cls.netcon = NetConn_Open(mysocket, peeraddress);
-	crypto = &cls.crypto;
-	if(crypto && crypto->authenticated)
+	crypto = &cls.netcon->crypto;
+	if(cls.crypto.authenticated)
 	{
-		Crypto_ServerFinishInstance(&cls.netcon->crypto, crypto);
+		Crypto_FinishInstance(crypto, &cls.crypto);
 		Con_Printf("%s connection to %s has been established: server is %s@%.*s, I am %.*s@%.*s\n",
 				crypto->use_aes ? "Encrypted" : "Authenticated",
 				cls.netcon->address,
@@ -3079,7 +3079,7 @@ static int NetConn_ServerParsePacket(lhnetsocket_t *mysocket, unsigned char *dat
 							Con_Printf("Datagram_ParseConnectionless: sending \"accept\" to %s.\n", addressstring2);
 						NetConn_WriteString(mysocket, "\377\377\377\377accept", peeraddress);
 						if(crypto && crypto->authenticated)
-							Crypto_ServerFinishInstance(&client->netconnection->crypto, crypto);
+							Crypto_FinishInstance(&client->netconnection->crypto, crypto);
 						SV_SendServerinfo(client);
 					}
 					else
@@ -3089,7 +3089,7 @@ static int NetConn_ServerParsePacket(lhnetsocket_t *mysocket, unsigned char *dat
 						if (developer_extra.integer)
 							Con_Printf("Datagram_ParseConnectionless: sending duplicate accept to %s.\n", addressstring2);
 						if(crypto && crypto->authenticated)
-							Crypto_ServerFinishInstance(&client->netconnection->crypto, crypto);
+							Crypto_FinishInstance(&client->netconnection->crypto, crypto);
 						NetConn_WriteString(mysocket, "\377\377\377\377accept", peeraddress);
 					}
 					return true;
@@ -3111,7 +3111,7 @@ static int NetConn_ServerParsePacket(lhnetsocket_t *mysocket, unsigned char *dat
 					NetConn_WriteString(mysocket, "\377\377\377\377accept", peeraddress);
 					// now set up the client
 					if(crypto && crypto->authenticated)
-						Crypto_ServerFinishInstance(&conn->crypto, crypto);
+						Crypto_FinishInstance(&conn->crypto, crypto);
 					SV_ConnectClient(clientnum, conn);
 					NetConn_Heartbeat(1);
 					return true;
-- 
2.39.2