completed server side security of new subscription system

commit 1b6fdf6093f06465268144b14744e6876430db4f 1 parent fa3badc
roberto@precise64 authored
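--- a/plugins/corerouter/corerouter.c
+++ b/plugins/corerouter/corerouter.c
@@ -157,6 +157,9 @@ void corerouter_manage_subscription(char *key, uint16_t keylen, char *val, uint1
 else if (!uwsgi_strncmp("weight", 6, key, keylen)) {
 usr->weight = uwsgi_str_num(val, vallen);
 }
+ else if (!uwsgi_strncmp("unix", 4, key, keylen)) {
+ usr->unix_check = uwsgi_str_num(val, vallen);
+ }
 else if (!uwsgi_strncmp("sign", 4, key, keylen)) {
 usr->sign = val;
 usr->sign_len = vallen;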
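Review bot: The new `unix` branch stores whatever `uwsgi_str_num(val, vallen)` returns straight into `usr->unix_check`, and at this point the packet has not been authenticated. uwsgi_str_num is defined outside this page; if it does not reject non-digit bytes or an overlong value, a malformed item becomes an arbitrary timestamp that the replay checks in cr_common.c and subscription.c then compare against. A comment on the branch would make the trust level explicit, for example `// sender timestamp for replay protection; untrusted until the signature check passes`. corerouter_manage_subscription starts and ends outside the hunk.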
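--- a/plugins/corerouter/cr_common.c
+++ b/plugins/corerouter/cr_common.c
@@ -132,6 +132,7 @@ void uwsgi_corerouter_manage_subscription(struct uwsgi_corerouter *ucr, int id,
 #ifdef UWSGI_SSL
 if (uwsgi.subscriptions_sign_check_dir) {
 if (usr.sign_len == 0 || usr.base_len == 0) return;
+ if (usr.unix_check <= node->unix_check) return ;
 if (!uwsgi_subscription_sign_check(node->slot, &usr)) {
 return;
 }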
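Review bot: The added `if (usr.unix_check <= node->unix_check) return ;` drops a stale packet without logging, while the same condition in subscription.c writes an "invalid (sniffed ?) packet" line, so replay attempts on this path leave nothing for an operator to alert on. I would log before returning, e.g. `uwsgi_log("[uwsgi-subscription for pid %d] invalid (sniffed ?) packet, unix_check: %lu\n", (int) uwsgi.mypid, (unsigned long) usr.unix_check);`. This path also applies no lower bound against `subscriptions_sign_check_tolerance`, unlike the new-node checks in subscription.c, which looks unintentional. Where `node` comes from, and whether it can be NULL here, is outside the hunk.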
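--- a/subscription.c
+++ b/subscription.c
@@ -277,6 +277,13 @@ struct uwsgi_subscribe_node *uwsgi_add_subscribe_node(struct uwsgi_subscribe_slo
 node = current_slot->nodes;
 while(node) {
 if (!uwsgi_strncmp(node->name, node->len, usr->address, usr->address_len)) {
+#ifdef UWSGI_SSL
+ // this should avoid sending sniffed packets...
+ if (uwsgi.subscriptions_sign_check_dir && usr->unix_check <= node->unix_check) {
+ uwsgi_log("[uwsgi-subscription for pid %d] invalid (sniffed ?) packet sent for slot: %.*s node: %.*s unix_check: %lu\n",(int) uwsgi.mypid, usr->keylen, usr->key, usr->address_len, usr->address, (unsigned long) usr->unix_check);
+ return NULL;
+ }
+#endif
 // remove death mark and update cores and load
 node->death_mark = 0;
 node->last_check = time(NULL);
@@ -290,6 +297,13 @@ struct uwsgi_subscribe_node *uwsgi_add_subscribe_node(struct uwsgi_subscribe_slo
 node = node->next;
 }
+#ifdef UWSGI_SSL
+ if (uwsgi.subscriptions_sign_check_dir && usr->unix_check < (uwsgi_now()-(time_t)uwsgi.subscriptions_sign_check_tolerance)) {
+ uwsgi_log("[uwsgi-subscription for pid %d] invalid (sniffed ?) packet sent for slot: %.*s node: %.*s unix_check: %lu\n",(int) uwsgi.mypid, usr->keylen, usr->key, usr->address_len, usr->address, (unsigned long) usr->unix_check);
+ return NULL;
+ }
+#endif
+
 node = uwsgi_malloc(sizeof(struct uwsgi_subscribe_node));
 node->len = usr->address_len;
 node->modifier1 = usr->modifier1;
@@ -302,6 +316,7 @@ struct uwsgi_subscribe_node *uwsgi_add_subscribe_node(struct uwsgi_subscribe_slo
 node->cores = usr->cores;
 node->load = usr->load;
 node->weight = usr->weight;
+ node->unix_check = usr->unix_check;
 if (!node->weight) node->weight = 1;
 node->wrr = node->weight;
 node->last_check = time(NULL);
@@ -318,6 +333,10 @@ struct uwsgi_subscribe_node *uwsgi_add_subscribe_node(struct uwsgi_subscribe_slo
 #ifdef UWSGI_SSL
 FILE *kf = NULL;
 if (uwsgi.subscriptions_sign_check_dir) {
+ if (usr->unix_check < (uwsgi_now()-(time_t)uwsgi.subscriptions_sign_check_tolerance)) {
+ uwsgi_log("[uwsgi-subscription for pid %d] invalid (sniffed ?) packet sent for slot: %.*s node: %.*s unix_check: %lu\n",(int) uwsgi.mypid, usr->keylen, usr->key, usr->address_len, usr->address, (unsigned long) usr->unix_check);
+ return NULL;
+ }
 char *keyfile = uwsgi_sanitize_cert_filename(uwsgi.subscriptions_sign_check_dir, usr->key, usr->keylen);
 kf = fopen(keyfile, "r");
 free(keyfile);
@@ -347,6 +366,7 @@ struct uwsgi_subscribe_node *uwsgi_add_subscribe_node(struct uwsgi_subscribe_slo
 EVP_PKEY_free(current_slot->sign_public_key);
 EVP_MD_CTX_destroy(current_slot->sign_ctx);
 free(current_slot);
+ return NULL;
 }
 }
 #endif
@@ -380,6 +400,7 @@ struct uwsgi_subscribe_node *uwsgi_add_subscribe_node(struct uwsgi_subscribe_slo
 current_slot->nodes->cores = usr->cores;
 current_slot->nodes->load = usr->load;
 current_slot->nodes->weight = usr->weight;
+ current_slot->nodes->unix_check = usr->unix_check;
 if (!current_slot->nodes->weight) current_slot->nodes->weight = 1;
 current_slot->nodes->wrr = current_slot->nodes->weight;
 memcpy(current_slot->nodes->name, usr->address, usr->address_len);
@@ -589,7 +610,7 @@ void uwsgi_send_subscription(char *udp_address, char *key, size_t keysize, uint8
 if (sign) {
 // add space for "unix" item
 char unix_dst[sizeof(UMAX64_STR)+1];
- if (snprintf(unix_dst, sizeof(UMAX64_STR)+1, "%lu", (unsigned long) uwsgi_now()) < 1) {
+ if (snprintf(unix_dst, sizeof(UMAX64_STR)+1, "%lu", (unsigned long) (uwsgi_now() + (time_t)cmd)) < 1) {
 uwsgi_error("unable to generate unix time for subscription !!!\n");
 free(subscrbuf);
 return;
@@ -671,10 +692,14 @@ int uwsgi_subscription_sign_check(struct uwsgi_subscribe_slot *slot, struct uwsg
 return 0;
 }
- if (EVP_VerifyFinal(slot->sign_ctx, (unsigned char *)usr->sign, usr->sign_len, slot->sign_public_key) <= 0) {
+ if (EVP_VerifyFinal(slot->sign_ctx, (unsigned char *)usr->sign, usr->sign_len, slot->sign_public_key) != 1) {
+#ifdef UWSGI_DEBUG
+ ERR_print_errors_fp(stderr);
+#endif
 return 0;
 }
+
 return 1;
 }
 #endif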
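Review bot: In the existing-node branch of uwsgi_add_subscribe_node (first hunk), the new `usr->unix_check <= node->unix_check` test compares against a value that the visible lines only ever set when a node is created, in the two allocation paths. The rest of that refresh branch is outside the hunk; if it does not also store the accepted value, any captured refresh packet newer than the first subscription stays replayable for as long as the node lives. I would add `node->unix_check = usr->unix_check;` next to `node->death_mark = 0;`, and only after the packet's signature has been verified, because no uwsgi_subscription_sign_check call is visible before this comparison and an unauthenticated large value would otherwise cause later legitimate refreshes to be rejected. The freshness tests in the later hunks bound only the past (`< uwsgi_now() - tolerance`), so a timestamp far in the future is accepted; an upper bound of `uwsgi_now() + tolerance` would close that side. Two subscribe packets sent in the same second carry equal timestamps, so the `<=` logs the second one as "sniffed", which will add noise to any alerting built on this message.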
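--- a/uwsgi.c
+++ b/uwsgi.c
@@ -293,6 +293,7 @@ static struct uwsgi_option uwsgi_base_options[] = {
 #endif
 #ifdef UWSGI_SSL
 {"subscriptions-sign-check", required_argument, 0, "set digest algorithm and certificate directory for secured subscription system", uwsgi_opt_scd, NULL, UWSGI_OPT_MASTER},
+ {"subscriptions-sign-check-tolerance", required_argument, 0, "set the maximum tolerance (in seconds) of clock skew for secured subscription system", uwsgi_opt_set_int, &uwsgi.subscriptions_sign_check_tolerance, UWSGI_OPT_MASTER},
 #endif
 {"subscribe-to", required_argument, 0, "subscribe to the specified subscription server", uwsgi_opt_add_string_list, &uwsgi.subscriptions, UWSGI_OPT_MASTER},
 {"st", required_argument, 0, "subscribe to the specified subscription server", uwsgi_opt_add_string_list, &uwsgi.subscriptions, UWSGI_OPT_MASTER},
@@ -1510,6 +1511,11 @@ int main(int argc, char *argv[], char *envp[]) {
 uwsgi.shared->worker_log_pipe[0] = -1;
 uwsgi.shared->worker_log_pipe[1] = -1;
+#ifdef UWSGI_SSL
+ // 1 day of tolerance
+ uwsgi.subscriptions_sign_check_tolerance = 3600 * 24 ;
+#endif
+
 #ifdef UWSGI_BLACKLIST
 if (!uwsgi_file_to_string_list(UWSGI_BLACKLIST, &uwsgi.blacklist)) {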
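Review bot: The default of `3600 * 24` in main() is also the replay window: on the new-node and new-slot paths in subscription.c this bound is the only timestamp check, so a captured signed packet stays acceptable for a full day whenever the router holds no record of that node, for instance after a restart. A much smaller default would be safer, and the comment should say what the number controls, e.g. `// replay window (seconds) for signed subscriptions with no stored per-node unix_check; keep as small as clock skew allows`. The option is parsed with uwsgi_opt_set_int and nothing visible rejects a negative value, which would move the cut-off into the future and refuse every signed packet. Both hunks sit inside definitions that continue outside the view.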
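--- a/uwsgi.h
+++ b/uwsgi.h
@@ -1303,6 +1303,7 @@ struct uwsgi_server {
 #ifdef UWSGI_SSL
 char *subscriptions_sign_check_dir;
+ int subscriptions_sign_check_tolerance;
 const EVP_MD *subscriptions_sign_check_md;
 #endif
@@ -2355,6 +2356,8 @@ struct uwsgi_subscribe_req {
 char *sign;
 uint16_t sign_len;
+ time_t unix_check;
+
 char *base;
 uint16_t base_len;
 };
@@ -2602,6 +2605,8 @@ struct uwsgi_subscribe_node {
 uint64_t weight;
 uint64_t wrr;
+ time_t unix_check;
+
 struct uwsgi_subscribe_slot *slot;
 struct uwsgi_subscribe_node *next;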
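Review bot: The two `time_t unix_check;` fields are added without comments although they play different roles in the replay check: in uwsgi_subscribe_req it is the value parsed from the packet's "unix" item, in uwsgi_subscribe_node it is the stored value later packets are compared against. I would document them as `// timestamp from the packet's "unix" item; untrusted until the signature is verified` and `// unix_check recorded for this node; packets with a value <= this are rejected as replays`. `subscriptions_sign_check_tolerance` would benefit from `// seconds; oldest unix_check accepted is uwsgi_now() minus this` as well. All three struct definitions extend beyond the hunks shown.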