コード例 #1
ファイル: Security.cpp プロジェクト: lemonxiao0/peerproject
// Checks a search query, together with its content string, against the rule list.
//
// The list is walked in order while m_pSection is held. Expired rules are unlinked
// and freed as they are met. The first matching rule whose action is srDeny or
// srAccept decides the outcome; a matching rule with any other action only has its
// hit counters incremented and the walk continues.
//
// Returns TRUE to deny, FALSE to accept, and m_bDenyPolicy when no rule decides.
BOOL CSecurity::IsDenied(const CQuerySearch* pQuery, const CString& strContent)
{
	const DWORD tNow = static_cast< DWORD >( time( NULL ) );

	CQuickLock oLock( m_pSection );

	POSITION posNext = GetIterator();
	while ( posNext )
	{
		// GetNext() advances posNext, so keep the current node for a possible removal
		POSITION posThis = posNext;
		CSecureRule* pCandidate = GetNext( posNext );

		if ( pCandidate->IsExpired( tNow ) )
		{
			// Stale rules are purged lazily during lookups
			m_pRules.RemoveAt( posThis );
			delete pCandidate;
			continue;
		}

		if ( ! pCandidate->Match( pQuery, strContent ) )
			continue;

		// Hit statistics are updated for every match, decisive or not
		pCandidate->m_nToday ++;
		pCandidate->m_nEver ++;

		if ( pCandidate->m_nAction == CSecureRule::srDeny )
			return TRUE;
		if ( pCandidate->m_nAction == CSecureRule::srAccept )
			return FALSE;
	}

	// No decisive rule: fall back to the default policy
	return m_bDenyPolicy;
}
コード例 #2
ファイル: Security.cpp プロジェクト: lemonxiao0/peerproject
// Housekeeping pass: frees complaint records and security rules that have expired.
// Both containers are processed while m_pSection is held, using one timestamp.
void CSecurity::Expire()
{
	CQuickLock oLock( m_pSection );

	const DWORD tNow = static_cast< DWORD >( time( NULL ) );

	// Pass 1: complaint records whose m_nExpire lies before tNow
	POSITION posEntry = m_Complains.GetStartPosition();
	while ( posEntry )
	{
		DWORD nKey;
		CComplain* pEntry;
		// Advances posEntry before the current key is removed below
		m_Complains.GetNextAssoc( posEntry, nKey, pEntry );

		if ( pEntry->m_nExpire >= tNow )
			continue;

		m_Complains.RemoveKey( nKey );
		delete pEntry;
	}

	// Pass 2: rules that report themselves expired
	POSITION posNext = GetIterator();
	while ( posNext )
	{
		POSITION posThis = posNext;
		CSecureRule* pCandidate = GetNext( posNext );

		if ( ! pCandidate->IsExpired( tNow ) )
			continue;

		m_pRules.RemoveAt( posThis );
		delete pCandidate;
	}
}
コード例 #3
ファイル: Security.cpp プロジェクト: lemonxiao0/peerproject
// Checks an IPv4 address against the security rules.
//
// Lookup order:
//   1. m_Cache: an address found here gets the default policy without any rule scan.
//   2. The address map / rule index: a rule found here decides if it is srDeny or srAccept.
//   3. The ordered rule list, walked under m_pSection; expired rules are purged on the way.
// An address that no rule decided is inserted into m_Cache before returning the default.
//
// Returns TRUE to deny, FALSE to accept, m_bDenyPolicy otherwise.
//
// NOTE(review): steps 1 and 2 and the final cache insert run outside m_pSection.
// Confirm that m_Cache and the index map are protected some other way.
// NOTE(review): a cached address never reaches the rule list again, so code that adds
// or changes rules has to invalidate m_Cache. That is not visible in this function.
BOOL CSecurity::IsDenied(const IN_ADDR* pAddress)
{
	// Repeat lookups of an address no rule decided are answered from the cache
	if ( m_Cache.count( *(DWORD*)pAddress ) )
		return m_bDenyPolicy;

	// Indexed fast path
	BYTE nSlot = GetAddressMap( *(DWORD*)pAddress );
	if ( nSlot )
	{
		CSecureRule* pIndexed = m_pRuleIndexMap[ nSlot ];
		if ( pIndexed )
		{
			pIndexed->m_nToday ++;
			pIndexed->m_nEver ++;

			if ( pIndexed->m_nAction == CSecureRule::srDeny )
				return TRUE;
			if ( pIndexed->m_nAction == CSecureRule::srAccept )
				return FALSE;
		}
	}

	const DWORD tNow = static_cast< DWORD >( time( NULL ) );

	{
		// The lock covers only the list walk
		CQuickLock oLock( m_pSection );

		POSITION posNext = GetIterator();
		while ( posNext )
		{
			POSITION posThis = posNext;
			CSecureRule* pCandidate = GetNext( posNext );

			if ( pCandidate->IsExpired( tNow ) )
			{
				m_pRules.RemoveAt( posThis );
				delete pCandidate;
			}
			else if ( pCandidate->Match( pAddress ) )
			{
				pCandidate->m_nToday ++;
				pCandidate->m_nEver ++;

				// A hit on a rule due to expire within 5 minutes pushes its expiry to tNow + 300.
				// Values at or below srSession are left alone (presumably sentinels, confirm).
				const bool bTimed = pCandidate->m_nExpire > CSecureRule::srSession;
				if ( bTimed && pCandidate->m_nExpire < tNow + 300 )
					pCandidate->m_nExpire = tNow + 300;

				if ( pCandidate->m_nAction == CSecureRule::srDeny )
					return TRUE;
				if ( pCandidate->m_nAction == CSecureRule::srAccept )
					return FALSE;
			}
		}
	}

	// Nothing decided this address: remember it so later lookups skip the scan
	m_Cache.insert( *(DWORD*)pAddress );

	return m_bDenyPolicy;
}
コード例 #4
ファイル: Security.cpp プロジェクト: lemonxiao0/peerproject
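// Bans a file, either by extending an existing deny rule or by adding a new one.
//
// pFile       File to ban; a null pointer is ignored.
// nBanLength  One of the ban* length constants (banWeek, banCustom, banForever are handled here).
// bMessage    When TRUE, a notice naming the file is logged after a new rule is added.
//
// The rule list is walked under m_pSection and expired rules are purged on the way.
// If a live srDeny rule already matches the file, only its expiry is adjusted and the
// function returns without adding anything.
//
// NOTE(review): the expiry comparisons treat m_nExpire as a plain timestamp. If
// srIndefinite or srSession are small sentinel values, a week or custom ban could replace
// an indefinite one with a finite expiry. Confirm against the enum.
void CSecurity::Ban(const CPeerProjectFile* pFile, int nBanLength, BOOL bMessage)
{
	// pFile is dereferenced below (hash members, m_sName), so reject a null file up front
	// instead of checking it only when the message is written.
	if ( ! pFile )
		return;

	CQuickLock oLock( m_pSection );

	const DWORD tNow = static_cast< DWORD >( time( NULL ) );

	for ( POSITION pos = GetIterator() ; pos ; )
	{
		POSITION posCurrent = pos;
		CSecureRule* pRule = GetNext( pos );

		if ( pRule->IsExpired( tNow ) )
		{
			m_pRules.RemoveAt( posCurrent );
			delete pRule;
			continue;
		}

		if ( pRule->Match( pFile ) )			// Non-regexp name, hash, or size:ext:0000
		{
			if ( pRule->m_nAction == CSecureRule::srDeny )
			{
				// NOTE(review): the threshold is 604000 s but the new expiry is 604800 s (7 days).
				// The 800 s gap may be deliberate slack or a typo. Confirm.
				if ( nBanLength == banWeek && ( pRule->m_nExpire < tNow + 604000 ) )
					pRule->m_nExpire = tNow + 604800;
				else if ( nBanLength == banCustom && ( pRule->m_nExpire < tNow + Settings.Security.DefaultBan + 3600 ) )
					pRule->m_nExpire = tNow + Settings.Security.DefaultBan + 3600;
				else if ( nBanLength == banForever && ( pRule->m_nExpire != CSecureRule::srIndefinite ) )
					pRule->m_nExpire = CSecureRule::srIndefinite;
				return;
			}
		}
	}

	CSecureRule* pRule = NewBanRule( nBanLength );

	// Build a content-hash rule from every hash the file carries, as space-separated URNs
	if ( pFile->m_oSHA1 || pFile->m_oTiger || pFile->m_oED2K || pFile->m_oBTH || pFile->m_oMD5 )
	{
		pRule->m_nType = CSecureRule::srContentHash;
		pRule->SetContentWords(
			( pFile->m_oSHA1  ? pFile->m_oSHA1.toUrn()  + _T(" ") : CString() ) +
			( pFile->m_oTiger ? pFile->m_oTiger.toUrn() + _T(" ") : CString() ) +
			( pFile->m_oED2K  ? pFile->m_oED2K.toUrn()  + _T(" ") : CString() ) +
			( pFile->m_oMD5   ? pFile->m_oMD5.toUrn()   + _T(" ") : CString() ) +
			( pFile->m_oBTH   ? pFile->m_oBTH.toUrn()             : CString() ) );
	}
	// NOTE(review): a file without any hash still gets a rule added, with whatever type and
	// content NewBanRule() gave it. Confirm such a rule cannot match nothing, or too much.

	Add( pRule );

	if ( bMessage )
		theApp.Message( MSG_NOTICE, IDS_NETWORK_SECURITY_BLOCKED, (LPCTSTR)pFile->m_sName );
}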
コード例 #5
ファイル: Security.cpp プロジェクト: lemonxiao0/peerproject
// Checks a content string against the security rules.
//
// A string longer than 30 characters that starts with "urn:" is resolved through the
// hash map only: an indexed rule decides if it is srDeny or srAccept, otherwise the
// default policy is returned. Any other string is matched against the ordered rule
// list under m_pSection, purging expired rules on the way.
//
// Returns TRUE to deny, FALSE to accept, m_bDenyPolicy otherwise.
//
// NOTE(review): URN input never reaches the rule list, so only rules registered in the
// hash map apply to it. Confirm every hash rule that must be honoured is registered there.
// NOTE(review): the hash-map path runs without m_pSection. Confirm that is intended.
BOOL CSecurity::IsDenied(LPCTSTR pszContent)
{
	const bool bLooksLikeUrn =
		CString(pszContent).GetLength() > 30 && StartsWith( pszContent, _PT("urn:") );

	if ( bLooksLikeUrn )
	{
		BYTE nSlot = GetHashMap( pszContent );
		CSecureRule* pIndexed = nSlot ? GetRuleByIndex( nSlot ) : NULL;

		if ( pIndexed )
		{
			pIndexed->m_nToday ++;
			pIndexed->m_nEver ++;

			if ( pIndexed->m_nAction == CSecureRule::srDeny )
				return TRUE;
			if ( pIndexed->m_nAction == CSecureRule::srAccept )
				return FALSE;
		}

		return m_bDenyPolicy;
	}

	const DWORD tNow = static_cast< DWORD >( time( NULL ) );

	CQuickLock oLock( m_pSection );

	POSITION posNext = GetIterator();
	while ( posNext )
	{
		POSITION posThis = posNext;
		CSecureRule* pCandidate = GetNext( posNext );

		if ( pCandidate->IsExpired( tNow ) )
		{
			m_pRules.RemoveAt( posThis );
			delete pCandidate;
			continue;
		}

		if ( ! pCandidate->Match( pszContent ) )
			continue;

		pCandidate->m_nToday ++;
		pCandidate->m_nEver ++;

		// A hit on a rule due to expire within 5 minutes pushes its expiry to tNow + 300.
		// Values at or below srSession are left alone (presumably sentinels, confirm).
		const bool bTimed = pCandidate->m_nExpire > CSecureRule::srSession;
		if ( bTimed && pCandidate->m_nExpire < tNow + 300 )
			pCandidate->m_nExpire = tNow + 300;

		if ( pCandidate->m_nAction == CSecureRule::srDeny )
			return TRUE;
		if ( pCandidate->m_nAction == CSecureRule::srAccept )
			return FALSE;
	}

	return m_bDenyPolicy;
}
コード例 #6
ファイル: Security.cpp プロジェクト: lemonxiao0/peerproject
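// Bans an IPv4 address, either by extending an existing deny rule or by adding a new one.
//
// pAddress    Address to ban; a null pointer is ignored.
// nBanLength  One of the ban* length constants (banWeek, banCustom, banForever are handled here).
// bMessage    When TRUE, a notice is logged: "already blocked" if a live deny rule matched
//             and needed no expiry change, "blocked" after a new rule is added.
// szComment   Passed through to NewBanRule() for the new rule.
//
// The rule list is walked under m_pSection and expired rules are purged on the way.
//
// NOTE(review): IsDenied(const IN_ADDR*) consults m_Cache before the rule list. Confirm
// that Add() invalidates the cache, otherwise an address cached before this call would
// keep receiving the default policy.
// NOTE(review): the expiry comparisons treat m_nExpire as a plain timestamp. If
// srIndefinite or srSession are small sentinel values, a week or custom ban could replace
// an indefinite one with a finite expiry. Confirm against the enum.
void CSecurity::Ban(const IN_ADDR* pAddress, int nBanLength, BOOL bMessage, LPCTSTR szComment)
{
	// pAddress is copied from and formatted below without a check, so reject null up front
	// instead of testing it on one message path only.
	if ( ! pAddress )
		return;

	CQuickLock oLock( m_pSection );

	const DWORD tNow = static_cast< DWORD >( time( NULL ) );

	for ( POSITION pos = GetIterator() ; pos ; )
	{
		POSITION posCurrent = pos;
		CSecureRule* pRule = GetNext( pos );

		if ( pRule->IsExpired( tNow ) )
		{
			m_pRules.RemoveAt( posCurrent );
			delete pRule;
			continue;
		}

		if ( pRule->Match( pAddress ) && pRule->m_nAction == CSecureRule::srDeny )
		{
			// NOTE(review): the threshold is 604000 s but the new expiry is 604800 s (7 days).
			// The 800 s gap may be deliberate slack or a typo. Confirm.
			if ( nBanLength == banWeek && ( pRule->m_nExpire < tNow + 604000 ) )
				pRule->m_nExpire = tNow + 604800;
			else if ( nBanLength == banCustom && ( pRule->m_nExpire < tNow + Settings.Security.DefaultBan + 3600 ) )
				pRule->m_nExpire = tNow + Settings.Security.DefaultBan + 3600;
			else if ( nBanLength == banForever && ( pRule->m_nExpire != CSecureRule::srIndefinite ) )
				pRule->m_nExpire = CSecureRule::srIndefinite;
			else if ( bMessage )
				theApp.Message( MSG_NOTICE, IDS_NETWORK_SECURITY_ALREADY_BLOCKED, (LPCTSTR)CString( inet_ntoa( *pAddress ) ) );
			return;
		}
	}

	// No live deny rule covers the address: create a single-address rule
	CSecureRule* pRule = NewBanRule( nBanLength, szComment );
	pRule->m_nType = CSecureRule::srAddress;

	CopyMemory( pRule->m_nIP, pAddress, sizeof pRule->m_nIP );

	Add( pRule );

	if ( bMessage )
		theApp.Message( MSG_NOTICE, IDS_NETWORK_SECURITY_BLOCKED, (LPCTSTR)CString( inet_ntoa( *pAddress ) ) );
}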
コード例 #7
ファイル: Security.cpp プロジェクト: lemonxiao0/peerproject
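// Saves the security state to, or loads it from, an MFC archive.
//
// Storing writes the format version, the default policy, the rule count and then each
// rule returned by GetIterator().
//
// Loading clears the current state, reads version and default policy, then reads the
// stored number of rules. Rules already expired are dropped. Single-address deny rules
// (mask 0xffffffff) go to the address map and content-hash deny rules to the hash map;
// everything else is appended to m_pRules, and srExternal rules are also handed to ListLoader.
//
// NOTE(review): nVersion and the rule count come from the archive and are used without a
// range check. Confirm the caller treats the file as trusted, or handles the exceptions
// a malformed file raises.
// NOTE(review): rules routed to the address/hash maps on load are not appended to
// m_pRules here. Confirm GetCount()/GetIterator() still cover them on the store path.
// NOTE(review): the lookups read the rule index back as a BYTE. Confirm SetRuleIndex()
// cannot hand out more indices than a BYTE can hold.
void CSecurity::Serialize(CArchive& ar)
{
	int nVersion = SECURITY_SER_VERSION;

	if ( ar.IsStoring() )
	{
		ar << nVersion;
		ar << m_bDenyPolicy;

		ar.WriteCount( GetCount() );

		for ( POSITION pos = GetIterator() ; pos ; )
		{
			GetNext( pos )->Serialize( ar, nVersion );
		}

		// Unimplemented
		//for ( CAddressRuleMap::const_iterator i = m_pIPRules.begin() ; i != m_pIPRules.end() ; ++i )
		//{
		//	(*i).second->Serialize( ar, nVersion );
		//}
	}
	else // Loading
	{
		Clear();

		ar >> nVersion;
		ar >> m_bDenyPolicy;

		const DWORD tNow = static_cast< DWORD >( time( NULL ) );

		for ( DWORD_PTR nCount = ar.ReadCount() ; nCount > 0 ; nCount-- )
		{
			CSecureRule* pRule = new CSecureRule( FALSE );

			try
			{
				pRule->Serialize( ar, nVersion );
			}
			catch ( ... )
			{
				// If reading the rule throws (for example on a truncated archive), free the
				// partly read rule before the exception propagates to the caller.
				delete pRule;
				throw;
			}

			if ( pRule->IsExpired( tNow, TRUE ) )
			{
				delete pRule;
				continue;
			}

			// Special handling for single-IP security rules
			if ( pRule->m_nType == CSecureRule::srAddress &&
				 pRule->m_nAction == CSecureRule::srDeny &&
				*(DWORD*)pRule->m_nMask == 0xffffffff )
			{
				SetAddressMap( *(DWORD*)pRule->m_nIP, SetRuleIndex( pRule ) );
				continue;
			}

			// Content-hash deny rules are indexed by hash instead of being kept in the list
			if ( pRule->m_nType == CSecureRule::srContentHash &&
				 pRule->m_nAction == CSecureRule::srDeny )
			{
				SetHashMap( pRule->GetContentWords(), SetRuleIndex( pRule ) );
				continue;
			}

			if ( pRule->m_nType == CSecureRule::srExternal )
				ListLoader.AddList( pRule );

			m_pRules.AddTail( pRule );
		}
	}
}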
コード例 #8
ファイル: Security.cpp プロジェクト: lemonxiao0/peerproject
// Checks a file against the security rules.
//
// Each hash the file carries is first looked up in the hash map, in the order SHA1,
// Tiger, ED2K, BTH, MD5, skipping any hash type whose map is empty. An indexed rule
// decides if it is srDeny or srAccept. If no indexed rule decides, the ordered rule
// list is walked under m_pSection, purging expired rules on the way.
//
// Returns TRUE to deny, FALSE to accept, m_bDenyPolicy otherwise.
//
// NOTE(review): the hash-map lookups run before m_pSection is taken. Confirm that is intended.
BOOL CSecurity::IsDenied(const CPeerProjectFile* pFile)
{
	if ( pFile->m_oSHA1 && ! m_HashMap[urnSHA].empty() )
	{
		BYTE nSlot = GetHashMap( pFile->m_oSHA1.toUrn() );
		CSecureRule* pIndexed = nSlot ? GetRuleByIndex( nSlot ) : NULL;
		if ( pIndexed )
		{
			pIndexed->m_nToday ++;
			pIndexed->m_nEver ++;
			if ( pIndexed->m_nAction == CSecureRule::srDeny )
				return TRUE;
			if ( pIndexed->m_nAction == CSecureRule::srAccept )
				return FALSE;
		}
	}

	if ( pFile->m_oTiger && ! m_HashMap[urnTiger].empty() )
	{
		BYTE nSlot = GetHashMap( pFile->m_oTiger.toUrn() );
		CSecureRule* pIndexed = nSlot ? GetRuleByIndex( nSlot ) : NULL;
		if ( pIndexed )
		{
			pIndexed->m_nToday ++;
			pIndexed->m_nEver ++;
			if ( pIndexed->m_nAction == CSecureRule::srDeny )
				return TRUE;
			if ( pIndexed->m_nAction == CSecureRule::srAccept )
				return FALSE;
		}
	}

	if ( pFile->m_oED2K && ! m_HashMap[urnED2K].empty() )
	{
		BYTE nSlot = GetHashMap( pFile->m_oED2K.toUrn() );
		CSecureRule* pIndexed = nSlot ? GetRuleByIndex( nSlot ) : NULL;
		if ( pIndexed )
		{
			pIndexed->m_nToday ++;
			pIndexed->m_nEver ++;
			if ( pIndexed->m_nAction == CSecureRule::srDeny )
				return TRUE;
			if ( pIndexed->m_nAction == CSecureRule::srAccept )
				return FALSE;
		}
	}

	if ( pFile->m_oBTH && ! m_HashMap[urnBTH].empty() )
	{
		BYTE nSlot = GetHashMap( pFile->m_oBTH.toUrn() );
		CSecureRule* pIndexed = nSlot ? GetRuleByIndex( nSlot ) : NULL;
		if ( pIndexed )
		{
			pIndexed->m_nToday ++;
			pIndexed->m_nEver ++;
			if ( pIndexed->m_nAction == CSecureRule::srDeny )
				return TRUE;
			if ( pIndexed->m_nAction == CSecureRule::srAccept )
				return FALSE;
		}
	}

	if ( pFile->m_oMD5 && ! m_HashMap[urnMD5].empty() )
	{
		BYTE nSlot = GetHashMap( pFile->m_oMD5.toUrn() );
		CSecureRule* pIndexed = nSlot ? GetRuleByIndex( nSlot ) : NULL;
		if ( pIndexed )
		{
			pIndexed->m_nToday ++;
			pIndexed->m_nEver ++;
			if ( pIndexed->m_nAction == CSecureRule::srDeny )
				return TRUE;
			if ( pIndexed->m_nAction == CSecureRule::srAccept )
				return FALSE;
		}
	}

	// No indexed rule decided: fall back to the ordered rule list
	const DWORD tNow = static_cast< DWORD >( time( NULL ) );

	CQuickLock oLock( m_pSection );

	POSITION posNext = GetIterator();
	while ( posNext )
	{
		POSITION posThis = posNext;
		CSecureRule* pCandidate = GetNext( posNext );

		if ( pCandidate->IsExpired( tNow ) )
		{
			m_pRules.RemoveAt( posThis );
			delete pCandidate;
			continue;
		}

		// Non-regexp name, hash, or size:ext:0000
		if ( ! pCandidate->Match( pFile ) )
			continue;

		pCandidate->m_nToday ++;
		pCandidate->m_nEver ++;

		// A hit on a rule due to expire within 5 minutes pushes its expiry to tNow + 300.
		// Values at or below srSession are left alone (presumably sentinels, confirm).
		const bool bTimed = pCandidate->m_nExpire > CSecureRule::srSession;
		if ( bTimed && pCandidate->m_nExpire < tNow + 300 )
			pCandidate->m_nExpire = tNow + 300;

		if ( pCandidate->m_nAction == CSecureRule::srDeny )
			return TRUE;
		if ( pCandidate->m_nAction == CSecureRule::srAccept )
			return FALSE;
	}

	return m_bDenyPolicy;
}