Feature: sub-connection auth (TOKEN_CONN_AUTH) with HMAC + clientID binding

Client first packet on every sub-connection signs (clientID || timestamp || nonce) and waits for server ack. Server verifies signature and pins clientID on the sub-connection ctx, eliminating IP-reverse-lookup unreliability for NAT/localhost scenarios. Sub-conn coverage: Win 12 sites, Linux/macOS 3-4 each. Main connection keeps existing TOKEN_LOGIN flow unchanged. Includes: - Protocol structs sized to 512/256 bytes with reserved space for future extensions (locale, OS info, session token, etc.) - 5-min timestamp tolerance (Kerberos-grade replay window) - 10-sec client wait for cross-pacific / weak-network tolerance - Fix RemoveFromHostList side-effect ordering: MarkDeviceOffline and m_ActiveWndW.erase now only fire when ctx is actually removed from m_HostList, preventing sub-conn disconnects from misreporting main as offline (regression introduced by auth-set clientID on sub ctx) - Fix latent bug: IOCPClient::m_conn was never assigned in ctor, leaving GetConnectionAddress() always NULL and FileManager V2 transfer's srcClientID always 0 Breaking change: new client cannot use sub-features against old server. New server tolerates legacy clients (no auth). Future tightening can reject unauthenticated sub-connections via IsAuthenticated() flag. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 23:55:34 +02:00
parent 2c5b5ad628
commit ef8165c3b4
11 changed files with 363 additions and 49 deletions
--- a/client/IOCPClient.h
+++ b/client/IOCPClient.h
@@ -32,6 +32,8 @@
 #endif
 #include "IOCPBase.h"
 #include <mutex>
+#include <condition_variable>
+#include <chrono>

 #define MAX_RECV_BUFFER  1024*32
 #define MAX_SEND_BUFFER  1024*128  // 增大分块大小以提高发送效率
@@ -259,6 +261,26 @@ public:
        m_LoginMsg = msg;
        m_LoginSignature = hmac;
    }
+
+    // 子连接身份校验：发 TOKEN_CONN_AUTH 包，等服务端 ConnAuthAck 响应。
+    // 返回 true 表示通过，false 表示超时/失败/网络错误。
+    // 主连接不调用此方法。新客户端必须调用并校验成功后才能继续后续命令。
+    // 已实现的协议扩展（如 KeyBoard 子连接的 cap word）保留不变，与本机制并行工作。
+    bool PerformConnAuth(uint64_t clientID, int timeoutMs);
+
+    // 让 ConnectServer 在每次成功后自动调一次 PerformConnAuth（opt-in）。
+    // 子连接构造后调用此方法启用。
+    //   - clientID == 0：每次 auth 时从 m_conn->clientID 现取（Windows 客户端走此路径）。
+    //     这样即便 IOCPClient 创建时主连接还没拿到 ID，真正连上时也能用到最新值。
+    //   - clientID != 0：显式指定（Linux/macOS 客户端 IOCPClient 不带 m_conn 时用此参数）。
+    void EnableSubConnAuth(bool enabled = true, uint64_t clientID = 0) {
+        m_subConnAuthEnabled = enabled;
+        m_subConnAuthClientID = clientID;
+    }
+
+    // 内部：在收到的数据帧分发到 manager 之前，尝试识别并消费 TOKEN_CONN_AUTH ack。
+    // 仅在我们正在等待 auth 响应时（m_authPending=true）才消费；否则透传给 manager。
+    bool TryHandleAuthResponse(PBYTE buf, ULONG len);
 protected:
    virtual int ReceiveData(char* buffer, int bufSize, int flags)
    {
@@ -285,6 +307,16 @@ protected:
    BOOL				m_bConnected;

    std::mutex          m_Locker;
+
+    // 子连接身份校验同步状态。仅在 PerformConnAuth 调用期间生效。
+    std::mutex                m_authMtx;
+    std::condition_variable   m_authCv;
+    int                       m_authStatus = -1;     // -1 = 未启动；其它 = ConnAuthStatus
+    bool                      m_authPending = false; // true 时 TryHandleAuthResponse 才消费 ack
+
+    // ConnectServer 成功后自动 auth 的 opt-in 标志。子连接构造后调 EnableSubConnAuth() 设为 true。
+    bool                      m_subConnAuthEnabled = false;
+    uint64_t                  m_subConnAuthClientID = 0;  // 0 表示从 m_conn->clientID 现取
 #if USING_CTX
    ZSTD_CCtx*			m_Cctx;						// 压缩上下文
    ZSTD_DCtx*			m_Dctx;						// 解压上下文