1.19 auth support (server side)
This commit is contained in:
Tnze
@ -2,20 +2,22 @@ package auth
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto"
|
||||
"crypto/aes"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/sha1"
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/Tnze/go-mc/data/packetid"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/Tnze/go-mc/data/packetid"
|
||||
"github.com/Tnze/go-mc/net"
|
||||
"github.com/Tnze/go-mc/net/CFB8"
|
||||
pk "github.com/Tnze/go-mc/net/packet"
|
||||
@ -25,7 +27,7 @@ import (
|
||||
const verifyTokenLen = 16
|
||||
|
||||
//Encrypt a connection, with authentication
|
||||
func Encrypt(conn *net.Conn, name string) (*Resp, error) {
|
||||
func Encrypt(conn *net.Conn, name string, profilePubKey *rsa.PublicKey) (*Resp, error) {
|
||||
//generate keys
|
||||
key, err := rsa.GenerateKey(rand.Reader, 1024)
|
||||
if err != nil {
|
||||
@ -38,32 +40,18 @@ func Encrypt(conn *net.Conn, name string) (*Resp, error) {
|
||||
}
|
||||
|
||||
//encryption request
|
||||
VT1, err := encryptionRequest(conn, publicKey)
|
||||
nonce, err := encryptionRequest(conn, publicKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
//encryption response
|
||||
ESharedSecret, EVerifyToken, err := encryptionResponse(conn)
|
||||
SharedSecret, err := encryptionResponse(conn, profilePubKey, nonce, key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
//encryption the connection
|
||||
SharedSecret, err := rsa.DecryptPKCS1v15(rand.Reader, key, ESharedSecret)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
VT2, err := rsa.DecryptPKCS1v15(rand.Reader, key, EVerifyToken)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
//confirm to verify token
|
||||
if !bytes.Equal(VT1, VT2) {
|
||||
return nil, errors.New("verify token not match")
|
||||
}
|
||||
|
||||
block, err := aes.NewCipher(SharedSecret)
|
||||
if err != nil {
|
||||
return nil, errors.New("load aes encryption key fail")
|
||||
@ -71,8 +59,8 @@ func Encrypt(conn *net.Conn, name string) (*Resp, error) {
|
||||
|
||||
conn.SetCipher( //启用加密
|
||||
CFB8.NewCFB8Encrypt(block, SharedSecret),
|
||||
CFB8.NewCFB8Decrypt(block, SharedSecret))
|
||||
|
||||
CFB8.NewCFB8Decrypt(block, SharedSecret),
|
||||
)
|
||||
hash := authDigest("", SharedSecret, publicKey)
|
||||
resp, err := authentication(name, hash) //auth
|
||||
if err != nil {
|
||||
@ -97,22 +85,64 @@ func encryptionRequest(conn *net.Conn, publicKey []byte) ([]byte, error) {
|
||||
return verifyToken[:], err
|
||||
}
|
||||
|
||||
func encryptionResponse(conn *net.Conn) ([]byte, []byte, error) {
|
||||
func encryptionResponse(conn *net.Conn, profilePubKey *rsa.PublicKey, nonce []byte, key *rsa.PrivateKey) ([]byte, error) {
|
||||
var p pk.Packet
|
||||
err := conn.ReadPacket(&p)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
return nil, err
|
||||
}
|
||||
if p.ID != packetid.LoginEncryptionResponse {
|
||||
return nil, nil, fmt.Errorf("0x%02X is not Encryption Response", p.ID)
|
||||
return nil, fmt.Errorf("0x%02X is not Encryption Response", p.ID)
|
||||
}
|
||||
|
||||
var SharedSecret, VerifyToken pk.ByteArray
|
||||
if err = p.Scan(&SharedSecret, &VerifyToken); err != nil {
|
||||
return nil, nil, err
|
||||
r := bytes.NewReader(p.Data)
|
||||
var ESharedSecret pk.ByteArray
|
||||
if _, err = ESharedSecret.ReadFrom(r); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var isNonce pk.Boolean
|
||||
if _, err = isNonce.ReadFrom(r); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if isNonce {
|
||||
var nonce2 pk.ByteArray
|
||||
_, err = nonce2.ReadFrom(r)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
nonce2, err = rsa.DecryptPKCS1v15(rand.Reader, key, nonce2)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !bytes.Equal(nonce, nonce2) {
|
||||
return nil, errors.New("nonce not match")
|
||||
}
|
||||
|
||||
} else {
|
||||
var salt pk.Long
|
||||
var signature pk.ByteArray
|
||||
_, err = pk.Tuple{&salt, &signature}.ReadFrom(r)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
hash := sha256.New()
|
||||
unwrap(hash.Write(nonce))
|
||||
unwrap(salt.WriteTo(hash))
|
||||
err := rsa.VerifyPKCS1v15(profilePubKey, crypto.SHA256, hash.Sum(nil), signature)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
return SharedSecret, VerifyToken, nil
|
||||
//confirm to verify token
|
||||
SharedSecret, err := rsa.DecryptPKCS1v15(rand.Reader, key, ESharedSecret)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return SharedSecret, nil
|
||||
}
|
||||
|
||||
func authentication(name, hash string) (*Resp, error) {
|
||||
@ -178,9 +208,11 @@ func twosComplement(p []byte) []byte {
|
||||
type Resp struct {
|
||||
Name string
|
||||
ID uuid.UUID
|
||||
Properties [1]struct {
|
||||
Name, Value, Signature string
|
||||
}
|
||||
Properties []Property
|
||||
}
|
||||
|
||||
type Property struct {
|
||||
Name, Value, Signature string
|
||||
}
|
||||
|
||||
//Texture includes player's skin and cape
|
||||
|
||||
92
server/auth/validator.go
Normal file
92
server/auth/validator.go
Normal file
@ -0,0 +1,92 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
_ "embed"
|
||||
"encoding/base64"
|
||||
"io"
|
||||
)
|
||||
|
||||
//go:embed yggdrasil_session_pubkey.der
|
||||
var pubKeyBytes []byte
|
||||
var pubKey = unwrap(x509.ParsePKIXPublicKey(pubKeyBytes)).(*rsa.PublicKey)
|
||||
|
||||
// VerifySignature has the same functional as
|
||||
// net.minecraft.world.entity.player.ProfilePublicKey.Data#validateSignature
|
||||
func VerifySignature(profilePubKey, signature []byte) bool {
|
||||
hash := sha256.New()
|
||||
unwrap(hash.Write([]byte("-----BEGIN RSA PRIVATE KEY-----\n")))
|
||||
breaker := lineBreaker{out: hash}
|
||||
enc := base64.NewEncoder(base64.StdEncoding, &breaker)
|
||||
unwrap(enc.Write(profilePubKey))
|
||||
must(enc.Close())
|
||||
must(breaker.Close())
|
||||
unwrap(hash.Write([]byte("\n-----END RSA PRIVATE KEY-----\n")))
|
||||
return rsa.VerifyPKCS1v15(pubKey, crypto.SHA256, hash.Sum(nil), signature) != nil
|
||||
}
|
||||
|
||||
const pemLineLength = 76
|
||||
|
||||
var nl = []byte{'\n'}
|
||||
|
||||
type lineBreaker struct {
|
||||
line [pemLineLength]byte
|
||||
used int
|
||||
out io.Writer
|
||||
}
|
||||
|
||||
func (l *lineBreaker) Write(b []byte) (n int, err error) {
|
||||
if l.used+len(b) < pemLineLength {
|
||||
copy(l.line[l.used:], b)
|
||||
l.used += len(b)
|
||||
return len(b), nil
|
||||
}
|
||||
|
||||
n, err = l.out.Write(l.line[0:l.used])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
excess := pemLineLength - l.used
|
||||
l.used = 0
|
||||
|
||||
n1, err := l.out.Write(b[0:excess])
|
||||
if err != nil {
|
||||
return n + n1, err
|
||||
}
|
||||
|
||||
n2, err := l.out.Write(nl)
|
||||
if err != nil {
|
||||
return n + n1 + n2, err
|
||||
}
|
||||
|
||||
n3, err := l.Write(b[excess:])
|
||||
return n1 + n2 + n3, err
|
||||
}
|
||||
|
||||
func (l *lineBreaker) Close() (err error) {
|
||||
if l.used > 0 {
|
||||
_, err = l.out.Write(l.line[0:l.used])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
_, err = l.out.Write(nl)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func must(err error) {
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
|
||||
func unwrap[T any](v T, err error) T {
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
return v
|
||||
}
|
||||
BIN
server/auth/yggdrasil_session_pubkey.der
Normal file
BIN
server/auth/yggdrasil_session_pubkey.der
Normal file
Binary file not shown.
Reference in New Issue
Block a user