fix server login for 1.19.3
This commit is contained in:
Tnze
@ -2,12 +2,10 @@ package auth
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto"
|
||||
"crypto/aes"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/sha1"
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
@ -27,26 +25,26 @@ import (
|
||||
const verifyTokenLen = 16
|
||||
|
||||
// Encrypt a connection, with authentication
|
||||
func Encrypt(conn *net.Conn, name string, profilePubKey *rsa.PublicKey) (*Resp, error) {
|
||||
// generate keys
|
||||
key, err := rsa.GenerateKey(rand.Reader, 1024)
|
||||
func Encrypt(conn *net.Conn, name string, serverKey *rsa.PrivateKey) (*Resp, error) {
|
||||
publicKey, err := x509.MarshalPKIXPublicKey(&serverKey.PublicKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
publicKey, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
|
||||
verifyToken := make([]byte, verifyTokenLen)
|
||||
_, err = rand.Read(verifyToken)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// encryption request
|
||||
nonce, err := encryptionRequest(conn, publicKey)
|
||||
err = encryptionRequest(conn, publicKey, verifyToken)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// encryption response
|
||||
SharedSecret, err := encryptionResponse(conn, profilePubKey, nonce, key)
|
||||
SharedSecret, err := encryptionResponse(conn, serverKey, verifyToken)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -70,22 +68,16 @@ func Encrypt(conn *net.Conn, name string, profilePubKey *rsa.PublicKey) (*Resp,
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func encryptionRequest(conn *net.Conn, publicKey []byte) ([]byte, error) {
|
||||
var verifyToken [verifyTokenLen]byte
|
||||
_, err := rand.Read(verifyToken[:])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
err = conn.WritePacket(pk.Marshal(
|
||||
func encryptionRequest(conn *net.Conn, publicKey, verifyToken []byte) error {
|
||||
return conn.WritePacket(pk.Marshal(
|
||||
packetid.LoginEncryptionRequest,
|
||||
pk.String(""),
|
||||
pk.ByteArray(publicKey),
|
||||
pk.ByteArray(verifyToken[:]),
|
||||
pk.ByteArray(verifyToken),
|
||||
))
|
||||
return verifyToken[:], err
|
||||
}
|
||||
|
||||
func encryptionResponse(conn *net.Conn, profilePubKey *rsa.PublicKey, nonce []byte, key *rsa.PrivateKey) ([]byte, error) {
|
||||
func encryptionResponse(conn *net.Conn, serverKey *rsa.PrivateKey, verifyToken []byte) ([]byte, error) {
|
||||
var p pk.Packet
|
||||
err := conn.ReadPacket(&p)
|
||||
if err != nil {
|
||||
@ -95,54 +87,29 @@ func encryptionResponse(conn *net.Conn, profilePubKey *rsa.PublicKey, nonce []by
|
||||
return nil, fmt.Errorf("0x%02X is not Encryption Response", p.ID)
|
||||
}
|
||||
|
||||
r := bytes.NewReader(p.Data)
|
||||
var ESharedSecret pk.ByteArray
|
||||
if _, err = ESharedSecret.ReadFrom(r); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var isNonce pk.Boolean
|
||||
if _, err = isNonce.ReadFrom(r); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if isNonce {
|
||||
var nonce2 pk.ByteArray
|
||||
_, err = nonce2.ReadFrom(r)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var keyBytes pk.ByteArray
|
||||
var encryptedVerifyToken pk.ByteArray
|
||||
|
||||
nonce2, err = rsa.DecryptPKCS1v15(rand.Reader, key, nonce2)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !bytes.Equal(nonce, nonce2) {
|
||||
return nil, errors.New("nonce not match")
|
||||
}
|
||||
|
||||
} else {
|
||||
var salt pk.Long
|
||||
var signature pk.ByteArray
|
||||
_, err = pk.Tuple{&salt, &signature}.ReadFrom(r)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
hash := sha256.New()
|
||||
unwrap(hash.Write(nonce))
|
||||
unwrap(salt.WriteTo(hash))
|
||||
err := rsa.VerifyPKCS1v15(profilePubKey, crypto.SHA256, hash.Sum(nil), signature)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
// confirm to verify token
|
||||
SharedSecret, err := rsa.DecryptPKCS1v15(rand.Reader, key, ESharedSecret)
|
||||
err = p.Scan(&keyBytes, &encryptedVerifyToken)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return SharedSecret, nil
|
||||
// confirm to verify token
|
||||
decryptedVerifyToken, err := rsa.DecryptPKCS1v15(rand.Reader, serverKey, encryptedVerifyToken)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
} else if !bytes.Equal(verifyToken, decryptedVerifyToken) {
|
||||
return nil, errors.New("verifyToken not match")
|
||||
}
|
||||
|
||||
// get sharedSecret
|
||||
sharedSecret, err := rsa.DecryptPKCS1v15(rand.Reader, serverKey, keyBytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return sharedSecret, nil
|
||||
}
|
||||
|
||||
func authentication(name, hash string) (*Resp, error) {
|
||||
|
||||
@ -1,7 +1,11 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"fmt"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
|
||||
"github.com/Tnze/go-mc/chat"
|
||||
"github.com/Tnze/go-mc/data/packetid"
|
||||
@ -48,8 +52,40 @@ type MojangLoginHandler struct {
|
||||
// (e.g. blacklist or is server full).
|
||||
// This is optional field and can be set to nil.
|
||||
LoginChecker
|
||||
|
||||
// PrivateKey is the key used by encrypt the connection.
|
||||
privateKey atomic.Pointer[rsa.PrivateKey]
|
||||
lockPrivateKey sync.Mutex
|
||||
}
|
||||
|
||||
func (d *MojangLoginHandler) getPrivateKey() (key *rsa.PrivateKey, err error) {
|
||||
key = d.privateKey.Load()
|
||||
if key != nil {
|
||||
return
|
||||
}
|
||||
|
||||
d.lockPrivateKey.Lock()
|
||||
defer d.lockPrivateKey.Unlock()
|
||||
|
||||
key = d.privateKey.Load()
|
||||
if key == nil {
|
||||
key, err = rsa.GenerateKey(rand.Reader, 1024)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
d.privateKey.Store(key)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
/*
|
||||
var verifyToken [verifyTokenLen]byte
|
||||
_, err := rand.Read(verifyToken[:])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
*/
|
||||
|
||||
// AcceptLogin implement LoginHandler for MojangLoginHandler
|
||||
func (d *MojangLoginHandler) AcceptLogin(conn *net.Conn, protocol int32) (name string, id uuid.UUID, profilePubKey *auth.PublicKey, properties []auth.Property, err error) {
|
||||
// login start
|
||||
@ -63,14 +99,9 @@ func (d *MojangLoginHandler) AcceptLogin(conn *net.Conn, protocol int32) (name s
|
||||
return
|
||||
}
|
||||
|
||||
var (
|
||||
pubKey pk.Option[auth.PublicKey, *auth.PublicKey]
|
||||
profileUUID pk.Option[pk.UUID, *pk.UUID] // ignored
|
||||
)
|
||||
err = p.Scan(
|
||||
(*pk.String)(&name), // decode username as pk.String
|
||||
&pubKey,
|
||||
&profileUUID,
|
||||
(*pk.UUID)(&id),
|
||||
)
|
||||
if err != nil {
|
||||
return
|
||||
@ -78,20 +109,14 @@ func (d *MojangLoginHandler) AcceptLogin(conn *net.Conn, protocol int32) (name s
|
||||
|
||||
// auth
|
||||
if d.OnlineMode {
|
||||
if pubKey.Has {
|
||||
if !pubKey.Val.Verify() {
|
||||
err = LoginFailErr{reason: chat.TranslateMsg("multiplayer.disconnect.invalid_public_key_signature")}
|
||||
return
|
||||
}
|
||||
profilePubKey = &pubKey.Val
|
||||
} else if d.EnforceSecureProfile {
|
||||
err = LoginFailErr{reason: chat.TranslateMsg("multiplayer.disconnect.missing_public_key")}
|
||||
var serverKey *rsa.PrivateKey
|
||||
serverKey, err = d.getPrivateKey()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
var resp *auth.Resp
|
||||
// Auth, Encrypt
|
||||
resp, err = auth.Encrypt(conn, name, pubKey.Val.PubKey)
|
||||
resp, err = auth.Encrypt(conn, name, serverKey)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user