falloutBot/go-mc
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix server login for 1.19.3

Browse Source
This commit is contained in:
Tnze
2022-12-12 23:48:26 +08:00
parent ecc06204c1
commit 8445fb63cd
3 changed files with 70 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
net/packet/util.go
View File

@ -256,7 +256,7 @@ func (t Tuple) ReadFrom(r io.Reader) (n int64, err error) {
for i, v := range t { for i, v := range t {
nn, err := v.(FieldDecoder).ReadFrom(r) nn, err := v.(FieldDecoder).ReadFrom(r)
if err != nil { if err != nil {
return n, fmt.Errorf("decode tuple[%d] error: %w", i, err) return n, fmt.Errorf("decode tuple[%d] %T error: %w", i, v, err)
} }
n += nn n += nn
} }

89
server/auth/auth.go
View File

@ -2,12 +2,10 @@ package auth
import ( import (
"bytes" "bytes"
"crypto"
"crypto/aes" "crypto/aes"
"crypto/rand" "crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/sha1" "crypto/sha1"
"crypto/sha256"
"crypto/x509" "crypto/x509"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
@ -27,26 +25,26 @@ import (
const verifyTokenLen = 16 const verifyTokenLen = 16
// Encrypt a connection, with authentication // Encrypt a connection, with authentication
func Encrypt(conn *net.Conn, name string, profilePubKey *rsa.PublicKey) (*Resp, error) { func Encrypt(conn *net.Conn, name string, serverKey *rsa.PrivateKey) (*Resp, error) {
// generate keys publicKey, err := x509.MarshalPKIXPublicKey(&serverKey.PublicKey)
key, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil { if err != nil {
return nil, err return nil, err
} }
publicKey, err := x509.MarshalPKIXPublicKey(&key.PublicKey) verifyToken := make([]byte, verifyTokenLen)
_, err = rand.Read(verifyToken)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// encryption request // encryption request
nonce, err := encryptionRequest(conn, publicKey) err = encryptionRequest(conn, publicKey, verifyToken)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// encryption response // encryption response
SharedSecret, err := encryptionResponse(conn, profilePubKey, nonce, key) SharedSecret, err := encryptionResponse(conn, serverKey, verifyToken)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -70,22 +68,16 @@ func Encrypt(conn *net.Conn, name string, profilePubKey *rsa.PublicKey) (*Resp,
return resp, nil return resp, nil
} }
func encryptionRequest(conn *net.Conn, publicKey []byte) ([]byte, error) { func encryptionRequest(conn *net.Conn, publicKey, verifyToken []byte) error {
var verifyToken [verifyTokenLen]byte return conn.WritePacket(pk.Marshal(
_, err := rand.Read(verifyToken[:])
if err != nil {
return nil, err
}
err = conn.WritePacket(pk.Marshal(
packetid.LoginEncryptionRequest, packetid.LoginEncryptionRequest,
pk.String(""), pk.String(""),
pk.ByteArray(publicKey), pk.ByteArray(publicKey),
pk.ByteArray(verifyToken[:]), pk.ByteArray(verifyToken),
)) ))
return verifyToken[:], err
} }
func encryptionResponse(conn *net.Conn, profilePubKey *rsa.PublicKey, nonce []byte, key *rsa.PrivateKey) ([]byte, error) { func encryptionResponse(conn *net.Conn, serverKey *rsa.PrivateKey, verifyToken []byte) ([]byte, error) {
var p pk.Packet var p pk.Packet
err := conn.ReadPacket(&p) err := conn.ReadPacket(&p)
if err != nil { if err != nil {
@ -95,54 +87,29 @@ func encryptionResponse(conn *net.Conn, profilePubKey *rsa.PublicKey, nonce []by
return nil, fmt.Errorf("0x%02X is not Encryption Response", p.ID) return nil, fmt.Errorf("0x%02X is not Encryption Response", p.ID)
} }
r := bytes.NewReader(p.Data) var keyBytes pk.ByteArray
var ESharedSecret pk.ByteArray var encryptedVerifyToken pk.ByteArray
if _, err = ESharedSecret.ReadFrom(r); err != nil {
return nil, err
}
var isNonce pk.Boolean
if _, err = isNonce.ReadFrom(r); err != nil {
return nil, err
}
if isNonce {
var nonce2 pk.ByteArray
_, err = nonce2.ReadFrom(r)
if err != nil {
return nil, err
}
nonce2, err = rsa.DecryptPKCS1v15(rand.Reader, key, nonce2) err = p.Scan(&keyBytes, &encryptedVerifyToken)
if err != nil {
return nil, err
}
if !bytes.Equal(nonce, nonce2) {
return nil, errors.New("nonce not match")
}
} else {
var salt pk.Long
var signature pk.ByteArray
_, err = pk.Tuple{&salt, &signature}.ReadFrom(r)
if err != nil {
return nil, err
}
hash := sha256.New()
unwrap(hash.Write(nonce))
unwrap(salt.WriteTo(hash))
err := rsa.VerifyPKCS1v15(profilePubKey, crypto.SHA256, hash.Sum(nil), signature)
if err != nil {
return nil, err
}
}
// confirm to verify token
SharedSecret, err := rsa.DecryptPKCS1v15(rand.Reader, key, ESharedSecret)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return SharedSecret, nil // confirm to verify token
decryptedVerifyToken, err := rsa.DecryptPKCS1v15(rand.Reader, serverKey, encryptedVerifyToken)
if err != nil {
return nil, err
} else if !bytes.Equal(verifyToken, decryptedVerifyToken) {
return nil, errors.New("verifyToken not match")
}
// get sharedSecret
sharedSecret, err := rsa.DecryptPKCS1v15(rand.Reader, serverKey, keyBytes)
if err != nil {
return nil, err
}
return sharedSecret, nil
} }
func authentication(name, hash string) (*Resp, error) { func authentication(name, hash string) (*Resp, error) {

57
server/login.go
View File

@ -1,7 +1,11 @@
package server package server
import ( import (
"crypto/rand"
"crypto/rsa"
"fmt" "fmt"
"sync"
"sync/atomic"
"github.com/Tnze/go-mc/chat" "github.com/Tnze/go-mc/chat"
"github.com/Tnze/go-mc/data/packetid" "github.com/Tnze/go-mc/data/packetid"
@ -48,8 +52,40 @@ type MojangLoginHandler struct {
// (e.g. blacklist or is server full). // (e.g. blacklist or is server full).
// This is optional field and can be set to nil. // This is optional field and can be set to nil.
LoginChecker LoginChecker
// PrivateKey is the key used by encrypt the connection.
privateKey atomic.Pointer[rsa.PrivateKey]
lockPrivateKey sync.Mutex
} }
func (d *MojangLoginHandler) getPrivateKey() (key *rsa.PrivateKey, err error) {
key = d.privateKey.Load()
if key != nil {
return
}
d.lockPrivateKey.Lock()
defer d.lockPrivateKey.Unlock()
key = d.privateKey.Load()
if key == nil {
key, err = rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
return
}
d.privateKey.Store(key)
}
return
}
/*
var verifyToken [verifyTokenLen]byte
_, err := rand.Read(verifyToken[:])
if err != nil {
return nil, err
}
*/
// AcceptLogin implement LoginHandler for MojangLoginHandler // AcceptLogin implement LoginHandler for MojangLoginHandler
func (d *MojangLoginHandler) AcceptLogin(conn *net.Conn, protocol int32) (name string, id uuid.UUID, profilePubKey *auth.PublicKey, properties []auth.Property, err error) { func (d *MojangLoginHandler) AcceptLogin(conn *net.Conn, protocol int32) (name string, id uuid.UUID, profilePubKey *auth.PublicKey, properties []auth.Property, err error) {
// login start // login start
@ -63,14 +99,9 @@ func (d *MojangLoginHandler) AcceptLogin(conn *net.Conn, protocol int32) (name s
return return
} }
var (
pubKey pk.Option[auth.PublicKey, *auth.PublicKey]
profileUUID pk.Option[pk.UUID, *pk.UUID] // ignored
)
err = p.Scan( err = p.Scan(
(*pk.String)(&name), // decode username as pk.String (*pk.String)(&name), // decode username as pk.String
&pubKey, (*pk.UUID)(&id),
&profileUUID,
) )
if err != nil { if err != nil {
return return
@ -78,20 +109,14 @@ func (d *MojangLoginHandler) AcceptLogin(conn *net.Conn, protocol int32) (name s
// auth // auth
if d.OnlineMode { if d.OnlineMode {
if pubKey.Has { var serverKey *rsa.PrivateKey
if !pubKey.Val.Verify() { serverKey, err = d.getPrivateKey()
err = LoginFailErr{reason: chat.TranslateMsg("multiplayer.disconnect.invalid_public_key_signature")} if err != nil {
return
}
profilePubKey = &pubKey.Val
} else if d.EnforceSecureProfile {
err = LoginFailErr{reason: chat.TranslateMsg("multiplayer.disconnect.missing_public_key")}
return return
} }
var resp *auth.Resp var resp *auth.Resp
// Auth, Encrypt // Auth, Encrypt
resp, err = auth.Encrypt(conn, name, pubKey.Val.PubKey) resp, err = auth.Encrypt(conn, name, serverKey)
if err != nil { if err != nil {
return return
} }