mirror of
https://github.com/pmmp/PocketMine-MP.git
synced 2025-05-12 16:59:44 +00:00
Split ProcessLoginTask into two tasks: 1) verify, 2) server handshake
This commit is contained in:
Dylan K. Taylor
parent
193a41566d
commit
0e4966dfdf
@ -23,6 +23,7 @@ declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe;
|
||||
|
||||
use Mdanter\Ecc\Crypto\Key\PublicKeyInterface;
|
||||
use pocketmine\entity\effect\EffectInstance;
|
||||
use pocketmine\entity\Human;
|
||||
use pocketmine\entity\Living;
|
||||
@ -522,7 +523,10 @@ class NetworkSession{
|
||||
}, $reason);
|
||||
}
|
||||
|
||||
public function setAuthenticationStatus(bool $authenticated, bool $authRequired, ?string $error) : bool{
|
||||
public function setAuthenticationStatus(bool $authenticated, bool $authRequired, ?string $error, PublicKeyInterface $clientPubKey) : void{
|
||||
if(!$this->connected){
|
||||
return;
|
||||
}
|
||||
if($authenticated and $this->info->getXuid() === ""){
|
||||
$error = "Expected XUID but none found";
|
||||
}
|
||||
@ -530,7 +534,7 @@ class NetworkSession{
|
||||
if($error !== null){
|
||||
$this->disconnect($this->server->getLanguage()->translateString("pocketmine.disconnect.invalidSession", [$error]));
|
||||
|
||||
return false;
|
||||
return;
|
||||
}
|
||||
|
||||
$this->authenticated = $authenticated;
|
||||
@ -538,7 +542,7 @@ class NetworkSession{
|
||||
if(!$this->authenticated){
|
||||
if($authRequired){
|
||||
$this->disconnect("disconnectionScreen.notAuthenticated");
|
||||
return false;
|
||||
return;
|
||||
}
|
||||
|
||||
if($this->info->getXuid() !== ""){
|
||||
@ -547,10 +551,19 @@ class NetworkSession{
|
||||
}
|
||||
$this->logger->debug("Xbox Live authenticated: " . ($this->authenticated ? "YES" : "NO"));
|
||||
|
||||
return $this->manager->kickDuplicates($this);
|
||||
if($this->manager->kickDuplicates($this)){
|
||||
if(NetworkCipher::$ENABLED){
|
||||
$this->server->getAsyncPool()->submitTask(new PrepareEncryptionTask($this, $clientPubKey));
|
||||
}else{
|
||||
$this->onLoginSuccess();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function enableEncryption(string $encryptionKey, string $handshakeJwt) : void{
|
||||
if(!$this->connected){
|
||||
return;
|
||||
}
|
||||
$this->sendDataPacket(ServerToClientHandshakePacket::create($handshakeJwt), true); //make sure this gets sent before encryption is enabled
|
||||
|
||||
$this->cipher = new NetworkCipher($encryptionKey);
|
||||
|
||||
111
src/pocketmine/network/mcpe/PrepareEncryptionTask.php
Normal file
111
src/pocketmine/network/mcpe/PrepareEncryptionTask.php
Normal file
@ -0,0 +1,111 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
*
|
||||
* ____ _ _ __ __ _ __ __ ____
|
||||
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
|
||||
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
|
||||
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
|
||||
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* @author PocketMine Team
|
||||
* @link http://www.pocketmine.net/
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe;
|
||||
|
||||
use Mdanter\Ecc\Crypto\Key\PrivateKeyInterface;
|
||||
use Mdanter\Ecc\Crypto\Key\PublicKeyInterface;
|
||||
use Mdanter\Ecc\EccFactory;
|
||||
use Mdanter\Ecc\Serializer\PrivateKey\DerPrivateKeySerializer;
|
||||
use Mdanter\Ecc\Serializer\PrivateKey\PemPrivateKeySerializer;
|
||||
use Mdanter\Ecc\Serializer\PublicKey\DerPublicKeySerializer;
|
||||
use Mdanter\Ecc\Serializer\Signature\DerSignatureSerializer;
|
||||
use pocketmine\scheduler\AsyncTask;
|
||||
use function base64_encode;
|
||||
use function gmp_strval;
|
||||
use function hex2bin;
|
||||
use function json_encode;
|
||||
use function openssl_digest;
|
||||
use function openssl_sign;
|
||||
use function rtrim;
|
||||
use function str_pad;
|
||||
use const OPENSSL_ALGO_SHA384;
|
||||
use const STR_PAD_LEFT;
|
||||
|
||||
class PrepareEncryptionTask extends AsyncTask{
|
||||
|
||||
private const TLS_KEY_SESSION = "session";
|
||||
|
||||
/** @var PrivateKeyInterface|null */
|
||||
private static $SERVER_PRIVATE_KEY = null;
|
||||
|
||||
/** @var PrivateKeyInterface|null */
|
||||
private $serverPrivateKey = null;
|
||||
|
||||
/** @var string|null */
|
||||
private $aesKey = null;
|
||||
/** @var string|null */
|
||||
private $handshakeJwt = null;
|
||||
/** @var PublicKeyInterface */
|
||||
private $clientPub;
|
||||
|
||||
public function __construct(NetworkSession $session, PublicKeyInterface $clientPub){
|
||||
if(self::$SERVER_PRIVATE_KEY === null){
|
||||
self::$SERVER_PRIVATE_KEY = EccFactory::getNistCurves()->generator384()->createPrivateKey();
|
||||
}
|
||||
|
||||
$this->serverPrivateKey = self::$SERVER_PRIVATE_KEY;
|
||||
$this->clientPub = $clientPub;
|
||||
$this->storeLocal(self::TLS_KEY_SESSION, $session);
|
||||
}
|
||||
|
||||
public function onRun() : void{
|
||||
$serverPriv = $this->serverPrivateKey;
|
||||
$salt = random_bytes(16);
|
||||
$sharedSecret = $serverPriv->createExchange($this->clientPub)->calculateSharedKey();
|
||||
|
||||
$this->aesKey = openssl_digest($salt . hex2bin(str_pad(gmp_strval($sharedSecret, 16), 96, "0", STR_PAD_LEFT)), 'sha256', true);
|
||||
$this->handshakeJwt = $this->generateServerHandshakeJwt($serverPriv, $salt);
|
||||
}
|
||||
|
||||
private function generateServerHandshakeJwt(PrivateKeyInterface $serverPriv, string $salt) : string{
|
||||
$jwtBody = self::b64UrlEncode(json_encode([
|
||||
"x5u" => base64_encode((new DerPublicKeySerializer())->serialize($serverPriv->getPublicKey())),
|
||||
"alg" => "ES384"
|
||||
])
|
||||
) . "." . self::b64UrlEncode(json_encode([
|
||||
"salt" => base64_encode($salt)
|
||||
])
|
||||
);
|
||||
|
||||
openssl_sign($jwtBody, $sig, (new PemPrivateKeySerializer(new DerPrivateKeySerializer()))->serialize($serverPriv), OPENSSL_ALGO_SHA384);
|
||||
|
||||
$decodedSig = (new DerSignatureSerializer())->parse($sig);
|
||||
$jwtSig = self::b64UrlEncode(
|
||||
hex2bin(str_pad(gmp_strval($decodedSig->getR(), 16), 96, "0", STR_PAD_LEFT)) .
|
||||
hex2bin(str_pad(gmp_strval($decodedSig->getS(), 16), 96, "0", STR_PAD_LEFT))
|
||||
);
|
||||
|
||||
return "$jwtBody.$jwtSig";
|
||||
}
|
||||
|
||||
private static function b64UrlEncode(string $str) : string{
|
||||
return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
|
||||
}
|
||||
|
||||
public function onCompletion() : void{
|
||||
/** @var NetworkSession $session */
|
||||
$session = $this->fetchLocal(self::TLS_KEY_SESSION);
|
||||
$session->enableEncryption($this->aesKey, $this->handshakeJwt);
|
||||
}
|
||||
}
|
||||
@ -23,12 +23,8 @@ declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe;
|
||||
|
||||
use Mdanter\Ecc\Crypto\Key\PrivateKeyInterface;
|
||||
use Mdanter\Ecc\Crypto\Key\PublicKeyInterface;
|
||||
use Mdanter\Ecc\Crypto\Signature\Signature;
|
||||
use Mdanter\Ecc\EccFactory;
|
||||
use Mdanter\Ecc\Serializer\PrivateKey\DerPrivateKeySerializer;
|
||||
use Mdanter\Ecc\Serializer\PrivateKey\PemPrivateKeySerializer;
|
||||
use Mdanter\Ecc\Serializer\PublicKey\DerPublicKeySerializer;
|
||||
use Mdanter\Ecc\Serializer\PublicKey\PemPublicKeySerializer;
|
||||
use Mdanter\Ecc\Serializer\Signature\DerSignatureSerializer;
|
||||
@ -36,26 +32,16 @@ use pocketmine\network\mcpe\protocol\LoginPacket;
|
||||
use pocketmine\scheduler\AsyncTask;
|
||||
use function assert;
|
||||
use function base64_decode;
|
||||
use function base64_encode;
|
||||
use function bin2hex;
|
||||
use function explode;
|
||||
use function gmp_init;
|
||||
use function gmp_strval;
|
||||
use function hex2bin;
|
||||
use function json_decode;
|
||||
use function json_encode;
|
||||
use function openssl_digest;
|
||||
use function openssl_sign;
|
||||
use function openssl_verify;
|
||||
use function random_bytes;
|
||||
use function rtrim;
|
||||
use function str_pad;
|
||||
use function str_repeat;
|
||||
use function str_split;
|
||||
use function strlen;
|
||||
use function time;
|
||||
use const OPENSSL_ALGO_SHA384;
|
||||
use const STR_PAD_LEFT;
|
||||
|
||||
class ProcessLoginTask extends AsyncTask{
|
||||
private const TLS_KEY_SESSION = "session";
|
||||
@ -64,9 +50,6 @@ class ProcessLoginTask extends AsyncTask{
|
||||
|
||||
private const CLOCK_DRIFT_MAX = 60;
|
||||
|
||||
/** @var PrivateKeyInterface|null */
|
||||
private static $SERVER_PRIVATE_KEY = null;
|
||||
|
||||
/** @var LoginPacket */
|
||||
private $packet;
|
||||
|
||||
@ -86,52 +69,22 @@ class ProcessLoginTask extends AsyncTask{
|
||||
/** @var bool */
|
||||
private $authRequired;
|
||||
|
||||
/**
|
||||
* @var bool
|
||||
* Whether or not to enable encryption for the session that sent this login.
|
||||
*/
|
||||
private $useEncryption = true;
|
||||
/** @var PublicKeyInterface|null */
|
||||
private $clientPublicKey = null;
|
||||
|
||||
/** @var PrivateKeyInterface|null */
|
||||
private $serverPrivateKey = null;
|
||||
|
||||
/** @var string|null */
|
||||
private $aesKey = null;
|
||||
/** @var string|null */
|
||||
private $handshakeJwt = null;
|
||||
|
||||
public function __construct(NetworkSession $session, LoginPacket $packet, bool $authRequired, bool $useEncryption = true){
|
||||
public function __construct(NetworkSession $session, LoginPacket $packet, bool $authRequired){
|
||||
$this->storeLocal(self::TLS_KEY_SESSION, $session);
|
||||
$this->packet = $packet;
|
||||
$this->authRequired = $authRequired;
|
||||
$this->useEncryption = $useEncryption;
|
||||
if($useEncryption){
|
||||
if(self::$SERVER_PRIVATE_KEY === null){
|
||||
self::$SERVER_PRIVATE_KEY = EccFactory::getNistCurves()->generator384()->createPrivateKey();
|
||||
}
|
||||
|
||||
$this->serverPrivateKey = self::$SERVER_PRIVATE_KEY;
|
||||
}
|
||||
}
|
||||
|
||||
public function onRun() : void{
|
||||
try{
|
||||
$clientPub = $this->validateChain();
|
||||
$this->clientPublicKey = $this->validateChain();
|
||||
$this->error = null;
|
||||
}catch(VerifyLoginException $e){
|
||||
$this->error = $e->getMessage();
|
||||
return;
|
||||
}
|
||||
|
||||
if($this->useEncryption){
|
||||
$serverPriv = $this->serverPrivateKey;
|
||||
$salt = random_bytes(16);
|
||||
$sharedSecret = $serverPriv->createExchange($clientPub)->calculateSharedKey();
|
||||
|
||||
$this->aesKey = openssl_digest($salt . hex2bin(str_pad(gmp_strval($sharedSecret, 16), 96, "0", STR_PAD_LEFT)), 'sha256', true);
|
||||
$this->handshakeJwt = $this->generateServerHandshakeJwt($serverPriv, $salt);
|
||||
}
|
||||
|
||||
$this->error = null;
|
||||
}
|
||||
|
||||
private function validateChain() : PublicKeyInterface{
|
||||
@ -210,27 +163,6 @@ class ProcessLoginTask extends AsyncTask{
|
||||
$currentPublicKey = $claims["identityPublicKey"] ?? null; //if there are further links, the next link should be signed with this
|
||||
}
|
||||
|
||||
private function generateServerHandshakeJwt(PrivateKeyInterface $serverPriv, string $salt) : string{
|
||||
$jwtBody = self::b64UrlEncode(json_encode([
|
||||
"x5u" => base64_encode((new DerPublicKeySerializer())->serialize($serverPriv->getPublicKey())),
|
||||
"alg" => "ES384"
|
||||
])
|
||||
) . "." . self::b64UrlEncode(json_encode([
|
||||
"salt" => base64_encode($salt)
|
||||
])
|
||||
);
|
||||
|
||||
openssl_sign($jwtBody, $sig, (new PemPrivateKeySerializer(new DerPrivateKeySerializer()))->serialize($serverPriv), OPENSSL_ALGO_SHA384);
|
||||
|
||||
$decodedSig = (new DerSignatureSerializer())->parse($sig);
|
||||
$jwtSig = self::b64UrlEncode(
|
||||
hex2bin(str_pad(gmp_strval($decodedSig->getR(), 16), 96, "0", STR_PAD_LEFT)) .
|
||||
hex2bin(str_pad(gmp_strval($decodedSig->getS(), 16), 96, "0", STR_PAD_LEFT))
|
||||
);
|
||||
|
||||
return "$jwtBody.$jwtSig";
|
||||
}
|
||||
|
||||
private static function b64UrlDecode(string $str) : string{
|
||||
if(($len = strlen($str) % 4) !== 0){
|
||||
$str .= str_repeat('=', 4 - $len);
|
||||
@ -238,21 +170,9 @@ class ProcessLoginTask extends AsyncTask{
|
||||
return base64_decode(strtr($str, '-_', '+/'), true);
|
||||
}
|
||||
|
||||
private static function b64UrlEncode(string $str) : string{
|
||||
return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
|
||||
}
|
||||
|
||||
public function onCompletion() : void{
|
||||
/** @var NetworkSession $session */
|
||||
$session = $this->fetchLocal(self::TLS_KEY_SESSION);
|
||||
if(!$session->isConnected()){
|
||||
$session->getLogger()->debug("Disconnected before login could be verified");
|
||||
}elseif($session->setAuthenticationStatus($this->authenticated, $this->authRequired, $this->error)){
|
||||
if(!$this->useEncryption){
|
||||
$session->onLoginSuccess();
|
||||
}else{
|
||||
$session->enableEncryption($this->aesKey, $this->handshakeJwt);
|
||||
}
|
||||
}
|
||||
$session->setAuthenticationStatus($this->authenticated, $this->authRequired, $this->error, $this->clientPublicKey);
|
||||
}
|
||||
}
|
||||
|
||||
@ -25,7 +25,6 @@ namespace pocketmine\network\mcpe\handler;
|
||||
|
||||
use pocketmine\entity\Skin;
|
||||
use pocketmine\event\player\PlayerPreLoginEvent;
|
||||
use pocketmine\network\mcpe\NetworkCipher;
|
||||
use pocketmine\network\mcpe\NetworkSession;
|
||||
use pocketmine\network\mcpe\ProcessLoginTask;
|
||||
use pocketmine\network\mcpe\protocol\LoginPacket;
|
||||
@ -133,7 +132,7 @@ class LoginPacketHandler extends PacketHandler{
|
||||
* @throws \InvalidArgumentException
|
||||
*/
|
||||
protected function processLogin(LoginPacket $packet, bool $authRequired) : void{
|
||||
$this->server->getAsyncPool()->submitTask(new ProcessLoginTask($this->session, $packet, $authRequired, NetworkCipher::$ENABLED));
|
||||
$this->server->getAsyncPool()->submitTask(new ProcessLoginTask($this->session, $packet, $authRequired));
|
||||
$this->session->setHandler(NullPacketHandler::getInstance()); //drop packets received during login verification
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user