mirrors/PocketMine-MP
1
0
Fork 0
mirror of https://github.com/pmmp/PocketMine-MP.git synced 2025-04-20 16:00:20 +00:00
Code Issues Projects Releases Wiki Activity

Implemented network encryption (#2343)

Browse Source 
For those who fuss about performance, you can disable the `network.enable-encryption` option to use sessions without encryption.
This commit is contained in:
Dylan K. Taylor 2018-07-31 15:54:18 +01:00 committed by GitHub
parent 62cb7963dc
commit 2bf6764112
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 556 additions and 176 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.travis.yml
View File

@ -6,6 +6,7 @@ php:
before_script:
# - pecl install channel://pecl.php.net/pthreads-3.1.6
- echo | pecl install channel://pecl.php.net/yaml-2.0.2
- pecl install channel://pecl.php.net/crypto-0.3.1
- git clone https://github.com/pmmp/pthreads.git
- cd pthreads
- git checkout c8cfacda84f21032d6014b53e72bf345ac901dac

3
composer.json
View File

@ -9,8 +9,10 @@
"php-64bit": "*",
"ext-bcmath": "*",
"ext-curl": "*",
"ext-crypto": "^0.3.1",
"ext-ctype": "*",
"ext-date": "*",
"ext-gmp": "*",
"ext-hash": "*",
"ext-json": "*",
"ext-mbstring": "*",
@ -24,6 +26,7 @@
"ext-yaml": ">=2.0.0",
"ext-zip": "*",
"ext-zlib": ">=1.2.11",
"mdanter/ecc": "^0.5.0",
"pocketmine/raklib": "^0.12.0",
"pocketmine/spl": "^0.3.0",
"pocketmine/binaryutils": "^0.1.0",

145
composer.lock generated
View File

@ -4,8 +4,149 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "2670b9e2a730ff758909be8b9e9d609a",
"content-hash": "85fe0f9aca77848b0f753dbc28815c79",
"packages": [
{
"name": "fgrosse/phpasn1",
"version": "2.0.1",
"source": {
"type": "git",
"url": "https://github.com/fgrosse/PHPASN1.git",
"reference": "0e27e71e3d0a8d5c3f1471d727fd9574d920f33c"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/fgrosse/PHPASN1/zipball/0e27e71e3d0a8d5c3f1471d727fd9574d920f33c",
"reference": "0e27e71e3d0a8d5c3f1471d727fd9574d920f33c",
"shasum": ""
},
"require": {
"ext-gmp": "*",
"php": ">=7.0.0"
},
"require-dev": {
"phpunit/phpunit": "~6.3",
"satooshi/php-coveralls": "dev-master"
},
"suggest": {
"php-curl": "For loading OID information from the web if they have not bee defined statically"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "2.0.x-dev"
}
},
"autoload": {
"psr-4": {
"FG\\": "lib/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Friedrich Große",
"email": "friedrich.grosse@gmail.com",
"homepage": "https://github.com/FGrosse",
"role": "Author"
},
{
"name": "All contributors",
"homepage": "https://github.com/FGrosse/PHPASN1/contributors"
}
],
"description": "A PHP Framework that allows you to encode and decode arbitrary ASN.1 structures using the ITU-T X.690 Encoding Rules.",
"homepage": "https://github.com/FGrosse/PHPASN1",
"keywords": [
"DER",
"asn.1",
"asn1",
"ber",
"binary",
"decoding",
"encoding",
"x.509",
"x.690",
"x509",
"x690"
],
"time": "2017-12-17T10:21:51+00:00"
},
{
"name": "mdanter/ecc",
"version": "v0.5.0",
"source": {
"type": "git",
"url": "https://github.com/phpecc/phpecc.git",
"reference": "ed5c6d496f5310de1b7071b8375fafa3559a1344"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/phpecc/phpecc/zipball/ed5c6d496f5310de1b7071b8375fafa3559a1344",
"reference": "ed5c6d496f5310de1b7071b8375fafa3559a1344",
"shasum": ""
},
"require": {
"ext-gmp": "*",
"fgrosse/phpasn1": "v2.0.x",
"php": ">=7.0"
},
"require-dev": {
"phpunit/phpunit": "^6.0",
"squizlabs/php_codesniffer": "~2",
"symfony/yaml": "~2.6|~3.0"
},
"type": "library",
"autoload": {
"psr-4": {
"Mdanter\\Ecc\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Matyas Danter",
"homepage": "http://matejdanter.com/",
"role": "Author"
},
{
"name": "Thibaud Fabre",
"email": "thibaud@aztech.io",
"homepage": "http://aztech.io",
"role": "Maintainer"
},
{
"name": "Thomas Kerin",
"email": "afk11@users.noreply.github.com",
"role": "Maintainer"
}
],
"description": "PHP Elliptic Curve Cryptography library",
"homepage": "https://github.com/phpecc/phpecc",
"keywords": [
"Diffie",
"ECDSA",
"Hellman",
"curve",
"ecdh",
"elliptic",
"nistp192",
"nistp224",
"nistp256",
"nistp384",
"nistp521",
"phpecc",
"secp256k1",
"secp256r1"
],
"time": "2017-10-09T16:05:37+00:00"
},
{
"name": "pocketmine/binaryutils",
"version": "0.1.0",
@ -235,8 +376,10 @@
"php-64bit": "*",
"ext-bcmath": "*",
"ext-curl": "*",
"ext-crypto": "^0.3.1",
"ext-ctype": "*",
"ext-date": "*",
"ext-gmp": "*",
"ext-hash": "*",
"ext-json": "*",
"ext-mbstring": "*",

25
src/pocketmine/Player.php
View File

@ -124,7 +124,7 @@ use pocketmine\network\mcpe\protocol\types\ContainerIds;
use pocketmine\network\mcpe\protocol\types\PlayerPermissions;
use pocketmine\network\mcpe\protocol\UpdateAttributesPacket;
use pocketmine\network\mcpe\protocol\UpdateBlockPacket;
use pocketmine\network\mcpe\VerifyLoginTask;
use pocketmine\network\mcpe\ProcessLoginTask;
use pocketmine\permission\PermissibleBase;
use pocketmine\permission\PermissionAttachment;
use pocketmine\permission\PermissionAttachmentInfo;
@ -1795,17 +1795,18 @@ class Player extends Human implements CommandSender, ChunkLoader, IPlayer{
}
if(!$packet->skipVerification){
$this->server->getAsyncPool()->submitTask(new VerifyLoginTask($this, $packet));
$this->server->getAsyncPool()->submitTask(new ProcessLoginTask($this, $packet));
}else{
$this->onVerifyCompleted(true, null);
$this->setAuthenticationStatus(true, null);
$this->networkSession->onLoginSuccess();
}
return true;
}
public function onVerifyCompleted(bool $authenticated, ?string $error) : void{
public function setAuthenticationStatus(bool $authenticated, ?string $error) : bool{
if($this->closed){
return;
return false;
}
if($authenticated and $this->xuid === ""){
@ -1814,14 +1815,15 @@ class Player extends Human implements CommandSender, ChunkLoader, IPlayer{
if($error !== null){
$this->close("", $this->server->getLanguage()->translateString("pocketmine.disconnect.invalidSession", [$error]));
return;
return false;
}
$this->authenticated = $authenticated;
if(!$this->authenticated){
if($this->server->requiresAuthentication() and $this->kick("disconnectionScreen.notAuthenticated", false)){ //use kick to allow plugins to cancel this
return;
return false;
}
$this->server->getLogger()->debug($this->getName() . " is NOT logged into Xbox Live");
@ -1833,21 +1835,22 @@ class Player extends Human implements CommandSender, ChunkLoader, IPlayer{
$this->server->getLogger()->debug($this->getName() . " is logged into Xbox Live");
}
//TODO: encryption
foreach($this->server->getLoggedInPlayers() as $p){
if($p !== $this and ($p->iusername === $this->iusername or $this->getUniqueId()->equals($p->getUniqueId()))){
if(!$p->kick("logged in from another location")){
$this->close($this->getLeaveMessage(), "Logged in from another location");
return;
return false;
}
}
}
return true;
}
public function onLoginSuccess() : void{
$this->loggedIn = true;
$this->server->onPlayerLogin($this);
$this->networkSession->onLoginSuccess();
}
public function _actuallyConstruct(){

2
src/pocketmine/PocketMine.php
View File

@ -77,8 +77,10 @@ namespace pocketmine {
$extensions = [
"bcmath" => "BC Math",
"curl" => "cURL",
"crypto" => "php-crypto",
"ctype" => "ctype",
"date" => "Date",
"gmp" => "GMP",
"hash" => "Hash",
"json" => "JSON",
"mbstring" => "Multibyte String",

3
src/pocketmine/Server.php
View File

@ -71,6 +71,7 @@ use pocketmine\nbt\tag\ShortTag;
use pocketmine\nbt\tag\StringTag;
use pocketmine\network\AdvancedNetworkInterface;
use pocketmine\network\mcpe\CompressBatchedTask;
use pocketmine\network\mcpe\NetworkCipher;
use pocketmine\network\mcpe\NetworkCompression;
use pocketmine\network\mcpe\NetworkSession;
use pocketmine\network\mcpe\PacketStream;
@ -1544,6 +1545,8 @@ class Server{
}
$this->networkCompressionAsync = (bool) $this->getProperty("network.async-compression", true);
NetworkCipher::$ENABLED = (bool) $this->getProperty("network.enable-encryption", true);
$this->autoTickRate = (bool) $this->getProperty("level-settings.auto-tick-rate", true);
$this->autoTickRateLimit = (int) $this->getProperty("level-settings.auto-tick-rate-limit", 20);
$this->alwaysTickPlayers = (bool) $this->getProperty("level-settings.always-tick-players", false);

83
src/pocketmine/network/mcpe/NetworkCipher.php Normal file
View File

@ -0,0 +1,83 @@
<?php
/*
*
* ____ _ _ __ __ _ __ __ ____
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* @author PocketMine Team
* @link http://www.pocketmine.net/
*
*
*/
declare(strict_types=1);
namespace pocketmine\network\mcpe;
use Crypto\Cipher;
use pocketmine\utils\Binary;
class NetworkCipher{
private const ENCRYPTION_SCHEME = "AES-256-CFB8";
private const CHECKSUM_ALGO = "sha256";
public static $ENABLED = true;
/** @var string */
private $key;
/** @var Cipher */
private $decryptCipher;
/** @var int */
private $decryptCounter = 0;
/** @var Cipher */
private $encryptCipher;
/** @var int */
private $encryptCounter = 0;
public function __construct(string $encryptionKey){
//TODO: ext/crypto doesn't offer us a way to disable padding. This doesn't matter at the moment because we're
//using CFB8, but this might change in the future. This is supposed to be CFB8 no-padding.
$this->key = $encryptionKey;
$iv = substr($this->key, 0, 16);
$this->decryptCipher = new Cipher(self::ENCRYPTION_SCHEME);
$this->decryptCipher->decryptInit($this->key, $iv);
$this->encryptCipher = new Cipher(self::ENCRYPTION_SCHEME);
$this->encryptCipher->encryptInit($this->key, $iv);
}
public function decrypt($encrypted){
if(strlen($encrypted) < 9){
throw new \InvalidArgumentException("Payload is too short");
}
$decrypted = $this->decryptCipher->decryptUpdate($encrypted);
$payload = substr($decrypted, 0, -8);
if(($expected = $this->calculateChecksum($this->decryptCounter++, $payload)) !== ($actual = substr($decrypted, -8))){
throw new \InvalidArgumentException("Encrypted payload has invalid checksum (expected " . bin2hex($expected) . ", got " . bin2hex($actual) . ")");
}
return $payload;
}
public function encrypt(string $payload) : string{
return $this->encryptCipher->encryptUpdate($payload . $this->calculateChecksum($this->encryptCounter++, $payload));
}
private function calculateChecksum(int $counter, string $payload) : string{
return substr(hash(self::CHECKSUM_ALGO, Binary::writeLLong($counter) . $payload . $this->key, true), 0, 8);
}
}

34
src/pocketmine/network/mcpe/NetworkSession.php
View File

@ -27,6 +27,7 @@ use pocketmine\event\player\PlayerCreationEvent;
use pocketmine\event\server\DataPacketReceiveEvent;
use pocketmine\event\server\DataPacketSendEvent;
use pocketmine\network\mcpe\handler\DeathSessionHandler;
use pocketmine\network\mcpe\handler\HandshakeSessionHandler;
use pocketmine\network\mcpe\handler\LoginSessionHandler;
use pocketmine\network\mcpe\handler\PreSpawnSessionHandler;
use pocketmine\network\mcpe\handler\ResourcePacksSessionHandler;
@ -36,14 +37,13 @@ use pocketmine\network\mcpe\protocol\DataPacket;
use pocketmine\network\mcpe\protocol\DisconnectPacket;
use pocketmine\network\mcpe\protocol\PacketPool;
use pocketmine\network\mcpe\protocol\PlayStatusPacket;
use pocketmine\network\mcpe\protocol\ServerToClientHandshakePacket;
use pocketmine\network\NetworkInterface;
use pocketmine\Player;
use pocketmine\Server;
use pocketmine\timings\Timings;
class NetworkSession{
/** @var Server */
private $server;
/** @var Player */
@ -63,6 +63,9 @@ class NetworkSession{
/** @var bool */
private $connected = true;
/** @var NetworkCipher */
private $cipher;
public function __construct(Server $server, NetworkInterface $interface, string $ip, int $port){
$this->server = $server;
$this->interface = $interface;
@ -142,7 +145,15 @@ class NetworkSession{
return;
}
//TODO: decryption if enabled
if($this->cipher !== null){
try{
$payload = $this->cipher->decrypt($payload);
}catch(\InvalidArgumentException $e){
$this->server->getLogger()->debug("Encrypted packet from " . $this->ip . " " . $this->port . ": " . bin2hex($payload));
$this->disconnect("Packet decryption error: " . $e->getMessage());
return;
}
}
try{
$stream = new PacketStream(NetworkCompression::decompress($payload));
@ -151,6 +162,7 @@ class NetworkSession{
$this->disconnect("Compressed packet batch decode error (incompatible game version?)", false);
return;
}
while(!$stream->feof() and $this->connected){
$this->handleDataPacket(PacketPool::getPacket($stream->getString()));
}
@ -193,7 +205,9 @@ class NetworkSession{
}
public function sendEncoded(string $payload, bool $immediate = false) : void{
//TODO: encryption
if($this->cipher !== null){
$payload = $this->cipher->encrypt($payload);
}
$this->interface->putPacket($this, $payload, $immediate);
}
@ -262,13 +276,23 @@ class NetworkSession{
$this->player = null;
}
//TODO: onEnableEncryption() step
public function enableEncryption(string $encryptionKey, string $handshakeJwt) : void{
$pk = new ServerToClientHandshakePacket();
$pk->jwt = $handshakeJwt;
$this->sendDataPacket($pk, true); //make sure this gets sent before encryption is enabled
$this->cipher = new NetworkCipher($encryptionKey);
$this->setHandler(new HandshakeSessionHandler($this));
$this->server->getLogger()->debug("Enabled encryption for $this->ip $this->port");
}
public function onLoginSuccess() : void{
$pk = new PlayStatusPacket();
$pk->status = PlayStatusPacket::LOGIN_SUCCESS;
$this->sendDataPacket($pk);
$this->player->onLoginSuccess();
$this->setHandler(new ResourcePacksSessionHandler($this->player, $this, $this->server->getResourcePackManager()));
}

229
src/pocketmine/network/mcpe/ProcessLoginTask.php Normal file
View File

@ -0,0 +1,229 @@
<?php
/*
*
* ____ _ _ __ __ _ __ __ ____
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* @author PocketMine Team
* @link http://www.pocketmine.net/
*
*
*/
declare(strict_types=1);
namespace pocketmine\network\mcpe;
use Mdanter\Ecc\Crypto\Key\PrivateKeyInterface;
use Mdanter\Ecc\Crypto\Key\PublicKeyInterface;
use Mdanter\Ecc\Crypto\Signature\Signature;
use Mdanter\Ecc\EccFactory;
use Mdanter\Ecc\Serializer\PrivateKey\DerPrivateKeySerializer;
use Mdanter\Ecc\Serializer\PrivateKey\PemPrivateKeySerializer;
use Mdanter\Ecc\Serializer\PublicKey\DerPublicKeySerializer;
use Mdanter\Ecc\Serializer\PublicKey\PemPublicKeySerializer;
use Mdanter\Ecc\Serializer\Signature\DerSignatureSerializer;
use pocketmine\network\mcpe\protocol\LoginPacket;
use pocketmine\Player;
use pocketmine\scheduler\AsyncTask;
use pocketmine\Server;
class ProcessLoginTask extends AsyncTask{
public const MOJANG_ROOT_PUBLIC_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8ELkixyLcwlZryUQcu1TvPOmI2B7vX83ndnWRUaXm74wFfa5f/lwQNTfrLVHa2PmenpGI6JhIMUJaWZrjmMj90NoKNFSNBuKdm8rYiXsfaz3K36x/1U26HpG0ZxK/V1V";
/** @var PrivateKeyInterface|null */
private static $SERVER_PRIVATE_KEY = null;
/** @var LoginPacket */
private $packet;
/**
* @var string|null
* Whether the keychain signatures were validated correctly. This will be set to an error message if any link in the
* keychain is invalid for whatever reason (bad signature, not in nbf-exp window, etc). If this is non-null, the
* keychain might have been tampered with. The player will always be disconnected if this is non-null.
*/
private $error = "Unknown";
/**
* @var bool
* Whether the player is logged into Xbox Live. This is true if any link in the keychain is signed with the Mojang
* root public key.
*/
private $authenticated = false;
/**
* @var bool
* Whether or not to enable encryption for the session that sent this login.
*/
private $useEncryption = true;
/** @var PrivateKeyInterface|null */
private $serverPrivateKey = null;
/** @var string|null */
private $aesKey = null;
/** @var string|null */
private $handshakeJwt = null;
public function __construct(Player $player, LoginPacket $packet, bool $useEncryption = true){
$this->storeLocal($player);
$this->packet = $packet;
$this->useEncryption = $useEncryption;
if($useEncryption){
if(self::$SERVER_PRIVATE_KEY === null){
self::$SERVER_PRIVATE_KEY = EccFactory::getNistCurves()->generator384()->createPrivateKey();
}
$this->serverPrivateKey = self::$SERVER_PRIVATE_KEY;
}
}
public function onRun() : void{
try{
$clientPub = $this->validateChain();
}catch(VerifyLoginException $e){
$this->error = $e->getMessage();
return;
}
if($this->useEncryption){
$serverPriv = $this->serverPrivateKey;
$salt = random_bytes(16);
$sharedSecret = $serverPriv->createExchange($clientPub)->calculateSharedKey();
$this->aesKey = hash('sha256', $salt . hex2bin(str_pad(gmp_strval($sharedSecret, 16), 96, "0", STR_PAD_LEFT)), true);
$this->handshakeJwt = $this->generateServerHandshakeJwt($serverPriv, $salt);
}
$this->error = null;
}
private function validateChain() : PublicKeyInterface{
$packet = $this->packet;
$currentKey = null;
$first = true;
foreach($packet->chainData["chain"] as $jwt){
$this->validateToken($jwt, $currentKey, $first);
if($first){
$first = false;
}
}
/** @var string $clientKey */
$clientKey = $currentKey;
$this->validateToken($packet->clientDataJwt, $currentKey);
return (new DerPublicKeySerializer())->parse(base64_decode($clientKey, true));
}
/**
* @param string $jwt
* @param null|string $currentPublicKey
* @param bool $first
*
* @throws VerifyLoginException if errors are encountered
*/
private function validateToken(string $jwt, ?string &$currentPublicKey, bool $first = false) : void{
[$headB64, $payloadB64, $sigB64] = explode('.', $jwt);
if($currentPublicKey === null){
if(!$first){
throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.missingKey");
}
//First link, check that it is self-signed
$headers = json_decode(self::b64UrlDecode($headB64), true);
$currentPublicKey = $headers["x5u"];
}
$plainSignature = self::b64UrlDecode($sigB64);
assert(strlen($plainSignature) === 96);
[$rString, $sString] = str_split($plainSignature, 48);
$sig = new Signature(gmp_init(bin2hex($rString), 16), gmp_init(bin2hex($sString), 16));
$derSerializer = new DerPublicKeySerializer();
$v = openssl_verify(
"$headB64.$payloadB64",
(new DerSignatureSerializer())->serialize($sig),
(new PemPublicKeySerializer($derSerializer))->serialize($derSerializer->parse(base64_decode($currentPublicKey))),
OPENSSL_ALGO_SHA384
);
if($v !== 1){
throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.badSignature");
}
if($currentPublicKey === self::MOJANG_ROOT_PUBLIC_KEY){
$this->authenticated = true; //we're signed into xbox live
}
$claims = json_decode(self::b64UrlDecode($payloadB64), true);
$time = time();
if(isset($claims["nbf"]) and $claims["nbf"] > $time){
throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.tooEarly");
}
if(isset($claims["exp"]) and $claims["exp"] < $time){
throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.tooLate");
}
$currentPublicKey = $claims["identityPublicKey"] ?? null; //if there are further links, the next link should be signed with this
}
private function generateServerHandshakeJwt(PrivateKeyInterface $serverPriv, string $salt) : string{
$jwtBody = self::b64UrlEncode(json_encode([
"x5u" => base64_encode((new DerPublicKeySerializer())->serialize($serverPriv->getPublicKey())),
"alg" => "ES384"
])
) . "." . self::b64UrlEncode(json_encode([
"salt" => base64_encode($salt)
])
);
openssl_sign($jwtBody, $sig, (new PemPrivateKeySerializer(new DerPrivateKeySerializer()))->serialize($serverPriv), OPENSSL_ALGO_SHA384);
$decodedSig = (new DerSignatureSerializer())->parse($sig);
$jwtSig = self::b64UrlEncode(
hex2bin(str_pad(gmp_strval($decodedSig->getR(), 16), 96, "0", STR_PAD_LEFT)) .
hex2bin(str_pad(gmp_strval($decodedSig->getS(), 16), 96, "0", STR_PAD_LEFT))
);
return "$jwtBody.$jwtSig";
}
private static function b64UrlDecode(string $str) : string{
return base64_decode(strtr($str, '-_', '+/'), true);
}
private static function b64UrlEncode(string $str) : string{
return strtr(base64_encode($str), '+/', '-_');
}
public function onCompletion(Server $server) : void{
/** @var Player $player */
$player = $this->fetchLocal();
if($player->isClosed()){
$server->getLogger()->error("Player " . $player->getName() . " was disconnected before their login could be verified");
}elseif($player->setAuthenticationStatus($this->authenticated, $this->error)){
if(!$this->useEncryption){
$player->getNetworkSession()->onLoginSuccess();
}else{
$player->getNetworkSession()->enableEncryption($this->aesKey, $this->handshakeJwt);
}
}
}
}

154
src/pocketmine/network/mcpe/VerifyLoginTask.php
View File

@ -1,154 +0,0 @@
<?php
/*
*
* ____ _ _ __ __ _ __ __ ____
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* @author PocketMine Team
* @link http://www.pocketmine.net/
*
*
*/
declare(strict_types=1);
namespace pocketmine\network\mcpe;
use pocketmine\network\mcpe\protocol\LoginPacket;
use pocketmine\Player;
use pocketmine\scheduler\AsyncTask;
use pocketmine\Server;
class VerifyLoginTask extends AsyncTask{
public const MOJANG_ROOT_PUBLIC_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8ELkixyLcwlZryUQcu1TvPOmI2B7vX83ndnWRUaXm74wFfa5f/lwQNTfrLVHa2PmenpGI6JhIMUJaWZrjmMj90NoKNFSNBuKdm8rYiXsfaz3K36x/1U26HpG0ZxK/V1V";
/** @var LoginPacket */
private $packet;
/**
* @var string|null
* Whether the keychain signatures were validated correctly. This will be set to an error message if any link in the
* keychain is invalid for whatever reason (bad signature, not in nbf-exp window, etc). If this is non-null, the
* keychain might have been tampered with. The player will always be disconnected if this is non-null.
*/
private $error = "Unknown";
/**
* @var bool
* Whether the player is logged into Xbox Live. This is true if any link in the keychain is signed with the Mojang
* root public key.
*/
private $authenticated = false;
public function __construct(Player $player, LoginPacket $packet){
$this->storeLocal($player);
$this->packet = $packet;
}
public function onRun() : void{
$packet = $this->packet; //Get it in a local variable to make sure it stays unserialized
try{
$currentKey = null;
$first = true;
foreach($packet->chainData["chain"] as $jwt){
$this->validateToken($jwt, $currentKey, $first);
$first = false;
}
$this->validateToken($packet->clientDataJwt, $currentKey);
$this->error = null;
}catch(VerifyLoginException $e){
$this->error = $e->getMessage();
}
}
/**
* @param string $jwt
* @param null|string $currentPublicKey
* @param bool $first
*
* @throws VerifyLoginException if errors are encountered
*/
private function validateToken(string $jwt, ?string &$currentPublicKey, bool $first = false) : void{
[$headB64, $payloadB64, $sigB64] = explode('.', $jwt);
$headers = json_decode(base64_decode(strtr($headB64, '-_', '+/'), true), true);
if($currentPublicKey === null){
if(!$first){
throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.missingKey");
}
//First link, check that it is self-signed
$currentPublicKey = $headers["x5u"];
}
$plainSignature = base64_decode(strtr($sigB64, '-_', '+/'), true);
//OpenSSL wants a DER-encoded signature, so we extract R and S from the plain signature and crudely serialize it.
assert(strlen($plainSignature) === 96);
[$rString, $sString] = str_split($plainSignature, 48);
$rString = ltrim($rString, "\x00");
if(ord($rString{0}) >= 128){ //Would be considered signed, pad it with an extra zero
$rString = "\x00" . $rString;
}
$sString = ltrim($sString, "\x00");
if(ord($sString{0}) >= 128){ //Would be considered signed, pad it with an extra zero
$sString = "\x00" . $sString;
}
//0x02 = Integer ASN.1 tag
$sequence = "\x02" . chr(strlen($rString)) . $rString . "\x02" . chr(strlen($sString)) . $sString;
//0x30 = Sequence ASN.1 tag
$derSignature = "\x30" . chr(strlen($sequence)) . $sequence;
$v = openssl_verify("$headB64.$payloadB64", $derSignature, "-----BEGIN PUBLIC KEY-----\n" . $currentPublicKey . "\n-----END PUBLIC KEY-----\n", OPENSSL_ALGO_SHA384);
if($v !== 1){
throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.badSignature");
}
if($currentPublicKey === self::MOJANG_ROOT_PUBLIC_KEY){
$this->authenticated = true; //we're signed into xbox live
}
$claims = json_decode(base64_decode(strtr($payloadB64, '-_', '+/'), true), true);
$time = time();
if(isset($claims["nbf"]) and $claims["nbf"] > $time){
throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.tooEarly");
}
if(isset($claims["exp"]) and $claims["exp"] < $time){
throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.tooLate");
}
$currentPublicKey = $claims["identityPublicKey"] ?? null; //if there are further links, the next link should be signed with this
}
public function onCompletion(Server $server) : void{
/** @var Player $player */
$player = $this->fetchLocal();
if($player->isClosed()){
$server->getLogger()->error("Player " . $player->getName() . " was disconnected before their login could be verified");
}else{
$player->onVerifyCompleted($this->authenticated, $this->error);
}
}
}

45
src/pocketmine/network/mcpe/handler/HandshakeSessionHandler.php Normal file
View File

@ -0,0 +1,45 @@
<?php
/*
*
* ____ _ _ __ __ _ __ __ ____
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* @author PocketMine Team
* @link http://www.pocketmine.net/
*
*
*/
declare(strict_types=1);
namespace pocketmine\network\mcpe\handler;
use pocketmine\network\mcpe\NetworkSession;
use pocketmine\network\mcpe\protocol\ClientToServerHandshakePacket;
/**
* Handler responsible for awaiting client response from crypto handshake.
*/
class HandshakeSessionHandler extends SessionHandler{
/** @var string */
private $session;
public function __construct(NetworkSession $session){
$this->session = $session;
}
public function handleClientToServerHandshake(ClientToServerHandshakePacket $packet) : bool{
$this->session->onLoginSuccess();
return true;
}
}

5
src/pocketmine/network/mcpe/handler/SimpleSessionHandler.php
View File

@ -30,7 +30,6 @@ use pocketmine\network\mcpe\protocol\BlockEntityDataPacket;
use pocketmine\network\mcpe\protocol\BlockPickRequestPacket;
use pocketmine\network\mcpe\protocol\BookEditPacket;
use pocketmine\network\mcpe\protocol\BossEventPacket;
use pocketmine\network\mcpe\protocol\ClientToServerHandshakePacket;
use pocketmine\network\mcpe\protocol\CommandBlockUpdatePacket;
use pocketmine\network\mcpe\protocol\CommandRequestPacket;
use pocketmine\network\mcpe\protocol\ContainerClosePacket;
@ -75,10 +74,6 @@ class SimpleSessionHandler extends SessionHandler{
$this->player = $player;
}
public function handleClientToServerHandshake(ClientToServerHandshakePacket $packet) : bool{
return false; //TODO
}
public function handleText(TextPacket $packet) : bool{
if($packet->type === TextPacket::TYPE_CHAT){
return $this->player->chat($packet->message);

3
src/pocketmine/resources/pocketmine.yml
View File

@ -97,6 +97,9 @@ network:
#Maximum size in bytes of packets sent over the network (default 1492 bytes). Packets larger than this will be
#fragmented or split into smaller parts. Clients can request MTU sizes up to but not more than this number.
max-mtu-size: 1492
#Enable encryption of Minecraft network traffic. This has an impact on performance, but prevents hackers from stealing sessions and pretending to be other players.
#DO NOT DISABLE THIS unless you understand the risks involved.
enable-encryption: true
debug:
#To enable assertion execution, set zend.assertions in your php.ini to 1