From 11a3f9f1b906d0a73adb5a81a6eff120b56cf6fa Mon Sep 17 00:00:00 2001
From: "Dylan K. Taylor"
Date: Wed, 17 Jun 2020 17:52:19 +0100
Subject: [PATCH] VerifyLoginTask: fast-fail by checking header x5u before verifying signature

this is less costly, although it doesn't make any difference except in invalid cases.
---
 src/pocketmine/network/mcpe/VerifyLoginTask.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/pocketmine/network/mcpe/VerifyLoginTask.php b/src/pocketmine/network/mcpe/VerifyLoginTask.php
index 26df6f3a8..c1ccb540a 100644
--- a/src/pocketmine/network/mcpe/VerifyLoginTask.php
+++ b/src/pocketmine/network/mcpe/VerifyLoginTask.php
@@ -115,6 +115,9 @@ class VerifyLoginTask extends AsyncTask{
 //First link, check that it is self-signed
 $currentPublicKey = $headers["x5u"];
+ }elseif($headers["x5u"] !== $currentPublicKey){
+ //Fast path: if the header key doesn't match what we expected, the signature isn't going to validate anyway
+ throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.badSignature");
 }
 $plainSignature = base64_decode(strtr($sigB64, '-_', '+/'), true);
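Review bot: The added elseif is only a pure fast path if the verification step below (not shown in the hunk) checks the signature against the header's x5u; if it instead verifies against $currentPublicKey, as the new comment's "what we expected" suggests, then a link correctly signed by the expected key but carrying a different, or merely differently encoded, x5u string previously verified and is now rejected with badSignature, so "doesn't make any difference except in invalid cases" holds only if x5u is required to equal the delegated key exactly. That stricter rule is sensible for a delegation chain, but the comment should say so rather than call it an optimisation, e.g. `//Each link's x5u must be exactly the key the previous link delegated to; reject outright instead of running a verification that cannot succeed` — and if equivalent encodings of the same key matter, compare decoded key bytes rather than the raw strings. `$headers["x5u"]` is also read on the new line without isset(); unless an earlier check outside the hunk already requires the header, a missing x5u produces a notice and compares null against a string. The surrounding verification loop starts and ends outside the hunk.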