forked from TuxCoding/FastLogin
Make client public key verification optional
This commit is contained in:
games647
@ -32,6 +32,8 @@ import com.github.games647.fastlogin.core.shared.LoginSession;
|
||||
|
||||
import java.util.Optional;
|
||||
|
||||
import javax.annotation.Nullable;
|
||||
|
||||
/**
|
||||
* Represents a client connecting to the server.
|
||||
*
|
||||
@ -83,6 +85,7 @@ public class BukkitLoginSession extends LoginSession {
|
||||
return verifyToken.clone();
|
||||
}
|
||||
|
||||
@Nullable
|
||||
public ClientPublicKey getClientPublicKey() {
|
||||
return clientPublicKey;
|
||||
}
|
||||
|
||||
@ -117,7 +117,7 @@ public class FastLoginBukkit extends JavaPlugin implements PlatformPlugin<Comman
|
||||
if (pluginManager.isPluginEnabled("ProtocolSupport")) {
|
||||
pluginManager.registerEvents(new ProtocolSupportListener(this, core.getAntiBot()), this);
|
||||
} else if (pluginManager.isPluginEnabled("ProtocolLib")) {
|
||||
ProtocolLibListener.register(this, core.getAntiBot());
|
||||
ProtocolLibListener.register(this, core.getAntiBot(), core.getConfig().getBoolean("verifyClientKeys"));
|
||||
|
||||
if (isPluginInstalled("floodgate")) {
|
||||
if (getConfig().getBoolean("floodgatePrefixWorkaround")){
|
||||
|
||||
@ -27,8 +27,6 @@ package com.github.games647.fastlogin.bukkit.listener.protocollib;
|
||||
|
||||
import com.comphenix.protocol.ProtocolLibrary;
|
||||
import com.comphenix.protocol.events.PacketEvent;
|
||||
import com.comphenix.protocol.wrappers.BukkitConverters;
|
||||
import com.comphenix.protocol.wrappers.WrappedProfilePublicKey.WrappedProfileKeyData;
|
||||
import com.github.games647.fastlogin.bukkit.BukkitLoginSession;
|
||||
import com.github.games647.fastlogin.bukkit.FastLoginBukkit;
|
||||
import com.github.games647.fastlogin.bukkit.event.BukkitFastLoginPreLoginEvent;
|
||||
@ -38,7 +36,6 @@ import com.github.games647.fastlogin.core.shared.JoinManagement;
|
||||
import com.github.games647.fastlogin.core.shared.event.FastLoginPreLoginEvent;
|
||||
|
||||
import java.security.PublicKey;
|
||||
import java.util.Optional;
|
||||
import java.util.Random;
|
||||
|
||||
import org.bukkit.command.CommandSender;
|
||||
@ -49,6 +46,8 @@ public class NameCheckTask extends JoinManagement<Player, CommandSender, Protoco
|
||||
|
||||
private final FastLoginBukkit plugin;
|
||||
private final PacketEvent packetEvent;
|
||||
|
||||
private final ClientPublicKey clientKey;
|
||||
private final PublicKey serverKey;
|
||||
|
||||
private final Random random;
|
||||
@ -57,11 +56,12 @@ public class NameCheckTask extends JoinManagement<Player, CommandSender, Protoco
|
||||
private final String username;
|
||||
|
||||
public NameCheckTask(FastLoginBukkit plugin, Random random, Player player, PacketEvent packetEvent,
|
||||
String username, PublicKey serverKey) {
|
||||
String username, ClientPublicKey clientKey, PublicKey serverKey) {
|
||||
super(plugin.getCore(), plugin.getCore().getAuthPluginHook(), plugin.getBedrockService());
|
||||
|
||||
this.plugin = plugin;
|
||||
this.packetEvent = packetEvent;
|
||||
this.clientKey = clientKey;
|
||||
this.serverKey = serverKey;
|
||||
this.random = random;
|
||||
this.player = player;
|
||||
@ -71,10 +71,7 @@ public class NameCheckTask extends JoinManagement<Player, CommandSender, Protoco
|
||||
@Override
|
||||
public void run() {
|
||||
try {
|
||||
Optional<WrappedProfileKeyData> clientKey = packetEvent.getPacket()
|
||||
.getOptionals(BukkitConverters.getWrappedPublicKeyDataConverter()).read(0);
|
||||
|
||||
super.onLogin(username, new ProtocolLibLoginSource(player, random, serverKey, clientKey.orElse(null)));
|
||||
super.onLogin(username, new ProtocolLibLoginSource(player, random, serverKey, clientKey));
|
||||
} finally {
|
||||
ProtocolLibrary.getProtocolManager().getAsynchronousManager().signalPacketTransmission(packetEvent);
|
||||
}
|
||||
@ -104,8 +101,7 @@ public class NameCheckTask extends JoinManagement<Player, CommandSender, Protoco
|
||||
core.getPendingLogin().put(ip + username, new Object());
|
||||
|
||||
byte[] verify = source.getVerifyToken();
|
||||
WrappedProfileKeyData key = source.getClientPublicKey();
|
||||
ClientPublicKey clientKey = new ClientPublicKey(key.getExpireTime(), key.getKey(), key.getSignature());
|
||||
ClientPublicKey clientKey = source.getClientKey();
|
||||
|
||||
BukkitLoginSession playerSession = new BukkitLoginSession(username, verify, clientKey, registered, profile);
|
||||
plugin.putSession(player.getAddress(), playerSession);
|
||||
|
||||
@ -49,6 +49,7 @@ import java.security.PublicKey;
|
||||
import java.security.SecureRandom;
|
||||
import java.security.SignatureException;
|
||||
import java.time.Instant;
|
||||
import java.util.Optional;
|
||||
|
||||
import org.bukkit.entity.Player;
|
||||
|
||||
@ -66,7 +67,9 @@ public class ProtocolLibListener extends PacketAdapter {
|
||||
private final KeyPair keyPair = EncryptionUtil.generateKeyPair();
|
||||
private final AntiBotService antiBotService;
|
||||
|
||||
public ProtocolLibListener(FastLoginBukkit plugin, AntiBotService antiBotService) {
|
||||
private final boolean verifyClientKeys;
|
||||
|
||||
public ProtocolLibListener(FastLoginBukkit plugin, AntiBotService antiBotService, boolean verifyClientKeys) {
|
||||
//run async in order to not block the server, because we are making api calls to Mojang
|
||||
super(params()
|
||||
.plugin(plugin)
|
||||
@ -75,14 +78,15 @@ public class ProtocolLibListener extends PacketAdapter {
|
||||
|
||||
this.plugin = plugin;
|
||||
this.antiBotService = antiBotService;
|
||||
this.verifyClientKeys = verifyClientKeys;
|
||||
}
|
||||
|
||||
public static void register(FastLoginBukkit plugin, AntiBotService antiBotService) {
|
||||
public static void register(FastLoginBukkit plugin, AntiBotService antiBotService, boolean verifyClientKeys) {
|
||||
// they will be created with a static builder, because otherwise it will throw a NoClassDefFoundError
|
||||
// TODO: make synchronous processing, but do web or database requests async
|
||||
ProtocolLibrary.getProtocolManager()
|
||||
.getAsynchronousManager()
|
||||
.registerAsyncHandler(new ProtocolLibListener(plugin, antiBotService))
|
||||
.registerAsyncHandler(new ProtocolLibListener(plugin, antiBotService, verifyClientKeys))
|
||||
.start();
|
||||
}
|
||||
|
||||
@ -141,6 +145,13 @@ public class ProtocolLibListener extends PacketAdapter {
|
||||
plugin.getLog().warn("GameProfile {} tried to send encryption response at invalid state", sender.getAddress());
|
||||
sender.kickPlayer(plugin.getCore().getMessage("invalid-request"));
|
||||
} else {
|
||||
if (session.getClientPublicKey() == null) {
|
||||
// we cannot verify the signature if no public was provided
|
||||
plugin.getLog().error("No public key provided for signed nonce {}", sender);
|
||||
sender.kickPlayer(plugin.getCore().getMessage("invalid-verify-token"));
|
||||
return;
|
||||
}
|
||||
|
||||
Either<byte[], ?> either = packetEvent.getPacket().getSpecificModifier(Either.class).read(0);
|
||||
Object signatureData = either.right().get();
|
||||
long salt = FuzzyReflection.getFieldValue(signatureData, Long.TYPE, true);
|
||||
@ -176,9 +187,13 @@ public class ProtocolLibListener extends PacketAdapter {
|
||||
}
|
||||
|
||||
PacketContainer packet = packetEvent.getPacket();
|
||||
WrappedProfileKeyData profileKey = packet.getOptionals(BukkitConverters.getWrappedPublicKeyDataConverter())
|
||||
.read(0).orElse(null);
|
||||
if (profileKey != null && !verifyPublicKey(profileKey)) {
|
||||
var profileKey = packet.getOptionals(BukkitConverters.getWrappedPublicKeyDataConverter())
|
||||
.read(0);
|
||||
|
||||
var clientKey = profileKey.flatMap(this::verifyPublicKey);
|
||||
if (verifyClientKeys && !clientKey.isPresent()) {
|
||||
// missing or incorrect
|
||||
// expired always not allowed
|
||||
player.kickPlayer(plugin.getCore().getMessage("invalid-public-key"));
|
||||
plugin.getLog().warn("Invalid public key from player {}", username);
|
||||
return;
|
||||
@ -187,20 +202,24 @@ public class ProtocolLibListener extends PacketAdapter {
|
||||
plugin.getLog().trace("GameProfile {} with {} connecting", sessionKey, username);
|
||||
|
||||
packetEvent.getAsyncMarker().incrementProcessingDelay();
|
||||
Runnable nameCheckTask = new NameCheckTask(plugin, random, player, packetEvent, username, keyPair.getPublic());
|
||||
Runnable nameCheckTask = new NameCheckTask(plugin, random, player, packetEvent, username, clientKey.orElse(null), keyPair.getPublic());
|
||||
plugin.getScheduler().runAsync(nameCheckTask);
|
||||
}
|
||||
|
||||
private boolean verifyPublicKey(WrappedProfileKeyData profileKey) {
|
||||
private Optional<ClientPublicKey> verifyPublicKey(WrappedProfileKeyData profileKey) {
|
||||
Instant expires = profileKey.getExpireTime();
|
||||
PublicKey key = profileKey.getKey();
|
||||
byte[] signature = profileKey.getSignature();
|
||||
ClientPublicKey clientKey = new ClientPublicKey(expires, key, signature);
|
||||
try {
|
||||
return EncryptionUtil.verifyClientKey(clientKey, Instant.now());
|
||||
if (EncryptionUtil.verifyClientKey(clientKey, Instant.now())) {
|
||||
return Optional.of(clientKey);
|
||||
}
|
||||
} catch (SignatureException | InvalidKeyException | NoSuchAlgorithmException ex) {
|
||||
return false;
|
||||
return Optional.empty();
|
||||
}
|
||||
|
||||
return Optional.empty();
|
||||
}
|
||||
|
||||
private String getUsername(PacketContainer packet) {
|
||||
|
||||
@ -30,7 +30,7 @@ import com.comphenix.protocol.ProtocolManager;
|
||||
import com.comphenix.protocol.events.PacketContainer;
|
||||
import com.comphenix.protocol.reflect.StructureModifier;
|
||||
import com.comphenix.protocol.wrappers.WrappedChatComponent;
|
||||
import com.comphenix.protocol.wrappers.WrappedProfilePublicKey.WrappedProfileKeyData;
|
||||
import com.github.games647.fastlogin.bukkit.listener.protocollib.packet.ClientPublicKey;
|
||||
import com.github.games647.fastlogin.core.shared.LoginSource;
|
||||
|
||||
import java.net.InetSocketAddress;
|
||||
@ -49,17 +49,17 @@ class ProtocolLibLoginSource implements LoginSource {
|
||||
|
||||
private final Random random;
|
||||
|
||||
private final WrappedProfileKeyData clientPublicKey;
|
||||
private final ClientPublicKey clientKey;
|
||||
private final PublicKey publicKey;
|
||||
|
||||
private final String serverId = "";
|
||||
private byte[] verifyToken;
|
||||
|
||||
public ProtocolLibLoginSource(Player player, Random random, PublicKey serverPublicKey, WrappedProfileKeyData clientPublicKey) {
|
||||
public ProtocolLibLoginSource(Player player, Random random, PublicKey serverPublicKey, ClientPublicKey clientKey) {
|
||||
this.player = player;
|
||||
this.random = random;
|
||||
this.publicKey = serverPublicKey;
|
||||
this.clientPublicKey = clientPublicKey;
|
||||
this.clientKey = clientKey;
|
||||
}
|
||||
|
||||
@Override
|
||||
@ -112,8 +112,8 @@ class ProtocolLibLoginSource implements LoginSource {
|
||||
return player.getAddress();
|
||||
}
|
||||
|
||||
public WrappedProfileKeyData getClientPublicKey() {
|
||||
return clientPublicKey;
|
||||
public ClientPublicKey getClientKey() {
|
||||
return clientKey;
|
||||
}
|
||||
|
||||
public String getServerId() {
|
||||
|
||||
@ -263,7 +263,7 @@ public class VerifyResponseTask implements Runnable {
|
||||
|
||||
EquivalentConverter<WrappedProfileKeyData> converter = BukkitConverters.getWrappedPublicKeyDataConverter();
|
||||
var key = new WrappedProfileKeyData(clientKey.expiry(), clientKey.key(), sharedSecret);
|
||||
startPacket.getOptionals(converter).write(0, Optional.of(key));
|
||||
startPacket.getOptionals(converter).write(0, Optional.ofNullable(key));
|
||||
} else {
|
||||
//uuid is ignored by the packet definition
|
||||
WrappedGameProfile fakeProfile = new WrappedGameProfile(UUID.randomUUID(), username);
|
||||
|
||||
@ -272,6 +272,15 @@ autoRegisterFloodgate: false
|
||||
# Enabling this might lead to people gaining unauthorized access to other's accounts!
|
||||
floodgatePrefixWorkaround: false
|
||||
|
||||
# This option resembles the vanilla configuration option 'enforce-secure-profile' in the 'server.properties' file.
|
||||
# It verifies if the incoming cryptographic key in the login request from the player is signed by Mojang. This key
|
||||
# is necessary for servers where you or other in-game players want to verify that a chat message sent and signed by
|
||||
# this player is not modified by any third-party. Modifications by your server would also invalidate the message.
|
||||
#
|
||||
# This feature is only relevant if you use the plugin in ProtocolLib mode. This also the case if you don't have any
|
||||
# proxies in use.
|
||||
verifyClientKeys: true
|
||||
|
||||
# Database configuration
|
||||
# Recommended is the use of MariaDB (a better version of MySQL)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user