1
0

Protocol proxy now decrypts the data (but doesn't understand the packets yet)

git-svn-id: http://mc-server.googlecode.com/svn/trunk@826 0a769ca7-a7f5-676a-18bf-c427514a06d6
This commit is contained in:
madmaxoft@gmail.com 2012-09-02 21:38:13 +00:00
parent 38efe73154
commit 532ed91a72
4 changed files with 569 additions and 18 deletions

View File

@ -11,12 +11,66 @@
#define HANDLE_CLIENT_PACKET_READ(Proc, Type, Var) \
Type Var; \
{ \
if (!m_ClientBuffer.Proc(Var)) \
{ \
return; \
} \
}
#define HANDLE_SERVER_PACKET_READ(Proc, Type, Var) \
Type Var; \
{ \
if (!m_ServerBuffer.Proc(Var)) \
{ \
return; \
} \
}
#define CLIENTSEND(...) SendData(m_ClientSocket, __VA_ARGS__, "Client")
#define SERVERSEND(...) SendData(m_ServerSocket, __VA_ARGS__, "Server")
#define CLIENTENCRYPTSEND(...) SendEncryptedData(m_ClientSocket, m_ClientEncryptor, __VA_ARGS__, "Client")
#define SERVERENCRYPTSEND(...) SendEncryptedData(m_ServerSocket, m_ServerEncryptor, __VA_ARGS__, "Server")
#define MAX_ENC_LEN 1024
typedef unsigned char Byte;
enum
{
PACKET_HANDSHAKE = 0x02,
PACKET_ENCRYPTION_KEY_RESPONSE = 0xfc,
PACKET_ENCRYPTION_KEY_REQUEST = 0xfd,
PACKET_PING = 0xfe,
PACKET_KICK = 0xff,
} ;
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// cConnection:
cConnection::cConnection(SOCKET a_ClientSocket, cServer & a_Server) :
m_Server(a_Server),
m_LogFile(NULL),
m_ClientSocket(a_ClientSocket),
m_ServerSocket(-1),
m_BeginTick(clock())
m_BeginTick(clock()),
m_ClientState(csUnencrypted),
m_ServerState(csUnencrypted),
m_ClientBuffer(64 KiB),
m_ServerBuffer(64 KiB),
m_Nonce(0)
{
AString fnam;
Printf(fnam, "Log_%d.log", (int)time(NULL));
@ -55,23 +109,26 @@ void cConnection::Run(void)
if (res <= 0)
{
printf("select() failed: %d; aborting client", WSAGetLastError());
return;
break;
}
if (FD_ISSET(m_ServerSocket, &ReadFDs))
{
if (!RelayFromServer())
{
return;
break;
}
}
if (FD_ISSET(m_ClientSocket, &ReadFDs))
{
if (!RelayFromClient())
{
return;
break;
}
}
}
Log("Relaying ended, closing sockets");
closesocket(m_ServerSocket);
closesocket(m_ClientSocket);
}
@ -88,8 +145,12 @@ void cConnection::Log(const char * a_Format, ...)
AString FullMsg;
Printf(FullMsg, "[%5.3f] %s\n", GetRelativeTime(), msg.c_str());
// Log to file:
cCSLock Lock(m_CSLog);
fputs(FullMsg.c_str(), m_LogFile);
// Log to screen:
puts(FullMsg.c_str());
}
@ -107,8 +168,12 @@ void cConnection::DataLog(const void * a_Data, int a_Size, const char * a_Format
AString Hex;
Printf(FullMsg, "[%5.3f] %s\n%s", GetRelativeTime(), msg.c_str(), CreateHexDump(Hex, a_Data, a_Size, 16).c_str());
// Log to file:
cCSLock Lock(m_CSLog);
fputs(FullMsg.c_str(), m_LogFile);
// Log to screen:
puts(FullMsg.c_str());
}
@ -131,6 +196,7 @@ bool cConnection::ConnectToServer(void)
printf("connection to server failed: %d\n", WSAGetLastError());
return false;
}
Log("Connected to SERVER");
return true;
}
@ -148,14 +214,27 @@ bool cConnection::RelayFromServer(void)
return false;
}
DataLog(Buffer, res, "Received %d bytes from the server", res);
// TODO: Process the data
DataLog(Buffer, res, "Received %d bytes from the SERVER", res);
res = send(m_ClientSocket, Buffer, res, 0);
if (res <= 0)
switch (m_ServerState)
{
Log("Client closed the socket: %d, %d; aborting connection", res, WSAGetLastError());
return false;
case csUnencrypted:
{
return DecodeServersPackets(Buffer, res);
}
case csEncryptedUnderstood:
{
m_ServerDecryptor.ProcessData((byte *)Buffer, (byte *)Buffer, res);
DataLog(Buffer, res, "Decrypted %d bytes from the SERVER", res);
return DecodeServersPackets(Buffer, res);
}
case csEncryptedUnknown:
{
m_ServerDecryptor.ProcessData((byte *)Buffer, (byte *)Buffer, res);
DataLog(Buffer, res, "Decrypted %d bytes from the SERVER", res);
m_ClientEncryptor.ProcessData((byte *)Buffer, (byte *)Buffer, res);
return CLIENTSEND(Buffer, res);
}
}
return true;
@ -175,14 +254,27 @@ bool cConnection::RelayFromClient(void)
return false;
}
DataLog(Buffer, res, "Received %d bytes from the client", res);
// TODO: Process the data
DataLog(Buffer, res, "Received %d bytes from the CLIENT", res);
res = send(m_ServerSocket, Buffer, res, 0);
if (res <= 0)
switch (m_ClientState)
{
Log("Server closed the socket: %d, %d; aborting connection", res, WSAGetLastError());
return false;
case csUnencrypted:
{
return DecodeClientsPackets(Buffer, res);
}
case csEncryptedUnderstood:
{
m_ClientDecryptor.ProcessData((byte *)Buffer, (byte *)Buffer, res);
DataLog(Buffer, res, "Decrypted %d bytes from the CLIENT", res);
return DecodeClientsPackets(Buffer, res);
}
case csEncryptedUnknown:
{
m_ClientDecryptor.ProcessData((byte *)Buffer, (byte *)Buffer, res);
DataLog(Buffer, res, "Decrypted %d bytes from the CLIENT", res);
m_ServerEncryptor.ProcessData((byte *)Buffer, (byte *)Buffer, res);
return SERVERSEND(Buffer, res);
}
}
return true;
@ -201,3 +293,394 @@ double cConnection::GetRelativeTime(void)
bool cConnection::SendData(SOCKET a_Socket, const char * a_Data, int a_Size, const char * a_Peer)
{
DataLog(a_Data, a_Size, "Sending data to %s", a_Peer);
int res = send(a_Socket, a_Data, a_Size, 0);
if (res <= 0)
{
Log("%s closed the socket: %d, %d; aborting connection", a_Peer, res, WSAGetLastError());
return false;
}
return true;
}
bool cConnection::SendData(SOCKET a_Socket, cByteBuffer & a_Data, const char * a_Peer)
{
AString All;
a_Data.ReadAll(All);
a_Data.CommitRead();
return SendData(a_Socket, All.data(), All.size(), a_Peer);
}
bool cConnection::SendEncryptedData(SOCKET a_Socket, Encryptor & a_Encryptor, const char * a_Data, int a_Size, const char * a_Peer)
{
DataLog(a_Data, a_Size, "Sending encrypted %d bytes to %s", a_Size, a_Peer);
const byte * Data = (const byte *)a_Data;
while (a_Size > 0)
{
byte Buffer[512];
int NumBytes = (a_Size > sizeof(Buffer)) ? sizeof(Buffer) : a_Size;
a_Encryptor.ProcessData(Buffer, Data, NumBytes);
bool res = SendData(a_Socket, (const char *)Buffer, NumBytes, a_Peer);
if (!res)
{
return false;
}
Data += NumBytes;
a_Size -= NumBytes;
}
return true;
}
bool cConnection::SendEncryptedData(SOCKET a_Socket, Encryptor & a_Encryptor, cByteBuffer & a_Data, const char * a_Peer)
{
AString All;
a_Data.ReadAll(All);
a_Data.CommitRead();
return SendEncryptedData(a_Socket, a_Encryptor, All.data(), All.size(), a_Peer);
}
bool cConnection::DecodeClientsPackets(const char * a_Data, int a_Size)
{
if (!m_ClientBuffer.Write(a_Data, a_Size))
{
Log("Too much queued data for the server, aborting connection");
return false;
}
while (m_ClientBuffer.CanReadBytes(1))
{
unsigned char PacketType;
m_ClientBuffer.ReadByte(PacketType);
switch (PacketType)
{
case PACKET_ENCRYPTION_KEY_RESPONSE: HandleClientEncryptionKeyResponse(); break;
case PACKET_HANDSHAKE: HandleClientHandshake(); break;
case PACKET_PING: HandleClientPing(); break;
default:
{
if (m_ClientState == csEncryptedUnderstood)
{
Log("Unknown packet 0x%02x from the client while encrypted; continuing to relay blind only", PacketType);
m_ClientState = csEncryptedUnknown;
m_ClientBuffer.ResetRead();
if (m_ServerState == csUnencrypted)
{
SERVERSEND(m_ClientBuffer);
}
else
{
SERVERENCRYPTSEND(m_ClientBuffer);
}
return true;
}
else
{
Log("Unknown packet 0x%02x from the client while unencrypted; aborting connection", PacketType);
return false;
}
}
} // switch (PacketType)
m_ClientBuffer.CommitRead();
} // while (CanReadBytes(1))
return true;
}
bool cConnection::DecodeServersPackets(const char * a_Data, int a_Size)
{
if (!m_ServerBuffer.Write(a_Data, a_Size))
{
Log("Too much queued data for the client, aborting connection");
return false;
}
if (
(m_ServerState == csEncryptedUnderstood) &&
(m_ClientState == csUnencrypted)
)
{
// Client hasn't finished encryption handshake yet, don't send them any data yet
}
while (m_ServerBuffer.CanReadBytes(1))
{
unsigned char PacketType;
m_ServerBuffer.ReadByte(PacketType);
switch (PacketType)
{
case PACKET_ENCRYPTION_KEY_REQUEST: HandleServerEncryptionKeyRequest(); break;
case PACKET_ENCRYPTION_KEY_RESPONSE: HandleServerEncryptionKeyResponse(); break;
case PACKET_KICK: HandleServerKick(); break;
default:
{
if (m_ServerState == csEncryptedUnderstood)
{
Log("Unknown packet 0x%02x from the server while encrypted; continuing to relay blind only", PacketType);
m_ServerState = csEncryptedUnknown;
m_ServerBuffer.ResetRead();
if (m_ClientState == csUnencrypted)
{
CLIENTSEND(m_ServerBuffer);
}
else
{
CLIENTENCRYPTSEND(m_ServerBuffer);
}
return true;
}
else
{
Log("Unknown packet 0x%02x from the server while unencrypted; aborting connection", PacketType);
return false;
}
}
} // switch (PacketType)
m_ServerBuffer.CommitRead();
} // while (CanReadBytes(1))
return true;
}
void cConnection::HandleClientEncryptionKeyResponse(void)
{
HANDLE_CLIENT_PACKET_READ(ReadBEShort, short, EncKeyLength);
AString EncKey;
if (!m_ClientBuffer.ReadString(EncKey, EncKeyLength))
{
return;
}
HANDLE_CLIENT_PACKET_READ(ReadBEShort, short, EncNonceLength);
AString EncNonce;
if (!m_ClientBuffer.ReadString(EncNonce, EncNonceLength))
{
return;
}
if ((EncKeyLength > MAX_ENC_LEN) || (EncNonceLength > MAX_ENC_LEN))
{
Log("Client: Too long encryption params");
return;
}
StartClientEncryption(EncKey, EncNonce);
}
void cConnection::HandleClientHandshake(void)
{
// Read the packet from the client:
HANDLE_CLIENT_PACKET_READ(ReadByte, Byte, ProtocolVersion);
HANDLE_CLIENT_PACKET_READ(ReadBEUTF16String16, AString, Username);
HANDLE_CLIENT_PACKET_READ(ReadBEUTF16String16, AString, ServerHost);
HANDLE_CLIENT_PACKET_READ(ReadBEInt, int, ServerPort);
m_ClientBuffer.CommitRead();
// Send the same packet to the server:
cByteBuffer ToServer(512);
ToServer.WriteByte (PACKET_HANDSHAKE);
ToServer.WriteByte (ProtocolVersion);
ToServer.WriteBEUTF16String16(Username);
ToServer.WriteBEUTF16String16(ServerHost);
ToServer.WriteBEInt (m_Server.GetConnectPort());
SERVERSEND(ToServer);
}
void cConnection::HandleClientPing(void)
{
Log("Received a PACKET_PING from the CLIENT");
m_ClientBuffer.ResetRead();
SERVERSEND(m_ClientBuffer);
}
void cConnection::HandleServerEncryptionKeyRequest(void)
{
// Read the packet from the server:
HANDLE_SERVER_PACKET_READ(ReadBEUTF16String16, AString, ServerID);
HANDLE_SERVER_PACKET_READ(ReadBEShort, short, PublicKeyLength);
AString PublicKey;
if (!m_ServerBuffer.ReadString(PublicKey, PublicKeyLength))
{
return;
}
HANDLE_SERVER_PACKET_READ(ReadBEShort, short, NonceLength);
AString Nonce;
if (!m_ServerBuffer.ReadString(Nonce, NonceLength))
{
return;
}
Log("Got PACKET_ENCRYPTION_KEY_REQUEST from the SERVER:");
Log(" ServerID = %s", ServerID.c_str());
// Reply to the server:
SendEncryptionKeyResponse(PublicKey, Nonce);
// Send a 0xFD Encryption Key Request http://wiki.vg/Protocol#0xFD to the client, using our own key:
Log("Sending PACKET_ENCRYPTION_KEY_REQUEST to the CLIENT");
AString key;
StringSink sink(key); // GCC won't allow inline instantiation in the following line, damned temporary refs
m_Server.GetPublicKey().Save(sink);
cByteBuffer ToClient(512);
ToClient.WriteByte (PACKET_ENCRYPTION_KEY_REQUEST);
ToClient.WriteBEUTF16String16(ServerID);
ToClient.WriteBEShort ((short)key.size());
ToClient.WriteBuf (key.data(), key.size());
ToClient.WriteBEShort (4);
ToClient.WriteBEInt (m_Nonce); // Using 'this' as the cryptographic nonce, so that we don't have to generate one each time :)
CLIENTSEND(ToClient);
}
void cConnection::HandleServerEncryptionKeyResponse(void)
{
HANDLE_SERVER_PACKET_READ(ReadBEInt, int, Lengths);
if (Lengths != 0)
{
Log("Lengths are not zero!");
return;
}
m_ServerState = csEncryptedUnderstood;
}
void cConnection::HandleServerKick(void)
{
HANDLE_SERVER_PACKET_READ(ReadBEUTF16String16, AString, Reason);
Log("Received PACKET_KICK from the SERVER:");
Log(" Reason = \"%s\"", Reason.c_str());
cByteBuffer ToClient(Reason.size() * 2 + 4);
ToClient.WriteByte(PACKET_KICK);
ToClient.WriteBEUTF16String16(Reason);
CLIENTSEND(ToClient);
}
void cConnection::SendEncryptionKeyResponse(const AString & a_ServerPublicKey, const AString & a_Nonce)
{
// Generate the shared secret and encrypt using the server's public key
byte SharedSecret[16];
byte EncryptedSecret[128];
memset(SharedSecret, 0, sizeof(SharedSecret)); // Use all zeroes for the initial secret
RSA::PublicKey pk;
CryptoPP::StringSource src(a_ServerPublicKey, true);
ByteQueue bq;
src.TransferTo(bq);
bq.MessageEnd();
pk.Load(bq);
RSAES<PKCS1v15>::Encryptor rsaEncryptor(pk);
AutoSeededRandomPool rng;
int EncryptedLength = rsaEncryptor.FixedCiphertextLength();
ASSERT(EncryptedLength <= sizeof(EncryptedSecret));
rsaEncryptor.Encrypt(rng, SharedSecret, sizeof(SharedSecret), EncryptedSecret);
m_ServerEncryptor.SetKey(SharedSecret, 16, MakeParameters(Name::IV(), ConstByteArrayParameter(SharedSecret, 16))(Name::FeedbackSize(), 1));
m_ServerDecryptor.SetKey(SharedSecret, 16, MakeParameters(Name::IV(), ConstByteArrayParameter(SharedSecret, 16))(Name::FeedbackSize(), 1));
// Encrypt the nonce:
byte EncryptedNonce[128];
rsaEncryptor.Encrypt(rng, (const byte *)(a_Nonce.data()), a_Nonce.size(), EncryptedNonce);
// Send the packet to the server:
Log("Sending PACKET_ENCRYPTION_KEY_RESPONSE to the SERVER");
cByteBuffer ToServer(1024);
ToServer.WriteByte(PACKET_ENCRYPTION_KEY_RESPONSE);
ToServer.WriteBEShort(EncryptedLength);
ToServer.WriteBuf(EncryptedSecret, EncryptedLength);
ToServer.WriteBEShort(EncryptedLength);
ToServer.WriteBuf(EncryptedNonce, EncryptedLength);
SERVERSEND(ToServer);
}
void cConnection::StartClientEncryption(const AString & a_EncKey, const AString & a_EncNonce)
{
// Decrypt EncNonce using privkey
RSAES<PKCS1v15>::Decryptor rsaDecryptor(m_Server.GetPrivateKey());
AutoSeededRandomPool rng;
byte DecryptedNonce[MAX_ENC_LEN];
DecodingResult res = rsaDecryptor.Decrypt(rng, (const byte *)a_EncNonce.data(), a_EncNonce.size(), DecryptedNonce);
if (!res.isValidCoding || (res.messageLength != 4))
{
Log("Client: Bad nonce length");
return;
}
if (ntohl(*((int *)DecryptedNonce)) != m_Nonce)
{
Log("Bad nonce value");
return;
}
// Decrypt the symmetric encryption key using privkey:
byte SharedSecret[MAX_ENC_LEN];
res = rsaDecryptor.Decrypt(rng, (const byte *)a_EncKey.data(), a_EncKey.size(), SharedSecret);
if (!res.isValidCoding || (res.messageLength != 16))
{
Log("Bad key length");
return;
}
// Send encryption key response:
cByteBuffer ToClient(6);
ToClient.WriteByte((char)0xfc);
ToClient.WriteBEShort(0);
ToClient.WriteBEShort(0);
CLIENTSEND(ToClient);
// Start the encryption:
m_ClientEncryptor.SetKey(SharedSecret, 16, MakeParameters(Name::IV(), ConstByteArrayParameter(SharedSecret, 16))(Name::FeedbackSize(), 1));
m_ClientDecryptor.SetKey(SharedSecret, 16, MakeParameters(Name::IV(), ConstByteArrayParameter(SharedSecret, 16))(Name::FeedbackSize(), 1));
m_ClientState = csEncryptedUnderstood;
// Handle all postponed server data
DecodeServersPackets(NULL, 0);
}

View File

@ -10,6 +10,7 @@
#pragma once
#include <time.h>
#include "ByteBuffer.h"
@ -32,6 +33,18 @@ class cConnection
clock_t m_BeginTick; // Tick when the relative time was first retrieved (used for GetRelativeTime())
enum eConnectionState
{
csUnencrypted, // The connection is not encrypted. Packets must be decoded in order to be able to start decryption.
csEncryptedUnderstood, // The communication is encrypted and so far all packets have been understood, so they can be still decoded
csEncryptedUnknown, // The communication is encrypted, but an unknown packet has been received, so packets cannot be decoded anymore
};
eConnectionState m_ClientState;
eConnectionState m_ServerState;
int m_Nonce;
public:
cConnection(SOCKET a_ClientSocket, cServer & a_Server);
~cConnection();
@ -42,6 +55,18 @@ public:
void DataLog(const void * a_Data, int a_Size, const char * a_Format, ...);
protected:
typedef CFB_Mode<AES>::Encryption Encryptor;
typedef CFB_Mode<AES>::Decryption Decryptor;
cByteBuffer m_ClientBuffer;
cByteBuffer m_ServerBuffer;
Decryptor m_ServerDecryptor;
Encryptor m_ServerEncryptor;
Decryptor m_ClientDecryptor;
Encryptor m_ClientEncryptor;
bool ConnectToServer(void);
/// Relays data from server to client; returns false if connection aborted
@ -52,6 +77,40 @@ protected:
/// Returns the time relative to the first call of this function, in the fractional seconds elapsed
double GetRelativeTime(void);
/// Sends data to the specified socket. If sending fails, prints a fail message using a_Peer and returns false.
bool SendData(SOCKET a_Socket, const char * a_Data, int a_Size, const char * a_Peer);
/// Sends data to the specified socket. If sending fails, prints a fail message using a_Peer and returns false.
bool SendData(SOCKET a_Socket, cByteBuffer & a_Data, const char * a_Peer);
/// Sends data to the specfied socket, after encrypting it using a_Encryptor. If sending fails, prints a fail message using a_Peer and returns false
bool SendEncryptedData(SOCKET a_Socket, Encryptor & a_Encryptor, const char * a_Data, int a_Size, const char * a_Peer);
/// Sends data to the specfied socket, after encrypting it using a_Encryptor. If sending fails, prints a fail message using a_Peer and returns false
bool SendEncryptedData(SOCKET a_Socket, Encryptor & a_Encryptor, cByteBuffer & a_Data, const char * a_Peer);
/// Decodes packets coming from the client, sends appropriate counterparts to the server; returns false if the connection is to be dropped
bool DecodeClientsPackets(const char * a_Data, int a_Size);
/// Decodes packets coming from the server, sends appropriate counterparts to the client; returns false if the connection is to be dropped
bool DecodeServersPackets(const char * a_Data, int a_Size);
// Packet handling, client-side:
void HandleClientEncryptionKeyResponse(void);
void HandleClientHandshake(void);
void HandleClientPing(void);
// Packet handling, server-side:
void HandleServerEncryptionKeyRequest(void);
void HandleServerEncryptionKeyResponse(void);
void HandleServerKick(void);
/// Send EKResp to the server:
void SendEncryptionKeyResponse(const AString & a_ServerPublicKey, const AString & a_Nonce);
/// Starts client encryption based on the parameters received
void StartClientEncryption(const AString & a_EncryptedSecret, const AString & a_EncryptedNonce);
} ;

View File

@ -208,6 +208,7 @@ public:
#include "CryptoPP/osrng.h"
#include "CryptoPP/rsa.h"
#include "CryptoPP/modes.h"
using namespace CryptoPP;

View File

@ -42,7 +42,7 @@
Name="VCCLCompilerTool"
Optimization="0"
AdditionalIncludeDirectories="..;../source"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="1"
@ -118,7 +118,7 @@
Optimization="2"
EnableIntrinsicFunctions="true"
AdditionalIncludeDirectories="..;../source"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="2"
@ -176,6 +176,14 @@
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx;h;hpp"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath="..\source\ByteBuffer.cpp"
>
</File>
<File
RelativePath="..\source\ByteBuffer.h"
>
</File>
<File
RelativePath="..\source\cCriticalSection.cpp"
>