testserver/Remapped-Spigot-Server-Patches/0298-Add-Velocity-IP-Forwar...

304 lines
15 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Andrew Steinborn <git@steinborn.me>
Date: Mon, 8 Oct 2018 14:36:14 -0400
Subject: [PATCH] Add Velocity IP Forwarding Support
While Velocity supports BungeeCord-style IP forwarding, it is not secure. Users
have a lot of problems setting up firewalls or setting up plugins like IPWhitelist.
Further, the BungeeCord IP forwarding protocol still retains essentially its original
form, when there is brand new support for custom login plugin messages in 1.13.
Velocity's modern IP forwarding uses an HMAC-SHA256 code to ensure authenticity
of messages, is packed into a binary format that is smaller than BungeeCord's
forwarding, and is integrated into the Minecraft login process by using the 1.13
login plugin message packet.
diff --git a/src/main/java/com/destroystokyo/paper/PaperConfig.java b/src/main/java/com/destroystokyo/paper/PaperConfig.java
index 7178b37f7978c7e9031a22726005c5099fd78fe0..3139c194f9b1bc3510d51a81f13ae43d00a3dc29 100644
--- a/src/main/java/com/destroystokyo/paper/PaperConfig.java
+++ b/src/main/java/com/destroystokyo/paper/PaperConfig.java
@@ -8,6 +8,7 @@ import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
+import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -252,7 +253,7 @@ public class PaperConfig {
}
public static boolean isProxyOnlineMode() {
- return Bukkit.getOnlineMode() || (SpigotConfig.bungee && bungeeOnlineMode);
+ return Bukkit.getOnlineMode() || (SpigotConfig.bungee && bungeeOnlineMode) || (velocitySupport && velocityOnlineMode);
}
public static int packetInSpamThreshold = 300;
@@ -324,4 +325,18 @@ public class PaperConfig {
}
tabSpamLimit = getInt("settings.spam-limiter.tab-spam-limit", tabSpamLimit);
}
+
+ public static boolean velocitySupport;
+ public static boolean velocityOnlineMode;
+ public static byte[] velocitySecretKey;
+ private static void velocitySupport() {
+ velocitySupport = getBoolean("settings.velocity-support.enabled", false);
+ velocityOnlineMode = getBoolean("settings.velocity-support.online-mode", false);
+ String secret = getString("settings.velocity-support.secret", "");
+ if (velocitySupport && secret.isEmpty()) {
+ fatal("Velocity support is enabled, but no secret key was specified. A secret key is required!");
+ } else {
+ velocitySecretKey = secret.getBytes(StandardCharsets.UTF_8);
+ }
+ }
}
diff --git a/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java b/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java
new file mode 100644
index 0000000000000000000000000000000000000000..5490ddb9f2ff1fc3e6088e703c246a06594076bc
--- /dev/null
+++ b/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java
@@ -0,0 +1,66 @@
+package com.destroystokyo.paper.proxy;
+
+import com.destroystokyo.paper.PaperConfig;
+import com.google.common.net.InetAddresses;
+import com.mojang.authlib.GameProfile;
+import com.mojang.authlib.properties.Property;
+import java.net.InetAddress;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import net.minecraft.network.FriendlyByteBuf;
+import net.minecraft.resources.ResourceLocation;
+
+public class VelocityProxy {
+ private static final int SUPPORTED_FORWARDING_VERSION = 1;
+ public static final ResourceLocation PLAYER_INFO_CHANNEL = new ResourceLocation("velocity", "player_info");
+
+ public static boolean checkIntegrity(final FriendlyByteBuf buf) {
+ final byte[] signature = new byte[32];
+ buf.readBytes(signature);
+
+ final byte[] data = new byte[buf.readableBytes()];
+ buf.getBytes(buf.readerIndex(), data);
+
+ try {
+ final Mac mac = Mac.getInstance("HmacSHA256");
+ mac.init(new SecretKeySpec(PaperConfig.velocitySecretKey, "HmacSHA256"));
+ final byte[] mySignature = mac.doFinal(data);
+ if (!MessageDigest.isEqual(signature, mySignature)) {
+ return false;
+ }
+ } catch (final InvalidKeyException | NoSuchAlgorithmException e) {
+ throw new AssertionError(e);
+ }
+
+ int version = buf.readVarInt();
+ if (version != SUPPORTED_FORWARDING_VERSION) {
+ throw new IllegalStateException("Unsupported forwarding version " + version + ", wanted " + SUPPORTED_FORWARDING_VERSION);
+ }
+
+ return true;
+ }
+
+ public static InetAddress readAddress(final FriendlyByteBuf buf) {
+ return InetAddresses.forString(buf.readUTF(Short.MAX_VALUE));
+ }
+
+ public static GameProfile createProfile(final FriendlyByteBuf buf) {
+ final GameProfile profile = new GameProfile(buf.readUUID(), buf.readUTF(16));
+ readProperties(buf, profile);
+ return profile;
+ }
+
+ private static void readProperties(final FriendlyByteBuf buf, final GameProfile profile) {
+ final int properties = buf.readVarInt();
+ for (int i1 = 0; i1 < properties; i1++) {
+ final String name = buf.readUTF(Short.MAX_VALUE);
+ final String value = buf.readUTF(Short.MAX_VALUE);
+ final String signature = buf.readBoolean() ? buf.readUTF(Short.MAX_VALUE) : null;
+ profile.getProperties().put(name, new Property(name, value, signature));
+ }
+ }
+}
diff --git a/src/main/java/net/minecraft/network/FriendlyByteBuf.java b/src/main/java/net/minecraft/network/FriendlyByteBuf.java
index 10f1e3d761af83507bf71a00092641e22d0c8049..a295845409824b930992426451ef26856d6e7c36 100644
--- a/src/main/java/net/minecraft/network/FriendlyByteBuf.java
+++ b/src/main/java/net/minecraft/network/FriendlyByteBuf.java
@@ -191,6 +191,7 @@ public class FriendlyByteBuf extends ByteBuf {
return this.writeVarInt(oenum.ordinal());
}
+ public int readVarInt() { return readVarInt(); } // Paper - OBFHELPER
public int readVarInt() {
int i = 0;
int j = 0;
@@ -231,6 +232,7 @@ public class FriendlyByteBuf extends ByteBuf {
return this;
}
+ public UUID readUUID() { return readUUID(); } // Paper - OBFHELPER
public UUID readUUID() {
return new UUID(this.readLong(), this.readLong());
}
@@ -358,6 +360,7 @@ public class FriendlyByteBuf extends ByteBuf {
}
}
+ public String readUTF(int maxLength) { return this.readUtf(maxLength); } // Paper - OBFHELPER
public String readUtf(int i) {
int j = this.readVarInt();
diff --git a/src/main/java/net/minecraft/network/protocol/login/ClientboundCustomQueryPacket.java b/src/main/java/net/minecraft/network/protocol/login/ClientboundCustomQueryPacket.java
index 8a0301cc4a411c4f9384331d68794ca73b797f5f..88a63635d73983afe58406c66f4ea81cd823c627 100644
--- a/src/main/java/net/minecraft/network/protocol/login/ClientboundCustomQueryPacket.java
+++ b/src/main/java/net/minecraft/network/protocol/login/ClientboundCustomQueryPacket.java
@@ -13,6 +13,14 @@ public class ClientboundCustomQueryPacket implements Packet<ClientLoginPacketLis
public ClientboundCustomQueryPacket() {}
+ // Paper start
+ public ClientboundCustomQueryPacket(int id, ResourceLocation channel, FriendlyByteBuf buf) {
+ this.transactionId = id;
+ this.identifier = channel;
+ this.data = buf;
+ }
+ // Paper end
+
@Override
public void read(FriendlyByteBuf buf) throws IOException {
this.transactionId = buf.readVarInt();
diff --git a/src/main/java/net/minecraft/network/protocol/login/ServerboundCustomQueryPacket.java b/src/main/java/net/minecraft/network/protocol/login/ServerboundCustomQueryPacket.java
index ed5c62d121c69e91da9fd5f91ccf9abd665a3b40..790edd9f5a2527f5f715e2e2bec0b454cf0a2ce7 100644
--- a/src/main/java/net/minecraft/network/protocol/login/ServerboundCustomQueryPacket.java
+++ b/src/main/java/net/minecraft/network/protocol/login/ServerboundCustomQueryPacket.java
@@ -6,8 +6,8 @@ import net.minecraft.network.protocol.Packet;
public class ServerboundCustomQueryPacket implements Packet<ServerLoginPacketListener> {
- private int transactionId;
- private FriendlyByteBuf data;
+ private int transactionId; public int getId() { return transactionId; } // Paper - OBFHELPER
+ private FriendlyByteBuf data; public FriendlyByteBuf getBuf() { return data; } // Paper - OBFHELPER
public ServerboundCustomQueryPacket() {}
diff --git a/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java b/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java
index 0aa3a154d68f00edcc09b947a24b2b59b1e135e6..22d6f41001977917ec75046252cbf7157b92396d 100644
--- a/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java
+++ b/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java
@@ -18,9 +18,11 @@ import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import net.minecraft.DefaultUncaughtExceptionHandler;
import net.minecraft.network.Connection;
+import net.minecraft.network.FriendlyByteBuf;
import net.minecraft.network.chat.Component;
import net.minecraft.network.chat.TextComponent;
import net.minecraft.network.chat.TranslatableComponent;
+import net.minecraft.network.protocol.login.ClientboundCustomQueryPacket;
import net.minecraft.network.protocol.login.ClientboundGameProfilePacket;
import net.minecraft.network.protocol.login.ClientboundHelloPacket;
import net.minecraft.network.protocol.login.ClientboundLoginCompressionPacket;
@@ -43,6 +45,7 @@ import org.bukkit.craftbukkit.util.Waitable;
import org.bukkit.event.player.AsyncPlayerPreLoginEvent;
import org.bukkit.event.player.PlayerPreLoginEvent;
// CraftBukkit end
+import io.netty.buffer.Unpooled; // Paper
public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener {
@@ -59,6 +62,7 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
private SecretKey secretKey;
private ServerPlayer delayedAcceptPlayer;
public String hostname = ""; // CraftBukkit - add field
+ private int velocityLoginMessageId = -1; // Paper - Velocity support
public ServerLoginPacketListenerImpl(MinecraftServer server, Connection connection) {
this.state = ServerLoginPacketListenerImpl.State.HELLO;
@@ -211,6 +215,14 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
this.state = ServerLoginPacketListenerImpl.State.KEY;
this.connection.send(new ClientboundHelloPacket("", this.server.getKeyPair().getPublic().getEncoded(), this.nonce));
} else {
+ // Paper start - Velocity support
+ if (com.destroystokyo.paper.PaperConfig.velocitySupport) {
+ this.velocityLoginMessageId = java.util.concurrent.ThreadLocalRandom.current().nextInt();
+ ClientboundCustomQueryPacket packet1 = new ClientboundCustomQueryPacket(this.velocityLoginMessageId, com.destroystokyo.paper.proxy.VelocityProxy.PLAYER_INFO_CHANNEL, new FriendlyByteBuf(Unpooled.EMPTY_BUFFER));
+ this.connection.send(packet1);
+ return;
+ }
+ // Paper end
// Spigot start
// Paper start - Cache authenticator threads
authenticatorPool.execute(new Runnable() {
@@ -312,6 +324,12 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
public class LoginHandler {
public void fireEvents() throws Exception {
+ // Paper start - Velocity support
+ if (ServerLoginPacketListenerImpl.this.velocityLoginMessageId == -1 && com.destroystokyo.paper.PaperConfig.velocitySupport) {
+ disconnect("This server requires you to connect with Velocity.");
+ return;
+ }
+ // Paper end
String playerName = gameProfile.getName();
java.net.InetAddress address = ((java.net.InetSocketAddress) connection.getRemoteAddress()).getAddress();
java.util.UUID uniqueId = gameProfile.getId();
@@ -359,6 +377,40 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
// Spigot end
public void handleCustomQueryPacket(ServerboundCustomQueryPacket packet) {
+ // Paper start - Velocity support
+ if (com.destroystokyo.paper.PaperConfig.velocitySupport && packet.getId() == this.velocityLoginMessageId) {
+ FriendlyByteBuf buf = packet.getBuf();
+ if (buf == null) {
+ this.disconnect("This server requires you to connect with Velocity.");
+ return;
+ }
+
+ if (!com.destroystokyo.paper.proxy.VelocityProxy.checkIntegrity(buf)) {
+ this.disconnect("Unable to verify player details");
+ return;
+ }
+
+ java.net.SocketAddress listening = this.connection.getRemoteAddress();
+ int port = 0;
+ if (listening instanceof java.net.InetSocketAddress) {
+ port = ((java.net.InetSocketAddress) listening).getPort();
+ }
+ this.connection.address = new java.net.InetSocketAddress(com.destroystokyo.paper.proxy.VelocityProxy.readAddress(buf), port);
+
+ this.setGameProfile(com.destroystokyo.paper.proxy.VelocityProxy.createProfile(buf));
+
+ // Proceed with login
+ authenticatorPool.execute(() -> {
+ try {
+ new LoginHandler().fireEvents();
+ } catch (Exception ex) {
+ disconnect("Failed to verify username!");
+ server.server.getLogger().log(java.util.logging.Level.WARNING, "Exception verifying " + gameProfile.getName(), ex);
+ }
+ });
+ return;
+ }
+ // Paper end
this.disconnect(new TranslatableComponent("multiplayer.disconnect.unexpected_query_response"));
}
diff --git a/src/main/java/org/bukkit/craftbukkit/CraftServer.java b/src/main/java/org/bukkit/craftbukkit/CraftServer.java
index 5e36d705c56384f507fd85f704eae634379a27f1..c06b35f114a8d243198b66c44ef57d8c2b201361 100644
--- a/src/main/java/org/bukkit/craftbukkit/CraftServer.java
+++ b/src/main/java/org/bukkit/craftbukkit/CraftServer.java
@@ -680,7 +680,7 @@ public final class CraftServer implements Server {
@Override
public long getConnectionThrottle() {
// Spigot Start - Automatically set connection throttle for bungee configurations
- if (org.spigotmc.SpigotConfig.bungee) {
+ if (org.spigotmc.SpigotConfig.bungee || com.destroystokyo.paper.PaperConfig.velocitySupport) { // Paper - Velocity support
return -1;
} else {
return this.configuration.getInt("settings.connection-throttle");