304 lines
15 KiB
Diff
304 lines
15 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Andrew Steinborn <git@steinborn.me>
|
|
Date: Mon, 8 Oct 2018 14:36:14 -0400
|
|
Subject: [PATCH] Add Velocity IP Forwarding Support
|
|
|
|
While Velocity supports BungeeCord-style IP forwarding, it is not secure. Users
|
|
have a lot of problems setting up firewalls or setting up plugins like IPWhitelist.
|
|
Further, the BungeeCord IP forwarding protocol still retains essentially its original
|
|
form, when there is brand new support for custom login plugin messages in 1.13.
|
|
|
|
Velocity's modern IP forwarding uses an HMAC-SHA256 code to ensure authenticity
|
|
of messages, is packed into a binary format that is smaller than BungeeCord's
|
|
forwarding, and is integrated into the Minecraft login process by using the 1.13
|
|
login plugin message packet.
|
|
|
|
diff --git a/src/main/java/com/destroystokyo/paper/PaperConfig.java b/src/main/java/com/destroystokyo/paper/PaperConfig.java
|
|
index 7178b37f7978c7e9031a22726005c5099fd78fe0..3139c194f9b1bc3510d51a81f13ae43d00a3dc29 100644
|
|
--- a/src/main/java/com/destroystokyo/paper/PaperConfig.java
|
|
+++ b/src/main/java/com/destroystokyo/paper/PaperConfig.java
|
|
@@ -8,6 +8,7 @@ import java.io.IOException;
|
|
import java.lang.reflect.InvocationTargetException;
|
|
import java.lang.reflect.Method;
|
|
import java.lang.reflect.Modifier;
|
|
+import java.nio.charset.StandardCharsets;
|
|
import java.util.HashMap;
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
@@ -252,7 +253,7 @@ public class PaperConfig {
|
|
}
|
|
|
|
public static boolean isProxyOnlineMode() {
|
|
- return Bukkit.getOnlineMode() || (SpigotConfig.bungee && bungeeOnlineMode);
|
|
+ return Bukkit.getOnlineMode() || (SpigotConfig.bungee && bungeeOnlineMode) || (velocitySupport && velocityOnlineMode);
|
|
}
|
|
|
|
public static int packetInSpamThreshold = 300;
|
|
@@ -324,4 +325,18 @@ public class PaperConfig {
|
|
}
|
|
tabSpamLimit = getInt("settings.spam-limiter.tab-spam-limit", tabSpamLimit);
|
|
}
|
|
+
|
|
+ public static boolean velocitySupport;
|
|
+ public static boolean velocityOnlineMode;
|
|
+ public static byte[] velocitySecretKey;
|
|
+ private static void velocitySupport() {
|
|
+ velocitySupport = getBoolean("settings.velocity-support.enabled", false);
|
|
+ velocityOnlineMode = getBoolean("settings.velocity-support.online-mode", false);
|
|
+ String secret = getString("settings.velocity-support.secret", "");
|
|
+ if (velocitySupport && secret.isEmpty()) {
|
|
+ fatal("Velocity support is enabled, but no secret key was specified. A secret key is required!");
|
|
+ } else {
|
|
+ velocitySecretKey = secret.getBytes(StandardCharsets.UTF_8);
|
|
+ }
|
|
+ }
|
|
}
|
|
diff --git a/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java b/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..5490ddb9f2ff1fc3e6088e703c246a06594076bc
|
|
--- /dev/null
|
|
+++ b/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java
|
|
@@ -0,0 +1,66 @@
|
|
+package com.destroystokyo.paper.proxy;
|
|
+
|
|
+import com.destroystokyo.paper.PaperConfig;
|
|
+import com.google.common.net.InetAddresses;
|
|
+import com.mojang.authlib.GameProfile;
|
|
+import com.mojang.authlib.properties.Property;
|
|
+import java.net.InetAddress;
|
|
+import java.security.InvalidKeyException;
|
|
+import java.security.MessageDigest;
|
|
+import java.security.NoSuchAlgorithmException;
|
|
+
|
|
+import javax.crypto.Mac;
|
|
+import javax.crypto.spec.SecretKeySpec;
|
|
+import net.minecraft.network.FriendlyByteBuf;
|
|
+import net.minecraft.resources.ResourceLocation;
|
|
+
|
|
+public class VelocityProxy {
|
|
+ private static final int SUPPORTED_FORWARDING_VERSION = 1;
|
|
+ public static final ResourceLocation PLAYER_INFO_CHANNEL = new ResourceLocation("velocity", "player_info");
|
|
+
|
|
+ public static boolean checkIntegrity(final FriendlyByteBuf buf) {
|
|
+ final byte[] signature = new byte[32];
|
|
+ buf.readBytes(signature);
|
|
+
|
|
+ final byte[] data = new byte[buf.readableBytes()];
|
|
+ buf.getBytes(buf.readerIndex(), data);
|
|
+
|
|
+ try {
|
|
+ final Mac mac = Mac.getInstance("HmacSHA256");
|
|
+ mac.init(new SecretKeySpec(PaperConfig.velocitySecretKey, "HmacSHA256"));
|
|
+ final byte[] mySignature = mac.doFinal(data);
|
|
+ if (!MessageDigest.isEqual(signature, mySignature)) {
|
|
+ return false;
|
|
+ }
|
|
+ } catch (final InvalidKeyException | NoSuchAlgorithmException e) {
|
|
+ throw new AssertionError(e);
|
|
+ }
|
|
+
|
|
+ int version = buf.readVarInt();
|
|
+ if (version != SUPPORTED_FORWARDING_VERSION) {
|
|
+ throw new IllegalStateException("Unsupported forwarding version " + version + ", wanted " + SUPPORTED_FORWARDING_VERSION);
|
|
+ }
|
|
+
|
|
+ return true;
|
|
+ }
|
|
+
|
|
+ public static InetAddress readAddress(final FriendlyByteBuf buf) {
|
|
+ return InetAddresses.forString(buf.readUTF(Short.MAX_VALUE));
|
|
+ }
|
|
+
|
|
+ public static GameProfile createProfile(final FriendlyByteBuf buf) {
|
|
+ final GameProfile profile = new GameProfile(buf.readUUID(), buf.readUTF(16));
|
|
+ readProperties(buf, profile);
|
|
+ return profile;
|
|
+ }
|
|
+
|
|
+ private static void readProperties(final FriendlyByteBuf buf, final GameProfile profile) {
|
|
+ final int properties = buf.readVarInt();
|
|
+ for (int i1 = 0; i1 < properties; i1++) {
|
|
+ final String name = buf.readUTF(Short.MAX_VALUE);
|
|
+ final String value = buf.readUTF(Short.MAX_VALUE);
|
|
+ final String signature = buf.readBoolean() ? buf.readUTF(Short.MAX_VALUE) : null;
|
|
+ profile.getProperties().put(name, new Property(name, value, signature));
|
|
+ }
|
|
+ }
|
|
+}
|
|
diff --git a/src/main/java/net/minecraft/network/FriendlyByteBuf.java b/src/main/java/net/minecraft/network/FriendlyByteBuf.java
|
|
index 10f1e3d761af83507bf71a00092641e22d0c8049..a295845409824b930992426451ef26856d6e7c36 100644
|
|
--- a/src/main/java/net/minecraft/network/FriendlyByteBuf.java
|
|
+++ b/src/main/java/net/minecraft/network/FriendlyByteBuf.java
|
|
@@ -191,6 +191,7 @@ public class FriendlyByteBuf extends ByteBuf {
|
|
return this.writeVarInt(oenum.ordinal());
|
|
}
|
|
|
|
+ public int readVarInt() { return readVarInt(); } // Paper - OBFHELPER
|
|
public int readVarInt() {
|
|
int i = 0;
|
|
int j = 0;
|
|
@@ -231,6 +232,7 @@ public class FriendlyByteBuf extends ByteBuf {
|
|
return this;
|
|
}
|
|
|
|
+ public UUID readUUID() { return readUUID(); } // Paper - OBFHELPER
|
|
public UUID readUUID() {
|
|
return new UUID(this.readLong(), this.readLong());
|
|
}
|
|
@@ -358,6 +360,7 @@ public class FriendlyByteBuf extends ByteBuf {
|
|
}
|
|
}
|
|
|
|
+ public String readUTF(int maxLength) { return this.readUtf(maxLength); } // Paper - OBFHELPER
|
|
public String readUtf(int i) {
|
|
int j = this.readVarInt();
|
|
|
|
diff --git a/src/main/java/net/minecraft/network/protocol/login/ClientboundCustomQueryPacket.java b/src/main/java/net/minecraft/network/protocol/login/ClientboundCustomQueryPacket.java
|
|
index 8a0301cc4a411c4f9384331d68794ca73b797f5f..88a63635d73983afe58406c66f4ea81cd823c627 100644
|
|
--- a/src/main/java/net/minecraft/network/protocol/login/ClientboundCustomQueryPacket.java
|
|
+++ b/src/main/java/net/minecraft/network/protocol/login/ClientboundCustomQueryPacket.java
|
|
@@ -13,6 +13,14 @@ public class ClientboundCustomQueryPacket implements Packet<ClientLoginPacketLis
|
|
|
|
public ClientboundCustomQueryPacket() {}
|
|
|
|
+ // Paper start
|
|
+ public ClientboundCustomQueryPacket(int id, ResourceLocation channel, FriendlyByteBuf buf) {
|
|
+ this.transactionId = id;
|
|
+ this.identifier = channel;
|
|
+ this.data = buf;
|
|
+ }
|
|
+ // Paper end
|
|
+
|
|
@Override
|
|
public void read(FriendlyByteBuf buf) throws IOException {
|
|
this.transactionId = buf.readVarInt();
|
|
diff --git a/src/main/java/net/minecraft/network/protocol/login/ServerboundCustomQueryPacket.java b/src/main/java/net/minecraft/network/protocol/login/ServerboundCustomQueryPacket.java
|
|
index ed5c62d121c69e91da9fd5f91ccf9abd665a3b40..790edd9f5a2527f5f715e2e2bec0b454cf0a2ce7 100644
|
|
--- a/src/main/java/net/minecraft/network/protocol/login/ServerboundCustomQueryPacket.java
|
|
+++ b/src/main/java/net/minecraft/network/protocol/login/ServerboundCustomQueryPacket.java
|
|
@@ -6,8 +6,8 @@ import net.minecraft.network.protocol.Packet;
|
|
|
|
public class ServerboundCustomQueryPacket implements Packet<ServerLoginPacketListener> {
|
|
|
|
- private int transactionId;
|
|
- private FriendlyByteBuf data;
|
|
+ private int transactionId; public int getId() { return transactionId; } // Paper - OBFHELPER
|
|
+ private FriendlyByteBuf data; public FriendlyByteBuf getBuf() { return data; } // Paper - OBFHELPER
|
|
|
|
public ServerboundCustomQueryPacket() {}
|
|
|
|
diff --git a/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java b/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java
|
|
index 0aa3a154d68f00edcc09b947a24b2b59b1e135e6..22d6f41001977917ec75046252cbf7157b92396d 100644
|
|
--- a/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java
|
|
+++ b/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java
|
|
@@ -18,9 +18,11 @@ import javax.crypto.Cipher;
|
|
import javax.crypto.SecretKey;
|
|
import net.minecraft.DefaultUncaughtExceptionHandler;
|
|
import net.minecraft.network.Connection;
|
|
+import net.minecraft.network.FriendlyByteBuf;
|
|
import net.minecraft.network.chat.Component;
|
|
import net.minecraft.network.chat.TextComponent;
|
|
import net.minecraft.network.chat.TranslatableComponent;
|
|
+import net.minecraft.network.protocol.login.ClientboundCustomQueryPacket;
|
|
import net.minecraft.network.protocol.login.ClientboundGameProfilePacket;
|
|
import net.minecraft.network.protocol.login.ClientboundHelloPacket;
|
|
import net.minecraft.network.protocol.login.ClientboundLoginCompressionPacket;
|
|
@@ -43,6 +45,7 @@ import org.bukkit.craftbukkit.util.Waitable;
|
|
import org.bukkit.event.player.AsyncPlayerPreLoginEvent;
|
|
import org.bukkit.event.player.PlayerPreLoginEvent;
|
|
// CraftBukkit end
|
|
+import io.netty.buffer.Unpooled; // Paper
|
|
|
|
public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener {
|
|
|
|
@@ -59,6 +62,7 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
|
|
private SecretKey secretKey;
|
|
private ServerPlayer delayedAcceptPlayer;
|
|
public String hostname = ""; // CraftBukkit - add field
|
|
+ private int velocityLoginMessageId = -1; // Paper - Velocity support
|
|
|
|
public ServerLoginPacketListenerImpl(MinecraftServer server, Connection connection) {
|
|
this.state = ServerLoginPacketListenerImpl.State.HELLO;
|
|
@@ -211,6 +215,14 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
|
|
this.state = ServerLoginPacketListenerImpl.State.KEY;
|
|
this.connection.send(new ClientboundHelloPacket("", this.server.getKeyPair().getPublic().getEncoded(), this.nonce));
|
|
} else {
|
|
+ // Paper start - Velocity support
|
|
+ if (com.destroystokyo.paper.PaperConfig.velocitySupport) {
|
|
+ this.velocityLoginMessageId = java.util.concurrent.ThreadLocalRandom.current().nextInt();
|
|
+ ClientboundCustomQueryPacket packet1 = new ClientboundCustomQueryPacket(this.velocityLoginMessageId, com.destroystokyo.paper.proxy.VelocityProxy.PLAYER_INFO_CHANNEL, new FriendlyByteBuf(Unpooled.EMPTY_BUFFER));
|
|
+ this.connection.send(packet1);
|
|
+ return;
|
|
+ }
|
|
+ // Paper end
|
|
// Spigot start
|
|
// Paper start - Cache authenticator threads
|
|
authenticatorPool.execute(new Runnable() {
|
|
@@ -312,6 +324,12 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
|
|
public class LoginHandler {
|
|
|
|
public void fireEvents() throws Exception {
|
|
+ // Paper start - Velocity support
|
|
+ if (ServerLoginPacketListenerImpl.this.velocityLoginMessageId == -1 && com.destroystokyo.paper.PaperConfig.velocitySupport) {
|
|
+ disconnect("This server requires you to connect with Velocity.");
|
|
+ return;
|
|
+ }
|
|
+ // Paper end
|
|
String playerName = gameProfile.getName();
|
|
java.net.InetAddress address = ((java.net.InetSocketAddress) connection.getRemoteAddress()).getAddress();
|
|
java.util.UUID uniqueId = gameProfile.getId();
|
|
@@ -359,6 +377,40 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
|
|
// Spigot end
|
|
|
|
public void handleCustomQueryPacket(ServerboundCustomQueryPacket packet) {
|
|
+ // Paper start - Velocity support
|
|
+ if (com.destroystokyo.paper.PaperConfig.velocitySupport && packet.getId() == this.velocityLoginMessageId) {
|
|
+ FriendlyByteBuf buf = packet.getBuf();
|
|
+ if (buf == null) {
|
|
+ this.disconnect("This server requires you to connect with Velocity.");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ if (!com.destroystokyo.paper.proxy.VelocityProxy.checkIntegrity(buf)) {
|
|
+ this.disconnect("Unable to verify player details");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ java.net.SocketAddress listening = this.connection.getRemoteAddress();
|
|
+ int port = 0;
|
|
+ if (listening instanceof java.net.InetSocketAddress) {
|
|
+ port = ((java.net.InetSocketAddress) listening).getPort();
|
|
+ }
|
|
+ this.connection.address = new java.net.InetSocketAddress(com.destroystokyo.paper.proxy.VelocityProxy.readAddress(buf), port);
|
|
+
|
|
+ this.setGameProfile(com.destroystokyo.paper.proxy.VelocityProxy.createProfile(buf));
|
|
+
|
|
+ // Proceed with login
|
|
+ authenticatorPool.execute(() -> {
|
|
+ try {
|
|
+ new LoginHandler().fireEvents();
|
|
+ } catch (Exception ex) {
|
|
+ disconnect("Failed to verify username!");
|
|
+ server.server.getLogger().log(java.util.logging.Level.WARNING, "Exception verifying " + gameProfile.getName(), ex);
|
|
+ }
|
|
+ });
|
|
+ return;
|
|
+ }
|
|
+ // Paper end
|
|
this.disconnect(new TranslatableComponent("multiplayer.disconnect.unexpected_query_response"));
|
|
}
|
|
|
|
diff --git a/src/main/java/org/bukkit/craftbukkit/CraftServer.java b/src/main/java/org/bukkit/craftbukkit/CraftServer.java
|
|
index 5e36d705c56384f507fd85f704eae634379a27f1..c06b35f114a8d243198b66c44ef57d8c2b201361 100644
|
|
--- a/src/main/java/org/bukkit/craftbukkit/CraftServer.java
|
|
+++ b/src/main/java/org/bukkit/craftbukkit/CraftServer.java
|
|
@@ -680,7 +680,7 @@ public final class CraftServer implements Server {
|
|
@Override
|
|
public long getConnectionThrottle() {
|
|
// Spigot Start - Automatically set connection throttle for bungee configurations
|
|
- if (org.spigotmc.SpigotConfig.bungee) {
|
|
+ if (org.spigotmc.SpigotConfig.bungee || com.destroystokyo.paper.PaperConfig.velocitySupport) { // Paper - Velocity support
|
|
return -1;
|
|
} else {
|
|
return this.configuration.getInt("settings.connection-throttle");
|