283 lines
13 KiB
Diff
283 lines
13 KiB
Diff
From b980e21362028ef6fafe9d3625d80d3bb2ec9f1a Mon Sep 17 00:00:00 2001
|
|
From: Andrew Steinborn <git@steinborn.me>
|
|
Date: Mon, 8 Oct 2018 14:36:14 -0400
|
|
Subject: [PATCH] Add Velocity IP Forwarding Support
|
|
|
|
While Velocity supports BungeeCord-style IP forwarding, it is not secure. Users
|
|
have a lot of problems setting up firewalls or setting up plugins like IPWhitelist.
|
|
Further, the BungeeCord IP forwarding protocol still retains essentially its original
|
|
form, when there is brand new support for custom login plugin messages in 1.13.
|
|
|
|
Velocity's modern IP forwarding uses an HMAC-SHA256 code to ensure authenticity
|
|
of messages, is packed into a binary format that is smaller than BungeeCord's
|
|
forwarding, and is integrated into the Minecraft login process by using the 1.13
|
|
login plugin message packet.
|
|
|
|
diff --git a/src/main/java/com/destroystokyo/paper/PaperConfig.java b/src/main/java/com/destroystokyo/paper/PaperConfig.java
|
|
index 7f9845d92..52ce8f89e 100644
|
|
--- a/src/main/java/com/destroystokyo/paper/PaperConfig.java
|
|
+++ b/src/main/java/com/destroystokyo/paper/PaperConfig.java
|
|
@@ -8,6 +8,7 @@ import java.io.IOException;
|
|
import java.lang.reflect.InvocationTargetException;
|
|
import java.lang.reflect.Method;
|
|
import java.lang.reflect.Modifier;
|
|
+import java.nio.charset.StandardCharsets;
|
|
import java.util.HashMap;
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
@@ -256,7 +257,7 @@ public class PaperConfig {
|
|
}
|
|
|
|
public static boolean isProxyOnlineMode() {
|
|
- return Bukkit.getOnlineMode() || (SpigotConfig.bungee && bungeeOnlineMode);
|
|
+ return Bukkit.getOnlineMode() || (SpigotConfig.bungee && bungeeOnlineMode) || (velocitySupport && velocityOnlineMode);
|
|
}
|
|
|
|
public static int packetInSpamThreshold = 300;
|
|
@@ -434,4 +435,18 @@ public class PaperConfig {
|
|
}
|
|
}
|
|
}
|
|
+
|
|
+ public static boolean velocitySupport;
|
|
+ public static boolean velocityOnlineMode;
|
|
+ public static byte[] velocitySecretKey;
|
|
+ private static void velocitySupport() {
|
|
+ velocitySupport = getBoolean("settings.velocity-support.enabled", false);
|
|
+ velocityOnlineMode = getBoolean("settings.velocity-support.online-mode", false);
|
|
+ String secret = getString("settings.velocity-support.secret", "");
|
|
+ if (velocitySupport && secret.isEmpty()) {
|
|
+ fatal("Velocity support is enabled, but no secret key was specified. A secret key is required!");
|
|
+ } else {
|
|
+ velocitySecretKey = secret.getBytes(StandardCharsets.UTF_8);
|
|
+ }
|
|
+ }
|
|
}
|
|
diff --git a/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java b/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java
|
|
new file mode 100644
|
|
index 000000000..fdd8708f9
|
|
--- /dev/null
|
|
+++ b/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java
|
|
@@ -0,0 +1,67 @@
|
|
+package com.destroystokyo.paper.proxy;
|
|
+
|
|
+import com.destroystokyo.paper.PaperConfig;
|
|
+import com.google.common.net.InetAddresses;
|
|
+import com.mojang.authlib.GameProfile;
|
|
+import com.mojang.authlib.properties.Property;
|
|
+import net.minecraft.server.MinecraftKey;
|
|
+import net.minecraft.server.PacketDataSerializer;
|
|
+
|
|
+import java.net.InetAddress;
|
|
+import java.security.InvalidKeyException;
|
|
+import java.security.MessageDigest;
|
|
+import java.security.NoSuchAlgorithmException;
|
|
+
|
|
+import javax.crypto.Mac;
|
|
+import javax.crypto.spec.SecretKeySpec;
|
|
+
|
|
+public class VelocityProxy {
|
|
+ private static final int SUPPORTED_FORWARDING_VERSION = 1;
|
|
+ public static final MinecraftKey PLAYER_INFO_CHANNEL = new MinecraftKey("velocity", "player_info");
|
|
+
|
|
+ public static boolean checkIntegrity(final PacketDataSerializer buf) {
|
|
+ final byte[] signature = new byte[32];
|
|
+ buf.readBytes(signature);
|
|
+
|
|
+ final byte[] data = new byte[buf.readableBytes()];
|
|
+ buf.getBytes(buf.readerIndex(), data);
|
|
+
|
|
+ try {
|
|
+ final Mac mac = Mac.getInstance("HmacSHA256");
|
|
+ mac.init(new SecretKeySpec(PaperConfig.velocitySecretKey, "HmacSHA256"));
|
|
+ final byte[] mySignature = mac.doFinal(data);
|
|
+ if (!MessageDigest.isEqual(signature, mySignature)) {
|
|
+ return false;
|
|
+ }
|
|
+ } catch (final InvalidKeyException | NoSuchAlgorithmException e) {
|
|
+ throw new AssertionError(e);
|
|
+ }
|
|
+
|
|
+ int version = buf.readVarInt();
|
|
+ if (version != SUPPORTED_FORWARDING_VERSION) {
|
|
+ throw new IllegalStateException("Unsupported forwarding version " + version + ", wanted " + SUPPORTED_FORWARDING_VERSION);
|
|
+ }
|
|
+
|
|
+ return true;
|
|
+ }
|
|
+
|
|
+ public static InetAddress readAddress(final PacketDataSerializer buf) {
|
|
+ return InetAddresses.forString(buf.readUTF(Short.MAX_VALUE));
|
|
+ }
|
|
+
|
|
+ public static GameProfile createProfile(final PacketDataSerializer buf) {
|
|
+ final GameProfile profile = new GameProfile(buf.readUUID(), buf.readUTF(16));
|
|
+ readProperties(buf, profile);
|
|
+ return profile;
|
|
+ }
|
|
+
|
|
+ private static void readProperties(final PacketDataSerializer buf, final GameProfile profile) {
|
|
+ final int properties = buf.readVarInt();
|
|
+ for (int i1 = 0; i1 < properties; i1++) {
|
|
+ final String name = buf.readUTF(Short.MAX_VALUE);
|
|
+ final String value = buf.readUTF(Short.MAX_VALUE);
|
|
+ final String signature = buf.readBoolean() ? buf.readUTF(Short.MAX_VALUE) : null;
|
|
+ profile.getProperties().put(name, new Property(name, value, signature));
|
|
+ }
|
|
+ }
|
|
+}
|
|
diff --git a/src/main/java/net/minecraft/server/LoginListener.java b/src/main/java/net/minecraft/server/LoginListener.java
|
|
index c5801122d..ca76f2a38 100644
|
|
--- a/src/main/java/net/minecraft/server/LoginListener.java
|
|
+++ b/src/main/java/net/minecraft/server/LoginListener.java
|
|
@@ -42,6 +42,7 @@ public class LoginListener implements PacketLoginInListener, ITickable {
|
|
private SecretKey loginKey;
|
|
private EntityPlayer l;
|
|
public String hostname = ""; // CraftBukkit - add field
|
|
+ private int velocityLoginMessageId = -1; // Paper - Velocity support
|
|
|
|
public LoginListener(MinecraftServer minecraftserver, NetworkManager networkmanager) {
|
|
this.g = LoginListener.EnumProtocolState.HELLO;
|
|
@@ -186,6 +187,14 @@ public class LoginListener implements PacketLoginInListener, ITickable {
|
|
this.g = LoginListener.EnumProtocolState.KEY;
|
|
this.networkManager.sendPacket(new PacketLoginOutEncryptionBegin("", this.server.E().getPublic(), this.e));
|
|
} else {
|
|
+ // Paper start - Velocity support
|
|
+ if (com.destroystokyo.paper.PaperConfig.velocitySupport) {
|
|
+ this.velocityLoginMessageId = java.util.concurrent.ThreadLocalRandom.current().nextInt();
|
|
+ PacketLoginOutCustomPayload packet = new PacketLoginOutCustomPayload(this.velocityLoginMessageId, com.destroystokyo.paper.proxy.VelocityProxy.PLAYER_INFO_CHANNEL, new PacketDataSerializer(io.netty.buffer.Unpooled.EMPTY_BUFFER));
|
|
+ this.networkManager.sendPacket(packet);
|
|
+ return;
|
|
+ }
|
|
+ // Paper end
|
|
// Spigot start
|
|
// Paper start - Cache authenticator threads
|
|
authenticatorPool.execute(new Runnable() {
|
|
@@ -277,6 +286,12 @@ public class LoginListener implements PacketLoginInListener, ITickable {
|
|
public class LoginHandler {
|
|
|
|
public void fireEvents() throws Exception {
|
|
+ // Paper start - Velocity support
|
|
+ if (LoginListener.this.velocityLoginMessageId == -1 && com.destroystokyo.paper.PaperConfig.velocitySupport) {
|
|
+ disconnect("This server requires you to connect with Velocity.");
|
|
+ return;
|
|
+ }
|
|
+ // Paper end
|
|
String playerName = i.getName();
|
|
java.net.InetAddress address = ((java.net.InetSocketAddress) networkManager.getSocketAddress()).getAddress();
|
|
java.util.UUID uniqueId = i.getId();
|
|
@@ -324,6 +339,35 @@ public class LoginListener implements PacketLoginInListener, ITickable {
|
|
// Spigot end
|
|
|
|
public void a(PacketLoginInCustomPayload packetloginincustompayload) {
|
|
+ // Paper start - Velocity support
|
|
+ if (com.destroystokyo.paper.PaperConfig.velocitySupport && packetloginincustompayload.getId() == this.velocityLoginMessageId) {
|
|
+ PacketDataSerializer buf = packetloginincustompayload.getBuf();
|
|
+ if (buf == null) {
|
|
+ this.disconnect("This server requires you to connect with Velocity.");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ if (!com.destroystokyo.paper.proxy.VelocityProxy.checkIntegrity(buf)) {
|
|
+ this.disconnect("Unable to verify player details");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ this.networkManager.setSpoofedRemoteAddress(new java.net.InetSocketAddress(com.destroystokyo.paper.proxy.VelocityProxy.readAddress(buf), ((java.net.InetSocketAddress) this.networkManager.getSocketAddress()).getPort()));
|
|
+
|
|
+ this.setGameProfile(com.destroystokyo.paper.proxy.VelocityProxy.createProfile(buf));
|
|
+
|
|
+ // Proceed with login
|
|
+ authenticatorPool.execute(() -> {
|
|
+ try {
|
|
+ new LoginHandler().fireEvents();
|
|
+ } catch (Exception ex) {
|
|
+ disconnect("Failed to verify username!");
|
|
+ server.server.getLogger().log(java.util.logging.Level.WARNING, "Exception verifying " + i.getName(), ex);
|
|
+ }
|
|
+ });
|
|
+ return;
|
|
+ }
|
|
+ // Paper end
|
|
this.disconnect(new ChatMessage("multiplayer.disconnect.unexpected_query_response", new Object[0]));
|
|
}
|
|
|
|
diff --git a/src/main/java/net/minecraft/server/NetworkManager.java b/src/main/java/net/minecraft/server/NetworkManager.java
|
|
index 4c1110479..c53697914 100644
|
|
--- a/src/main/java/net/minecraft/server/NetworkManager.java
|
|
+++ b/src/main/java/net/minecraft/server/NetworkManager.java
|
|
@@ -46,7 +46,7 @@ public class NetworkManager extends SimpleChannelInboundHandler<Packet<?>> {
|
|
private final Queue<NetworkManager.QueuedPacket> packetQueue = Queues.newConcurrentLinkedQueue(); private final Queue<NetworkManager.QueuedPacket> getPacketQueue() { return this.packetQueue; } // Paper - OBFHELPER
|
|
private final ReentrantReadWriteLock j = new ReentrantReadWriteLock();
|
|
public Channel channel;
|
|
- public SocketAddress socketAddress;
|
|
+ public SocketAddress socketAddress; public void setSpoofedRemoteAddress(SocketAddress address) { this.socketAddress = address; } // Paper - OBFHELPER
|
|
// Spigot Start
|
|
public java.util.UUID spoofedUUID;
|
|
public com.mojang.authlib.properties.Property[] spoofedProfile;
|
|
diff --git a/src/main/java/net/minecraft/server/PacketDataSerializer.java b/src/main/java/net/minecraft/server/PacketDataSerializer.java
|
|
index b95836d44..621aad150 100644
|
|
--- a/src/main/java/net/minecraft/server/PacketDataSerializer.java
|
|
+++ b/src/main/java/net/minecraft/server/PacketDataSerializer.java
|
|
@@ -140,6 +140,7 @@ public class PacketDataSerializer extends ByteBuf {
|
|
return this.d(oenum.ordinal());
|
|
}
|
|
|
|
+ public int readVarInt() { return this.g(); } // Paper - OBFHELPER
|
|
public int g() {
|
|
int i = 0;
|
|
int j = 0;
|
|
@@ -180,6 +181,7 @@ public class PacketDataSerializer extends ByteBuf {
|
|
return this;
|
|
}
|
|
|
|
+ public UUID readUUID() { return this.i(); } // Paper - OBFHELPER
|
|
public UUID i() {
|
|
return new UUID(this.readLong(), this.readLong());
|
|
}
|
|
@@ -298,6 +300,7 @@ public class PacketDataSerializer extends ByteBuf {
|
|
}
|
|
}
|
|
|
|
+ public String readUTF(int maxLength) { return this.e(maxLength); } // Paper - OBFHELPER
|
|
public String e(int i) {
|
|
int j = this.g();
|
|
|
|
diff --git a/src/main/java/net/minecraft/server/PacketLoginInCustomPayload.java b/src/main/java/net/minecraft/server/PacketLoginInCustomPayload.java
|
|
index bdac03da4..430445cc6 100644
|
|
--- a/src/main/java/net/minecraft/server/PacketLoginInCustomPayload.java
|
|
+++ b/src/main/java/net/minecraft/server/PacketLoginInCustomPayload.java
|
|
@@ -4,8 +4,8 @@ import java.io.IOException;
|
|
|
|
public class PacketLoginInCustomPayload implements Packet<PacketLoginInListener> {
|
|
|
|
- private int a;
|
|
- private PacketDataSerializer b;
|
|
+ private int a; public int getId() { return a; } // Paper - OBFHELPER
|
|
+ private PacketDataSerializer b; public PacketDataSerializer getBuf() { return b; } // Paper - OBFHELPER
|
|
|
|
public PacketLoginInCustomPayload() {}
|
|
|
|
diff --git a/src/main/java/net/minecraft/server/PacketLoginOutCustomPayload.java b/src/main/java/net/minecraft/server/PacketLoginOutCustomPayload.java
|
|
index 345843a7f..23c96f44b 100644
|
|
--- a/src/main/java/net/minecraft/server/PacketLoginOutCustomPayload.java
|
|
+++ b/src/main/java/net/minecraft/server/PacketLoginOutCustomPayload.java
|
|
@@ -10,6 +10,14 @@ public class PacketLoginOutCustomPayload implements Packet<PacketLoginOutListene
|
|
|
|
public PacketLoginOutCustomPayload() {}
|
|
|
|
+ // Paper start
|
|
+ public PacketLoginOutCustomPayload(int id, MinecraftKey channel, PacketDataSerializer buf) {
|
|
+ this.a = id;
|
|
+ this.b = channel;
|
|
+ this.c = buf;
|
|
+ }
|
|
+ // Paper end
|
|
+
|
|
public void a(PacketDataSerializer packetdataserializer) throws IOException {
|
|
this.a = packetdataserializer.g();
|
|
this.b = packetdataserializer.l();
|
|
--
|
|
2.16.1.windows.1
|
|
|