author: Mattes D <github@xoft.cz> 2014-04-30 17:05:13 +0200
committer: Mattes D <github@xoft.cz> 2014-04-30 17:05:13 +0200
commit: 014fab58e6eafce87a092aa859c5008dbdaa5c7b (patch)
tree: ac4ea8515e0461483714e18cef7bbb961f0fbec3 /src/Protocol
parent: Delayed sending the KeepAlive packet for 3 seconds after login. (diff)
parent: Removed unneeded #includes. (diff)
download: cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar
cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.gz
cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.bz2
cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.lz
cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.xz
cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.zst
cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.zip
5 files changed, 90 insertions, 136 deletions
diff --git a/src/Protocol/Authenticator.cpp b/src/Protocol/Authenticator.cpp
index bbc656eda..8100b6395 100644
--- a/src/Protocol/Authenticator.cpp
+++ b/src/Protocol/Authenticator.cpp
@@ -10,13 +10,7 @@
 #include "inifile/iniFile.h"
 #include "json/json.h"
 
-#include "polarssl/config.h"
-#include "polarssl/net.h"
-#include "polarssl/ssl.h"
-#include "polarssl/entropy.h"
-#include "polarssl/ctr_drbg.h"
-#include "polarssl/error.h"
-#include "polarssl/certs.h"
+#include "PolarSSL++/BlockingSslClientSocket.h"
 
 #include <sstream>
 #include <iomanip>
@@ -148,92 +142,74 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S
 {
 	LOGD("Trying to auth user %s", a_UserName.c_str());
 	
-	int ret, server_fd = -1;
+	int ret;
 	unsigned char buf[1024];
-	const char *pers = "cAuthenticator";
-
-	entropy_context entropy;
-	ctr_drbg_context ctr_drbg;
-	ssl_context ssl;
-	x509_crt cacert;
-
-	/* Initialize the RNG and the session data */
-	memset(&ssl, 0, sizeof(ssl_context));
-	x509_crt_init(&cacert);
-
-	entropy_init(&entropy);
-	if ((ret = ctr_drbg_init(&ctr_drbg, entropy_func, &entropy, (const unsigned char *)pers, strlen(pers))) != 0)
-	{
-		LOGWARNING("cAuthenticator: ctr_drbg_init returned %d", ret);
-
-		// Free all resources which have been initialized up to this line
-		x509_crt_free(&cacert);
-		entropy_free(&entropy);
-		return false;
-	}
 
 	/* Initialize certificates */
-	// TODO: Grab the sessionserver's root CA and any intermediates and hard-code them here, instead of test_ca_list
-	ret = x509_crt_parse(&cacert, (const unsigned char *)test_ca_list, strlen(test_ca_list));
-
-	if (ret < 0)
+	// This is the data of the root certs for Starfield Technologies, the CA that signed sessionserver.mojang.com's cert:
+	// Downloaded from http://certs.starfieldtech.com/repository/
+	static const AString StarfieldCACert(
+		// G2 cert
+		"-----BEGIN CERTIFICATE-----\n"
+		"MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx\n"
+		"EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT\n"
+		"HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs\n"
+		"ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw\n"
+		"MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6\n"
+		"b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj\n"
+		"aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp\n"
+		"Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n"
+		"ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg\n"
+		"nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1\n"
+		"HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N\n"
+		"Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN\n"
+		"dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0\n"
+		"HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO\n"
+		"BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G\n"
+		"CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU\n"
+		"sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3\n"
+		"4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg\n"
+		"8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K\n"
+		"pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1\n"
+		"mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0\n"
+		"-----END CERTIFICATE-----\n\n"
+		// Original (G1) cert:
+		"-----BEGIN CERTIFICATE-----\n"
+		"MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl\n"
+		"MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp\n"
+		"U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw\n"
+		"NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE\n"
+		"ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp\n"
+		"ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3\n"
+		"DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf\n"
+		"8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN\n"
+		"+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0\n"
+		"X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa\n"
+		"K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA\n"
+		"1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G\n"
+		"A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR\n"
+		"zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0\n"
+		"YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD\n"
+		"bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w\n"
+		"DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3\n"
+		"L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D\n"
+		"eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl\n"
+		"xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp\n"
+		"VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY\n"
+		"WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=\n"
+		"-----END CERTIFICATE-----\n"
+	);
+
+	// Connect the socket:
+	cBlockingSslClientSocket Socket;
+	Socket.SetTrustedRootCertsFromString(StarfieldCACert, m_Server);
+	if (!Socket.Connect(m_Server, 443))
 	{
-		LOGWARNING("cAuthenticator: x509_crt_parse returned -0x%x", -ret);
-
-		// Free all resources which have been initialized up to this line
-		x509_crt_free(&cacert);
-		entropy_free(&entropy);
-		return false;
-	}
-
-	/* Connect */
-	if ((ret = net_connect(&server_fd, m_Server.c_str(), 443)) != 0)
-	{
-		LOGWARNING("cAuthenticator: Can't connect to %s: %d", m_Server.c_str(), ret);
-
-		// Free all resources which have been initialized up to this line
-		x509_crt_free(&cacert);
-		entropy_free(&entropy);
+		LOGWARNING("cAuthenticator: Can't connect to %s: %s", m_Server.c_str(), Socket.GetLastErrorText().c_str());
 		return false;
 	}
 
-	/* Setup */
-	if ((ret = ssl_init(&ssl)) != 0)
-	{
-		LOGWARNING("cAuthenticator: ssl_init returned %d", ret);
-
-		// Free all resources which have been initialized up to this line
-		x509_crt_free(&cacert);
-		net_close(server_fd);
-		ssl_free(&ssl);
-		entropy_free(&entropy);
-		memset(&ssl, 0, sizeof(ssl));
-		return false;
-	}
-	ssl_set_endpoint(&ssl, SSL_IS_CLIENT);
-	ssl_set_authmode(&ssl, SSL_VERIFY_OPTIONAL);
-	ssl_set_ca_chain(&ssl, &cacert, NULL, "PolarSSL Server 1");
-	ssl_set_rng(&ssl, ctr_drbg_random, &ctr_drbg);
-	ssl_set_bio(&ssl, net_recv, &server_fd, net_send, &server_fd);
-
-	/* Handshake */
-	while ((ret = ssl_handshake(&ssl)) != 0)
-	{
-		if ((ret != POLARSSL_ERR_NET_WANT_READ) && (ret != POLARSSL_ERR_NET_WANT_WRITE))
-		{
-			LOGWARNING("cAuthenticator: ssl_handshake returned -0x%x", -ret);
-
-			// Free all resources which have been initialized up to this line
-			x509_crt_free(&cacert);
-			net_close(server_fd);
-			ssl_free(&ssl);
-			entropy_free(&entropy);
-			memset(&ssl, 0, sizeof(ssl));
-			return false;
-		}
-	}
-
-	/* Write the GET request */
+	// Create the GET request:
 	AString ActualAddress = m_Address;
 	ReplaceString(ActualAddress, "%USERNAME%", a_UserName);
 	ReplaceString(ActualAddress, "%SERVERID%", a_ServerId);
@@ -245,30 +221,23 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S
 	Request += "Connection: close\r\n";
 	Request += "\r\n";
 
-	ret = ssl_write(&ssl, (const unsigned char *)Request.c_str(), Request.size());
-	if (ret <= 0)
+	if (!Socket.Send(Request.c_str(), Request.size()))
 	{
-		LOGWARNING("cAuthenticator: ssl_write returned %d", ret);
-		
-		// Free all resources which have been initialized up to this line
-		x509_crt_free(&cacert);
-		net_close(server_fd);
-		ssl_free(&ssl);
-		entropy_free(&entropy);
-		memset(&ssl, 0, sizeof(ssl));
+		LOGWARNING("cAuthenticator: Writing SSL data failed: %s", Socket.GetLastErrorText().c_str());
 		return false;
 	}
 
-	/* Read the HTTP response */
+	// Read the HTTP response:
 	std::string Response;
 	for (;;)
 	{
-		memset(buf, 0, sizeof(buf));
-		ret = ssl_read(&ssl, buf, sizeof(buf));
+		ret = Socket.Receive(buf, sizeof(buf));
 
 		if ((ret == POLARSSL_ERR_NET_WANT_READ) || (ret == POLARSSL_ERR_NET_WANT_WRITE))
 		{
-			continue;
+			// This value should never be returned, it is handled internally by cBlockingSslClientSocket
+			LOGWARNING("cAuthenticator: SSL reading failed internally.");
+			return false;
 		}
 		if (ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY)
 		{
@@ -276,24 +245,18 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S
 		}
 		if (ret < 0)
 		{
-			LOGWARNING("cAuthenticator: ssl_read returned %d", ret);
-			break;
+			LOGWARNING("cAuthenticator: SSL reading failed: -0x%x", -ret);
+			return false;
 		}
 		if (ret == 0)
 		{
-			LOGWARNING("cAuthenticator: EOF");
 			break;
 		}
 
-		Response.append((const char *)buf, ret);
-	} 
+		Response.append((const char *)buf, (size_t)ret);
+	}
 
-	ssl_close_notify(&ssl);
-	x509_crt_free(&cacert);
-	net_close(server_fd);
-	ssl_free(&ssl);
-	entropy_free(&entropy);
-	memset(&ssl, 0, sizeof(ssl));
+	Socket.Disconnect();
 
 	// Check the HTTP status line:
 	AString prefix("HTTP/1.1 200 OK");
diff --git a/src/Protocol/Protocol132.cpp b/src/Protocol/Protocol132.cpp
index 53d8c1561..f4717f592 100644
--- a/src/Protocol/Protocol132.cpp
+++ b/src/Protocol/Protocol132.cpp
@@ -18,19 +18,7 @@
 #include "../WorldStorage/FastNBT.h"
 #include "../WorldStorage/EnchantmentSerializer.h"
 #include "../StringCompression.h"
-
-#ifdef _MSC_VER
-	#pragma warning(push)
-	#pragma warning(disable:4127)
-	#pragma warning(disable:4244)
-	#pragma warning(disable:4231)
-	#pragma warning(disable:4189)
-	#pragma warning(disable:4702)
-#endif
-
-#ifdef _MSC_VER
-	#pragma warning(pop)
-#endif
+#include "PolarSSL++/Sha1Checksum.h"
 
 
 
@@ -819,7 +807,7 @@ void cProtocol132::SendEncryptionKeyRequest(void)
 void cProtocol132::HandleEncryptionKeyResponse(const AString & a_EncKey, const AString & a_EncNonce)
 {
 	// Decrypt EncNonce using privkey
-	cRSAPrivateKey & rsaDecryptor = cRoot::Get()->GetServer()->GetPrivateKey();
+	cRsaPrivateKey & rsaDecryptor = cRoot::Get()->GetServer()->GetPrivateKey();
 
 	Int32 DecryptedNonce[MAX_ENC_LEN / sizeof(Int32)];
 	int res = rsaDecryptor.Decrypt((const Byte *)a_EncNonce.data(), a_EncNonce.size(), (Byte *)DecryptedNonce, sizeof(DecryptedNonce));
@@ -876,7 +864,7 @@ void cProtocol132::StartEncryption(const Byte * a_Key)
 	m_IsEncrypted = true;
 	
 	// Prepare the m_AuthServerID:
-	cSHA1Checksum Checksum;
+	cSha1Checksum Checksum;
 	cServer * Server = cRoot::Get()->GetServer();
 	AString ServerID = Server->GetServerID();
 	Checksum.Update((const Byte *)ServerID.c_str(), ServerID.length());
@@ -884,7 +872,7 @@ void cProtocol132::StartEncryption(const Byte * a_Key)
 	Checksum.Update((const Byte *)Server->GetPublicKeyDER().data(), Server->GetPublicKeyDER().size());
 	Byte Digest[20];
 	Checksum.Finalize(Digest);
-	cSHA1Checksum::DigestToJava(Digest, m_AuthServerID);
+	cSha1Checksum::DigestToJava(Digest, m_AuthServerID);
 }
 
 
diff --git a/src/Protocol/Protocol132.h b/src/Protocol/Protocol132.h
index b280c8a41..32bc7d581 100644
--- a/src/Protocol/Protocol132.h
+++ b/src/Protocol/Protocol132.h
@@ -24,7 +24,8 @@
 	#pragma warning(pop)
 #endif
 
-#include "../Crypto.h"
+#include "PolarSSL++/AesCfb128Decryptor.h"
+#include "PolarSSL++/AesCfb128Encryptor.h"
 
 
 
@@ -79,8 +80,8 @@ public:
 protected:
 	bool m_IsEncrypted;
 	
-	cAESCFBDecryptor m_Decryptor;
-	cAESCFBEncryptor m_Encryptor;
+	cAesCfb128Decryptor m_Decryptor;
+	cAesCfb128Encryptor m_Encryptor;
 	
 	AString m_DataToSend;
 	
diff --git a/src/Protocol/Protocol17x.cpp b/src/Protocol/Protocol17x.cpp
index a04d8ac3c..a6d566625 100644
--- a/src/Protocol/Protocol17x.cpp
+++ b/src/Protocol/Protocol17x.cpp
@@ -33,6 +33,7 @@ Implements the 1.7.x protocol classes:
 #include "../CompositeChat.h"
 #include "../Entities/ArrowEntity.h"
 #include "../Entities/FireworkEntity.h"
+#include "PolarSSL++/Sha1Checksum.h"
 
 
 
@@ -1690,7 +1691,7 @@ void cProtocol172::HandlePacketLoginEncryptionResponse(cByteBuffer & a_ByteBuffe
 	}
 
 	// Decrypt EncNonce using privkey
-	cRSAPrivateKey & rsaDecryptor = cRoot::Get()->GetServer()->GetPrivateKey();
+	cRsaPrivateKey & rsaDecryptor = cRoot::Get()->GetServer()->GetPrivateKey();
 	Int32 DecryptedNonce[MAX_ENC_LEN / sizeof(Int32)];
 	int res = rsaDecryptor.Decrypt((const Byte *)EncNonce.data(), EncNonce.size(), (Byte *)DecryptedNonce, sizeof(DecryptedNonce));
 	if (res != 4)
@@ -2293,7 +2294,7 @@ void cProtocol172::StartEncryption(const Byte * a_Key)
 	m_IsEncrypted = true;
 	
 	// Prepare the m_AuthServerID:
-	cSHA1Checksum Checksum;
+	cSha1Checksum Checksum;
 	cServer * Server = cRoot::Get()->GetServer();
 	const AString & ServerID = Server->GetServerID();
 	Checksum.Update((const Byte *)ServerID.c_str(), ServerID.length());
@@ -2301,7 +2302,7 @@ void cProtocol172::StartEncryption(const Byte * a_Key)
 	Checksum.Update((const Byte *)Server->GetPublicKeyDER().data(), Server->GetPublicKeyDER().size());
 	Byte Digest[20];
 	Checksum.Finalize(Digest);
-	cSHA1Checksum::DigestToJava(Digest, m_AuthServerID);
+	cSha1Checksum::DigestToJava(Digest, m_AuthServerID);
 }
 
 
diff --git a/src/Protocol/Protocol17x.h b/src/Protocol/Protocol17x.h
index 6a3e81eff..3f9c93357 100644
--- a/src/Protocol/Protocol17x.h
+++ b/src/Protocol/Protocol17x.h
@@ -30,7 +30,8 @@ Declares the 1.7.x protocol classes:
 	#pragma warning(pop)
 #endif
 
-#include "../Crypto.h"
+#include "PolarSSL++/AesCfb128Decryptor.h"
+#include "PolarSSL++/AesCfb128Encryptor.h"
 
 
 
@@ -236,8 +237,8 @@ protected:
 	
 	bool m_IsEncrypted;
 	
-	cAESCFBDecryptor m_Decryptor;
-	cAESCFBEncryptor m_Encryptor;
+	cAesCfb128Decryptor m_Decryptor;
+	cAesCfb128Decryptor m_Encryptor;
 
 	/** The logfile where the comm is logged, when g_ShouldLogComm is true */
 	cFile m_CommLogFile;
author	Mattes D <github@xoft.cz>	2014-04-30 17:05:13 +0200
committer	Mattes D <github@xoft.cz>	2014-04-30 17:05:13 +0200
commit	014fab58e6eafce87a092aa859c5008dbdaa5c7b (patch)
tree	ac4ea8515e0461483714e18cef7bbb961f0fbec3 /src/Protocol
parent	Delayed sending the KeepAlive packet for 3 seconds after login. (diff)
parent	Removed unneeded #includes. (diff)
download	cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.gz cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.bz2 cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.lz cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.xz cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.tar.zst cuberite-014fab58e6eafce87a092aa859c5008dbdaa5c7b.zip