PaperMC/patches/server/0278-Add-Velocity-IP-Forwarding-Support.patch
Nassim Jahnke 26734e83b0
Updated Upstream (Bukkit/CraftBukkit/Spigot) (#7454)
* Updated Upstream (Bukkit/CraftBukkit/Spigot)

Upstream has released updates that appear to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing

Bukkit Changes:
8085edde SPIGOT-6918: Add SpawnCategory API and configurations for Axolotls
04c7e13c PR-719: Add Player Profile API
71564210 SPIGOT-6910: Add BlockDamageAbortEvent

CraftBukkit Changes:
febaa1c6 SPIGOT-6918: Add SpawnCategory API and configurations for Axolotls
9dafd109 Don't send updates over large distances
bdac46b0 SPIGOT-6782: EntityPortalEvent should not destroy entity when setTo() uses same world as getFrom()
8f361ece PR-1002: Add Player Profile API
911875d4 Increase outdated build delay
e5f8a767 SPIGOT-6917: Use main scoreboard for /trigger
a672a531 Clean up callBlockDamageEvent
8e1bdeef SPIGOT-6910: Add BlockDamageAbortEvent

Spigot Changes:
6edb62f3 Rebuild patches
7fbc6a1e Rebuild patches

* Updated Upstream (CraftBukkit)

Upstream has released updates that appear to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing

CraftBukkit Changes:
de951355 SPIGOT-6927: Fix default value of spawn-limits in Worlds
2022-02-12 14:20:33 +01:00

239 lines
12 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Andrew Steinborn <git@steinborn.me>
Date: Mon, 8 Oct 2018 14:36:14 -0400
Subject: [PATCH] Add Velocity IP Forwarding Support
While Velocity supports BungeeCord-style IP forwarding, it is not secure. Users
have a lot of problems setting up firewalls or setting up plugins like IPWhitelist.
Further, the BungeeCord IP forwarding protocol still retains essentially its original
form, when there is brand new support for custom login plugin messages in 1.13.
Velocity's modern IP forwarding uses an HMAC-SHA256 code to ensure authenticity
of messages, is packed into a binary format that is smaller than BungeeCord's
forwarding, and is integrated into the Minecraft login process by using the 1.13
login plugin message packet.
diff --git a/src/main/java/com/destroystokyo/paper/PaperConfig.java b/src/main/java/com/destroystokyo/paper/PaperConfig.java
index 9aa28bb2968522ef1b9375bcc872e6d8dfb01764..edf0a82ba7e16b86100aa1920fa41508be2ab1e8 100644
--- a/src/main/java/com/destroystokyo/paper/PaperConfig.java
+++ b/src/main/java/com/destroystokyo/paper/PaperConfig.java
@@ -9,6 +9,7 @@ import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
+import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -265,7 +266,7 @@ public class PaperConfig {
}
public static boolean isProxyOnlineMode() {
- return Bukkit.getOnlineMode() || (SpigotConfig.bungee && bungeeOnlineMode);
+ return Bukkit.getOnlineMode() || (SpigotConfig.bungee && bungeeOnlineMode) || (velocitySupport && velocityOnlineMode);
}
public static int packetInSpamThreshold = 300;
@@ -348,6 +349,20 @@ public class PaperConfig {
tabSpamLimit = getInt("settings.spam-limiter.tab-spam-limit", tabSpamLimit);
}
+ public static boolean velocitySupport;
+ public static boolean velocityOnlineMode;
+ public static byte[] velocitySecretKey;
+ private static void velocitySupport() {
+ velocitySupport = getBoolean("settings.velocity-support.enabled", false);
+ velocityOnlineMode = getBoolean("settings.velocity-support.online-mode", false);
+ String secret = getString("settings.velocity-support.secret", "");
+ if (velocitySupport && secret.isEmpty()) {
+ fatal("Velocity support is enabled, but no secret key was specified. A secret key is required!");
+ } else {
+ velocitySecretKey = secret.getBytes(StandardCharsets.UTF_8);
+ }
+ }
+
public static boolean asyncChunks = false;
private static void asyncChunks() {
ConfigurationSection section;
diff --git a/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java b/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java
new file mode 100644
index 0000000000000000000000000000000000000000..41d73aa91fb401612e087aa1b7278ba61d28bf3a
--- /dev/null
+++ b/src/main/java/com/destroystokyo/paper/proxy/VelocityProxy.java
@@ -0,0 +1,66 @@
+package com.destroystokyo.paper.proxy;
+
+import com.destroystokyo.paper.PaperConfig;
+import com.google.common.net.InetAddresses;
+import com.mojang.authlib.GameProfile;
+import com.mojang.authlib.properties.Property;
+import java.net.InetAddress;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import net.minecraft.network.FriendlyByteBuf;
+import net.minecraft.resources.ResourceLocation;
+
+public class VelocityProxy {
+ private static final int SUPPORTED_FORWARDING_VERSION = 1;
+ public static final ResourceLocation PLAYER_INFO_CHANNEL = new ResourceLocation("velocity", "player_info");
+
+ public static boolean checkIntegrity(final FriendlyByteBuf buf) {
+ final byte[] signature = new byte[32];
+ buf.readBytes(signature);
+
+ final byte[] data = new byte[buf.readableBytes()];
+ buf.getBytes(buf.readerIndex(), data);
+
+ try {
+ final Mac mac = Mac.getInstance("HmacSHA256");
+ mac.init(new SecretKeySpec(PaperConfig.velocitySecretKey, "HmacSHA256"));
+ final byte[] mySignature = mac.doFinal(data);
+ if (!MessageDigest.isEqual(signature, mySignature)) {
+ return false;
+ }
+ } catch (final InvalidKeyException | NoSuchAlgorithmException e) {
+ throw new AssertionError(e);
+ }
+
+ int version = buf.readVarInt();
+ if (version != SUPPORTED_FORWARDING_VERSION) {
+ throw new IllegalStateException("Unsupported forwarding version " + version + ", wanted " + SUPPORTED_FORWARDING_VERSION);
+ }
+
+ return true;
+ }
+
+ public static InetAddress readAddress(final FriendlyByteBuf buf) {
+ return InetAddresses.forString(buf.readUtf(Short.MAX_VALUE));
+ }
+
+ public static GameProfile createProfile(final FriendlyByteBuf buf) {
+ final GameProfile profile = new GameProfile(buf.readUUID(), buf.readUtf(16));
+ readProperties(buf, profile);
+ return profile;
+ }
+
+ private static void readProperties(final FriendlyByteBuf buf, final GameProfile profile) {
+ final int properties = buf.readVarInt();
+ for (int i1 = 0; i1 < properties; i1++) {
+ final String name = buf.readUtf(Short.MAX_VALUE);
+ final String value = buf.readUtf(Short.MAX_VALUE);
+ final String signature = buf.readBoolean() ? buf.readUtf(Short.MAX_VALUE) : null;
+ profile.getProperties().put(name, new Property(name, value, signature));
+ }
+ }
+}
diff --git a/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java b/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java
index 67b300574655854249c1f7440f56a6e8f0fad351..bb767f5b626225e70a8af273384bb74dbd21430d 100644
--- a/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java
+++ b/src/main/java/net/minecraft/server/network/ServerLoginPacketListenerImpl.java
@@ -18,6 +18,7 @@ import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import net.minecraft.DefaultUncaughtExceptionHandler;
import net.minecraft.network.Connection;
+import net.minecraft.network.FriendlyByteBuf;
import net.minecraft.network.chat.Component;
import net.minecraft.network.chat.TextComponent;
import net.minecraft.network.chat.TranslatableComponent;
@@ -44,6 +45,7 @@ import org.bukkit.craftbukkit.util.Waitable;
import org.bukkit.event.player.AsyncPlayerPreLoginEvent;
import org.bukkit.event.player.PlayerPreLoginEvent;
// CraftBukkit end
+import io.netty.buffer.Unpooled; // Paper
public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener {
@@ -62,6 +64,7 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
@Nullable
private ServerPlayer delayedAcceptPlayer;
public String hostname = ""; // CraftBukkit - add field
+ private int velocityLoginMessageId = -1; // Paper - Velocity support
public ServerLoginPacketListenerImpl(MinecraftServer server, Connection connection) {
this.state = ServerLoginPacketListenerImpl.State.HELLO;
@@ -234,6 +237,14 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
this.state = ServerLoginPacketListenerImpl.State.KEY;
this.connection.send(new ClientboundHelloPacket("", this.server.getKeyPair().getPublic().getEncoded(), this.nonce));
} else {
+ // Paper start - Velocity support
+ if (com.destroystokyo.paper.PaperConfig.velocitySupport) {
+ this.velocityLoginMessageId = java.util.concurrent.ThreadLocalRandom.current().nextInt();
+ net.minecraft.network.protocol.login.ClientboundCustomQueryPacket packet1 = new net.minecraft.network.protocol.login.ClientboundCustomQueryPacket(this.velocityLoginMessageId, com.destroystokyo.paper.proxy.VelocityProxy.PLAYER_INFO_CHANNEL, new FriendlyByteBuf(Unpooled.EMPTY_BUFFER));
+ this.connection.send(packet1);
+ return;
+ }
+ // Paper end
// Spigot start
// Paper start - Cache authenticator threads
authenticatorPool.execute(new Runnable() {
@@ -335,6 +346,12 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
public class LoginHandler {
public void fireEvents() throws Exception {
+ // Paper start - Velocity support
+ if (ServerLoginPacketListenerImpl.this.velocityLoginMessageId == -1 && com.destroystokyo.paper.PaperConfig.velocitySupport) {
+ disconnect("This server requires you to connect with Velocity.");
+ return;
+ }
+ // Paper end
String playerName = ServerLoginPacketListenerImpl.this.gameProfile.getName();
java.net.InetAddress address = ((java.net.InetSocketAddress) ServerLoginPacketListenerImpl.this.connection.getRemoteAddress()).getAddress();
java.util.UUID uniqueId = ServerLoginPacketListenerImpl.this.gameProfile.getId();
@@ -382,6 +399,40 @@ public class ServerLoginPacketListenerImpl implements ServerLoginPacketListener
// Spigot end
public void handleCustomQueryPacket(ServerboundCustomQueryPacket packet) {
+ // Paper start - Velocity support
+ if (com.destroystokyo.paper.PaperConfig.velocitySupport && packet.getTransactionId() == this.velocityLoginMessageId) {
+ FriendlyByteBuf buf = packet.getData();
+ if (buf == null) {
+ this.disconnect("This server requires you to connect with Velocity.");
+ return;
+ }
+
+ if (!com.destroystokyo.paper.proxy.VelocityProxy.checkIntegrity(buf)) {
+ this.disconnect("Unable to verify player details");
+ return;
+ }
+
+ java.net.SocketAddress listening = this.connection.getRemoteAddress();
+ int port = 0;
+ if (listening instanceof java.net.InetSocketAddress) {
+ port = ((java.net.InetSocketAddress) listening).getPort();
+ }
+ this.connection.address = new java.net.InetSocketAddress(com.destroystokyo.paper.proxy.VelocityProxy.readAddress(buf), port);
+
+ this.gameProfile = com.destroystokyo.paper.proxy.VelocityProxy.createProfile(buf);
+
+ // Proceed with login
+ authenticatorPool.execute(() -> {
+ try {
+ new LoginHandler().fireEvents();
+ } catch (Exception ex) {
+ disconnect("Failed to verify username!");
+ server.server.getLogger().log(java.util.logging.Level.WARNING, "Exception verifying " + gameProfile.getName(), ex);
+ }
+ });
+ return;
+ }
+ // Paper end
this.disconnect(new TranslatableComponent("multiplayer.disconnect.unexpected_query_response"));
}
diff --git a/src/main/java/org/bukkit/craftbukkit/CraftServer.java b/src/main/java/org/bukkit/craftbukkit/CraftServer.java
index 17ec1302e06792835f57d97b7d406065522cba54..092f6e2a76d8252de0a40425e271abd11763ee62 100644
--- a/src/main/java/org/bukkit/craftbukkit/CraftServer.java
+++ b/src/main/java/org/bukkit/craftbukkit/CraftServer.java
@@ -762,7 +762,7 @@ public final class CraftServer implements Server {
@Override
public long getConnectionThrottle() {
// Spigot Start - Automatically set connection throttle for bungee configurations
- if (org.spigotmc.SpigotConfig.bungee) {
+ if (org.spigotmc.SpigotConfig.bungee || com.destroystokyo.paper.PaperConfig.velocitySupport) { // Paper - Velocity support
return -1;
} else {
return this.configuration.getInt("settings.connection-throttle");