[FEATURE] Защита от взлома лаунчера в LauncherRequest

2024-12-22 16:41:46 +03:00 · 2019-09-29 15:40:26 +07:00 · 2019-09-29 15:40:26 +07:00 · efd58d66c7
commit efd58d66c7
parent a38853180b
9 changed files with 56 additions and 11 deletions
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/auth/protect/StdProtectHandler.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/auth/protect/StdProtectHandler.java
@ -4,6 +4,7 @@
 import pro.gravit.utils.helper.SecurityHelper;

 public class StdProtectHandler extends ProtectHandler {
+    public boolean checkSecure = true;
    @Override
    public String generateSecureToken(AuthResponse.AuthContext context) {
        return SecurityHelper.randomStringToken();
@ -21,7 +22,7 @@ public boolean verifyClientSecureToken(String token, String secureKey) {

    @Override
    public boolean allowGetAccessToken(AuthResponse.AuthContext context) {
-        return (context.authType == AuthResponse.ConnectTypes.CLIENT);
+        return (context.authType == AuthResponse.ConnectTypes.CLIENT) && (!checkSecure || context.client.isSecure);
    }

    @Override
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/binary/LauncherConfigurator.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/binary/LauncherConfigurator.java
@ -87,6 +87,10 @@ private void setStringField(String name, String value)
    public void setGuardType(String key) {
        setStringField("guardType", key);
    }
+    public void setSecureCheck(String hash, String salt) {
+        setStringField("secureCheckHash", hash);
+        setStringField("secureCheckSalt", salt);
+    }

    private void push(final int value) {
        if (value >= -1 && value <= 5)
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/MainBuildTask.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/MainBuildTask.java
@ -8,6 +8,8 @@
 import java.nio.file.Path;
 import java.nio.file.SimpleFileVisitor;
 import java.nio.file.attribute.BasicFileAttributes;
+import java.util.Arrays;
+import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.jar.JarFile;
@ -133,6 +135,11 @@ public Path process(Path inputJar) throws IOException {
            launcherConfigurator.setGuardType(server.config.launcher.guardType);
            launcherConfigurator.setWarningMissArchJava(server.config.launcher.warningMissArchJava);
            launcherConfigurator.setEnv(server.config.env);
+            String launcherSalt = SecurityHelper.randomStringToken();
+            byte[] launcherSecureHash = SecurityHelper.digest(SecurityHelper.DigestAlgorithm.SHA256,
+                    server.runtime.clientCheckSecret.concat(".").concat(launcherSalt));
+            launcherConfigurator.setSecureCheck(Base64.getEncoder().encodeToString(launcherSecureHash), launcherSalt);
+            //LogHelper.debug("[checkSecure] %s: %s", launcherSalt, Arrays.toString(launcherSecureHash));
            if (server.runtime.oemUnlockKey == null) server.runtime.oemUnlockKey = SecurityHelper.randomStringToken();
            launcherConfigurator.setOemUnlockKey(server.runtime.oemUnlockKey);
            server.buildHookManager.registerAllClientModuleClass(launcherConfigurator);
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/config/LaunchServerRuntimeConfig.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/config/LaunchServerRuntimeConfig.java
@ -7,13 +7,16 @@ public class LaunchServerRuntimeConfig {
    public String clientToken;
    public String oemUnlockKey;
    public String registerApiKey;
+    public String clientCheckSecret;

    public void verify() {
        if (clientToken == null) LogHelper.error("[RuntimeConfig] clientToken must not be null");
+        if (clientCheckSecret == null) { LogHelper.warning("[RuntimeConfig] clientCheckSecret must not be null"); clientCheckSecret = SecurityHelper.randomStringToken(); }
    }

    public void reset() {
        clientToken = SecurityHelper.randomStringToken();
        registerApiKey = SecurityHelper.randomStringToken();
+        clientCheckSecret = SecurityHelper.randomStringToken();
    }
 }
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/socket/response/auth/AuthResponse.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/socket/response/auth/AuthResponse.java
@ -11,7 +11,6 @@
 import io.netty.channel.ChannelHandlerContext;
 import pro.gravit.launcher.events.request.AuthRequestEvent;
 import pro.gravit.launcher.hwid.HWID;
-import pro.gravit.launcher.hwid.OshiHWID;
 import pro.gravit.launcher.profiles.ClientProfile;
 import pro.gravit.launcher.request.auth.AuthRequest;
 import pro.gravit.launcher.request.auth.password.AuthPlainPassword;
@ -72,7 +71,7 @@ public void execute(ChannelHandlerContext ctx, Client clientData) throws Excepti
            AuthProviderPair pair;
            if (auth_id.isEmpty()) pair = server.config.getAuthProviderPair();
            else pair = server.config.getAuthProviderPair(auth_id);
-            AuthContext context = new AuthContext(0, login, customText, client, null, ip, authType);
+            AuthContext context = new AuthContext(clientData, login, customText, client, hwid, ip, authType);
            AuthProvider provider = pair.provider;
            server.authHookManager.preHook.hook(context, clientData);
            provider.preAuth(login, password, customText, ip);
@ -131,24 +130,23 @@ public void execute(ChannelHandlerContext ctx, Client clientData) throws Excepti
    }

    public static class AuthContext {
-        public AuthContext(long session, String login, String customText, String client, String hwid, String ip, ConnectTypes authType) {
-            this.session = session;
+        public AuthContext(Client client, String login, String customText, String profileName, HWID hwid, String ip, ConnectTypes authType) {
+            this.client = client;
            this.login = login;
            this.customText = customText;
-            this.client = client;
+            this.profileName = profileName;
            this.hwid = hwid;
            this.ip = ip;
            this.authType = authType;
        }
-
-        public long session;
        public String login;
        @Deprecated
        public int password_length; //Use AuthProvider for get password
-        public String client;
-        public String hwid;
+        public String profileName;
+        public HWID hwid;
        public String customText;
        public String ip;
        public ConnectTypes authType;
+        public Client client;
    }
 }
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/socket/response/update/LauncherResponse.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/socket/response/update/LauncherResponse.java
@ -8,6 +8,8 @@
 import pro.gravit.launchserver.socket.Client;
 import pro.gravit.launchserver.socket.response.SimpleResponse;
 import pro.gravit.utils.Version;
+import pro.gravit.utils.helper.LogHelper;
+import pro.gravit.utils.helper.SecurityHelper;

 public class LauncherResponse extends SimpleResponse {
    public Version version;
@ -15,6 +17,9 @@ public class LauncherResponse extends SimpleResponse {
    public byte[] digest;
    public int launcher_type;

+    public String secureHash;
+    public String secureSalt;
+
    @Override
    public String getType() {
        return "launcher";
@ -33,6 +38,7 @@ public void execute(ChannelHandlerContext ctx, Client client) {
            if (hash == null) service.sendObjectAndClose(ctx, new LauncherRequestEvent(true, server.config.netty.launcherURL));
            if (Arrays.equals(bytes, hash)) {
                client.checkSign = true;
+                client.isSecure = checkSecure(secureHash, secureSalt);
                sendResult(new LauncherRequestEvent(false, server.config.netty.launcherURL));
            } else {
                sendResultAndClose(new LauncherRequestEvent(true, server.config.netty.launcherURL));
@ -43,12 +49,21 @@ public void execute(ChannelHandlerContext ctx, Client client) {
            if (hash == null) sendResultAndClose(new LauncherRequestEvent(true, server.config.netty.launcherEXEURL));
            if (Arrays.equals(bytes, hash)) {
                client.checkSign = true;
+                client.isSecure = checkSecure(secureHash, secureSalt);
                sendResult(new LauncherRequestEvent(false, server.config.netty.launcherEXEURL));
            } else {
                sendResultAndClose(new LauncherRequestEvent(true, server.config.netty.launcherEXEURL));
            }
        } else sendError("Request launcher type error");
-
+    }
+    private boolean checkSecure(String hash, String salt)
+    {
+        if(hash == null || salt == null) return false;
+        byte[] normal_hash = SecurityHelper.digest(SecurityHelper.DigestAlgorithm.SHA256,
+                server.runtime.clientCheckSecret.concat(".").concat(salt));
+        byte[] launcher_hash = Base64.getDecoder().decode(hash);
+        //LogHelper.debug("[checkSecure] %s vs %s", Arrays.toString(normal_hash), Arrays.toString(launcher_hash));
+        return Arrays.equals(normal_hash, launcher_hash);
    }

 }
--- a/LauncherAPI/src/main/java/pro/gravit/launcher/AutogenConfig.java
+++ b/LauncherAPI/src/main/java/pro/gravit/launcher/AutogenConfig.java
@ -10,6 +10,8 @@ public class AutogenConfig {
    public String guardLicenseName;
    public String guardLicenseKey;
    public String guardLicenseEncryptKey;
+    public String secureCheckHash;
+    public String secureCheckSalt;
    public int env;
    public boolean isWarningMissArchJava;
    // 0 - Dev (дебаг включен по умолчанию, все сообщения)
--- a/LauncherAPI/src/main/java/pro/gravit/launcher/LauncherConfig.java
+++ b/LauncherAPI/src/main/java/pro/gravit/launcher/LauncherConfig.java
@ -43,10 +43,15 @@ public static AutogenConfig getAutogenConfig() {
    public final String guardLicenseKey;
    public final String guardLicenseEncryptKey;
    public final String guardType;
+    
+    public final String secureCheckHash;
+    public final String secureCheckSalt;

    @LauncherAPI
    public LauncherConfig(HInput input) throws IOException, InvalidKeySpecException {
        publicKey = SecurityHelper.toPublicRSAKey(input.readByteArray(SecurityHelper.CRYPTO_MAX_LENGTH));
+        secureCheckHash = config.secureCheckHash;
+        secureCheckSalt = config.secureCheckSalt;
        projectname = config.projectname;
        clientPort = config.clientPort;
        secretKeyClient = config.secretKeyClient;
@ -92,6 +97,8 @@ public LauncherConfig(String address, RSAPublicKey publicKey, Map<String, byte[]
        isWarningMissArchJava = true;
        isNettyEnabled = false;
        environment = LauncherEnvironment.STD;
+        secureCheckSalt = null;
+        secureCheckHash = null;
    }

    @LauncherAPI
@ -108,6 +115,8 @@ public LauncherConfig(String address, RSAPublicKey publicKey, Map<String, byte[]
        isWarningMissArchJava = true;
        isNettyEnabled = false;
        environment = LauncherEnvironment.STD;
+        secureCheckSalt = null;
+        secureCheckHash = null;
    }

    @Override
--- a/LauncherAPI/src/main/java/pro/gravit/launcher/request/update/LauncherRequest.java
+++ b/LauncherAPI/src/main/java/pro/gravit/launcher/request/update/LauncherRequest.java
@ -24,6 +24,10 @@ public final class LauncherRequest extends Request<LauncherRequestEvent> impleme
    @LauncherNetworkAPI
    public byte[] digest;
    @LauncherNetworkAPI
+    public String secureHash;
+    @LauncherNetworkAPI
+    public String secureSalt;
+    @LauncherNetworkAPI
    public int launcher_type = EXE_BINARY ? 2 : 1;
    @LauncherAPI
    public static final Path BINARY_PATH = IOHelper.getCodeSource(Launcher.class);
@ -89,6 +93,8 @@ public LauncherRequest() {
        } catch (IOException e) {
            LogHelper.error(e);
        }
+        secureHash = Launcher.getConfig().secureCheckHash;
+        secureSalt = Launcher.getConfig().secureCheckSalt;
    }

    @Override