Rewrite DigestMiddleware to use an opt-in instead of opt-out for endpoints

This commit is contained in:
Slendy 2024-02-29 15:27:37 -06:00
commit fd210b3125
No known key found for this signature in database
GPG key ID: 7288D68361B91428
3 changed files with 159 additions and 172 deletions


@ -2,6 +2,7 @@ using LBPUnion.ProjectLighthouse.Configuration;
using LBPUnion.ProjectLighthouse.Extensions;
using LBPUnion.ProjectLighthouse.Helpers;
using LBPUnion.ProjectLighthouse.Middlewares;
using LBPUnion.ProjectLighthouse.Servers.GameServer.Types;
using Microsoft.Extensions.Primitives;
using Org.BouncyCastle.Utilities.Zlib;
@ -16,101 +17,17 @@ public class DigestMiddleware : Middleware
this.computeDigests = computeDigests;
}
#if !DEBUG
private static readonly HashSet<string> exemptPathList = new()
private readonly List<string> digestKeys;
public DigestMiddleware(RequestDelegate next, List<string> digestKeys) : base(next)
{
"/login",
"/eula",
"/announce",
"/status",
"/farc_hashes",
"/t_conf",
"/network_settings.nws",
"/ChallengeConfig.xml",
};
#endif
this.digestKeys = digestKeys;
}
public override async Task InvokeAsync(HttpContext context)
private static async Task HandleResponseCompression(HttpContext context, MemoryStream responseBuffer)
{
// Client digest check.
if (!context.Request.Cookies.TryGetValue("MM_AUTH", out string? authCookie)) authCookie = string.Empty;
string digestPath = context.Request.Path;
#if !DEBUG
const string url = "/LITTLEBIGPLANETPS3_XML";
string strippedPath = digestPath.Contains(url) ? digestPath[url.Length..] : "";
#endif
byte[] bodyBytes = await context.Request.BodyReader.ReadAllAsync();
bool usedAlternateDigestKey = false;
if (this.computeDigests && digestPath.StartsWith("/LITTLEBIGPLANETPS3_XML"))
{
// The game sets X-Digest-B on a resource upload instead of X-Digest-A
string digestHeaderKey = "X-Digest-A";
bool excludeBodyFromDigest = false;
if (digestPath.Contains("/upload/"))
{
digestHeaderKey = "X-Digest-B";
excludeBodyFromDigest = true;
}
string clientRequestDigest = CryptoHelper.ComputeDigest(digestPath,
authCookie,
bodyBytes,
ServerConfiguration.Instance.DigestKey.PrimaryDigestKey,
excludeBodyFromDigest);
// Check the digest we've just calculated against the digest header if the game set the header. They should match.
if (context.Request.Headers.TryGetValue(digestHeaderKey, out StringValues sentDigest))
{
if (clientRequestDigest != sentDigest)
{
// If we got here, the normal ServerDigestKey failed to validate. Lets try again with the alternate digest key.
usedAlternateDigestKey = true;
clientRequestDigest = CryptoHelper.ComputeDigest(digestPath,
authCookie,
bodyBytes,
ServerConfiguration.Instance.DigestKey.AlternateDigestKey,
excludeBodyFromDigest);
if (clientRequestDigest != sentDigest)
{
#if DEBUG
Console.WriteLine("Digest failed");
Console.WriteLine("digestKey: " + ServerConfiguration.Instance.DigestKey.PrimaryDigestKey);
Console.WriteLine("altDigestKey: " + ServerConfiguration.Instance.DigestKey.AlternateDigestKey);
Console.WriteLine("computed digest: " + clientRequestDigest);
#endif
// We still failed to validate. Abort the request.
context.Response.StatusCode = 403;
return;
}
}
}
#if !DEBUG
// The game doesn't start sending digests until after the announcement so if it's not one of those requests
// and it doesn't include a digest we need to reject the request
else if (!exemptPathList.Contains(strippedPath))
{
context.Response.StatusCode = 403;
return;
}
#endif
context.Response.Headers.Append("X-Digest-B", clientRequestDigest);
context.Request.Body.Position = 0;
}
// This does the same as above, but for the response stream.
await using MemoryStream responseBuffer = new();
Stream oldResponseStream = context.Response.Body;
context.Response.Body = responseBuffer;
await this.next(context); // Handle the request so we can get the server digest hash
responseBuffer.Position = 0;
if (responseBuffer.Length > 1000 &&
const int minCompressionLen = 1000;
if (responseBuffer.Length > minCompressionLen &&
context.Request.Headers.AcceptEncoding.Contains("deflate") &&
(context.Response.ContentType ?? string.Empty).Contains("text/xml"))
{
@ -130,30 +47,94 @@ public class DigestMiddleware : Middleware
}
else
{
string headerName = !context.Response.Headers.ContentLength.HasValue
? "Content-Length"
: "X-Original-Content-Length";
string headerName = !context.Response.Headers.ContentLength.HasValue ? "Content-Length" : "X-Original-Content-Length";
context.Response.Headers.Append(headerName, responseBuffer.Length.ToString());
}
}
// Compute the server digest hash.
if (this.computeDigests)
public override async Task InvokeAsync(HttpContext context)
{
UseDigestAttribute? digestAttribute = context.GetEndpoint()?.Metadata.OfType<UseDigestAttribute>().FirstOrDefault();
if (digestAttribute == null)
{
responseBuffer.Position = 0;
string digestKey = usedAlternateDigestKey
? ServerConfiguration.Instance.DigestKey.AlternateDigestKey
: ServerConfiguration.Instance.DigestKey.PrimaryDigestKey;
// Compute the digest for the response.
string serverDigest =
CryptoHelper.ComputeDigest(context.Request.Path, authCookie, responseBuffer.ToArray(), digestKey);
context.Response.Headers.Append("X-Digest-A", serverDigest);
await this.next(context);
return;
}
// Copy the buffered response to the actual response stream.
if (!context.Request.Cookies.TryGetValue("MM_AUTH", out string? authCookie))
{
context.Response.StatusCode = 403;
return;
}
string digestPath = context.Request.Path;
byte[] bodyBytes = await context.Request.BodyReader.ReadAllAsync();
if (!context.Request.Headers.TryGetValue(digestAttribute.DigestHeaderName, out StringValues digestHeaders) ||
digestHeaders.Count != 1 && digestAttribute.EnforceDigest)
{
context.Response.StatusCode = 403;
return;
}
string? clientDigest = digestHeaders[0];
string? matchingDigestKey = null;
string? calculatedRequestDigest = null;
foreach (string digestKey in this.digestKeys)
{
string calculatedDigest = CryptoHelper.ComputeDigest(digestPath,
authCookie,
bodyBytes,
digestKey,
digestAttribute.ExcludeBodyFromDigest);
if (calculatedDigest != clientDigest) continue;
matchingDigestKey = digestKey;
calculatedRequestDigest = calculatedDigest;
}
matchingDigestKey ??= this.digestKeys.First();
switch (matchingDigestKey)
{
case null when digestAttribute.EnforceDigest:
context.Response.StatusCode = 403;
return;
case null:
calculatedRequestDigest = CryptoHelper.ComputeDigest(digestPath,
authCookie,
bodyBytes,
matchingDigestKey,
digestAttribute.ExcludeBodyFromDigest);
break;
}
context.Response.Headers.Append("X-Digest-B", calculatedRequestDigest);
// context.Request.Body.Position = 0;
// Let endpoint generate response so we can calculate the digest for it
Stream originalBody = context.Response.Body;
await using MemoryStream responseBuffer = new();
context.Response.Body = responseBuffer;
await this.next(context);
await HandleResponseCompression(context, responseBuffer);
string responseDigest = CryptoHelper.ComputeDigest(digestPath,
authCookie,
responseBuffer.ToArray(),
matchingDigestKey,
digestAttribute.ExcludeBodyFromDigest);
context.Response.Headers.Append("X-Digest-A", responseDigest);
responseBuffer.Position = 0;
await responseBuffer.CopyToAsync(oldResponseStream);
context.Response.Body = oldResponseStream;
await responseBuffer.CopyToAsync(originalBody);
context.Response.Body = originalBody;
}
}
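Review bot: In the new InvokeAsync body the request-digest check can never reject a mismatched digest, because `matchingDigestKey ??= this.digestKeys.First();` immediately before the `switch` turns the no-match case into a non-null key, so both `case null when digestAttribute.EnforceDigest` and `case null` are unreachable and a request whose digest matches none of the keys falls through to the endpoint with `calculatedRequestDigest` still null (the removed code returned 403 here). Drop that `??=` line and make the fallback the first statement of the optional arm, `case null: matchingDigestKey = this.digestKeys.First();` before the `ComputeDigest` call, which also stops that call receiving a null key. Separately, `!TryGetValue(...) || digestHeaders.Count != 1 && digestAttribute.EnforceDigest` binds as `!TryGetValue || (Count != 1 && Enforce)`, so a missing header is a 403 even when EnforceDigest is false; if that is intended the EnforceDigest switch arm is dead, otherwise parenthesise the first two terms. The `context.Request.Body.Position = 0;` rewind is now commented out, so unless `ReadAllAsync` leaves the request stream readable, endpoints behind the attribute will see an empty body — worth confirming. This is read from a rendered page with the +/- markers lost, and the class spans all three hunks.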