Cookie data

src/protocol/OpenConnectionReply1.php

@@ -16,17 +16,21 @@
 
 namespace raklib\protocol;
 
+use function is_int;
+
 class OpenConnectionReply1 extends OfflineMessage{
 	public static $ID = MessageIdentifiers::ID_OPEN_CONNECTION_REPLY_1;
 
 	public int $serverID;
-	public bool $serverSecurity = false;
+	public bool $serverSecurity;
+	public ?int $cookie;
 	public int $mtuSize;
 
-	public static function create(int $serverId, bool $serverSecurity, int $mtuSize) : self{
+	public static function create(int $serverId, bool $serverSecurity, ?int $cookie = null, int $mtuSize) : self{
 		$result = new self;
 		$result->serverID = $serverId;
 		$result->serverSecurity = $serverSecurity;
+		$result->cookie = $cookie;
 		$result->mtuSize = $mtuSize;
 		return $result;
 	}
@@ -35,13 +39,19 @@ protected function encodePayload(PacketSerializer $out) : void{
 		$this->writeMagic($out);
 		$out->putLong($this->serverID);
 		$out->putByte($this->serverSecurity ? 1 : 0);
+		if ($this->serverSecurity && is_int($this->cookie)) {
+			$out->putInt($this->cookie);
+		}
 		$out->putShort($this->mtuSize);
 	}
 
 	protected function decodePayload(PacketSerializer $in) : void{
 		$this->readMagic($in);
 		$this->serverID = $in->getLong();
 		$this->serverSecurity = $in->getByte() !== 0;
+		if ($this->serverSecurity) {
+			$this->cookie = $in->getInt();
+		}
 		$this->mtuSize = $in->getShort();
 	}
 }

src/protocol/OpenConnectionRequest2.php

@@ -17,23 +17,34 @@
 namespace raklib\protocol;
 
 use raklib\utils\InternetAddress;
+use raklib\utils\Cookie;
 
 class OpenConnectionRequest2 extends OfflineMessage{
 	public static $ID = MessageIdentifiers::ID_OPEN_CONNECTION_REQUEST_2;
 
+	public int $cookie = 0;
 	public int $clientID;
+	public bool $clientSupportsSecurity = false; // Always false for the vanilla client.
 	public InternetAddress $serverAddress;
 	public int $mtuSize;
 
 	protected function encodePayload(PacketSerializer $out) : void{
 		$this->writeMagic($out);
+		if (Cookie::hasServerSecurity()) {
+			$out->putInt($this->cookie);
+			$out->putBool($this->clientSupportsSecurity);
+		}
 		$out->putAddress($this->serverAddress);
 		$out->putShort($this->mtuSize);
 		$out->putLong($this->clientID);
 	}
 
 	protected function decodePayload(PacketSerializer $in) : void{
 		$this->readMagic($in);
+		if (Cookie::hasServerSecurity()) {
+			$this->cookie = $in->getInt();
+			$this->clientSupportsSecurity = $in->getBool();
+		}
 		$this->serverAddress = $in->getAddress();
 		$this->mtuSize = $in->getShort();
 		$this->clientID = $in->getLong();

src/server/UnconnectedMessageHandler.php

@@ -30,6 +30,7 @@
 use raklib\protocol\UnconnectedPingOpenConnections;
 use raklib\protocol\UnconnectedPong;
 use raklib\utils\InternetAddress;
+use raklib\utils\Cookie;
 use function get_class;
 use function min;
 use function ord;
@@ -81,10 +82,16 @@ private function handle(OfflineMessage $packet, InternetAddress $address) : bool
 				$this->server->sendPacket(IncompatibleProtocolVersion::create($this->protocolAcceptor->getPrimaryVersion(), $this->server->getID()), $address);
 				$this->server->getLogger()->notice("Refused connection from $address due to incompatible RakNet protocol version (version $packet->protocol)");
 			}else{
+				$cookie = null;
+				if (Cookie::hasServerSecurity()) {
+					Cookie::add($address);
+					$cookie = Cookie::get($address);
+				}
 				//IP header size (20 bytes) + UDP header size (8 bytes)
-				$this->server->sendPacket(OpenConnectionReply1::create($this->server->getID(), false, $packet->mtuSize + 28), $address);
+				$this->server->sendPacket(OpenConnectionReply1::create($this->server->getID(), Cookie::hasServerSecurity(), $cookie, $packet->mtuSize + 28), $address);
 			}
 		}elseif($packet instanceof OpenConnectionRequest2){
+			// The client may not send such data even though serverSecurity is enabled, and if we try to decode this, we may encounter an error
 			if($packet->serverAddress->getPort() === $this->server->getPort() or !$this->server->portChecking){
 				if($packet->mtuSize < Session::MIN_MTU_SIZE){
 					$this->server->getLogger()->debug("Not creating session for $address due to bad MTU size $packet->mtuSize");
@@ -97,6 +104,13 @@ private function handle(OfflineMessage $packet, InternetAddress $address) : bool
 					$this->server->getLogger()->debug("Not creating session for $address due to session already opened");
 					return true;
 				}
+				if (Cookie::hasServerSecurity()) {
+					if (!Cookie::check($address, $packet->cookie)) {
+						// Disconnect if OpenConnectionReply1 and the cookie in the OpenCnnectionRequest2 packet do not match
+						$this->server->getLogger()->debug("Not creating session for $address due to session mismatched cookies");
+						return true;
+					}
+				}
 				$mtuSize = min($packet->mtuSize, $this->server->getMaxMtuSize()); //Max size, do not allow creating large buffers to fill server memory
 				$this->server->sendPacket(OpenConnectionReply2::create($this->server->getID(), $address, $mtuSize, false), $address);
 				$this->server->createSession($address, $packet->clientID, $mtuSize);

src/utils/Cookie.php

@@ -0,0 +1,66 @@
+<?php
+
+/*
+ * This file is part of RakLib.
+ * Copyright (C) 2014-2022 PocketMine Team <https://github.com/pmmp/RakLib>
+ *
+ * RakLib is not affiliated with Jenkins Software LLC nor RakNet.
+ *
+ * RakLib is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ */
+
+ declare(strict_types=1);
+
+ namespace raklib\utils;
+
+ use raklib\utils\InternetAddress;
+ use pocketmine\utils\Binary;
+ use function mt_rand;
+ use function crc32;
+
+ final class Cookie{
+
+    public static bool $serverHasSecurity = false;
+
+	 /**
+     * @var array<string, int> $cookies
+     */
+	private static array $cookies = [];
+
+    public static function get(InternetAddress $address) : int{
+        if (isset(self::$cookies[$address->toString()])) {
+            return self::$cookies[$address->toString()];
+        }
+        return 0;
+    }
+
+    public static function hasServerSecurity () : bool {
+        return self::$serverHasSecurity;
+    }
+
+    public static function check(InternetAddress $address, int $cookie) : bool{
+        $addressStr = $address->toString();
+
+        if (isset(self::$cookies[$addressStr])) {
+            // If it checks the Cookie, it means that it is in the OpenConnectionRequest2 phase and we can delete it from memory
+            unset(self::$cookies[$addressStr]);
+            if (self::$cookies[$addressStr] == $cookie) {
+                return true;
+            }
+        } // Is there any chance that this is something else?
+        return false;
+    }
+
+    public static function add(InternetAddress $address) : void{
+        if (!isset(self::$cookies[$address->toString()])) {
+            self::$cookies[$address->toString()] = self::generate($address);
+        }
+    }
+
+    private static function generate(InternetAddress $address) : int{
+        return crc32(Binary::writeLInt(mt_rand(0, 0xFFFFFFFF)) . Binary::writeLShort($address->getPort()) . $address->getIp());
+    }
+}