mirror of
https://github.com/exogen/t2-mapper.git
synced 2026-02-18 06:03:50 +00:00
194 lines
7 KiB
C#
194 lines
7 KiB
C#
// Tribes 2 Unofficial Authentication System
|
|
// http://www.tribesnext.com/
|
|
// Written by Electricutioner/Thyth
|
|
// Copyright 2008 by Electricutioner/Thyth and the Tribes 2 Community System Reengineering Intitiative
|
|
|
|
// Version 1.1: 03/14/2009
|
|
|
|
// load the clan support functions
|
|
exec("t2csri/clientSideClans.cs");
|
|
|
|
// prevents a warning generated when leaving a server, and allows the yellow
|
|
// highlight selection on the warrior screen that indicates the active account
|
|
function WONGetAuthInfo()
|
|
{
|
|
$LoginCertificate = t2csri_getAccountCertificate();
|
|
return getField($LoginCertificate, 0) @ "\t\t0\t" @ getField($LoginCertificate, 1) @ "\n";
|
|
}
|
|
|
|
// this sends a request to the authentication server to retrieve an account that is
|
|
// not locally stored on the client machine. It does some fancy mangling on the
|
|
// password to prevent the authentication server from decrypting the password
|
|
function t2csri_downloadAccount(%username, %password)
|
|
{
|
|
// clear out any previously downloaded account
|
|
$Authentication::Status::LastCert = "";
|
|
$Authentication::Status::LastExp = "";
|
|
|
|
// bring up a UI to indicate account download is in progress
|
|
LoginMessagePopup("DOWNLOADING", "Downloading account credentials...");
|
|
|
|
// this hash is what the auth server stores -- it does not store the password
|
|
// in a recoverable manner
|
|
%authStored = sha1sum("3.14159265" @ strlwr(%username) @ %password);
|
|
//echo(%authStored);
|
|
|
|
// get time in UTC, use it as a nonce to prevent replay attacks
|
|
%utc = time();
|
|
|
|
// time/username nonce
|
|
%timeNonce = sha1sum(%utc @ strlwr(%username));
|
|
//echo(%timeNonce);
|
|
|
|
// combined hash
|
|
%requestHash = sha1sum(%authStored @ %timeNonce);
|
|
//echo(%requestHash);
|
|
|
|
// sent to server: username utc requesthash
|
|
// server sends back: certificate and encrypted private exponent
|
|
Authentication_recoverAccount(%username @ "\t" @ %utc @ "\t" @ %requestHash);
|
|
t2csri_processDownloadCompletion();
|
|
}
|
|
|
|
function t2csri_processDownloadCompletion()
|
|
{
|
|
if ($Authentication::Status::ActiveMode != 0)
|
|
{
|
|
schedule(128, 0, t2csri_processDownloadCompletion);
|
|
return;
|
|
}
|
|
else
|
|
{
|
|
if (strlen($Authentication::Status::LastCert) > 0)
|
|
{
|
|
popLoginMessage();
|
|
LoginMessagePopup("SUCCESS", "Account credentials downloaded successfully.");
|
|
schedule(3000, 0, popLoginMessage);
|
|
|
|
%cert = strreplace($Authentication::Status::LastCert, "'", "\\'");
|
|
%exp = strreplace($Authentication::Status::LastExp, "'", "\\'");
|
|
%cert = getSubStr(%cert, 6, strlen(%cert));
|
|
%exp = getField(%cert, 0) @ "\t" @ getSubStr(%exp, 5, strlen(%exp));
|
|
// add it to the store
|
|
t2csri_storeAccount(%cert, %exp);
|
|
|
|
// refresh the UI
|
|
$LastLoginKey = $LoginName;
|
|
LoginEditMenu.clear();
|
|
LoginEditMenu.populate();
|
|
LoginEditMenu.setActive(1);
|
|
LoginEditBox.clear();
|
|
}
|
|
else
|
|
{
|
|
popLoginMessage();
|
|
LoginMessagePopup("ERROR", "Credential download failed. Check your username/password.");
|
|
schedule(3000, 0, popLoginMessage);
|
|
}
|
|
}
|
|
}
|
|
|
|
// gets a hex version of the game server's IP address
|
|
// used to prevent a replay attack as described by Rain
|
|
function t2csri_gameServerHexAddress()
|
|
{
|
|
%ip = ServerConnection.getAddress();
|
|
|
|
%ip = getSubStr(%ip, strstr(%ip, ":") + 1, strlen(%ip));
|
|
%ip = getSubStr(%ip, 0, strstr(%ip, ":"));
|
|
%ip = strReplace(%ip, ".", " ");
|
|
|
|
for (%i = 0; %i < getWordCount(%ip); %i++)
|
|
{
|
|
%byte = DecToHex(getWord(%ip, %i));
|
|
if (strLen(%byte) < 2)
|
|
%byte = "0" @ %byte;
|
|
%hex = %hex @ %byte;
|
|
}
|
|
return %hex;
|
|
}
|
|
|
|
// client side interface to communicate with the game server
|
|
function clientCmdt2csri_pokeClient(%version)
|
|
{
|
|
echo("T2CSRI: Authenticating with connected game server. (" @ %version @ ")");
|
|
|
|
// send the community certificate, assuming server is running later than 1.0
|
|
if (getWord(%version, 1) > 1.0)
|
|
t2csri_sendCommunityCert();
|
|
|
|
$encryptedchallenge = "";
|
|
|
|
$LoginCertificate = t2csri_getAccountCertificate();
|
|
// send the certificate in 200 byte parts
|
|
for (%i = 0; %i < strlen($LoginCertificate); %i += 200)
|
|
{
|
|
commandToServer('t2csri_sendCertChunk', getSubStr($LoginCertificate, %i, 200));
|
|
}
|
|
|
|
// send a 64 bit challenge to the server to prevent replay attacks
|
|
$loginchallenge = rand_challenge(18446744073709551615);
|
|
// append what the client thinks the server IP address is, for anti-replay purposes
|
|
$loginchallenge = $loginchallenge @ t2csri_gameServerHexAddress();
|
|
|
|
schedule(0, 0, commandToServer, 't2csri_sendChallenge', $loginchallenge);
|
|
|
|
// at this point, server will validate the signature on the certificate then
|
|
// proceed to verifying the client has the private part of the key if valid
|
|
// or disconnecting them if invalid
|
|
// the only way the client can have a valid cert is if the auth server signed it
|
|
}
|
|
|
|
function clientCmdt2csri_getChallengeChunk(%chunk)
|
|
{
|
|
$encryptedchallenge = $encryptedchallenge @ %chunk;
|
|
}
|
|
|
|
function clientCmdt2csri_decryptChallenge()
|
|
{
|
|
// sanitize the challenge to make sure it contains nothing but hex characters.
|
|
// anything else means that the server is trying to hijack control of the interpreter
|
|
%challenge = strlwr($encryptedchallenge);
|
|
for (%i = 0; %i < strlen(%challenge); %i++)
|
|
{
|
|
if (!isxdigit(getSubStr(%challenge, %i, 1)))
|
|
{
|
|
schedule(1000, 0, MessageBoxOK, "REJECTED","Invalid characters in server challenge.");
|
|
disconnect();
|
|
return;
|
|
}
|
|
}
|
|
|
|
%decryptedChallenge = t2csri_rsa_decrypt(%challenge);
|
|
|
|
// verify that the client challenge is intact, and extract the server challenge
|
|
%replayedClientChallenge = getSubStr(%decryptedChallenge, 0, strLen($loginchallenge));
|
|
%serverChallenge = getSubStr(%decryptedChallenge, strlen(%replayedClientChallenge), strLen(%decryptedChallenge));
|
|
if (%replayedClientChallenge !$= $loginchallenge)
|
|
{
|
|
schedule(1000, 0, MessageBoxOK, "REJECTED","Server sent back wrong client challenge.");
|
|
disconnect();
|
|
return;
|
|
}
|
|
|
|
// analyze the IP address the server thinks the client is connecting from for the purposes
|
|
// of preventing replay attacks
|
|
%clip = ipv4_hexBlockToIP(getSubStr(%serverChallenge, strLen(%serverChallenge) - 8, 8));
|
|
if (!ipv4_reasonableConnection(ipv4_hexBlockToIP(t2csri_gameServerHexAddress()), %clip))
|
|
{
|
|
schedule(1000, 0, MessageBoxOK, "REJECTED","Server sent back unreasonable IP challenge source. Possible replay attack attempt.");
|
|
disconnect();
|
|
return;
|
|
}
|
|
|
|
// send the server part of the challenge to prove client identity
|
|
// this is done on a schedule to prevent side-channel timing attacks on the client's
|
|
// private exponent -- different x requires different time for x^d, and d bits can be found
|
|
// if you are really resourceful... adding this schedule kills time accuracy and makes such
|
|
// a correlation attack very improbable
|
|
schedule(getRandom(64, 512), 0, commandToServer, 't2csri_challengeResponse', %serverChallenge);
|
|
|
|
// at this point, server will verify that the challenge is equivalent to the one it sent encrypted
|
|
// to the client. the only way it can be equivalent is if the client has the private key they
|
|
// claim to have. normal T2 connection process continues from this point
|
|
}
|