mirror of
https://github.com/neoStudiosLCE/neoLegacy.git
synced 2026-06-09 04:23:02 +00:00
ba3ebe666c
Comprehensive security system to protect against packet-sniffing attacks, XUID harvesting, privilege escalation, bot flooding, and XUID impersonation. - Stream cipher: per-session XOR cipher with 4-message handshake via CustomPayloadPacket (MC|CKey, MC|CAck, MC|COn). Negotiated per-connection, backwards compatible (old clients/servers fall back to plaintext). - Security gate: buffers all game data until cipher handshake completes, preventing unsecured clients from receiving any XUIDs or game state. - Cipher handshake enforcer: kicks clients that don't complete the handshake within 5 seconds (configurable via require-secure-client). - Identity tokens: persistent per-XUID tokens in identity-tokens.json, issued over the encrypted channel, verified on reconnect. Prevents XUID replay attacks. Client stores server-specific tokens. - PROXY protocol v1: parses real client IPs from playit.gg tunnel headers so rate limiting, IP bans, and XUID spoof detection work per-player. - Rate limiting: per-IP sliding window (default 5 connections/30s) with pending connection cap (default 10). - Privilege hardening: OP requires ops.json, live checks on every command and privilege packet. Host-only server settings changes. - XUID stripping: PreLoginPacket response sends INVALID_XUID placeholders. - Packet validation: readUtf global string cap, reduced max packet size, stream desync protection on oversized strings. - OpManager: persistent ops.json with XUID-based OP list. - Whitelist improvements: whitelist add accepts player names with ambiguity detection, XUID cache from login attempts. - revoketoken command: revoke identity tokens for players who lost theirs. - server.log: persistent log file written alongside console output with flush-per-write to survive crashes. - CLI security logging: consolidated per-join security summary with cipher status, token status, XUID, and real IP. Security warnings for kicks, spoofing, and unauthorized commands.
45 lines
1.6 KiB
C++
45 lines
1.6 KiB
C++
#pragma once
|
|
using namespace std;
|
|
|
|
#include "Packet.h"
|
|
|
|
class CustomPayloadPacket : public Packet, public enable_shared_from_this<CustomPayloadPacket>
|
|
{
|
|
public:
|
|
|
|
// Mojang-defined custom packets
|
|
static const wstring CUSTOM_BOOK_PACKET;
|
|
static const wstring CUSTOM_BOOK_SIGN_PACKET;
|
|
static const wstring TEXTURE_PACK_PACKET;
|
|
static const wstring TRADER_LIST_PACKET;
|
|
static const wstring TRADER_SELECTION_PACKET;
|
|
static const wstring SET_ADVENTURE_COMMAND_PACKET;
|
|
static const wstring SET_BEACON_PACKET;
|
|
static const wstring SET_ITEM_NAME_PACKET;
|
|
|
|
// Security: stream cipher handshake channels
|
|
static const wstring CIPHER_KEY_CHANNEL; // server->client: carries 16-byte key
|
|
static const wstring CIPHER_ACK_CHANNEL; // client->server: ack (empty payload)
|
|
static const wstring CIPHER_ON_CHANNEL; // server->client: activation signal (empty payload)
|
|
|
|
// Security: identity token channels
|
|
static const wstring IDENTITY_TOKEN_ISSUE; // server->client: issue new 32-byte token
|
|
static const wstring IDENTITY_TOKEN_CHALLENGE; // server->client: request stored token
|
|
static const wstring IDENTITY_TOKEN_RESPONSE; // client->server: present stored token
|
|
|
|
wstring identifier;
|
|
int length;
|
|
byteArray data;
|
|
|
|
CustomPayloadPacket();
|
|
CustomPayloadPacket(const wstring &identifier, byteArray data);
|
|
|
|
virtual void read(DataInputStream *dis);
|
|
virtual void write(DataOutputStream *dos);
|
|
virtual void handle(PacketListener *listener);
|
|
virtual int getEstimatedSize();
|
|
|
|
public:
|
|
static shared_ptr<Packet> create() { return std::make_shared<CustomPayloadPacket>(); }
|
|
virtual int getId() { return 250; }
|
|
}; |