Added RSA signing to Diffie Hellman

TwoTenPvP · TwoTenPvP · commit ec0ba47f7f2d · 2018-03-31T02:00:03.000+02:00
diff --git a/MLAPI/Data/NetworkingConfiguration.cs b/MLAPI/Data/NetworkingConfiguration.cs
@@ -31,6 +31,10 @@ public class NetworkingConfiguration
         public bool HandleObjectSpawning = true;
 
         public bool EnableEncryption = true;
+        public bool SignKeyExchange = true;
+        public string RSAPrivateKey = "<RSAKeyValue><Modulus>vBEvOQki/EftWOgwh4G8/nFRvcDJLylc8P7Dhz5m/hpkkNtAMzizNKYUrGbs7sYWlEuMYBOWrzkIDGOMoOsYc9uCi+8EcmNoHDlIhK5yNfZUexYBF551VbvZ625LSBR7kmBxkyo4IPuA09fYCHeUFm3prt4h6aTD0Hjc7ZsJHUU=</Modulus><Exponent>EQ==</Exponent><P>ydgcrq5qLJOdDQibD3m9+o3/dkKoFeCC110dnMgdpEteCruyBdL0zjGKKvjjgy3XTSSp43EN591NiXaBp0JtDw==</P><Q>7obHrUnUCsSHUsIJ7+JOrupcGrQ0XaYcQ+Uwb2v7d2YUzwZ46U4gI9snfD2J0tc3DGEh3v3G0Q8q7bxEe3H4aw==</Q><DP>L34k3c6vkgSdbHp+1nb/hj+HZx6+I0PijQbZyolwYuSOmR0a1DGjA1bzVWe9D86NAxevgM9OkOjG8yrxVIgZqQ==</DP><DQ>OB+2gyBuIKa2bdNNodrlVlVC2RtXnZB/HwjAGjeGdnJfP8VJoE6eJo3rLEq3BG7fxq1xYaUfuLhGVg4uOyngGQ==</DQ><InverseQ>o97PimYu58qH5eFmySRCIsyhBr/tK2GM17Zd9QQPJZRSorrhIJn1m6gwQ/G5aJLIM/3Yl04CoyqmQGsPXMzW2w==</InverseQ><D>CxAR1i22w4vCquB7U0Pd8Nl9R2Wxez6rHTwpnoszPB+rkAzlqKj7e5FMgpykhoQfciKPyWqQZKkAeTMIRbN56JinvpAt5POId/28HDd5xjGymHE81k3RzoHqzQXFIOF1TSYKUWzjPPF/TU4nn7auD4i6lOODATsMqtLr5DRBN/0=</D></RSAKeyValue>"; //CHANGE THESE FOR PRODUCTION!
+        public string RSAPublicKey = "<RSAKeyValue><Modulus>vBEvOQki/EftWOgwh4G8/nFRvcDJLylc8P7Dhz5m/hpkkNtAMzizNKYUrGbs7sYWlEuMYBOWrzkIDGOMoOsYc9uCi+8EcmNoHDlIhK5yNfZUexYBF551VbvZ625LSBR7kmBxkyo4IPuA09fYCHeUFm3prt4h6aTD0Hjc7ZsJHUU=</Modulus><Exponent>EQ==</Exponent></RSAKeyValue>"; //CHANGE THESE FOR PRODUCTION!
+
         public bool AllowPassthroughMessages = true;
         public bool EnableSceneSwitching = false;
 
diff --git a/MLAPI/MonoBehaviours/Core/NetworkingManager.cs b/MLAPI/MonoBehaviours/Core/NetworkingManager.cs
@@ -7,6 +7,7 @@
 using UnityEngine;
 using UnityEngine.Networking;
 using System.Linq;
+using System.Security.Cryptography;
 
 namespace MLAPI
 {
@@ -588,10 +589,6 @@ private void HandleIncomingData(int clientId, byte[] data, int channelId)
                                                 ushort diffiePublicSize = messageReader.ReadUInt16();
                                                 byte[] diffiePublic = messageReader.ReadBytes(diffiePublicSize);
                                                 diffieHellmanPublicKeys.Add(clientId, diffiePublic);
-                                                /*
-                                                EllipticDiffieHellman diffieHellman = new EllipticDiffieHellman(EllipticDiffieHellman.DEFAULT_CURVE, EllipticDiffieHellman.DEFAULT_GENERATOR, EllipticDiffieHellman.DEFAULT_ORDER);
-                                                aesKey = diffieHellman.GetSharedSecret(diffiePublic);
-                                                */
 
                                             }
                                             if (NetworkConfig.ConnectionApproval)
@@ -625,7 +622,25 @@ private void HandleIncomingData(int clientId, byte[] data, int channelId)
                                             if (NetworkConfig.EnableEncryption)
                                             {
                                                 ushort keyLength = messageReader.ReadUInt16();
-                                                clientAesKey = clientDiffieHellman.GetSharedSecret(messageReader.ReadBytes(keyLength));
+                                                byte[] serverPublicKey = messageReader.ReadBytes(keyLength);
+                                                clientAesKey = clientDiffieHellman.GetSharedSecret(serverPublicKey);
+                                                if (NetworkConfig.SignKeyExchange)
+                                                {
+                                                    ushort signatureLength = messageReader.ReadUInt16();
+                                                    byte[] publicKeySignature = messageReader.ReadBytes(signatureLength);
+                                                    using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
+                                                    {
+                                                        rsa.PersistKeyInCsp = false;
+                                                        rsa.FromXmlString(NetworkConfig.RSAPublicKey);
+                                                        if(!rsa.VerifyData(serverPublicKey, new SHA512CryptoServiceProvider(), publicKeySignature))
+                                                        {
+                                                            //Man in the middle.
+                                                            Debug.LogWarning("MLAPI: Signature doesnt match for the key exchange public part. Disconnecting");
+                                                            StopClient();
+                                                            return;
+                                                        }
+                                                    }
+                                                }
                                             }
 
                                             float netTime = messageReader.ReadSingle();
@@ -1292,6 +1307,7 @@ private void HandleApproval(int clientId, bool approved)
 
                 byte[] aesKey = new byte[0];
                 byte[] publicKey = new byte[0];
+                byte[] publicKeySignature = new byte[0];
                 if (NetworkConfig.EnableEncryption)
                 {
                     EllipticDiffieHellman diffieHellman = new EllipticDiffieHellman(EllipticDiffieHellman.DEFAULT_CURVE, EllipticDiffieHellman.DEFAULT_GENERATOR, EllipticDiffieHellman.DEFAULT_ORDER);
@@ -1300,6 +1316,16 @@ private void HandleApproval(int clientId, bool approved)
 
                     if (diffieHellmanPublicKeys.ContainsKey(clientId))
                         diffieHellmanPublicKeys.Remove(clientId);
+
+                    if (NetworkConfig.SignKeyExchange)
+                    {
+                        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
+                        {
+                            rsa.PersistKeyInCsp = false;
+                            rsa.FromXmlString(NetworkConfig.RSAPrivateKey);
+                            publicKeySignature = rsa.SignData(publicKeySignature, new SHA512CryptoServiceProvider());
+                        }
+                    }
                 }
 
                 NetworkedClient client = new NetworkedClient()
@@ -1315,21 +1341,26 @@ private void HandleApproval(int clientId, bool approved)
                     GameObject go = SpawnManager.SpawnPlayerObject(clientId, networkId);
                     connectedClients[clientId].PlayerObject = go;
                 }
-
                 int sizeOfStream = 16 + ((connectedClients.Count - 1) * 4);
 
                 int amountOfObjectsToSend = SpawnManager.spawnedObjects.Values.Count(x => x.ServerOnly == false);
 
-                if(NetworkConfig.HandleObjectSpawning)
+                if (NetworkConfig.HandleObjectSpawning)
                 {
                     sizeOfStream += 4;
                     sizeOfStream += 14 * amountOfObjectsToSend;
                 }
-                if(NetworkConfig.EnableEncryption)
+
+                if (NetworkConfig.EnableEncryption)
                 {
                     sizeOfStream += 2 + publicKey.Length;
+                    if (NetworkConfig.SignKeyExchange)
+                    {
+                        sizeOfStream += 2 + publicKeySignature.Length;
+                    }
                 }
-                if(NetworkConfig.EnableSceneSwitching)
+
+                if (NetworkConfig.EnableSceneSwitching)
                 {
                     sizeOfStream += 4;
                 }
@@ -1344,10 +1375,15 @@ private void HandleApproval(int clientId, bool approved)
                             writer.Write(NetworkSceneManager.CurrentSceneIndex);
                         }
 
-                        if(NetworkConfig.EnableEncryption)
+                        if (NetworkConfig.EnableEncryption)
                         {
                             writer.Write((ushort)publicKey.Length);
                             writer.Write(publicKey);
+                            if (NetworkConfig.SignKeyExchange)
+                            {
+                                writer.Write((ushort)publicKeySignature.Length);
+                                writer.Write(publicKeySignature);
+                            }
                         }
 
                         writer.Write(NetworkTime);
