spacebar/rust-nex
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages 50 Wiki Activity Actions

fix forgetting to save file

Browse source
This commit is contained in:
Maple 2026-02-01 21:10:03 +01:00
commit 7e3cade00e
11 changed files with 124 additions and 121 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.ci-scripts/make-edition.sh
View file

@ -3,8 +3,8 @@
export EDITION=$1 export EDITION=$1
export BA="--build-arg EDITION=$1" export BA="--build-arg EDITION=$1"
podman build $BA -t "$CI_REGISTRY_IMAGE/$EDITION/dev-container:latest" --target=dev-container . # podman build $BA -t "$CI_REGISTRY_IMAGE/$EDITION/dev-container:latest" --target=dev-container .
podman push "$CI_REGISTRY_IMAGE/$EDITION/dev-container:latest" # podman push "$CI_REGISTRY_IMAGE/$EDITION/dev-container:latest"
podman build $BA -t "$CI_REGISTRY_IMAGE/$EDITION/node-holder:$CI_COMMIT_SHORT_SHA" --target=node-holder . podman build $BA -t "$CI_REGISTRY_IMAGE/$EDITION/node-holder:$CI_COMMIT_SHORT_SHA" --target=node-holder .
podman build $BA -t "$CI_REGISTRY_IMAGE/$EDITION/proxy-secure:$CI_COMMIT_SHORT_SHA" --target=proxy-secure . podman build $BA -t "$CI_REGISTRY_IMAGE/$EDITION/proxy-secure:$CI_COMMIT_SHORT_SHA" --target=proxy-secure .
podman build $BA -t "$CI_REGISTRY_IMAGE/$EDITION/proxy-insecure:$CI_COMMIT_SHORT_SHA" --target=proxy-insecure . podman build $BA -t "$CI_REGISTRY_IMAGE/$EDITION/proxy-insecure:$CI_COMMIT_SHORT_SHA" --target=proxy-insecure .

1
Cargo.lock generated
View file

@ -672,6 +672,7 @@ version = "0.1.1"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"bytemuck", "bytemuck",
"cfg-if",
"chrono", "chrono",
"dotenv", "dotenv",
"hex", "hex",

BIN
out/backend_server_secure Executable file
View file

Binary file not shown.

2
proxy/src/insecure.rs
View file

@ -1,5 +1,3 @@
use std::process::abort;
use proxy::edge_node_dc_callback; use proxy::edge_node_dc_callback;
use proxy_common::{ProxyStartupParam, setup_edge_node_connection}; use proxy_common::{ProxyStartupParam, setup_edge_node_connection};
use rnex_core::common::setup; use rnex_core::common::setup;

15
prudpv0/src/crypto/friends_insecure.rs
View file

@ -65,11 +65,14 @@ impl Crypto for Insecure {
packet_data: &[u8], packet_data: &[u8],
self_signat: [u8; 4], self_signat: [u8; 4],
remote_signat: [u8; 4], remote_signat: [u8; 4],
) -> Self::Instance { ) -> Option<(Self::Instance, Vec<u8>)> {
InsecureInstance { Some((
pair: EncryptionPair::init_both(|| Rc4::new(&DEFAULT_KEY)), InsecureInstance {
self_signat, pair: EncryptionPair::init_both(|| Rc4::new(&DEFAULT_KEY)),
remote_signat, self_signat,
} remote_signat,
},
vec![],
))
} }
} }

52
prudpv0/src/crypto/friends_secure.rs
View file

@ -1,10 +1,18 @@
use hmac::Mac; use hmac::Mac;
use rc4::{Rc4, StreamCipher}; use md5::{Digest, Md5};
use rnex_core::prudp::{ use rc4::{KeyInit, Rc4, StreamCipher};
encryption::EncryptionPair, use rnex_core::{
types_flags::{TypesFlags, types::DATA}, executables::common::SECURE_SERVER_ACCOUNT,
nex::account::Account,
prudp::{
encryption::EncryptionPair,
ticket::read_secure_connection_data,
types_flags::{TypesFlags, types::DATA},
},
rmc::structures::RmcSerialize,
}; };
use typenum::U32; use std::io::Write;
use typenum::U16;
use crate::crypto::{ use crate::crypto::{
Crypto, CryptoInstance, Crypto, CryptoInstance,
@ -13,7 +21,7 @@ use crate::crypto::{
}; };
pub struct SecureInstance { pub struct SecureInstance {
pair: EncryptionPair<Rc4<U32>>, pair: EncryptionPair<Rc4<U16>>,
uid: u32, uid: u32,
self_signat: [u8; 4], self_signat: [u8; 4],
remote_signat: [u8; 4], remote_signat: [u8; 4],
@ -34,7 +42,9 @@ impl CryptoInstance for SecureInstance {
if data.len() == 0 { if data.len() == 0 {
[0x78, 0x56, 0x34, 0x12] [0x78, 0x56, 0x34, 0x12]
} else { } else {
let mut hmac = <HmacMd5 as Mac>::new_from_slice(ACCESS_KEY.as_bytes()) let mut hash = Md5::new();
hash.write(ACCESS_KEY.as_bytes()).unwrap();
let mut hmac = <HmacMd5 as Mac>::new_from_slice(&hash.finalize().as_slice())
.expect("unable to create hmac md5"); .expect("unable to create hmac md5");
hmac.update(data); hmac.update(data);
hmac.finalize().into_bytes()[0..4].try_into().unwrap() hmac.finalize().into_bytes()[0..4].try_into().unwrap()
@ -45,12 +55,12 @@ impl CryptoInstance for SecureInstance {
} }
} }
pub struct Secure(); pub struct Secure(&'static Account);
impl Crypto for Secure { impl Crypto for Secure {
type Instance = SecureInstance; type Instance = SecureInstance;
fn new() -> Self { fn new() -> Self {
Self() Self(&SECURE_SERVER_ACCOUNT)
} }
fn calculate_checksum(&self, data: &[u8]) -> u8 { fn calculate_checksum(&self, data: &[u8]) -> u8 {
common_checksum(ACCESS_KEY, data) common_checksum(ACCESS_KEY, data)
@ -60,7 +70,27 @@ impl Crypto for Secure {
data: &[u8], data: &[u8],
self_signat: [u8; 4], self_signat: [u8; 4],
remote_signat: [u8; 4], remote_signat: [u8; 4],
) -> Self::Instance { ) -> Option<(Self::Instance, Vec<u8>)> {
todo!() let (session_key, pid, check_value) = read_secure_connection_data(data, &self.0)?;
let check_value_response = check_value + 1;
let data = bytemuck::bytes_of(&check_value_response);
let mut response = Vec::new();
data.serialize(&mut response).ok()?;
Some((
SecureInstance {
pair: EncryptionPair::init_both(|| {
Rc4::new_from_slice(&session_key).expect("unable to initialize rc4 stream")
}),
self_signat,
remote_signat,
uid: pid,
},
response,
))
} }
} }

2
prudpv0/src/crypto/mod.rs
View file

@ -19,7 +19,7 @@ pub trait Crypto: Send + Sync + 'static {
data: &[u8], data: &[u8],
self_signat: [u8; 4], self_signat: [u8; 4],
remote_signat: [u8; 4], remote_signat: [u8; 4],
) -> Self::Instance; ) -> Option<(Self::Instance, Vec<u8>)>;
} }
cfg_if! { cfg_if! {

21
prudpv0/src/packet.rs
View file

@ -1,7 +1,7 @@
use std::mem::transmute; use std::mem::transmute;
use bytemuck::{Pod, Zeroable, try_from_bytes, try_from_bytes_mut}; use bytemuck::{Pod, Zeroable, try_from_bytes, try_from_bytes_mut};
use log::{error, info}; use log::{error, info, warn};
use rnex_core::prudp::{ use rnex_core::prudp::{
types_flags::{ types_flags::{
self, TypesFlags, self, TypesFlags,
@ -146,6 +146,15 @@ impl<T: AsRef<[u8]>> PRUDPV0Packet<T> {
let Some(checksum) = self.checksum() else { let Some(checksum) = self.checksum() else {
return false; return false;
}; };
if checksum != crypto.calculate_checksum(data) {
warn!(
"checksum doesnt match expected checksum: {} != {}",
checksum,
crypto.calculate_checksum(data)
)
}
checksum == crypto.calculate_checksum(data) checksum == crypto.calculate_checksum(data)
} }
@ -230,7 +239,7 @@ pub fn new_connect_packet(
) -> Vec<u8> { ) -> Vec<u8> {
let type_flags = TypesFlags::default().types(CONNECT).flags(flags); let type_flags = TypesFlags::default().types(CONNECT).flags(flags);
let vec = vec![0; precalc_size(type_flags, 0)]; let vec = vec![0; precalc_size(type_flags, data.len())];
let mut packet = PRUDPV0Packet::new(vec); let mut packet = PRUDPV0Packet::new(vec);
let header = packet.header_mut().expect("packet malformed in creation"); let header = packet.header_mut().expect("packet malformed in creation");
@ -245,6 +254,12 @@ pub fn new_connect_packet(
*packet *packet
.connection_signature_mut() .connection_signature_mut()
.expect("packet malformed in creation") = remote_signat; .expect("packet malformed in creation") = remote_signat;
packet
.payload_mut()
.expect("packet malformed in creation")
.copy_from_slice(data);
if let Some(size) = packet.size_mut() { if let Some(size) = packet.size_mut() {
size.copy_from_slice(&(data.len() as u16).to_le_bytes()); size.copy_from_slice(&(data.len() as u16).to_le_bytes());
} }
@ -281,6 +296,8 @@ pub fn new_data_packet(
.expect("packet malformed in creation") .expect("packet malformed in creation")
.copy_from_slice(data); .copy_from_slice(data);
crypto_instance.encrypt_outgoing(packet.payload_mut().expect("packet malformed in creation"));
if let Some(size) = packet.size_mut() { if let Some(size) = packet.size_mut() {
size.copy_from_slice(&(data.len() as u16).to_le_bytes()); size.copy_from_slice(&(data.len() as u16).to_le_bytes());
} }

57
prudpv0/src/server.rs
View file

@ -3,7 +3,7 @@ use std::{
hash::Hash, hash::Hash,
net::{Ipv4Addr, SocketAddr, SocketAddrV4}, net::{Ipv4Addr, SocketAddr, SocketAddrV4},
sync::{ sync::{
Arc, LazyLock, Arc, LazyLock, Weak,
atomic::{AtomicBool, AtomicU32}, atomic::{AtomicBool, AtomicU32},
}, },
thread::sleep, thread::sleep,
@ -123,13 +123,14 @@ impl<C: Crypto> Server<C> {
let packet = Arc::new(packet); let packet = Arc::new(packet);
let packet_ref = Arc::downgrade(&packet); let packet_ref = Arc::downgrade(&packet);
let conn = Arc::downgrade(&conn);
let this = Arc::downgrade(&self);
inner.unacknowledged_packets.insert(seq, packet); inner.unacknowledged_packets.insert(seq, packet);
drop(inner); drop(inner);
let conn = Arc::downgrade(&conn);
let this = Arc::downgrade(&self);
spawn(async move { spawn(async move {
for n in 0..5 { for n in 0..5 {
let Some(data) = packet_ref.upgrade() else { let Some(data) = packet_ref.upgrade() else {
@ -153,10 +154,11 @@ impl<C: Crypto> Server<C> {
} }
async fn connection_thread( async fn connection_thread(
self: Arc<Self>, self: Arc<Self>,
conn: Arc<Connection<C::Instance>>, conn: Weak<Connection<C::Instance>>,
mut recv: SplittableBufferConnection, mut recv: SplittableBufferConnection,
) { ) {
while let Some(data) = recv.recv().await { while let Some(data) = recv.recv().await {
let Some(conn) = conn.upgrade() else { break };
if &data[..] == &[0, 0, 0, 0, 0] { if &data[..] == &[0, 0, 0, 0, 0] {
info!("got keepalive"); info!("got keepalive");
continue; continue;
@ -168,8 +170,8 @@ impl<C: Crypto> Server<C> {
async fn timeout_thread(self: Arc<Self>, conn: Arc<Connection<C::Instance>>) { async fn timeout_thread(self: Arc<Self>, conn: Arc<Connection<C::Instance>>) {
loop { loop {
sleep(Duration::from_secs(3)); sleep(Duration::from_secs(3));
info!("running another loop");
let mut inner = conn.inner.lock().await; let mut inner = conn.inner.lock().await;
if (Instant::now() - inner.last_action).as_secs() > 5 { if (Instant::now() - inner.last_action).as_secs() > 5 {
warn!("connection exceeded silence limit, sending ping"); warn!("connection exceeded silence limit, sending ping");
let packet = new_ping_packet( let packet = new_ping_packet(
@ -187,11 +189,11 @@ impl<C: Crypto> Server<C> {
.await; .await;
} }
if (Instant::now() - conn.inner.lock().await.last_action).as_secs() > 15 { if (Instant::now() - inner.last_action).as_secs() > 15 {
warn!("client timed out..."); warn!("client timed out...");
let packet = new_disconnect_packet( let packet = new_disconnect_packet(
0, NEED_ACK,
self.param.virtual_port, self.param.virtual_port,
conn.addr.virtual_port, conn.addr.virtual_port,
0, 0,
@ -209,9 +211,12 @@ impl<C: Crypto> Server<C> {
self.socket self.socket
.send_to(&packet, conn.addr.regular_socket_addr) .send_to(&packet, conn.addr.regular_socket_addr)
.await; .await;
drop(inner);
let mut conns = self.connections.write().await; let mut conns = self.connections.write().await;
conns.remove(&conn.addr); conns.remove(&conn.addr);
drop(conns); drop(conns);
break;
} }
drop(inner); drop(inner);
@ -247,7 +252,10 @@ impl<C: Crypto> Server<C> {
remote_signat[3], remote_signat[3],
]; ];
let ci = self.crypto.instantiate(data, self_signat, remote_signat); let Some((ci, data)) = self.crypto.instantiate(&data, self_signat, remote_signat) else {
warn!("unable to instantiate crypto instance");
return;
};
let pid = ci.get_user_id(); let pid = ci.get_user_id();
let buf_conn = new_backend_connection(&self.param, addr, pid).await; let buf_conn = new_backend_connection(&self.param, addr, pid).await;
@ -281,7 +289,7 @@ impl<C: Crypto> Server<C> {
spawn({ spawn({
let this = self.clone(); let this = self.clone();
let conn = conn.clone(); let conn = Arc::downgrade(&conn);
this.connection_thread(conn, buf_conn) this.connection_thread(conn, buf_conn)
}); });
spawn({ spawn({
@ -297,7 +305,7 @@ impl<C: Crypto> Server<C> {
self_signat, self_signat,
remote_signat, remote_signat,
packet.header().unwrap().session_id, packet.header().unwrap().session_id,
&[], &data,
&self.crypto, &self.crypto,
); );
@ -314,10 +322,7 @@ impl<C: Crypto> Server<C> {
return; return;
}; };
let rd = self.connections.read().await; let Some(res) = self.get_connection(addr).await else {
let res = rd.get(&addr).cloned();
drop(rd);
let Some(res) = res else {
warn!("data packet on inactive connection from: {:?}", addr); warn!("data packet on inactive connection from: {:?}", addr);
return; return;
}; };
@ -335,7 +340,6 @@ impl<C: Crypto> Server<C> {
&self.crypto, &self.crypto,
); );
self.socket.send_to(&ack, addr.regular_socket_addr).await; self.socket.send_to(&ack, addr.regular_socket_addr).await;
conn.last_action = Instant::now();
conn.packet_queue.insert( conn.packet_queue.insert(
packet.header().unwrap().sequence_id, packet.header().unwrap().sequence_id,
(Instant::now(), packet), (Instant::now(), packet),
@ -356,6 +360,7 @@ impl<C: Crypto> Server<C> {
res.target.send(payload.to_owned()).await; res.target.send(payload.to_owned()).await;
conn.client_packet_counter += 1; conn.client_packet_counter += 1;
} }
info!("finished handeling packets, dropping inner connection");
drop(conn); drop(conn);
} }
@ -378,7 +383,6 @@ impl<C: Crypto> Server<C> {
&self.crypto, &self.crypto,
); );
drop(inner); drop(inner);
drop(conn);
self.socket.send_to(&packet, addr.regular_socket_addr).await; self.socket.send_to(&packet, addr.regular_socket_addr).await;
} }
@ -405,7 +409,6 @@ impl<C: Crypto> Server<C> {
&self.crypto, &self.crypto,
); );
drop(inner); drop(inner);
drop(conn);
self.socket.send_to(&packet, addr.regular_socket_addr).await; self.socket.send_to(&packet, addr.regular_socket_addr).await;
self.socket.send_to(&packet, addr.regular_socket_addr).await; self.socket.send_to(&packet, addr.regular_socket_addr).await;
@ -429,17 +432,19 @@ impl<C: Crypto> Server<C> {
return; return;
}; };
info!("len: {}", packet.0.len());
let addr = PRUDPSockAddr::new(addr, header.source); let addr = PRUDPSockAddr::new(addr, header.source);
if header.type_flags.get_flags() & ACK != 0 {
info!("got ack(acks are ignored for now)");
return;
}
if let Some(conn) = self.get_connection(addr).await { if let Some(conn) = self.get_connection(addr).await {
let mut inner = conn.inner.lock().await; let mut inner = conn.inner.lock().await;
inner.last_action = Instant::now(); inner.last_action = Instant::now();
drop(inner); drop(inner);
}; };
if header.type_flags.get_flags() & ACK != 0 {
info!("got ack(acks are ignored for now)");
return;
}
println!("{:?}", header); println!("{:?}", header);
match header.type_flags.get_types() { match header.type_flags.get_types() {
SYN => { SYN => {
@ -464,20 +469,18 @@ impl<C: Crypto> Server<C> {
} }
pub async fn run_task(self: Arc<Self>) { pub async fn run_task(self: Arc<Self>) {
loop { loop {
let mut vec: Vec<u8> = vec![]; let mut vec: Vec<u8> = vec![0u8; 65507];
let addr = match self.socket.recv_buf_from(&mut vec).await { let (len, addr) = match self.socket.recv_from(&mut vec).await {
Err(e) => { Err(e) => {
error!("unable to recv: {}", e); error!("unable to recv: {}", e);
break; break;
} }
Ok(v) => { Ok(v) => v,
assert_eq!(vec.len(), v.0);
v.1
}
}; };
let this = self.clone(); let this = self.clone();
tokio::spawn(async move { tokio::spawn(async move {
let mut data = vec; let mut data = vec;
data.resize(len, 0);
let packet = PRUDPV0Packet::new(data); let packet = PRUDPV0Packet::new(data);
let SocketAddr::V4(addr) = addr else { let SocketAddr::V4(addr) = addr else {

63
prudpv1/src/prudp/secure.rs
View file

@ -8,73 +8,12 @@ use rc4::{KeyInit, Rc4, Rc4Core, StreamCipher};
use rnex_core::kerberos::{TicketInternalData, derive_key}; use rnex_core::kerberos::{TicketInternalData, derive_key};
use rnex_core::nex::account::Account; use rnex_core::nex::account::Account;
use rnex_core::prudp::encryption::EncryptionPair; use rnex_core::prudp::encryption::EncryptionPair;
use rnex_core::prudp::ticket::read_secure_connection_data;
use rnex_core::rmc::structures::RmcSerialize; use rnex_core::rmc::structures::RmcSerialize;
use std::io::Cursor; use std::io::Cursor;
use typenum::U5; use typenum::U5;
use v_byte_helpers::{IS_BIG_ENDIAN, ReadExtensions}; use v_byte_helpers::{IS_BIG_ENDIAN, ReadExtensions};
pub fn read_secure_connection_data(data: &[u8], act: &Account) -> Option<([u8; 32], u32, u32)> {
let mut cursor = Cursor::new(data);
let mut ticket_data: Vec<u8> = Vec::deserialize(&mut cursor).ok()?;
let mut request_data: Vec<u8> = Vec::deserialize(&mut cursor).ok()?;
let ticket_data_size = ticket_data.len();
let ticket_data = &mut ticket_data[0..ticket_data_size - 0x10];
let server_key = derive_key(act.pid, &act.kerbros_password[..]);
let mut rc4: StreamCipherCoreWrapper<Rc4Core<U16>> =
Rc4::new_from_slice(&server_key).expect("unable to init rc4 keystream");
rc4.apply_keystream(ticket_data);
let ticket_data: &TicketInternalData = match bytemuck::try_from_bytes(ticket_data) {
Ok(v) => v,
Err(e) => {
error!("unable to read internal ticket data: {}", e);
return None;
}
};
// todo: add ticket expiration
let TicketInternalData {
session_key,
pid: ticket_source_pid,
issued_time,
} = *ticket_data;
// todo: add checking if tickets are signed with a valid md5-hmac
let request_data_length = request_data.len();
let request_data = &mut request_data[0..request_data_length - 0x10];
let mut rc4: StreamCipherCoreWrapper<Rc4Core<U32>> =
Rc4::new_from_slice(&session_key).expect("unable to init rc4 keystream");
rc4.apply_keystream(request_data);
let mut reqest_data_cursor = Cursor::new(request_data);
let pid: u32 = reqest_data_cursor.read_struct(IS_BIG_ENDIAN).ok()?;
if pid != ticket_source_pid {
let ticket_created_on = issued_time.to_regular_time();
error!(
"someone tried to spoof their pid, ticket was created on: {}",
ticket_created_on.to_rfc2822()
);
return None;
}
let _cid: u32 = reqest_data_cursor.read_struct(IS_BIG_ENDIAN).ok()?;
let response_check: u32 = reqest_data_cursor.read_struct(IS_BIG_ENDIAN).ok()?;
Some((session_key, pid, response_check))
}
type Rc4U32 = StreamCipherCoreWrapper<Rc4Core<U32>>; type Rc4U32 = StreamCipherCoreWrapper<Rc4Core<U32>>;
pub fn generate_secure_encryption_pairs( pub fn generate_secure_encryption_pairs(

28
rnex-core/src/executables/backend_server_insecure.rs
View file

@ -1,8 +1,6 @@
use cfg_if::cfg_if;
use once_cell::sync::Lazy; use once_cell::sync::Lazy;
use rnex_core::common::setup; use rnex_core::common::setup;
use rnex_core::executables::common::{SECURE_SERVER_ACCOUNT, new_simple_backend}; use rnex_core::executables::common::{SECURE_SERVER_ACCOUNT, new_simple_backend};
use rnex_core::executables::regular_backend;
use rnex_core::nex::auth_handler::AuthHandler; use rnex_core::nex::auth_handler::AuthHandler;
use rnex_core::reggie::EdgeNodeHolderConnectOption::DontRegister; use rnex_core::reggie::EdgeNodeHolderConnectOption::DontRegister;
use rnex_core::reggie::RemoteEdgeNodeHolder; use rnex_core::reggie::RemoteEdgeNodeHolder;
@ -25,11 +23,25 @@ pub static FORWARD_EDGE_NODE_HOLDER: Lazy<SocketAddrV4> = Lazy::new(|| {
async fn main() { async fn main() {
setup(); setup();
cfg_if! { let conn = TcpStream::connect(&*FORWARD_EDGE_NODE_HOLDER)
if #[cfg(features = "friends")]{ .await
.unwrap();
} else { let conn: SplittableBufferConnection = conn.into();
regular_backend::start_regular_backend().await
} conn.send(DontRegister.to_data().unwrap()).await;
}
let conn = new_rmc_gateway_connection(conn, |r| {
Arc::new(OnlyRemote::<RemoteEdgeNodeHolder>::new(r))
});
new_simple_backend(move |_, _| {
let controller = conn.clone();
Arc::new(AuthHandler {
destination_server_acct: &SECURE_SERVER_ACCOUNT,
build_name: env!("AUTH_REPORT_VERSION"),
control_server: controller,
})
})
.await;
} }