diff --git a/src/main/java/ua/nanit/limbo/connection/ClientConnection.java b/src/main/java/ua/nanit/limbo/connection/ClientConnection.java
index 9d938423..3f1f7c8d 100644
--- a/src/main/java/ua/nanit/limbo/connection/ClientConnection.java
+++ b/src/main/java/ua/nanit/limbo/connection/ClientConnection.java
@@ -45,6 +45,8 @@
 import java.net.SocketAddress;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
+import java.util.Arrays;
+import java.util.List;
 import java.util.UUID;
 import java.util.concurrent.ThreadLocalRandom;
 import java.util.concurrent.TimeUnit;
@@ -330,18 +332,27 @@ boolean checkVelocityKeyIntegrity(ByteMessage buf) {
 buf.readBytes(signature);
 byte[] data = new byte[buf.readableBytes()];
 buf.getBytes(buf.readerIndex(), data);
- try {
- Mac mac = Mac.getInstance("HmacSHA256");
- mac.init(new SecretKeySpec(server.getConfig().getInfoForwarding().getSecretKey(), "HmacSHA256"));
- byte[] mySignature = mac.doFinal(data);
- if (!MessageDigest.isEqual(signature, mySignature))
- return false;
- } catch (InvalidKeyException | java.security.NoSuchAlgorithmException e) {
- throw new AssertionError(e);
+
+ List secretKeys = server.getConfig().getInfoForwarding().getSecretKeys();
+ boolean validKey = false;
+
+ for (byte[] secretKey : secretKeys) {
+ try {
+ Mac mac = Mac.getInstance("HmacSHA256");
+ mac.init(new SecretKeySpec(secretKey, "HmacSHA256"));
+ byte[] mySignature = mac.doFinal(data);
+ if (MessageDigest.isEqual(signature, mySignature)) {
+ validKey = true;
+ break;
+ }
+ } catch (InvalidKeyException | java.security.NoSuchAlgorithmException e) {
+ throw new AssertionError(e);
+ }
 }
+
 int version = buf.readVarInt();
 if (version != 1)
 throw new IllegalStateException("Unsupported forwarding version " + version + ", wanted " + '\001');
- return true;
+ return validKey;
 }
 }
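Review bot: After the key loop in checkVelocityKeyIntegrity, `buf.readVarInt()` and the version check now run even when no configured key matched, so unauthenticated bytes are parsed and a bad version raises IllegalStateException where the old code had already returned false. Restoring the verify-then-parse order takes one line after the loop, `if (!validKey) return false;`, after which the final statement can remain `return true;`. An empty `secretKeys` list leaves `validKey` false, which is the correct fail-closed result and deserves a short comment saying so. The `java.util.Arrays` import added in the first hunk is not used by any line shown in this diff. The method starts above the hunk, so the declaration of `signature` is not visible here.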
diff --git a/src/main/java/ua/nanit/limbo/server/data/InfoForwarding.java b/src/main/java/ua/nanit/limbo/server/data/InfoForwarding.java
index e20ad7a5..dabd4bd7 100644
--- a/src/main/java/ua/nanit/limbo/server/data/InfoForwarding.java
+++ b/src/main/java/ua/nanit/limbo/server/data/InfoForwarding.java
@@ -23,19 +23,20 @@
 import org.spongepowered.configurate.serialize.TypeSerializer;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.List;
 public class InfoForwarding {
 private Type type;
- private byte[] secretKey;
+ private List secretKey;
 private List tokens;
 public Type getType() {
 return type;
 }
- public byte[] getSecretKey() {
+ public List getSecretKeys() {
 return secretKey;
 }
@@ -83,7 +84,14 @@ public InfoForwarding deserialize(java.lang.reflect.Type type, ConfigurationNode
 }
 if (forwarding.type == Type.MODERN) {
- forwarding.secretKey = node.node("secret").getString("").getBytes(StandardCharsets.UTF_8);
+ List secrets = node.node("secret").getList(String.class);
+ List keys = new ArrayList<>();
+ if (secrets != null) {
+ for (String secret : secrets) {
+ keys.add(secret.getBytes(StandardCharsets.UTF_8));
+ }
+ }
+ forwarding.secretKey = keys;
 }
 if (forwarding.type == Type.BUNGEE_GUARD) {
diff --git a/src/main/resources/settings.yml b/src/main/resources/settings.yml
index 3f43a5ef..a1d7c5f3 100644
--- a/src/main/resources/settings.yml
+++ b/src/main/resources/settings.yml
@@ -90,7 +90,8 @@ title:
 # Don't use secret if you do not use MODERN type
 infoForwarding:
 type: NONE
- secret: ''
+ secret:
+ - ''
 tokens:
 - ''
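Review bot: In the first InfoForwarding.java hunk, `getSecretKeys()` returns the same mutable list, with the same `byte[]` elements, that the signature check iterates, so any caller holding the config can add or alter an accepted forwarding key after load. Wrapping the list once when it is assigned in the deserializer, e.g. `forwarding.secretKey = Collections.unmodifiableList(keys);`, keeps the accepted key set fixed. The field is still named `secretKey` although it now holds a list; `secretKeys` would match the renamed getter.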
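Review bot: In the MODERN branch of deserialize, every entry is converted with `secret.getBytes(...)` without rejecting empty strings, and the settings.yml default changed in this same commit ships `secret: - ''`. A zero-length key makes `new SecretKeySpec(...)` throw IllegalArgumentException, which the catch in checkVelocityKeyIntegrity does not cover, so a single blank entry aborts verification before any later key is tried. Skipping such entries at load avoids that: `if (secret != null && !secret.isEmpty()) keys.add(secret.getBytes(StandardCharsets.UTF_8));`. It would also help to log or fail at startup when MODERN is selected and no usable key remains, and to update the settings.yml comment to say that `secret` is now a list. The deserialize body starts and ends outside the hunk.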