Prevent man-in-the-middle attacks

core/Cargo.toml

@@ -40,6 +40,7 @@ priority-queue = "1.2.1"
 protobuf = "2"
 quick-xml = { version = "0.22", features = ["serialize"] }
 rand = "0.8"
+rsa = { version = "0.5", default-features = false, features = ["alloc"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 sha-1 = "0.10"

core/src/connection/handshake.rs

@@ -4,7 +4,8 @@ use byteorder::{BigEndian, ByteOrder, WriteBytesExt};
 use hmac::{Hmac, Mac};
 use protobuf::{self, Message};
 use rand::{thread_rng, RngCore};
-use sha1::Sha1;
+use rsa::{BigUint, PublicKey};
+use sha1::{Digest, Sha1};
 use thiserror::Error;
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
 use tokio_util::codec::{Decoder, Framed};
@@ -18,10 +19,31 @@ use crate::protocol::keyexchange::{
     APResponseMessage, ClientHello, ClientResponsePlaintext, Platform, ProductFlags,
 };
 
+const SERVER_KEY: [u8; 256] = [
+    0xac, 0xe0, 0x46, 0x0b, 0xff, 0xc2, 0x30, 0xaf, 0xf4, 0x6b, 0xfe, 0xc3, 0xbf, 0xbf, 0x86, 0x3d,
+    0xa1, 0x91, 0xc6, 0xcc, 0x33, 0x6c, 0x93, 0xa1, 0x4f, 0xb3, 0xb0, 0x16, 0x12, 0xac, 0xac, 0x6a,
+    0xf1, 0x80, 0xe7, 0xf6, 0x14, 0xd9, 0x42, 0x9d, 0xbe, 0x2e, 0x34, 0x66, 0x43, 0xe3, 0x62, 0xd2,
+    0x32, 0x7a, 0x1a, 0x0d, 0x92, 0x3b, 0xae, 0xdd, 0x14, 0x02, 0xb1, 0x81, 0x55, 0x05, 0x61, 0x04,
+    0xd5, 0x2c, 0x96, 0xa4, 0x4c, 0x1e, 0xcc, 0x02, 0x4a, 0xd4, 0xb2, 0x0c, 0x00, 0x1f, 0x17, 0xed,
+    0xc2, 0x2f, 0xc4, 0x35, 0x21, 0xc8, 0xf0, 0xcb, 0xae, 0xd2, 0xad, 0xd7, 0x2b, 0x0f, 0x9d, 0xb3,
+    0xc5, 0x32, 0x1a, 0x2a, 0xfe, 0x59, 0xf3, 0x5a, 0x0d, 0xac, 0x68, 0xf1, 0xfa, 0x62, 0x1e, 0xfb,
+    0x2c, 0x8d, 0x0c, 0xb7, 0x39, 0x2d, 0x92, 0x47, 0xe3, 0xd7, 0x35, 0x1a, 0x6d, 0xbd, 0x24, 0xc2,
+    0xae, 0x25, 0x5b, 0x88, 0xff, 0xab, 0x73, 0x29, 0x8a, 0x0b, 0xcc, 0xcd, 0x0c, 0x58, 0x67, 0x31,
+    0x89, 0xe8, 0xbd, 0x34, 0x80, 0x78, 0x4a, 0x5f, 0xc9, 0x6b, 0x89, 0x9d, 0x95, 0x6b, 0xfc, 0x86,
+    0xd7, 0x4f, 0x33, 0xa6, 0x78, 0x17, 0x96, 0xc9, 0xc3, 0x2d, 0x0d, 0x32, 0xa5, 0xab, 0xcd, 0x05,
+    0x27, 0xe2, 0xf7, 0x10, 0xa3, 0x96, 0x13, 0xc4, 0x2f, 0x99, 0xc0, 0x27, 0xbf, 0xed, 0x04, 0x9c,
+    0x3c, 0x27, 0x58, 0x04, 0xb6, 0xb2, 0x19, 0xf9, 0xc1, 0x2f, 0x02, 0xe9, 0x48, 0x63, 0xec, 0xa1,
+    0xb6, 0x42, 0xa0, 0x9d, 0x48, 0x25, 0xf8, 0xb3, 0x9d, 0xd0, 0xe8, 0x6a, 0xf9, 0x48, 0x4d, 0xa1,
+    0xc2, 0xba, 0x86, 0x30, 0x42, 0xea, 0x9d, 0xb3, 0x08, 0x6c, 0x19, 0x0e, 0x48, 0xb3, 0x9d, 0x66,
+    0xeb, 0x00, 0x06, 0xa2, 0x5a, 0xee, 0xa1, 0x1b, 0x13, 0x87, 0x3c, 0xd7, 0x19, 0xe6, 0x55, 0xbd,
+];
+
 #[derive(Debug, Error)]
 pub enum HandshakeError {
     #[error("invalid key length")]
     InvalidLength,
+    #[error("server key verification failed")]
+    VerificationFailed,
 }
 
 pub async fn handshake<T: AsyncRead + AsyncWrite + Unpin>(
@@ -37,7 +59,35 @@ pub async fn handshake<T: AsyncRead + AsyncWrite + Unpin>(
         .get_diffie_hellman()
         .get_gs()
         .to_owned();
+    let remote_signature = message
+        .get_challenge()
+        .get_login_crypto_challenge()
+        .get_diffie_hellman()
+        .get_gs_signature()
+        .to_owned();
 
+    // Prevent man-in-the-middle attacks: check server signature
+    let n = BigUint::from_bytes_be(&SERVER_KEY);
+    let e = BigUint::new(vec![65537]);
+    let public_key = rsa::RsaPublicKey::new(n, e).map_err(|_| {
+        io::Error::new(
+            io::ErrorKind::InvalidData,
+            HandshakeError::VerificationFailed,
+        )
+    })?;
+
+    let hash = Sha1::digest(&remote_key);
+    let padding = rsa::padding::PaddingScheme::new_pkcs1v15_sign(Some(rsa::hash::Hash::SHA1));
+    public_key
+        .verify(padding, &hash, &remote_signature)
+        .map_err(|_| {
+            io::Error::new(
+                io::ErrorKind::InvalidData,
+                HandshakeError::VerificationFailed,
+            )
+        })?;
+
+    // OK to proceed
     let shared_secret = local_keys.shared_secret(&remote_key);
     let (challenge, send_key, recv_key) = compute_keys(&shared_secret, &accumulator)?;
     let codec = ApCodec::new(&send_key, &recv_key);