devbeni/survival-game
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

aha

Browse Source
This commit is contained in:
B3ni
2025-06-16 15:14:23 +02:00
committed by devbeni
parent 60fe4620ff
commit 4ff561284f
3174 changed files with 428263 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
Assets/Mirror/Transports/Encryption/Editor.meta Normal file
View File

@ -0,0 +1,3 @@
fileFormatVersion: 2
guid: 0d3cd9d7d6e84a578f7e4b384ff813f1
timeCreated: 1708793986

18
Assets/Mirror/Transports/Encryption/Editor/EncryptionTransportEditor.asmdef Normal file
View File

@ -0,0 +1,18 @@
{
"name": "EncryptionTransportEditor",
"rootNamespace": "",
"references": [
"GUID:627104647b9c04b4ebb8978a92ecac63"
],
"includePlatforms": [
"Editor"
],
"excludePlatforms": [],
"allowUnsafeCode": false,
"overrideReferences": false,
"precompiledReferences": [],
"autoReferenced": true,
"defineConstraints": [],
"versionDefines": [],
"noEngineReferences": false
}

14
Assets/Mirror/Transports/Encryption/Editor/EncryptionTransportEditor.asmdef.meta Normal file
View File

@ -0,0 +1,14 @@
fileFormatVersion: 2
guid: 4c9c7b0ef83e6e945b276d644816a489
AssemblyDefinitionImporter:
externalObjects: {}
userData:
assetBundleName:
assetBundleVariant:
AssetOrigin:
serializedVersion: 1
productId: 129321
packageName: Mirror
packageVersion: 96.0.1
assetPath: Assets/Mirror/Transports/Encryption/Editor/EncryptionTransportEditor.asmdef
uploadId: 736421

90
Assets/Mirror/Transports/Encryption/Editor/EncryptionTransportInspector.cs Normal file
View File

@ -0,0 +1,90 @@
using UnityEditor;
using UnityEngine;
namespace Mirror.Transports.Encryption
{
[CustomEditor(typeof(EncryptionTransport), true)]
public class EncryptionTransportInspector : UnityEditor.Editor
{
SerializedProperty innerProperty;
SerializedProperty clientValidatesServerPubKeyProperty;
SerializedProperty clientTrustedPubKeySignaturesProperty;
SerializedProperty serverKeypairPathProperty;
SerializedProperty serverLoadKeyPairFromFileProperty;
// Assuming proper SerializedProperty definitions for properties
// Add more SerializedProperty fields related to different modes as needed
void OnEnable()
{
innerProperty = serializedObject.FindProperty("Inner");
clientValidatesServerPubKeyProperty = serializedObject.FindProperty("ClientValidateServerPubKey");
clientTrustedPubKeySignaturesProperty = serializedObject.FindProperty("ClientTrustedPubKeySignatures");
serverKeypairPathProperty = serializedObject.FindProperty("ServerKeypairPath");
serverLoadKeyPairFromFileProperty = serializedObject.FindProperty("ServerLoadKeyPairFromFile");
}
public override void OnInspectorGUI()
{
serializedObject.Update();
// Draw default inspector for the parent class
DrawDefaultInspector();
EditorGUILayout.LabelField("Encryption Settings", EditorStyles.boldLabel);
if (innerProperty != null)
{
EditorGUILayout.LabelField("Common", EditorStyles.boldLabel);
EditorGUILayout.PropertyField(innerProperty);
EditorGUILayout.Separator();
}
// Client Section
EditorGUILayout.LabelField("Client", EditorStyles.boldLabel);
EditorGUILayout.HelpBox("Validating the servers public key is essential for complete man-in-the-middle (MITM) safety, but might not be feasible for all modes of hosting.", MessageType.Info);
EditorGUILayout.PropertyField(clientValidatesServerPubKeyProperty, new GUIContent("Validate Server Public Key"));
EncryptionTransport.ValidationMode validationMode = (EncryptionTransport.ValidationMode)clientValidatesServerPubKeyProperty.enumValueIndex;
switch (validationMode)
{
case EncryptionTransport.ValidationMode.List:
EditorGUILayout.PropertyField(clientTrustedPubKeySignaturesProperty);
break;
case EncryptionTransport.ValidationMode.Callback:
EditorGUILayout.HelpBox("Please set the EncryptionTransport.onClientValidateServerPubKey at runtime.", MessageType.Info);
break;
}
EditorGUILayout.Separator();
// Server Section
EditorGUILayout.LabelField("Server", EditorStyles.boldLabel);
EditorGUILayout.PropertyField(serverLoadKeyPairFromFileProperty, new GUIContent("Load Keypair From File"));
if (serverLoadKeyPairFromFileProperty.boolValue)
{
EditorGUILayout.PropertyField(serverKeypairPathProperty, new GUIContent("Keypair File Path"));
}
if(GUILayout.Button("Generate Key Pair"))
{
EncryptionCredentials keyPair = EncryptionCredentials.Generate();
string path = EditorUtility.SaveFilePanel("Select where to save the keypair", "", "server-keys.json", "json");
if (!string.IsNullOrEmpty(path))
{
keyPair.SaveToFile(path);
EditorUtility.DisplayDialog("KeyPair Saved", $"Successfully saved the keypair.\nThe fingerprint is {keyPair.PublicKeyFingerprint}, you can also retrieve it from the saved json file at any point.", "Ok");
if (validationMode == EncryptionTransport.ValidationMode.List)
{
if (EditorUtility.DisplayDialog("Add key to trusted list?", "Do you also want to add the generated key to the trusted list?", "Yes", "No"))
{
clientTrustedPubKeySignaturesProperty.arraySize++;
clientTrustedPubKeySignaturesProperty.GetArrayElementAtIndex(clientTrustedPubKeySignaturesProperty.arraySize - 1).stringValue = keyPair.PublicKeyFingerprint;
}
}
}
}
serializedObject.ApplyModifiedProperties();
}
[CustomEditor(typeof(ThreadedEncryptionKcpTransport), true)]
class EncryptionThreadedTransportInspector : EncryptionTransportInspector {}
}
}

10
Assets/Mirror/Transports/Encryption/Editor/EncryptionTransportInspector.cs.meta Normal file
View File

@ -0,0 +1,10 @@
fileFormatVersion: 2
guid: 871580d2094a46139279d651cec92b5d
timeCreated: 1708794004
AssetOrigin:
serializedVersion: 1
productId: 129321
packageName: Mirror
packageVersion: 96.0.1
assetPath: Assets/Mirror/Transports/Encryption/Editor/EncryptionTransportInspector.cs
uploadId: 736421

554
Assets/Mirror/Transports/Encryption/EncryptedConnection.cs Normal file
View File

@ -0,0 +1,554 @@
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using Mirror.BouncyCastle.Crypto;
using Mirror.BouncyCastle.Crypto.Agreement;
using Mirror.BouncyCastle.Crypto.Digests;
using Mirror.BouncyCastle.Crypto.Generators;
using Mirror.BouncyCastle.Crypto.Modes;
using Mirror.BouncyCastle.Crypto.Parameters;
using UnityEngine.Profiling;
namespace Mirror.Transports.Encryption
{
public class EncryptedConnection
{
// 256-bit key
const int KeyLength = 32;
// 512-bit salt for the key derivation function
const int HkdfSaltSize = KeyLength * 2;
// Info tag for the HKDF, this just adds more entropy
static readonly byte[] HkdfInfo = Encoding.UTF8.GetBytes("Mirror/EncryptionTransport");
// fixed size of the unique per-packet nonce. Defaults to 12 bytes/96 bits (not recommended to be changed)
const int NonceSize = 12;
// this is the size of the "checksum" included in each encrypted payload
// 16 bytes/128 bytes is the recommended value for best security
// can be reduced to 12 bytes for a small space savings, but makes encryption slightly weaker.
// Setting it lower than 12 bytes is not recommended
const int MacSizeBytes = 16;
const int MacSizeBits = MacSizeBytes * 8;
// How much metadata overhead we have for regular packets
public const int Overhead = sizeof(OpCodes) + MacSizeBytes + NonceSize;
// After how many seconds of not receiving a handshake packet we should time out
const double DurationTimeout = 2; // 2s
// After how many seconds to assume the last handshake packet got lost and to resend another one
const double DurationResend = 0.05; // 50ms
// Static fields for allocation efficiency, makes this not thread safe
// It'd be as easy as using ThreadLocal though to fix that
// Set up a global cipher instance, it is initialised/reset before use
// (AesFastEngine used to exist, but was removed due to side channel issues)
// use AesUtilities.CreateEngine here as it'll pick the hardware accelerated one if available (which is will not be unless on .net core)
static readonly ThreadLocal<GcmBlockCipher> Cipher = new ThreadLocal<GcmBlockCipher>(() => new GcmBlockCipher(AesUtilities.CreateEngine()));
// Set up a global HKDF with a SHA-256 digest
static readonly ThreadLocal<HkdfBytesGenerator> Hkdf = new ThreadLocal<HkdfBytesGenerator>(() => new HkdfBytesGenerator(new Sha256Digest()));
// Global byte array to store nonce sent by the remote side, they're used immediately after
static readonly ThreadLocal<byte[]> ReceiveNonce = new ThreadLocal<byte[]>(() => new byte[NonceSize]);
// Buffer for the remote salt, as bouncycastle needs to take a byte[] *rolls eyes*
static readonly ThreadLocal<byte[]> TMPRemoteSaltBuffer = new ThreadLocal<byte[]>(() => new byte[HkdfSaltSize]);
// buffer for encrypt/decrypt operations, resized larger as needed
static ThreadLocal<byte[]> TMPCryptBuffer = new ThreadLocal<byte[]>(() => new byte[2048]);
// packet headers
enum OpCodes : byte
{
// start at 1 to maybe filter out random noise
Data = 1,
HandshakeStart = 2,
HandshakeAck = 3,
HandshakeFin = 4
}
enum State
{
// Waiting for a handshake to arrive
// this is for _sendsFirst:
// - false: OpCodes.HandshakeStart
// - true: Opcodes.HandshakeAck
WaitingHandshake,
// Waiting for a handshake reply/acknowledgement to arrive
// this is for _sendsFirst:
// - false: OpCodes.HandshakeFine
// - true: Opcodes.Data (implicitly)
WaitingHandshakeReply,
// Both sides have confirmed the keys are exchanged and data can be sent freely
Ready
}
State state = State.WaitingHandshake;
// Key exchange confirmed and data can be sent freely
public bool IsReady => state == State.Ready;
// Callback to send off encrypted data
readonly Action<ArraySegment<byte>, int> send;
// Callback when received data has been decrypted
readonly Action<ArraySegment<byte>, int> receive;
// Callback when the connection becomes ready
readonly Action ready;
// On-error callback, disconnect expected
readonly Action<TransportError, string> error;
// Optional callback to validate the remotes public key, validation on one side is necessary to ensure MITM resistance
// (usually client validates the server key)
readonly Func<PubKeyInfo, bool> validateRemoteKey;
// Our asymmetric credentials for the initial DH exchange
EncryptionCredentials credentials;
readonly byte[] hkdfSalt;
NetworkReader _tmpReader = new NetworkReader(new ArraySegment<byte>());
// After no handshake packet in this many seconds, the handshake fails
double handshakeTimeout;
// When to assume the last handshake packet got lost and to resend another one
double nextHandshakeResend;
// we can reuse the _cipherParameters here since the nonce is stored as the byte[] reference we pass in
// so we can update it without creating a new AeadParameters instance
// this might break in the future! (will cause bad data)
byte[] nonce = new byte[NonceSize];
AeadParameters cipherParametersEncrypt;
AeadParameters cipherParametersDecrypt;
/*
* Specifies if we send the first key, then receive ack, then send fin
* Or the opposite if set to false
*
* The client does this, since the fin is not acked explicitly, but by receiving data to decrypt
*/
readonly bool sendsFirst;
public EncryptedConnection(EncryptionCredentials credentials,
bool isClient,
Action<ArraySegment<byte>, int> sendAction,
Action<ArraySegment<byte>, int> receiveAction,
Action readyAction,
Action<TransportError, string> errorAction,
Func<PubKeyInfo, bool> validateRemoteKey = null)
{
this.credentials = credentials;
sendsFirst = isClient;
if (!sendsFirst)
// salt is controlled by the server
hkdfSalt = GenerateSecureBytes(HkdfSaltSize);
send = sendAction;
receive = receiveAction;
ready = readyAction;
error = errorAction;
this.validateRemoteKey = validateRemoteKey;
}
// Generates a random starting nonce
static byte[] GenerateSecureBytes(int size)
{
byte[] bytes = new byte[size];
using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
rng.GetBytes(bytes);
return bytes;
}
public void OnReceiveRaw(ArraySegment<byte> data, int channel)
{
if (data.Count < 1)
{
error(TransportError.Unexpected, "Received empty packet");
return;
}
_tmpReader.SetBuffer(data);
OpCodes opcode = (OpCodes)_tmpReader.ReadByte();
switch (opcode)
{
case OpCodes.Data:
// first sender ready is implicit when data is received
if (sendsFirst && state == State.WaitingHandshakeReply)
SetReady();
else if (!IsReady)
error(TransportError.Unexpected, "Unexpected data while not ready.");
if (_tmpReader.Remaining < Overhead)
{
error(TransportError.Unexpected, "received data packet smaller than metadata size");
return;
}
ArraySegment<byte> ciphertext = _tmpReader.ReadBytesSegment(_tmpReader.Remaining - NonceSize);
_tmpReader.ReadBytes(ReceiveNonce.Value, NonceSize);
Profiler.BeginSample("EncryptedConnection.Decrypt");
ArraySegment<byte> plaintext = Decrypt(ciphertext);
Profiler.EndSample();
if (plaintext.Count == 0)
// error
return;
receive(plaintext, channel);
break;
case OpCodes.HandshakeStart:
if (sendsFirst)
{
error(TransportError.Unexpected, "Received HandshakeStart packet, we don't expect this.");
return;
}
if (state == State.WaitingHandshakeReply)
// this is fine, packets may arrive out of order
return;
state = State.WaitingHandshakeReply;
ResetTimeouts();
CompleteExchange(_tmpReader.ReadBytesSegment(_tmpReader.Remaining), hkdfSalt);
SendHandshakeAndPubKey(OpCodes.HandshakeAck);
break;
case OpCodes.HandshakeAck:
if (!sendsFirst)
{
error(TransportError.Unexpected, "Received HandshakeAck packet, we don't expect this.");
return;
}
if (IsReady)
// this is fine, packets may arrive out of order
return;
if (state == State.WaitingHandshakeReply)
// this is fine, packets may arrive out of order
return;
state = State.WaitingHandshakeReply;
ResetTimeouts();
_tmpReader.ReadBytes(TMPRemoteSaltBuffer.Value, HkdfSaltSize);
CompleteExchange(_tmpReader.ReadBytesSegment(_tmpReader.Remaining), TMPRemoteSaltBuffer.Value);
SendHandshakeFin();
break;
case OpCodes.HandshakeFin:
if (sendsFirst)
{
error(TransportError.Unexpected, "Received HandshakeFin packet, we don't expect this.");
return;
}
if (IsReady)
// this is fine, packets may arrive out of order
return;
if (state != State.WaitingHandshakeReply)
{
error(TransportError.Unexpected,
"Received HandshakeFin packet, we didn't expect this yet.");
return;
}
SetReady();
break;
default:
error(TransportError.InvalidReceive, $"Unhandled opcode {(byte)opcode:x}");
break;
}
}
void SetReady()
{
// done with credentials, null out the reference
credentials = null;
state = State.Ready;
ready();
}
void ResetTimeouts()
{
handshakeTimeout = 0;
nextHandshakeResend = -1;
}
public void Send(ArraySegment<byte> data, int channel)
{
using (ConcurrentNetworkWriterPooled writer = ConcurrentNetworkWriterPool.Get())
{
writer.WriteByte((byte)OpCodes.Data);
Profiler.BeginSample("EncryptedConnection.Encrypt");
ArraySegment<byte> encrypted = Encrypt(data);
Profiler.EndSample();
if (encrypted.Count == 0)
// error
return;
writer.WriteBytes(encrypted.Array, 0, encrypted.Count);
// write nonce after since Encrypt will update it
writer.WriteBytes(nonce, 0, NonceSize);
send(writer.ToArraySegment(), channel);
}
}
ArraySegment<byte> Encrypt(ArraySegment<byte> plaintext)
{
if (plaintext.Count == 0)
// Invalid
return new ArraySegment<byte>();
// Need to make the nonce unique again before encrypting another message
UpdateNonce();
// Re-initialize the cipher with our cached parameters
Cipher.Value.Init(true, cipherParametersEncrypt);
// Calculate the expected output size, this should always be input size + mac size
int outSize = Cipher.Value.GetOutputSize(plaintext.Count);
#if UNITY_EDITOR
// expecting the outSize to be input size + MacSize
if (outSize != plaintext.Count + MacSizeBytes)
throw new Exception($"Encrypt: Unexpected output size (Expected {plaintext.Count + MacSizeBytes}, got {outSize}");
#endif
// Resize the static buffer to fit
byte[] cryptBuffer = TMPCryptBuffer.Value;
EnsureSize(ref cryptBuffer, outSize);
TMPCryptBuffer.Value = cryptBuffer;
int resultLen;
try
{
// Run the plain text through the cipher, ProcessBytes will only process full blocks
resultLen =
Cipher.Value.ProcessBytes(plaintext.Array, plaintext.Offset, plaintext.Count, cryptBuffer, 0);
// Then run any potentially remaining partial blocks through with DoFinal (and calculate the mac)
resultLen += Cipher.Value.DoFinal(cryptBuffer, resultLen);
}
// catch all Exception's since BouncyCastle is fairly noisy with both standard and their own exception types
//
catch (Exception e)
{
error(TransportError.Unexpected, $"Unexpected exception while encrypting {e.GetType()}: {e.Message}");
return new ArraySegment<byte>();
}
#if UNITY_EDITOR
// expecting the result length to match the previously calculated input size + MacSize
if (resultLen != outSize)
throw new Exception($"Encrypt: resultLen did not match outSize (expected {outSize}, got {resultLen})");
#endif
return new ArraySegment<byte>(cryptBuffer, 0, resultLen);
}
ArraySegment<byte> Decrypt(ArraySegment<byte> ciphertext)
{
if (ciphertext.Count <= MacSizeBytes)
{
error(TransportError.Unexpected, $"Received too short data packet (min {{MacSizeBytes + 1}}, got {ciphertext.Count})");
// Invalid
return new ArraySegment<byte>();
}
// Re-initialize the cipher with our cached parameters
Cipher.Value.Init(false, cipherParametersDecrypt);
// Calculate the expected output size, this should always be input size - mac size
int outSize = Cipher.Value.GetOutputSize(ciphertext.Count);
#if UNITY_EDITOR
// expecting the outSize to be input size - MacSize
if (outSize != ciphertext.Count - MacSizeBytes)
throw new Exception($"Decrypt: Unexpected output size (Expected {ciphertext.Count - MacSizeBytes}, got {outSize}");
#endif
byte[] cryptBuffer = TMPCryptBuffer.Value;
EnsureSize(ref cryptBuffer, outSize);
TMPCryptBuffer.Value = cryptBuffer;
int resultLen;
try
{
// Run the ciphertext through the cipher, ProcessBytes will only process full blocks
resultLen =
Cipher.Value.ProcessBytes(ciphertext.Array, ciphertext.Offset, ciphertext.Count, cryptBuffer, 0);
// Then run any potentially remaining partial blocks through with DoFinal (and calculate/check the mac)
resultLen += Cipher.Value.DoFinal(cryptBuffer, resultLen);
}
// catch all Exception's since BouncyCastle is fairly noisy with both standard and their own exception types
catch (Exception e)
{
error(TransportError.Unexpected, $"Unexpected exception while decrypting {e.GetType()}: {e.Message}. This usually signifies corrupt data");
return new ArraySegment<byte>();
}
#if UNITY_EDITOR
// expecting the result length to match the previously calculated input size + MacSize
if (resultLen != outSize)
throw new Exception($"Decrypt: resultLen did not match outSize (expected {outSize}, got {resultLen})");
#endif
return new ArraySegment<byte>(cryptBuffer, 0, resultLen);
}
void UpdateNonce()
{
// increment the nonce by one
// we need to ensure the nonce is *always* unique and not reused
// easiest way to do this is by simply incrementing it
for (int i = 0; i < NonceSize; i++)
{
nonce[i]++;
if (nonce[i] != 0)
break;
}
}
static void EnsureSize(ref byte[] buffer, int size)
{
if (buffer.Length < size)
// double buffer to avoid constantly resizing by a few bytes
Array.Resize(ref buffer, Math.Max(size, buffer.Length * 2));
}
void SendHandshakeAndPubKey(OpCodes opcode)
{
using (ConcurrentNetworkWriterPooled writer = ConcurrentNetworkWriterPool.Get())
{
writer.WriteByte((byte)opcode);
if (opcode == OpCodes.HandshakeAck)
writer.WriteBytes(hkdfSalt, 0, HkdfSaltSize);
writer.WriteBytes(credentials.PublicKeySerialized, 0, credentials.PublicKeySerialized.Length);
send(writer.ToArraySegment(), Channels.Unreliable);
}
}
void SendHandshakeFin()
{
using (ConcurrentNetworkWriterPooled writer = ConcurrentNetworkWriterPool.Get())
{
writer.WriteByte((byte)OpCodes.HandshakeFin);
send(writer.ToArraySegment(), Channels.Unreliable);
}
}
void CompleteExchange(ArraySegment<byte> remotePubKeyRaw, byte[] salt)
{
AsymmetricKeyParameter remotePubKey;
try
{
remotePubKey = EncryptionCredentials.DeserializePublicKey(remotePubKeyRaw);
}
catch (Exception e)
{
error(TransportError.Unexpected, $"Failed to deserialize public key of remote. {e.GetType()}: {e.Message}");
return;
}
if (validateRemoteKey != null)
{
PubKeyInfo info = new PubKeyInfo
{
Fingerprint = EncryptionCredentials.PubKeyFingerprint(remotePubKeyRaw),
Serialized = remotePubKeyRaw,
Key = remotePubKey
};
if (!validateRemoteKey(info))
{
error(TransportError.Unexpected, $"Remote public key (fingerprint: {info.Fingerprint}) failed validation. ");
return;
}
}
// Calculate a common symmetric key from our private key and the remotes public key
// This gives us the same key on the other side, with our public key and their remote
// It's like magic, but with math!
ECDHBasicAgreement ecdh = new ECDHBasicAgreement();
ecdh.Init(credentials.PrivateKey);
byte[] sharedSecret;
try
{
sharedSecret = ecdh.CalculateAgreement(remotePubKey).ToByteArrayUnsigned();
}
catch
(Exception e)
{
error(TransportError.Unexpected, $"Failed to calculate the ECDH key exchange. {e.GetType()}: {e.Message}");
return;
}
if (salt.Length != HkdfSaltSize)
{
error(TransportError.Unexpected, $"Salt is expected to be {HkdfSaltSize} bytes long, got {salt.Length}.");
return;
}
Hkdf.Value.Init(new HkdfParameters(sharedSecret, salt, HkdfInfo));
// Allocate a buffer for the output key
byte[] keyRaw = new byte[KeyLength];
// Generate the output keying material
Hkdf.Value.GenerateBytes(keyRaw, 0, keyRaw.Length);
KeyParameter key = new KeyParameter(keyRaw);
// generate a starting nonce
nonce = GenerateSecureBytes(NonceSize);
// we pass in the nonce array once (as it's stored by reference) so we can cache the AeadParameters instance
// instead of creating a new one each encrypt/decrypt
cipherParametersEncrypt = new AeadParameters(key, MacSizeBits, nonce);
cipherParametersDecrypt = new AeadParameters(key, MacSizeBits, ReceiveNonce.Value);
}
/**
* non-ready connections need to be ticked for resending key data over unreliable
*/
public void TickNonReady(double time)
{
if (IsReady)
return;
// Timeout reset
if (handshakeTimeout == 0)
handshakeTimeout = time + DurationTimeout;
else if (time > handshakeTimeout)
{
error?.Invoke(TransportError.Timeout, $"Timed out during {state}, this probably just means the other side went away which is fine.");
return;
}
// Timeout reset
if (nextHandshakeResend < 0)
{
nextHandshakeResend = time + DurationResend;
return;
}
if (time < nextHandshakeResend)
// Resend isn't due yet
return;
nextHandshakeResend = time + DurationResend;
switch (state)
{
case State.WaitingHandshake:
if (sendsFirst)
SendHandshakeAndPubKey(OpCodes.HandshakeStart);
break;
case State.WaitingHandshakeReply:
if (sendsFirst)
SendHandshakeFin();
else
SendHandshakeAndPubKey(OpCodes.HandshakeAck);
break;
case State.Ready: // IsReady is checked above & early-returned
default:
throw new ArgumentOutOfRangeException();
}
}
}
}

10
Assets/Mirror/Transports/Encryption/EncryptedConnection.cs.meta Normal file
View File

@ -0,0 +1,10 @@
fileFormatVersion: 2
guid: 28f3ac4ff1d346a895d0b4ff714fb57b
timeCreated: 1708111337
AssetOrigin:
serializedVersion: 1
productId: 129321
packageName: Mirror
packageVersion: 96.0.1
assetPath: Assets/Mirror/Transports/Encryption/EncryptedConnection.cs
uploadId: 736421

119
Assets/Mirror/Transports/Encryption/EncryptionCredentials.cs Normal file
View File

@ -0,0 +1,119 @@
using System;
using System.IO;
using Mirror.BouncyCastle.Asn1.Pkcs;
using Mirror.BouncyCastle.Asn1.X509;
using Mirror.BouncyCastle.Crypto;
using Mirror.BouncyCastle.Crypto.Digests;
using Mirror.BouncyCastle.Crypto.Generators;
using Mirror.BouncyCastle.X509;
using Mirror.BouncyCastle.Crypto.Parameters;
using Mirror.BouncyCastle.Pkcs;
using Mirror.BouncyCastle.Security;
using UnityEngine;
namespace Mirror.Transports.Encryption
{
public class EncryptionCredentials
{
const int PrivateKeyBits = 256;
// don't actually need to store this currently
// but we'll need to for loading/saving from file maybe?
// public ECPublicKeyParameters PublicKey;
// The serialized public key, in DER format
public byte[] PublicKeySerialized;
public ECPrivateKeyParameters PrivateKey;
public string PublicKeyFingerprint;
EncryptionCredentials() {}
// TODO: load from file
public static EncryptionCredentials Generate()
{
var generator = new ECKeyPairGenerator();
generator.Init(new KeyGenerationParameters(new SecureRandom(), PrivateKeyBits));
AsymmetricCipherKeyPair keyPair = generator.GenerateKeyPair();
var serialized = SerializePublicKey((ECPublicKeyParameters)keyPair.Public);
return new EncryptionCredentials
{
// see fields above
// PublicKey = (ECPublicKeyParameters)keyPair.Public,
PublicKeySerialized = serialized,
PublicKeyFingerprint = PubKeyFingerprint(new ArraySegment<byte>(serialized)),
PrivateKey = (ECPrivateKeyParameters)keyPair.Private
};
}
public static byte[] SerializePublicKey(AsymmetricKeyParameter publicKey)
{
// apparently the best way to transmit this public key over the network is to serialize it as a DER
SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey);
return publicKeyInfo.ToAsn1Object().GetDerEncoded();
}
public static AsymmetricKeyParameter DeserializePublicKey(ArraySegment<byte> pubKey) =>
// And then we do this to deserialize from the DER (from above)
// the "new MemoryStream" actually saves an allocation, since otherwise the ArraySegment would be converted
// to a byte[] first and then shoved through a MemoryStream
PublicKeyFactory.CreateKey(new MemoryStream(pubKey.Array, pubKey.Offset, pubKey.Count, false));
public static byte[] SerializePrivateKey(AsymmetricKeyParameter privateKey)
{
// Serialize privateKey as a DER
PrivateKeyInfo privateKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey);
return privateKeyInfo.ToAsn1Object().GetDerEncoded();
}
public static AsymmetricKeyParameter DeserializePrivateKey(ArraySegment<byte> privateKey) =>
// And then we do this to deserialize from the DER (from above)
// the "new MemoryStream" actually saves an allocation, since otherwise the ArraySegment would be converted
// to a byte[] first and then shoved through a MemoryStream
PrivateKeyFactory.CreateKey(new MemoryStream(privateKey.Array, privateKey.Offset, privateKey.Count, false));
public static string PubKeyFingerprint(ArraySegment<byte> publicKeyBytes)
{
Sha256Digest digest = new Sha256Digest();
byte[] hash = new byte[digest.GetDigestSize()];
digest.BlockUpdate(publicKeyBytes.Array, publicKeyBytes.Offset, publicKeyBytes.Count);
digest.DoFinal(hash, 0);
return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
}
public void SaveToFile(string path)
{
string json = JsonUtility.ToJson(new SerializedPair
{
PublicKeyFingerprint = PublicKeyFingerprint,
PublicKey = Convert.ToBase64String(PublicKeySerialized),
PrivateKey= Convert.ToBase64String(SerializePrivateKey(PrivateKey))
});
File.WriteAllText(path, json);
}
public static EncryptionCredentials LoadFromFile(string path)
{
string json = File.ReadAllText(path);
SerializedPair serializedPair = JsonUtility.FromJson<SerializedPair>(json);
byte[] publicKeyBytes = Convert.FromBase64String(serializedPair.PublicKey);
byte[] privateKeyBytes = Convert.FromBase64String(serializedPair.PrivateKey);
if (serializedPair.PublicKeyFingerprint != PubKeyFingerprint(new ArraySegment<byte>(publicKeyBytes)))
throw new Exception("Saved public key fingerprint does not match public key.");
return new EncryptionCredentials
{
PublicKeySerialized = publicKeyBytes,
PublicKeyFingerprint = serializedPair.PublicKeyFingerprint,
PrivateKey = (ECPrivateKeyParameters) DeserializePrivateKey(new ArraySegment<byte>(privateKeyBytes))
};
}
class SerializedPair
{
public string PublicKeyFingerprint;
public string PublicKey;
public string PrivateKey;
}
}
}

10
Assets/Mirror/Transports/Encryption/EncryptionCredentials.cs.meta Normal file
View File

@ -0,0 +1,10 @@
fileFormatVersion: 2
guid: af6ae5f74f9548588cba5731643fabaf
timeCreated: 1708139579
AssetOrigin:
serializedVersion: 1
productId: 129321
packageName: Mirror
packageVersion: 96.0.1
assetPath: Assets/Mirror/Transports/Encryption/EncryptionCredentials.cs
uploadId: 736421

289
Assets/Mirror/Transports/Encryption/EncryptionTransport.cs Normal file
View File

@ -0,0 +1,289 @@
using System;
using System.Collections.Generic;
using Mirror.BouncyCastle.Crypto;
using UnityEngine;
using UnityEngine.Profiling;
using UnityEngine.Serialization;
namespace Mirror.Transports.Encryption
{
[HelpURL("https://mirror-networking.gitbook.io/docs/manual/transports/encryption-transport")]
public class EncryptionTransport : Transport, PortTransport
{
public override bool IsEncrypted => true;
public override string EncryptionCipher => "AES256-GCM";
[FormerlySerializedAs("inner")]
[HideInInspector]
public Transport Inner;
public ushort Port
{
get
{
if (Inner is PortTransport portTransport)
return portTransport.Port;
Debug.LogError($"EncryptionTransport can't get Port because {Inner} is not a PortTransport");
return 0;
}
set
{
if (Inner is PortTransport portTransport)
{
portTransport.Port = value;
return;
}
Debug.LogError($"EncryptionTransport can't set Port because {Inner} is not a PortTransport");
}
}
public enum ValidationMode
{
Off,
List,
Callback
}
[FormerlySerializedAs("clientValidateServerPubKey")]
[HideInInspector]
public ValidationMode ClientValidateServerPubKey;
[FormerlySerializedAs("clientTrustedPubKeySignatures")]
[HideInInspector]
[Tooltip("List of public key fingerprints the client will accept")]
public string[] ClientTrustedPubKeySignatures;
public Func<PubKeyInfo, bool> OnClientValidateServerPubKey;
[FormerlySerializedAs("serverLoadKeyPairFromFile")]
[HideInInspector]
public bool ServerLoadKeyPairFromFile;
[FormerlySerializedAs("serverKeypairPath")]
[HideInInspector]
public string ServerKeypairPath = "./server-keys.json";
EncryptedConnection client;
readonly Dictionary<int, EncryptedConnection> serverConnections = new Dictionary<int, EncryptedConnection>();
readonly List<EncryptedConnection> serverPendingConnections =
new List<EncryptedConnection>();
EncryptionCredentials credentials;
public string EncryptionPublicKeyFingerprint => credentials?.PublicKeyFingerprint;
public byte[] EncryptionPublicKey => credentials?.PublicKeySerialized;
void ServerRemoveFromPending(EncryptedConnection con)
{
for (int i = 0; i < serverPendingConnections.Count; i++)
if (serverPendingConnections[i] == con)
{
// remove by swapping with last
int lastIndex = serverPendingConnections.Count - 1;
serverPendingConnections[i] = serverPendingConnections[lastIndex];
serverPendingConnections.RemoveAt(lastIndex);
break;
}
}
void HandleInnerServerDisconnected(int connId)
{
if (serverConnections.TryGetValue(connId, out EncryptedConnection con))
{
ServerRemoveFromPending(con);
serverConnections.Remove(connId);
}
OnServerDisconnected?.Invoke(connId);
}
void HandleInnerServerError(int connId, TransportError type, string msg) => OnServerError?.Invoke(connId, type, $"inner: {msg}");
void HandleInnerServerDataReceived(int connId, ArraySegment<byte> data, int channel)
{
if (serverConnections.TryGetValue(connId, out EncryptedConnection c))
c.OnReceiveRaw(data, channel);
}
void HandleInnerServerConnected(int connId) => HandleInnerServerConnected(connId, Inner.ServerGetClientAddress(connId));
void HandleInnerServerConnected(int connId, string clientRemoteAddress)
{
Debug.Log($"[EncryptionTransport] New connection #{connId} from {clientRemoteAddress}");
EncryptedConnection ec = null;
ec = new EncryptedConnection(
credentials,
false,
(segment, channel) => Inner.ServerSend(connId, segment, channel),
(segment, channel) => OnServerDataReceived?.Invoke(connId, segment, channel),
() =>
{
Debug.Log($"[EncryptionTransport] Connection #{connId} is ready");
// ReSharper disable once AccessToModifiedClosure
ServerRemoveFromPending(ec);
OnServerConnectedWithAddress?.Invoke(connId, clientRemoteAddress);
},
(type, msg) =>
{
OnServerError?.Invoke(connId, type, msg);
ServerDisconnect(connId);
});
serverConnections.Add(connId, ec);
serverPendingConnections.Add(ec);
}
void HandleInnerClientDisconnected()
{
client = null;
OnClientDisconnected?.Invoke();
}
void HandleInnerClientError(TransportError arg1, string arg2) => OnClientError?.Invoke(arg1, $"inner: {arg2}");
void HandleInnerClientDataReceived(ArraySegment<byte> data, int channel) => client?.OnReceiveRaw(data, channel);
void HandleInnerClientConnected() =>
client = new EncryptedConnection(
credentials,
true,
(segment, channel) => Inner.ClientSend(segment, channel),
(segment, channel) => OnClientDataReceived?.Invoke(segment, channel),
() =>
{
OnClientConnected?.Invoke();
},
(type, msg) =>
{
OnClientError?.Invoke(type, msg);
ClientDisconnect();
},
HandleClientValidateServerPubKey);
bool HandleClientValidateServerPubKey(PubKeyInfo pubKeyInfo)
{
switch (ClientValidateServerPubKey)
{
case ValidationMode.Off:
return true;
case ValidationMode.List:
return Array.IndexOf(ClientTrustedPubKeySignatures, pubKeyInfo.Fingerprint) >= 0;
case ValidationMode.Callback:
return OnClientValidateServerPubKey(pubKeyInfo);
default:
throw new ArgumentOutOfRangeException();
}
}
void Awake() =>
// check if encryption via hardware acceleration is supported.
// this can be useful to know for low end devices.
//
// hardware acceleration requires netcoreapp3.0 or later:
// https://github.com/bcgit/bc-csharp/blob/449940429c57686a6fcf6bfbb4d368dec19d906e/crypto/src/crypto/AesUtilities.cs#L18
// because AesEngine_x86 requires System.Runtime.Intrinsics.X86:
// https://github.com/bcgit/bc-csharp/blob/449940429c57686a6fcf6bfbb4d368dec19d906e/crypto/src/crypto/engines/AesEngine_X86.cs
// which Unity does not support yet.
Debug.Log($"EncryptionTransport: IsHardwareAccelerated={AesUtilities.IsHardwareAccelerated}");
public override bool Available() => Inner.Available();
public override bool ClientConnected() => client != null && client.IsReady;
public override void ClientConnect(string address)
{
switch (ClientValidateServerPubKey)
{
case ValidationMode.Off:
break;
case ValidationMode.List:
if (ClientTrustedPubKeySignatures == null || ClientTrustedPubKeySignatures.Length == 0)
{
OnClientError?.Invoke(TransportError.Unexpected, "Validate Server Public Key is set to List, but the clientTrustedPubKeySignatures list is empty.");
return;
}
break;
case ValidationMode.Callback:
if (OnClientValidateServerPubKey == null)
{
OnClientError?.Invoke(TransportError.Unexpected, "Validate Server Public Key is set to Callback, but the onClientValidateServerPubKey handler is not set");
return;
}
break;
default:
throw new ArgumentOutOfRangeException();
}
credentials = EncryptionCredentials.Generate();
Inner.OnClientConnected = HandleInnerClientConnected;
Inner.OnClientDataReceived = HandleInnerClientDataReceived;
Inner.OnClientDataSent = (bytes, channel) => OnClientDataSent?.Invoke(bytes, channel);
Inner.OnClientError = HandleInnerClientError;
Inner.OnClientDisconnected = HandleInnerClientDisconnected;
Inner.ClientConnect(address);
}
public override void ClientSend(ArraySegment<byte> segment, int channelId = Channels.Reliable) =>
client?.Send(segment, channelId);
public override void ClientDisconnect() => Inner.ClientDisconnect();
public override Uri ServerUri() => Inner.ServerUri();
public override bool ServerActive() => Inner.ServerActive();
public override void ServerStart()
{
if (ServerLoadKeyPairFromFile)
credentials = EncryptionCredentials.LoadFromFile(ServerKeypairPath);
else
credentials = EncryptionCredentials.Generate();
#pragma warning disable CS0618 // Type or member is obsolete
Inner.OnServerConnected = HandleInnerServerConnected;
#pragma warning restore CS0618 // Type or member is obsolete
Inner.OnServerConnectedWithAddress = HandleInnerServerConnected;
Inner.OnServerDataReceived = HandleInnerServerDataReceived;
Inner.OnServerDataSent = (connId, bytes, channel) => OnServerDataSent?.Invoke(connId, bytes, channel);
Inner.OnServerError = HandleInnerServerError;
Inner.OnServerDisconnected = HandleInnerServerDisconnected;
Inner.ServerStart();
}
public override void ServerSend(int connectionId, ArraySegment<byte> segment, int channelId = Channels.Reliable)
{
if (serverConnections.TryGetValue(connectionId, out EncryptedConnection connection) && connection.IsReady)
connection.Send(segment, channelId);
}
public override void ServerDisconnect(int connectionId) =>
// cleanup is done via inners disconnect event
Inner.ServerDisconnect(connectionId);
public override string ServerGetClientAddress(int connectionId) => Inner.ServerGetClientAddress(connectionId);
public override void ServerStop() => Inner.ServerStop();
public override int GetMaxPacketSize(int channelId = Channels.Reliable) =>
Inner.GetMaxPacketSize(channelId) - EncryptedConnection.Overhead;
public override int GetBatchThreshold(int channelId = Channels.Reliable) => Inner.GetBatchThreshold(channelId) - EncryptedConnection.Overhead;
public override void Shutdown() => Inner.Shutdown();
public override void ClientEarlyUpdate() => Inner.ClientEarlyUpdate();
public override void ClientLateUpdate()
{
Inner.ClientLateUpdate();
Profiler.BeginSample("EncryptionTransport.ServerLateUpdate");
client?.TickNonReady(NetworkTime.localTime);
Profiler.EndSample();
}
public override void ServerEarlyUpdate() => Inner.ServerEarlyUpdate();
public override void ServerLateUpdate()
{
Inner.ServerLateUpdate();
Profiler.BeginSample("EncryptionTransport.ServerLateUpdate");
// Reverse iteration as entries can be removed while updating
for (int i = serverPendingConnections.Count - 1; i >= 0; i--)
serverPendingConnections[i].TickNonReady(NetworkTime.time);
Profiler.EndSample();
}
}
}

18
Assets/Mirror/Transports/Encryption/EncryptionTransport.cs.meta Normal file
View File

@ -0,0 +1,18 @@
fileFormatVersion: 2
guid: 0aa135acc32a4383ae9a5817f018cb06
MonoImporter:
externalObjects: {}
serializedVersion: 2
defaultReferences: []
executionOrder: 0
icon: {fileID: 2800000, guid: 7453abfe9e8b2c04a8a47eb536fe21eb, type: 3}
userData:
assetBundleName:
assetBundleVariant:
AssetOrigin:
serializedVersion: 1
productId: 129321
packageName: Mirror
packageVersion: 96.0.1
assetPath: Assets/Mirror/Transports/Encryption/EncryptionTransport.cs
uploadId: 736421

8
Assets/Mirror/Transports/Encryption/Plugins.meta Normal file
View File

@ -0,0 +1,8 @@
fileFormatVersion: 2
guid: 4048f5ff245dfa34abec0a401364e7c0
folderAsset: yes
DefaultImporter:
externalObjects: {}
userData:
assetBundleName:
assetBundleVariant:

8
Assets/Mirror/Transports/Encryption/Plugins/BouncyCastle.meta Normal file
View File

@ -0,0 +1,8 @@
fileFormatVersion: 2
guid: 31ff83bf6d2e72542adcbe2c21383f4a
folderAsset: yes
DefaultImporter:
externalObjects: {}
userData:
assetBundleName:
assetBundleVariant:

15
Assets/Mirror/Transports/Encryption/Plugins/BouncyCastle/LICENSE.md Normal file
View File

@ -0,0 +1,15 @@
Version with renamed namespaces to avoid conflicts lives here: https://github.com/MirrorNetworking/bc-csharp
Copyright (c) 2000-2024 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org).
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
associated documentation files (the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge, publish, distribute,
sub license, and/or sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions: The above copyright notice and this
permission notice shall be included in all copies or substantial portions of the Software.
**THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT
OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.**

14
Assets/Mirror/Transports/Encryption/Plugins/BouncyCastle/LICENSE.md.meta Normal file
View File

@ -0,0 +1,14 @@
fileFormatVersion: 2
guid: 2b45a99b5583cda419e1f1ec943fec4b
TextScriptImporter:
externalObjects: {}
userData:
assetBundleName:
assetBundleVariant:
AssetOrigin:
serializedVersion: 1
productId: 129321
packageName: Mirror
packageVersion: 96.0.1
assetPath: Assets/Mirror/Transports/Encryption/Plugins/BouncyCastle/LICENSE.md
uploadId: 736421

BIN
Assets/Mirror/Transports/Encryption/Plugins/BouncyCastle/Mirror.BouncyCastle.Cryptography.dll Normal file
View File

Binary file not shown.

40
Assets/Mirror/Transports/Encryption/Plugins/BouncyCastle/Mirror.BouncyCastle.Cryptography.dll.meta Normal file
View File

@ -0,0 +1,40 @@
fileFormatVersion: 2
guid: 03a89f29994a3b44cb3015b3c5ece010
PluginImporter:
externalObjects: {}
serializedVersion: 2
iconMap: {}
executionOrder: {}
defineConstraints: []
isPreloaded: 0
isOverridable: 0
isExplicitlyReferenced: 0
validateReferences: 1
platformData:
- first:
Any:
second:
enabled: 1
settings: {}
- first:
Editor: Editor
second:
enabled: 0
settings:
DefaultValueInitialized: true
- first:
Windows Store Apps: WindowsStoreApps
second:
enabled: 0
settings:
CPU: AnyCPU
userData:
assetBundleName:
assetBundleVariant:
AssetOrigin:
serializedVersion: 1
productId: 129321
packageName: Mirror
packageVersion: 96.0.1
assetPath: Assets/Mirror/Transports/Encryption/Plugins/BouncyCastle/Mirror.BouncyCastle.Cryptography.dll
uploadId: 736421

12
Assets/Mirror/Transports/Encryption/PubKeyInfo.cs Normal file
View File

@ -0,0 +1,12 @@
using System;
using Mirror.BouncyCastle.Crypto;
namespace Mirror.Transports.Encryption
{
public struct PubKeyInfo
{
public string Fingerprint;
public ArraySegment<byte> Serialized;
public AsymmetricKeyParameter Key;
}
}

10
Assets/Mirror/Transports/Encryption/PubKeyInfo.cs.meta Normal file
View File

@ -0,0 +1,10 @@
fileFormatVersion: 2
guid: e1e3744418024c02acf39f44c1d1bd20
timeCreated: 1708874062
AssetOrigin:
serializedVersion: 1
productId: 129321
packageName: Mirror
packageVersion: 96.0.1
assetPath: Assets/Mirror/Transports/Encryption/PubKeyInfo.cs
uploadId: 736421

281
Assets/Mirror/Transports/Encryption/ThreadedEncryptionKcpTransport.cs Normal file
View File

@ -0,0 +1,281 @@
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using kcp2k;
using Mirror.BouncyCastle.Crypto;
using UnityEngine;
using UnityEngine.Profiling;
using UnityEngine.Serialization;
using Debug = UnityEngine.Debug;
namespace Mirror.Transports.Encryption
{
[HelpURL("https://mirror-networking.gitbook.io/docs/manual/transports/encryption-transport")]
public class ThreadedEncryptionKcpTransport : ThreadedKcpTransport
{
public override bool IsEncrypted => true;
public override string EncryptionCipher => "AES256-GCM";
public override string ToString() => $"Encrypted {base.ToString()}";
public enum ValidationMode
{
Off,
List,
Callback
}
[HideInInspector]
public ValidationMode ClientValidateServerPubKey;
[Tooltip("List of public key fingerprints the client will accept")]
[HideInInspector]
public string[] ClientTrustedPubKeySignatures;
/// <summary>
/// Called when a client connects to a server
/// ATTENTION: NOT THREAD SAFE.
/// This will be called on the worker thread.
/// </summary>
public Func<PubKeyInfo, bool> OnClientValidateServerPubKey;
[HideInInspector]
[FormerlySerializedAs("serverLoadKeyPairFromFile")]
public bool ServerLoadKeyPairFromFile;
[HideInInspector]
[FormerlySerializedAs("serverKeypairPath")]
public string ServerKeypairPath = "./server-keys.json";
EncryptedConnection encryptedClient;
readonly Dictionary<int, EncryptedConnection> serverConnections = new Dictionary<int, EncryptedConnection>();
readonly List<EncryptedConnection> serverPendingConnections =
new List<EncryptedConnection>();
EncryptionCredentials credentials;
public string EncryptionPublicKeyFingerprint => credentials?.PublicKeyFingerprint;
public byte[] EncryptionPublicKey => credentials?.PublicKeySerialized;
// Used for threaded time keeping as unitys Time.time is not thread safe
Stopwatch stopwatch = Stopwatch.StartNew();
void ServerRemoveFromPending(EncryptedConnection con)
{
for (int i = 0; i < serverPendingConnections.Count; i++)
if (serverPendingConnections[i] == con)
{
// remove by swapping with last
int lastIndex = serverPendingConnections.Count - 1;
serverPendingConnections[i] = serverPendingConnections[lastIndex];
serverPendingConnections.RemoveAt(lastIndex);
break;
}
}
void HandleInnerServerDisconnected(int connId)
{
if (serverConnections.TryGetValue(connId, out EncryptedConnection con))
{
ServerRemoveFromPending(con);
serverConnections.Remove(connId);
}
OnThreadedServerDisconnected(connId);
}
void HandleInnerServerDataReceived(int connId, ArraySegment<byte> data, int channel)
{
if (serverConnections.TryGetValue(connId, out EncryptedConnection c))
c.OnReceiveRaw(data, channel);
}
void HandleInnerServerConnected(int connId, IPEndPoint clientRemoteAddress)
{
Debug.Log($"[ThreadedEncryptionKcpTransport] New connection #{connId} from {clientRemoteAddress}");
EncryptedConnection ec = null;
ec = new EncryptedConnection(
credentials,
false,
(segment, channel) =>
{
server.Send(connId, segment, KcpTransport.ToKcpChannel(channel));
OnThreadedServerSend(connId, segment,channel);
},
(segment, channel) => OnThreadedServerReceive(connId, segment, channel),
() =>
{
Debug.Log($"[ThreadedEncryptionKcpTransport] Connection #{connId} is ready");
// ReSharper disable once AccessToModifiedClosure
ServerRemoveFromPending(ec);
OnThreadedServerConnected(connId, clientRemoteAddress);
},
(type, msg) =>
{
OnThreadedServerError(connId, type, msg);
ServerDisconnect(connId);
});
serverConnections.Add(connId, ec);
serverPendingConnections.Add(ec);
}
void HandleInnerClientDisconnected()
{
encryptedClient = null;
OnThreadedClientDisconnected();
}
void HandleInnerClientDataReceived(ArraySegment<byte> data, int channel) => encryptedClient?.OnReceiveRaw(data, channel);
void HandleInnerClientConnected() =>
encryptedClient = new EncryptedConnection(
credentials,
true,
(segment, channel) =>
{
client.Send(segment, KcpTransport.ToKcpChannel(channel));
OnThreadedClientSend(segment, channel);
},
(segment, channel) => OnThreadedClientReceive(segment, channel),
() =>
{
OnThreadedClientConnected();
},
(type, msg) =>
{
OnThreadedClientError(type, msg);
ClientDisconnect();
},
HandleClientValidateServerPubKey);
bool HandleClientValidateServerPubKey(PubKeyInfo pubKeyInfo)
{
switch (ClientValidateServerPubKey)
{
case ValidationMode.Off:
return true;
case ValidationMode.List:
return Array.IndexOf(ClientTrustedPubKeySignatures, pubKeyInfo.Fingerprint) >= 0;
case ValidationMode.Callback:
return OnClientValidateServerPubKey(pubKeyInfo);
default:
throw new ArgumentOutOfRangeException();
}
}
protected override void Awake()
{
base.Awake();
// client (NonAlloc version is not necessary anymore)
client = new KcpClient(
HandleInnerClientConnected,
(message, channel) => HandleInnerClientDataReceived(message, KcpTransport.FromKcpChannel(channel)),
HandleInnerClientDisconnected,
(error, reason) => OnThreadedClientError(KcpTransport.ToTransportError(error), reason),
config
);
// server
server = new KcpServer(
HandleInnerServerConnected,
(connectionId, message, channel) => HandleInnerServerDataReceived(connectionId, message, KcpTransport.FromKcpChannel(channel)),
HandleInnerServerDisconnected,
(connectionId, error, reason) => OnThreadedServerError(connectionId, KcpTransport.ToTransportError(error), reason),
config
);
// check if encryption via hardware acceleration is supported.
// this can be useful to know for low end devices.
//
// hardware acceleration requires netcoreapp3.0 or later:
// https://github.com/bcgit/bc-csharp/blob/449940429c57686a6fcf6bfbb4d368dec19d906e/crypto/src/crypto/AesUtilities.cs#L18
// because AesEngine_x86 requires System.Runtime.Intrinsics.X86:
// https://github.com/bcgit/bc-csharp/blob/449940429c57686a6fcf6bfbb4d368dec19d906e/crypto/src/crypto/engines/AesEngine_X86.cs
// which Unity does not support yet.
Debug.Log($"ThreadedEncryptionKcpTransport: IsHardwareAccelerated={AesUtilities.IsHardwareAccelerated}");
}
protected override void ThreadedClientConnect(string address)
{
if (!SetupEncryptionForClient())
return;
base.ThreadedClientConnect(address);
}
bool SetupEncryptionForClient()
{
switch (ClientValidateServerPubKey)
{
case ValidationMode.Off:
break;
case ValidationMode.List:
if (ClientTrustedPubKeySignatures == null || ClientTrustedPubKeySignatures.Length == 0)
{
OnThreadedClientError(TransportError.Unexpected, "Validate Server Public Key is set to List, but the clientTrustedPubKeySignatures list is empty.");
return false;
}
break;
case ValidationMode.Callback:
if (OnClientValidateServerPubKey == null)
{
OnThreadedClientError(TransportError.Unexpected, "Validate Server Public Key is set to Callback, but the onClientValidateServerPubKey handler is not set");
return false;
}
break;
default:
throw new ArgumentOutOfRangeException();
}
credentials = EncryptionCredentials.Generate();
return true;
}
protected override void ThreadedClientConnect(Uri address)
{
if (!SetupEncryptionForClient())
return;
base.ThreadedClientConnect(address);
}
protected override void ThreadedClientSend(ArraySegment<byte> segment, int channelId)
{
encryptedClient?.Send(segment, channelId);
}
protected override void ThreadedServerStart()
{
if (ServerLoadKeyPairFromFile)
credentials = EncryptionCredentials.LoadFromFile(ServerKeypairPath);
else
credentials = EncryptionCredentials.Generate();
base.ThreadedServerStart();
}
protected override void ThreadedServerSend(int connectionId, ArraySegment<byte> segment, int channelId)
{
if (serverConnections.TryGetValue(connectionId, out EncryptedConnection connection) && connection.IsReady)
connection.Send(segment, channelId);
}
public override int GetMaxPacketSize(int channelId = Channels.Reliable) => base.GetMaxPacketSize(channelId) - EncryptedConnection.Overhead;
public override int GetBatchThreshold(int channelId) => base.GetBatchThreshold(channelId) - EncryptedConnection.Overhead;
protected override void ThreadedClientLateUpdate()
{
base.ThreadedClientLateUpdate();
Profiler.BeginSample("ThreadedEncryptionKcpTransport.ServerLateUpdate");
encryptedClient?.TickNonReady(stopwatch.Elapsed.TotalSeconds);
Profiler.EndSample();
}
protected override void ThreadedServerLateUpdate()
{
base.ThreadedServerLateUpdate();
Profiler.BeginSample("ThreadedEncryptionKcpTransport.ServerLateUpdate");
// Reverse iteration as entries can be removed while updating
for (int i = serverPendingConnections.Count - 1; i >= 0; i--)
serverPendingConnections[i].TickNonReady(stopwatch.Elapsed.TotalSeconds);
Profiler.EndSample();
}
}
}

18
Assets/Mirror/Transports/Encryption/ThreadedEncryptionKcpTransport.cs.meta Normal file
View File

@ -0,0 +1,18 @@
fileFormatVersion: 2
guid: 5d3e310924fb49c195391b9699f20809
MonoImporter:
externalObjects: {}
serializedVersion: 2
defaultReferences: []
executionOrder: 0
icon: {fileID: 2800000, guid: 7453abfe9e8b2c04a8a47eb536fe21eb, type: 3}
userData:
assetBundleName:
assetBundleVariant:
AssetOrigin:
serializedVersion: 1
productId: 129321
packageName: Mirror
packageVersion: 96.0.1
assetPath: Assets/Mirror/Transports/Encryption/ThreadedEncryptionKcpTransport.cs
uploadId: 736421