Changeset 314 for binary-improvements

Timestamp:

Jan 18, 2018, 5:00:29 PM (7 years ago)

Author:

alloc

Message:

Web: Fixed Steam OpenID server's SSL certificate validation

Location:

binary-improvements/MapRendering

Files:

• ModInfo.xml (modified) (1 diff)
• Web/OpenID.cs (modified) (2 diffs)
• Web/Web.cs (modified) (1 diff)
• WebAndMapRendering.csproj (modified) (3 diffs)
• steam-intermediate.cer (added)
• steam-rootca.cer (added)

binary-improvements/MapRendering/ModInfo.xml

@@ -5 +5 @@
                 <Description value="Render the game map to image map tiles as it is uncovered" />
                 <Author value="Christian 'Alloc' Illy" />
-                <Version value="22" />
+                <Version value="23" />
                 <Website value="http://7dtd.illy.bz" />
         </ModInfo>

binary-improvements/MapRendering/Web/OpenID.cs

@@ -7 +7 @@
 using System.Text;
 using System.Text.RegularExpressions;
+using System.Security.Cryptography.X509Certificates;
+using System.Reflection;
 
 namespace AllocsFixes.NetConnections.Servers.Web
@@ -14 +16 @@
                 private static Regex steamIdUrlMatcher = new Regex (@"^http:\/\/steamcommunity\.com\/openid\/id\/([0-9]{17,18})");
 
+                private static readonly X509Certificate2 caCert = new X509Certificate2 (Path.GetDirectoryName (Assembly.GetExecutingAssembly ().Location) + "/steam-rootca.cer");
+                private static readonly X509Certificate2 caIntermediateCert = new X509Certificate2 (Path.GetDirectoryName (Assembly.GetExecutingAssembly ().Location) + "/steam-intermediate.cer");
+
+                private static readonly bool verboseSsl = false;
+
                 static OpenID () {
                         ServicePointManager.ServerCertificateValidationCallback = (srvPoint, certificate, chain, errors) => {
-                                if (errors == SslPolicyErrors.None)
+                                if (errors == SslPolicyErrors.None) {
+                                        if (verboseSsl) {
+                                                Log.Out ("Steam certificate: No error (1)");
+                                        }
                                         return true;
+                                }
 
-                                Log.Out ("Steam certificate error: {0}", errors);
+                                X509Chain privateChain = new X509Chain ();
+                                privateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
 
+                                privateChain.ChainPolicy.ExtraStore.Add (caCert);
+                                privateChain.ChainPolicy.ExtraStore.Add (caIntermediateCert);
+
+                                if (privateChain.Build (new X509Certificate2 (certificate))) {
+                                        // No errors, immediately return
+                                        privateChain.Reset ();
+                                        if (verboseSsl) {
+                                                Log.Out ("Steam certificate: No error (2)");
+                                        }
+                                        return true;
+                                }
+
+                                if (privateChain.ChainStatus.Length == 0) {
+                                        // No errors, immediately return
+                                        privateChain.Reset ();
+                                        if (verboseSsl) {
+                                                Log.Out ("Steam certificate: No error (3)");
+                                        }
+                                        return true;
+                                }
+
+                                // Iterate all chain elements
+                                foreach (X509ChainElement chainEl in privateChain.ChainElements) {
+                                        if (verboseSsl) {
+                                                Log.Out ("Validating cert: " + chainEl.Certificate.Subject);
+                                        }
+                                        // Iterate all status flags of the current cert
+                                        foreach (X509ChainStatus chainStatus in chainEl.ChainElementStatus) {
+                                                if (verboseSsl) {
+                                                        Log.Out ("   Status: " + chainStatus.Status);
+                                                }
+                                                if (chainStatus.Status == X509ChainStatusFlags.NoError) {
+                                                        // This status is not an error, skip
+                                                        continue;
+                                                }
+                                                if (chainStatus.Status == X509ChainStatusFlags.UntrustedRoot && chainEl.Certificate == caCert) {
+                                                        // This status is about the cert being an untrusted root certificate but the certificate is one of those we added, ignore
+                                                        continue;
+                                                }
+                                                // This status is an error, print information
+                                                Log.Warning ("Steam certificate error: " + chainEl.Certificate.Subject + " ### Error: " + chainStatus.Status);
+                                                privateChain.Reset ();
+                                                return false;
+                                        }
+                                }
+
+                                foreach (X509ChainStatus chainStatus in privateChain.ChainStatus) {
+                                        if (chainStatus.Status != X509ChainStatusFlags.NoError && chainStatus.Status != X509ChainStatusFlags.UntrustedRoot) {
+                                                Log.Warning ("Steam certificate error: " + chainStatus.Status);
+                                                privateChain.Reset ();
+                                                return false;
+                                        }
+                                }
+
+                                // We didn't find any errors, chain is valid
+                                privateChain.Reset ();
+                                if (verboseSsl) {
+                                        Log.Out ("Steam certificate: No error (4)");
+                                }
                                 return true;
                         };

binary-improvements/MapRendering/Web/Web.cs

@@ -237 +237 @@
 
                         if (_req.Url.AbsolutePath.StartsWith ("/session/verify")) {
-                                ulong id = OpenID.Validate (_req);
-                                if (id > 0) {
-                                        WebConnection con = connectionHandler.LogIn (id, _req.RemoteEndPoint.Address.ToString ());
-                                        _con = con;
-                                        int level = GameManager.Instance.adminTools.GetAdminToolsClientInfo (id.ToString ()).PermissionLevel;
-                                        Log.Out ("Steam OpenID login from {0} with ID {1}, permission level {2}", _req.RemoteEndPoint.ToString (), con.SteamID, level);
-                                        return level;
-                                } else {
-                                        Log.Out ("Steam OpenID login failed from {0}", _req.RemoteEndPoint.ToString ());
+                                try {
+                                        ulong id = OpenID.Validate (_req);
+                                        if (id > 0) {
+                                                WebConnection con = connectionHandler.LogIn (id, _req.RemoteEndPoint.Address.ToString ());
+                                                _con = con;
+                                                int level = GameManager.Instance.adminTools.GetAdminToolsClientInfo (id.ToString ()).PermissionLevel;
+                                                Log.Out ("Steam OpenID login from {0} with ID {1}, permission level {2}", _req.RemoteEndPoint.ToString (), con.SteamID, level);
+                                                return level;
+                                        } else {
+                                                Log.Out ("Steam OpenID login failed from {0}", _req.RemoteEndPoint.ToString ());
+                                        }
+                                } catch (Exception e) {
+                                        Log.Error ("Error validating login:");
+                                        Log.Exception (e);
                                 }
                         }

binary-improvements/MapRendering/WebAndMapRendering.csproj

@@ -22 +22 @@
   </PropertyGroup>
   <ItemGroup>
-    <Reference Include="System">
-      <HintPath>..\7dtd-binaries\System.dll</HintPath>
-      <Private>False</Private>
-    </Reference>
     <Reference Include="LogLibrary">
       <HintPath>..\7dtd-binaries\LogLibrary.dll</HintPath>
@@ -44 +40 @@
     <Reference Include="System.Xml">
       <HintPath>..\7dtd-binaries\System.Xml.dll</HintPath>
+      <Private>False</Private>
+    </Reference>
+    <Reference Include="System">
+      <HintPath>..\7dtd-binaries\System.dll</HintPath>
       <Private>False</Private>
     </Reference>
@@ -103 +103 @@
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Include="steam-intermediate.cer">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+    <None Include="steam-rootca.cer">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
   </ItemGroup>
 </Project>