feat: sending secure hash of connect key

Using SHA256 to send key so that it isnt send a plain text, allows key to be used for simple passwords
MirageNet · Oct 20, 2023 · f8901c2 · f8901c2
1 parent 02e52f0
commit f8901c2
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 6 deletions.
diff --git a/Assets/Mirage/Runtime/SocketLayer/ConnectKeyValidator.cs b/Assets/Mirage/Runtime/SocketLayer/ConnectKeyValidator.cs
@@ -1,3 +1,4 @@
+using System.Security.Cryptography;
 using System.Text;
 
 namespace Mirage.SocketLayer
@@ -27,14 +28,24 @@ private static byte[] GetKeyBytes(string key)
                 key = $"Mirage V{version}";
             }
 
-            return Encoding.ASCII.GetBytes(key);
+            var bytes = Encoding.ASCII.GetBytes(key);
+            using (var sha = SHA256.Create())
+            {
+                var hash = sha.ComputeHash(bytes);
+                return hash;
+            }
         }
         public ConnectKeyValidator(string key) : this(GetKeyBytes(key))
         {
         }
 
-        public bool Validate(byte[] buffer)
+        public bool Validate(byte[] buffer, int length)
         {
+            // buffer is pooled, so might contain old data,
+            // check the length so we only process that new data (if it is correct length)
+            if (length != OFFSET + KeyLength)
+                return false;
+
             for (var i = 0; i < KeyLength; i++)
             {
                 var keyByte = buffer[i + OFFSET];

diff --git a/Assets/Mirage/Runtime/SocketLayer/Peer.cs b/Assets/Mirage/Runtime/SocketLayer/Peer.cs
@@ -375,7 +375,7 @@ private void HandleNewConnection(IEndPoint endPoint, Packet packet)
             {
                 RejectConnectionWithReason(endPoint, RejectReason.ServerFull);
             }
-            else if (!_connectKeyValidator.Validate(packet.Buffer.array))
+            else if (!_connectKeyValidator.Validate(packet.Buffer.array, packet.Length))
             {
                 RejectConnectionWithReason(endPoint, RejectReason.KeyInvalid);
             }

diff --git a/Assets/Tests/SocketLayer/ConnectKeyValidatorTest.cs b/Assets/Tests/SocketLayer/ConnectKeyValidatorTest.cs
@@ -5,13 +5,23 @@ namespace Mirage.SocketLayer.Tests
     [Category("SocketLayer")]
     [TestFixture("hello")]
     [TestFixture("Mirage V123")]
+    [TestFixture("Super secure password that no one will be able to guess")]
     public class ConnectKeyValidatorTest
     {
-        private ConnectKeyValidator validator;
+        private readonly ConnectKeyValidator validator;
+        private readonly int length;
 
         public ConnectKeyValidatorTest(string key)
         {
             validator = new ConnectKeyValidator(key);
+            length = validator.KeyLength + 2;
+        }
+
+        [Test]
+        [Description("Using sha256 so all keys should be 256 bits long")]
+        public void LengthIs265()
+        {
+            Assert.That(validator.KeyLength, Is.EqualTo(256 / 8));
         }
 
         [Test]
@@ -31,7 +41,7 @@ public void ValidateReturnsTrueIfKeyIsCorrect()
             var buffer = new byte[50];
             validator.CopyTo(buffer);
 
-            var valid = validator.Validate(buffer);
+            var valid = validator.Validate(buffer, length);
             Assert.IsTrue(valid);
         }
 
@@ -43,7 +53,7 @@ public void ValidateReturnsFalseIfKeyIsCorrect()
             // corrupt 1 byte
             buffer[4] = 0;
 
-            var valid = validator.Validate(buffer);
+            var valid = validator.Validate(buffer, length);
             Assert.IsFalse(valid);
         }