encryption for direct connect

Author: dooly123

Basis Server/BasisNetworkCore/BasisNetworkCore.csproj

@@ -16,5 +16,6 @@
 	<ItemGroup>
 	  <PackageReference Include="System.Threading.Tasks" Version="4.3.0" />
 		<ProjectReference Include="..\LiteNetLib\LiteNetLib.csproj" />
+		<ProjectReference Include="..\Contrib\Crypto\Crypto.csproj" />
 	</ItemGroup>
 </Project>

Basis Server/BasisNetworkCore/Encryption/BasisCryptoHandshake.cs

@@ -0,0 +1,88 @@
+#nullable enable
+
+using System;
+using System.Text;
+using Basis.Contrib.Crypto;
+
+namespace Basis.Network.Core
+{
+	/// X25519 + HKDF-SHA256 key agreement for the encrypted peer-to-peer (direct) link.
+	/// The two peers exchange ephemeral public keys through the server's signalling
+	/// channel and each derives the same two directional keys, because ECDH(myPriv,
+	/// peerPub) is symmetric; the transcript (both public keys) is folded into the HKDF
+	/// salt for channel binding.
+	public static class BasisCryptoHandshake
+	{
+		public const int PublicKeySize = BasisX25519.KeySize;
+		public const int PrivateKeySize = BasisX25519.KeySize;
+		public const int KeySize = BasisAeadCipher.KeySize;
+
+		private static readonly byte[] InfoAB = Encoding.ASCII.GetBytes("basis-crypto-v1-ab");
+		private static readonly byte[] InfoBA = Encoding.ASCII.GetBytes("basis-crypto-v1-ba");
+
+		public static void GenerateKeyPair(out byte[] privateKey, out byte[] publicKey)
+			=> BasisX25519.GenerateKeyPair(out privateKey, out publicKey);
+
+		/// Derives the directional keys for a peer-to-peer link. Role is decided by
+		/// public-key ordering so both ends agree without extra signalling.
+		public static bool DerivePeerKeys(
+			ReadOnlySpan<byte> myPrivate,
+			ReadOnlySpan<byte> myPublic,
+			ReadOnlySpan<byte> peerPublic,
+			out byte[] sendKey,
+			out byte[] recvKey)
+		{
+			sendKey = Array.Empty<byte>();
+			recvKey = Array.Empty<byte>();
+			try
+			{
+				int cmp = Compare(myPublic, peerPublic);
+				if (cmp == 0) return false;
+				bool iAmA = cmp < 0;
+
+				ReadOnlySpan<byte> aPub = iAmA ? myPublic : peerPublic;
+				ReadOnlySpan<byte> bPub = iAmA ? peerPublic : myPublic;
+
+				byte[] shared = BasisX25519.Agree(myPrivate, peerPublic);
+				byte[] salt = Concat(aPub, bPub);
+				byte[] keyAB = BasisHkdf.DeriveKey(shared, salt, InfoAB, KeySize);
+				byte[] keyBA = BasisHkdf.DeriveKey(shared, salt, InfoBA, KeySize);
+
+				if (iAmA)
+				{
+					sendKey = keyAB;
+					recvKey = keyBA;
+				}
+				else
+				{
+					sendKey = keyBA;
+					recvKey = keyAB;
+				}
+				return true;
+			}
+			catch
+			{
+				return false;
+			}
+		}
+
+		private static byte[] Concat(ReadOnlySpan<byte> a, ReadOnlySpan<byte> b)
+		{
+			var result = new byte[a.Length + b.Length];
+			a.CopyTo(result);
+			b.CopyTo(result.AsSpan(a.Length));
+			return result;
+		}
+
+		private static int Compare(ReadOnlySpan<byte> a, ReadOnlySpan<byte> b)
+		{
+			int n = Math.Min(a.Length, b.Length);
+			for (int i = 0; i < n; i++)
+			{
+				int d = a[i] - b[i];
+				if (d != 0) return d;
+			}
+			return a.Length - b.Length;
+		}
+	}
+}

Basis Server/BasisNetworkCore/Encryption/BasisCryptoLayer.cs

@@ -0,0 +1,197 @@
+#nullable enable
+
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Net;
+using System.Threading;
+using Basis.Contrib.Crypto;
+using LiteNetLib.Layers;
+
+namespace Basis.Network.Core
+{
+	/// Per-endpoint AEAD encryption applied at the LiteNetLib socket boundary.
+	/// Each connection has its own pair of ChaCha20-Poly1305 keys (one per
+	/// direction) established by an X25519 handshake; see <see cref="BasisCryptoHandshake"/>.
+	///
+	/// Only the user-data-bearing packet properties are encrypted (Unreliable,
+	/// Channeled, Merged). Connection setup, NAT, MTU and out-of-band probe packets
+	/// stay cleartext so the handshake itself never depends on a key being present.
+	///
+	/// Wire layout of an encrypted datagram:
+	///   [byte 0 : LiteNetLib header (cleartext, authenticated as AAD)]
+	///   [bytes 1..n : ciphertext]
+	///   [16 bytes : Poly1305 tag]
+	///   [8 bytes  : little-endian nonce counter]
+	public sealed class BasisCryptoLayer : PacketLayerBase
+	{
+		public const int CounterSize = 8;
+		public const int Overhead = BasisAeadCipher.TagSize + CounterSize;
+
+		private const byte PropertyMask = 0x1F;
+		// Mirrors LiteNetLib.PacketProperty: Unreliable = 0, Channeled = 1, Merged = 12.
+		private const byte PropUnreliable = 0;
+		private const byte PropChanneled = 1;
+		private const byte PropMerged = 12;
+
+		private sealed class Session
+		{
+			public BasisAeadCipher Send = null!;
+			public BasisAeadCipher Recv = null!;
+			public long SendCounter;
+		}
+
+		// Keyed by address+port only. NetPeer (seen outbound) and the plain IPEndPoint seen
+		// inbound / at install hash differently under non-native sockets; this comparer makes
+		// all three resolve to the same session without allocating per packet.
+		private readonly ConcurrentDictionary<IPEndPoint, Session> _sessions
+			= new ConcurrentDictionary<IPEndPoint, Session>(EndpointComparer.Instance);
+
+		public BasisCryptoLayer() : base(Overhead) { }
+
+		private sealed class EndpointComparer : IEqualityComparer<IPEndPoint>
+		{
+			public static readonly EndpointComparer Instance = new EndpointComparer();
+
+			public bool Equals(IPEndPoint x, IPEndPoint y)
+			{
+				if (ReferenceEquals(x, y)) return true;
+				if (x is null || y is null) return false;
+				return x.Port == y.Port && x.Address.Equals(y.Address);
+			}
+
+			public int GetHashCode(IPEndPoint ep)
+			{
+				if (ep is null) return 0;
+				unchecked { return (ep.Address.GetHashCode() * 397) ^ ep.Port; }
+			}
+		}
+
+		public int SessionCount => _sessions.Count;
+
+		/// <param name="initialSendCounter">
+		/// First nonce counter to use. Pass a value strictly greater than any counter
+		/// previously used with these keys when re-installing the same keys for a
+		/// reconnect, so a (key, nonce) pair is never reused.
+		/// </param>
+		public void SetEndpointKeys(IPEndPoint endpoint, byte[] sendKey, byte[] recvKey, long initialSendCounter = 0)
+		{
+			if (endpoint == null) return;
+			var session = new Session
+			{
+				Send = new BasisAeadCipher(sendKey),
+				Recv = new BasisAeadCipher(recvKey),
+				SendCounter = initialSendCounter
+			};
+			if (_sessions.TryRemove(endpoint, out var old)) DisposeSession(old);
+			_sessions[endpoint] = session;
+		}
+
+		public bool HasEndpoint(IPEndPoint endpoint) => endpoint != null && _sessions.ContainsKey(endpoint);
+
+		public void RemoveEndpoint(IPEndPoint endpoint)
+		{
+			if (endpoint != null && _sessions.TryRemove(endpoint, out var session)) DisposeSession(session);
+		}
+
+		public void RemapEndpoint(IPEndPoint oldEndpoint, IPEndPoint newEndpoint)
+		{
+			if (oldEndpoint == null || newEndpoint == null) return;
+			if (_sessions.TryRemove(oldEndpoint, out var session)) _sessions[newEndpoint] = session;
+		}
+
+		public override void ProcessOutBoundPacket(ref IPEndPoint endPoint, ref byte[] data, ref int offset, ref int length)
+		{
+			if (length < 1) return;
+			byte header = data[offset];
+			if (!IsEncryptable((byte)(header & PropertyMask))) return;
+			if (endPoint == null || !_sessions.TryGetValue(endPoint, out var session)) return;
+
+			long counter = Interlocked.Increment(ref session.SendCounter);
+			Span<byte> nonce = stackalloc byte[BasisAeadCipher.NonceSize];
+			WriteCounter(nonce, counter);
+
+			int tagOffset = offset + length;
+			session.Send.Seal(nonce, header, data, offset + 1, length - 1, data, tagOffset);
+			WriteCounterBytes(data, tagOffset + BasisAeadCipher.TagSize, counter);
+			length += Overhead;
+		}
+
+		public override void ProcessInboundPacket(ref IPEndPoint endPoint, ref byte[] data, ref int length)
+		{
+			if (length < 1) return;
+			byte header = data[0];
+			if (!IsEncryptable((byte)(header & PropertyMask))) return;
+			if (endPoint == null || !_sessions.TryGetValue(endPoint, out var session)) return;
+
+			if (length < 1 + Overhead)
+			{
+				length = 0;
+				return;
+			}
+
+			int tagOffset = length - Overhead;
+			int counterOffset = length - CounterSize;
+			long counter = ReadCounterBytes(data, counterOffset);
+			Span<byte> nonce = stackalloc byte[BasisAeadCipher.NonceSize];
+			WriteCounter(nonce, counter);
+
+			int payloadLength = tagOffset - 1;
+			if (!session.Recv.Open(nonce, header, data, 1, payloadLength, data, tagOffset))
+			{
+				length = 0;
+				return;
+			}
+			length -= Overhead;
+		}
+
+		private static bool IsEncryptable(byte property)
+			=> property == PropUnreliable || property == PropChanneled || property == PropMerged;
+
+		private static void DisposeSession(Session session)
+		{
+			session.Send.Dispose();
+			session.Recv.Dispose();
+		}
+
+		private static void WriteCounter(Span<byte> nonce, long counter)
+		{
+			nonce.Clear();
+			ulong c = (ulong)counter;
+			nonce[0] = (byte)c;
+			nonce[1] = (byte)(c >> 8);
+			nonce[2] = (byte)(c >> 16);
+			nonce[3] = (byte)(c >> 24);
+			nonce[4] = (byte)(c >> 32);
+			nonce[5] = (byte)(c >> 40);
+			nonce[6] = (byte)(c >> 48);
+			nonce[7] = (byte)(c >> 56);
+		}
+
+		private static void WriteCounterBytes(byte[] buffer, int offset, long counter)
+		{
+			ulong c = (ulong)counter;
+			buffer[offset] = (byte)c;
+			buffer[offset + 1] = (byte)(c >> 8);
+			buffer[offset + 2] = (byte)(c >> 16);
+			buffer[offset + 3] = (byte)(c >> 24);
+			buffer[offset + 4] = (byte)(c >> 32);
+			buffer[offset + 5] = (byte)(c >> 40);
+			buffer[offset + 6] = (byte)(c >> 48);
+			buffer[offset + 7] = (byte)(c >> 56);
+		}
+
+		private static long ReadCounterBytes(byte[] buffer, int offset)
+		{
+			ulong c = buffer[offset]
+				| ((ulong)buffer[offset + 1] << 8)
+				| ((ulong)buffer[offset + 2] << 16)
+				| ((ulong)buffer[offset + 3] << 24)
+				| ((ulong)buffer[offset + 4] << 32)
+				| ((ulong)buffer[offset + 5] << 40)
+				| ((ulong)buffer[offset + 6] << 48)
+				| ((ulong)buffer[offset + 7] << 56);
+			return (long)c;
+		}
+	}
+}

Basis Server/BasisNetworkCore/Serializable/BasisP2PMessages.cs

@@ -5,20 +5,45 @@ public static partial class SerializableBasis
     public struct BasisP2PSignalMessage
     {
         public const int MaxTokenLength = 64;
+        public const int PublicKeySize = 32;
 
         public ushort otherPlayerId;
         public string sessionToken;
+        /// <summary>
+        /// X25519 ephemeral public key of the sender, relayed by the server so the two
+        /// peers can derive a per-pair key and always encrypt the direct (P2P) link.
+        /// </summary>
+        public byte[] ephemeralPublicKey;
 
         public void Deserialize(NetDataReader reader)
         {
             otherPlayerId = reader.GetUShort();
             sessionToken = reader.GetString(MaxTokenLength);
+            byte hasKey = reader.GetByte();
+            if (hasKey == 1 && reader.AvailableBytes >= PublicKeySize)
+            {
+                ephemeralPublicKey = new byte[PublicKeySize];
+                reader.GetBytes(ephemeralPublicKey, PublicKeySize);
+            }
+            else
+            {
+                ephemeralPublicKey = null;
+            }
         }
 
         public void Serialize(NetDataWriter writer)
         {
             writer.Put(otherPlayerId);
             writer.Put(sessionToken ?? string.Empty, MaxTokenLength);
+            if (ephemeralPublicKey != null && ephemeralPublicKey.Length == PublicKeySize)
+            {
+                writer.Put((byte)1);
+                writer.Put(ephemeralPublicKey);
+            }
+            else
+            {
+                writer.Put((byte)0);
+            }
         }
     }
 }

Basis Server/BasisNetworkServer/BasisServerP2PBroker.cs

@@ -151,7 +151,7 @@ private static void HandleRequest(NetPeer sender, BasisP2PSignalMessage msg)
             TrackPeerSession(msg.otherPlayerId, msg.sessionToken);
 
             BNL.Log($"[P2P] Forwarding Request from peer {sender.Id} to peer {msg.otherPlayerId} (token {msg.sessionToken}).");
-            SendSub(target, BasisNetworkCommons.P2PSub_Request, msg.sessionToken, (ushort)sender.Id);
+            SendSub(target, BasisNetworkCommons.P2PSub_Request, msg.sessionToken, (ushort)sender.Id, msg.ephemeralPublicKey);
 
             // ServerArmed confirms registration before either side starts punching, avoiding a race.
             SendSub(sender, BasisNetworkCommons.P2PSub_ServerArmed, msg.sessionToken, msg.otherPlayerId);
@@ -175,7 +175,7 @@ private static void HandleAccept(NetPeer sender, BasisP2PSignalMessage msg)
             if (NetworkServer.AuthenticatedPeers.TryGetValue(s.InitiatorPeerId, out NetPeer initiator))
             {
                 BNL.Log($"[P2P] Accept from peer {sender.Id} (token {Preview(s.Token)}); session armed, forwarding to initiator {s.InitiatorPeerId}.");
-                SendSub(initiator, BasisNetworkCommons.P2PSub_Accept, s.Token, (ushort)sender.Id);
+                SendSub(initiator, BasisNetworkCommons.P2PSub_Accept, s.Token, (ushort)sender.Id, msg.ephemeralPublicKey);
             }
             else
             {
@@ -310,14 +310,15 @@ private static void UntrackPeerSession(int peerId, string token)
             }
         }
 
-        private static void SendSub(NetPeer to, byte sub, string token, ushort otherPlayerId)
+        private static void SendSub(NetPeer to, byte sub, string token, ushort otherPlayerId, byte[] ephemeralPublicKey = null)
         {
             NetDataWriter writer = NetworkServer.RentWriter();
             writer.Put(sub);
             var body = new BasisP2PSignalMessage
             {
                 otherPlayerId = otherPlayerId,
                 sessionToken = token ?? string.Empty,
+                ephemeralPublicKey = ephemeralPublicKey,
             };
             body.Serialize(writer);
             NetworkServer.TrySend(to, writer, BasisNetworkCommons.P2PChannel, DeliveryMethod.ReliableOrdered);