Friday, December 21, 2012

Portal connection

Portal connection


Time to dig into the specifics of Guild Wars 2's connection...

The portal connection starts off in clear text. The game client will connect, then send a /Sts/Connect command which will include information about the game client.

Example:


P /Sts/Connect STS/1.0
l:252

<Connect>
<ConnType>400</ConnType>
<Address>192.168.1.1</Address>
<ProductType>0</ProductType>
<ProductName>gw2</ProductName>
<AppIndex>1</AppIndex>
<Epoch>999999999</Epoch>
<Program>101</Program>
<Build>1002</Build>
<Process>9999</Process>
</Connect>
P /Auth/StartTls STS/1.0
s:1
l:11

This looks similar to how HTTP requests work. Th
e 'l:' specifies the length of the request and the 's:' is a sequence number. The server will reply and include a reference to this sequence number.

Example:

STS/1.0 400 Success
s:1R
l:46


<Error server="1001" module="2" line="1518"/>

The 's:1R' here, refers to the original client request. The 
/Auth/StartTls command starts the encryption handshake. From here the connection will switch from text to a binary protocol.

The client will begin by sending a buffer starting with:

16 03 03 xx xx

The first byte indicates what kind of packet this is:

14 = ack
15 = server error
16 = auth phase
17 = game packet

The 2 last bytes are the size of the sub buffer that follows.


So looking at the first response the client sends:
 

16 03 03 00 4e
01 00 00 4a 03 03 xx xx xx ...

Shows a subbuffer of size 0x4e (78 bytes). The first byte is the type of the buffer. If you look closely, it's apparent this buffer is also split up (ie. 0x00 0x4a is yet another size indicator of a sub part). I'm going to skip on some details, if you fire up wireshark you can more easily look at what's there.
There's 1 part that is important in this 0x01 sub buffer and that is a client seed that will be used further on. We need to save 0x20 bytes starting at xx as indicated above.

Also important, is that these sub buffers are used in the HMAC calculation, so we need to keep a sha256 hash of them, excluding the 0x14 sub buffer for digest1.

In code:

if (packet[0] != 0x14)
   digest1.process(packet);

digest2.process(packet);
The server will reply using a similar packet format. The first response is:
16 03 03 00 34

So we already know 00 34 is the size of the sub buffer, which contains:

02 00 00 30 03 03 xx xx xx
Like before, sub buffer 0x02 with a size of 0x30. Also similar as the client buffer, is that these first 0x20 bytes are a server seed, followed by some extra parameters which I'm going to skip here.

For what follows now, it's useful to read RFC5054 paragraph 2.2. and have a look at the SRP demo page.

The server follows up with a new large packet:

16 03 03 01 14
0c 00 01 10
   00 80 xx xx xx .....
   00 01 02
   08 yy yy yy yy yy yy yy yy
   00 80 zz zz zz .....
These are actually multi precision integers used for the SRP session server key exchange, more specifically the values N, g, s, B.
N = xx xx xx ...
g = 2
s = yy yy yy yy yy yy yy yy
B = zz zz zz ...
After these the server sends: 
16 03 03 00 04
   0e 00 00 00
The client will in return send it's A key to the server:
16 03 03 00 86
   10 00 00 82
      00 80 xx xx xx xx

 with A = xx xx xx ...


If you look at the SRP demo page (SRP-6a), you can see how all these values fit together. However GuildWars 2 uses a slightly different way to calculate value x, the RFC version uses:

x = H(salt || H(username||':'||password))

whereas Guild Wars 2 uses:

passhash = H(lowercase(unicode_pass||unicode_login))
Then converts this passhash buffer using htonl() and hashes it to form the password field to use in the calculation:
x = H(salt || H(lowercase(username)||':'||H(passhash)))

With all these values, we're able to calculate the shared key S.

The client will now activate encryption by sending the packet:

14 03 03 00 01 01
  
From now on, the buffers will be encrypted, however the shared key S isn't used as-is for the encryption. First a master key is generated from this and then a key expansion function is used to generate a send and a receive key.

But that's for another post...

No comments: