New HWID system prep (#5446)

* New HWID system prep

* Allow HWID to be disabled.

Both client and server can now request HWID to be disabled.

On the server via CVar, if disabled the client won't send it.

On the client via env var, if disabled it won't be sent to the client.

This involved moving legacy HWID to be sent in MsgEncryptionResponse instead of MsgLoginStart. This means the legacy HWID won't be available anymore if the connection isn't authenticated.

* Fix tests

* Fix another test

* Review

* Thanks Rider

Robust.Client/ClientIoC.cs

@@ -8,6 +8,7 @@
 using Robust.Client.GameStates;
 using Robust.Client.Graphics;
 using Robust.Client.Graphics.Clyde;
+using Robust.Client.HWId;
 using Robust.Client.Input;
 using Robust.Client.Map;
 using Robust.Client.Placement;
@@ -158,6 +159,7 @@ public static void RegisterIoC(GameController.DisplayMode mode, IDependencyColle
 
             deps.Register<IXamlProxyHelper, XamlProxyHelper>();
             deps.Register<MarkupTagManager>();
+            deps.Register<IHWId, BasicHWId>();
         }
     }
 }

Robust.Client/Console/Commands/LauncherAuthCommand.cs

@@ -20,8 +20,9 @@ public override void Execute(IConsoleShell shell, string argStr, string[] args)
         {
             var wantName = args.Length > 0 ? args[0] : null;
 
-            var basePath = Path.GetDirectoryName(UserDataDir.GetUserDataDir(_gameController))!;
-            var dbPath = Path.Combine(basePath, "launcher", "settings.db");
+            var basePath = UserDataDir.GetRootUserDataDir(_gameController);
+            var launcherDirName = Environment.GetEnvironmentVariable("SS14_LAUNCHER_APPDATA_NAME") ?? "launcher";
+            var dbPath = Path.Combine(basePath, launcherDirName, "settings.db");
 
 #if USE_SYSTEM_SQLITE
             SQLitePCL.raw.SetProvider(new SQLitePCL.SQLite3Provider_sqlite3());

Robust.Client/HWId/BasicHWId.cs

@@ -0,0 +1,86 @@
+using System;
+using System.IO;
+using System.Security.Cryptography;
+using Microsoft.Win32;
+using Robust.Client.Utility;
+using Robust.Shared.IoC;
+using Robust.Shared.Network;
+
+namespace Robust.Client.HWId;
+
+internal sealed class BasicHWId : IHWId
+{
+    [Dependency] private readonly IGameControllerInternal _gameController = default!;
+
+    public const int LengthHwid = 32;
+
+    public byte[] GetLegacy()
+    {
+        if (OperatingSystem.IsWindows())
+            return GetWindowsHWid("Hwid");
+
+        return [];
+    }
+
+    public byte[] GetModern()
+    {
+        byte[] raw;
+
+        if (OperatingSystem.IsWindows())
+            raw = GetWindowsHWid("Hwid2");
+        else
+            raw = GetFileHWid();
+
+        return [0, ..raw];
+    }
+
+    private static byte[] GetWindowsHWid(string keyName)
+    {
+        const string keyPath = @"HKEY_CURRENT_USER\SOFTWARE\Space Wizards\Robust";
+
+        var regKey = Registry.GetValue(keyPath, keyName, null);
+        if (regKey is byte[] { Length: LengthHwid } bytes)
+            return bytes;
+
+        var newId = new byte[LengthHwid];
+        RandomNumberGenerator.Fill(newId);
+        Registry.SetValue(
+            keyPath,
+            keyName,
+            newId,
+            RegistryValueKind.Binary);
+
+        return newId;
+    }
+
+    private byte[] GetFileHWid()
+    {
+        var path = UserDataDir.GetRootUserDataDir(_gameController);
+        var hwidPath = Path.Combine(path, ".hwid");
+
+        var value = ReadHWidFile(hwidPath);
+        if (value != null)
+            return value;
+
+        value = RandomNumberGenerator.GetBytes(LengthHwid);
+        File.WriteAllBytes(hwidPath, value);
+
+        return value;
+    }
+
+    private static byte[]? ReadHWidFile(string path)
+    {
+        try
+        {
+            var value = File.ReadAllBytes(path);
+            if (value.Length == LengthHwid)
+                return value;
+        }
+        catch (FileNotFoundException)
+        {
+            // First time the file won't exist.
+        }
+
+        return null;
+    }
+}

Robust.Client/Utility/UserDataDir.cs

@@ -1,14 +1,19 @@
 using System;
 using System.IO;
 using JetBrains.Annotations;
-using Robust.Shared.IoC;
 
 namespace Robust.Client.Utility
 {
     internal static class UserDataDir
     {
         [Pure]
         public static string GetUserDataDir(IGameControllerInternal gameController)
+        {
+            return Path.Combine(GetRootUserDataDir(gameController), "data");
+        }
+
+        [Pure]
+        public static string GetRootUserDataDir(IGameControllerInternal gameController)
         {
             string appDataDir;
 
@@ -30,8 +35,7 @@ public static string GetUserDataDir(IGameControllerInternal gameController)
             appDataDir = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
 #endif
 
-            return Path.Combine(appDataDir, gameController.Options.UserDataDirectoryName, "data");
+            return Path.Combine(appDataDir, gameController.Options.UserDataDirectoryName);
         }
-
     }
 }

Robust.Server/ServerIoC.cs

@@ -97,6 +97,7 @@ internal static void RegisterIoC(IDependencyCollection deps)
             deps.Register<NetworkResourceManager>();
             deps.Register<IHttpClientHolder, HttpClientHolder>();
             deps.Register<UploadedContentManager>();
+             deps.Register<IHWId, DummyHWId>();
         }
     }
 }

Robust.Shared/CVars.cs

@@ -394,6 +394,18 @@ protected CVars()
         public static readonly CVarDef<int> NetEncryptionThreadChannelSize =
             CVarDef.Create("net.encryption_thread_channel_size", 16);
 
+        /// <summary>
+        /// Whether the server should request HWID system for client identification.
+        /// </summary>
+        /// <remarks>
+        /// <para>
+        /// Note that modern HWIDs are only available if the connection is authenticated.
+        /// </para>
+        /// </remarks>
+        public static readonly CVarDef<bool> NetHWId =
+            CVarDef.Create("net.hwid", true, CVar.SERVERONLY);
+
+
         /**
          * SUS
          */

Robust.Shared/Network/AuthManager.cs

@@ -15,6 +15,11 @@ internal interface IAuthManager
         string? Token { get; set; }
         string? PubKey { get; set; }
 
+        /// <summary>
+        /// If true, the user allows HWID information to be provided to servers.
+        /// </summary>
+        bool AllowHwid { get; set; }
+
         void LoadFromEnv();
     }
 
@@ -26,6 +31,7 @@ internal sealed class AuthManager : IAuthManager
         public string? Server { get; set; } = DefaultAuthServer;
         public string? Token { get; set; }
         public string? PubKey { get; set; }
+        public bool AllowHwid { get; set; } = true;
 
         public void LoadFromEnv()
         {
@@ -49,6 +55,11 @@ public void LoadFromEnv()
                 Token = token;
             }
 
+            if (TryGetVar("ROBUST_AUTH_ALLOW_HWID", out var allowHwid))
+            {
+                AllowHwid = allowHwid.Trim() == "1";
+            }
+
             static bool TryGetVar(string var, [NotNullWhen(true)] out string? val)
             {
                 val = Environment.GetEnvironmentVariable(var);

Robust.Shared/Network/IHWId.cs

@@ -0,0 +1,67 @@
+using System;
+using Robust.Shared.Console;
+using Robust.Shared.IoC;
+using Robust.Shared.Utility;
+
+namespace Robust.Shared.Network;
+
+/// <summary>
+/// Fetches HWID (hardware ID) unique identifiers for the local system.
+/// </summary>
+internal interface IHWId
+{
+    /// <summary>
+    /// Gets the "legacy" HWID.
+    /// </summary>
+    /// <remarks>
+    /// These are directly sent to servers and therefore susceptible to malicious spoofing.
+    /// They should not be relied on for the future.
+    /// </remarks>
+    /// <returns>
+    /// An opaque value that gets sent to the server to identify this computer,
+    /// or an empty array if legacy HWID is not supported on this platform.
+    /// </returns>
+    byte[] GetLegacy();
+
+    /// <summary>
+    /// Gets the "modern" HWID.
+    /// </summary>
+    /// <returns>
+    /// An opaque value that gets sent to the auth server to identify this computer,
+    /// or null if modern HWID is not supported on this platform.
+    /// </returns>
+    byte[]? GetModern();
+}
+
+/// <summary>
+/// Implementation of <see cref="IHWId"/> that does nothing, always returning an empty result.
+/// </summary>
+internal sealed class DummyHWId : IHWId
+{
+    public byte[] GetLegacy()
+    {
+        return [];
+    }
+
+    public byte[] GetModern()
+    {
+        return [];
+    }
+}
+
+#if DEBUG
+internal sealed class HwidCommand : LocalizedCommands
+{
+    [Dependency] private readonly IHWId _hwId = default!;
+
+    public override string Command => "hwid";
+
+    public override void Execute(IConsoleShell shell, string argStr, string[] args)
+    {
+        shell.WriteLine($"""
+            legacy: {Convert.ToBase64String(_hwId.GetLegacy(), Base64FormattingOptions.None)}
+            modern: {Base64Helpers.ToBase64Nullable(_hwId.GetModern())}
+            """);
+    }
+}
+#endif

Robust.Shared/Network/Messages/Handshake/MsgEncryptionRequest.cs

@@ -13,13 +13,15 @@ internal sealed class MsgEncryptionRequest : NetMessage
 
         public byte[] VerifyToken;
         public byte[] PublicKey;
+        public bool WantHwid;
 
         public override void ReadFromBuffer(NetIncomingMessage buffer, IRobustSerializer serializer)
         {
             var tokenLength = buffer.ReadVariableInt32();
             VerifyToken = buffer.ReadBytes(tokenLength);
             var keyLength = buffer.ReadVariableInt32();
             PublicKey = buffer.ReadBytes(keyLength);
+            WantHwid = buffer.ReadBoolean();
         }
 
         public override void WriteToBuffer(NetOutgoingMessage buffer, IRobustSerializer serializer)
@@ -28,6 +30,7 @@ public override void WriteToBuffer(NetOutgoingMessage buffer, IRobustSerializer
             buffer.Write(VerifyToken);
             buffer.WriteVariableInt32(PublicKey.Length);
             buffer.Write(PublicKey);
+            buffer.Write(WantHwid);
         }
     }
 }

Robust.Shared/Network/Messages/Handshake/MsgEncryptionResponse.cs

@@ -14,19 +14,24 @@ internal sealed class MsgEncryptionResponse : NetMessage
 
         public Guid UserId;
         public byte[] SealedData;
+        public byte[] LegacyHwid;
 
         public override void ReadFromBuffer(NetIncomingMessage buffer, IRobustSerializer serializer)
         {
             UserId = buffer.ReadGuid();
             var keyLength = buffer.ReadVariableInt32();
             SealedData = buffer.ReadBytes(keyLength);
+            var legacyHwidLength = buffer.ReadVariableInt32();
+            LegacyHwid = buffer.ReadBytes(legacyHwidLength);
         }
 
         public override void WriteToBuffer(NetOutgoingMessage buffer, IRobustSerializer serializer)
         {
             buffer.Write(UserId);
             buffer.WriteVariableInt32(SealedData.Length);
             buffer.Write(SealedData);
+            buffer.WriteVariableInt32(LegacyHwid.Length);
+            buffer.Write(LegacyHwid);
         }
     }
 }

Robust.Shared/Network/Messages/Handshake/MsgLoginStart.cs

@@ -16,16 +16,13 @@ internal sealed class MsgLoginStart : NetMessage
         public override MsgGroups MsgGroup => MsgGroups.Core;
 
         public string UserName;
-        public ImmutableArray<byte> HWId;
         public bool CanAuth;
         public bool NeedPubKey;
         public bool Encrypt;
 
         public override void ReadFromBuffer(NetIncomingMessage buffer, IRobustSerializer serializer)
         {
             UserName = buffer.ReadString();
-            var length = buffer.ReadByte();
-            HWId = ImmutableArray.Create(buffer.ReadBytes(length));
             CanAuth = buffer.ReadBoolean();
             NeedPubKey = buffer.ReadBoolean();
             Encrypt = buffer.ReadBoolean();
@@ -34,8 +31,6 @@ public override void ReadFromBuffer(NetIncomingMessage buffer, IRobustSerializer
         public override void WriteToBuffer(NetOutgoingMessage buffer, IRobustSerializer serializer)
         {
             buffer.Write(UserName);
-            buffer.Write((byte) HWId.Length);
-            buffer.Write(HWId.AsSpan());
             buffer.Write(CanAuth);
             buffer.Write(NeedPubKey);
             buffer.Write(Encrypt);