GameNetworkingSockets icon indicating copy to clipboard operation
GameNetworkingSockets copied to clipboard
verified publisher icon ValveSoftware

How to disable cert checking via the api?

Open Yorizuka opened this issue 3 years ago • 6 comments

I want to implement a "no auth" mode into my client & server where unauthenticated clients can join the server and the server will just accept any identity its given when in this mode, without any cert authority. (I need this for testing)

when I initialize via GameNetworkingSockets_Init if I leave the identity null then I have no problems connecting, after I configure IP_AllowWithoutAuth & Unencrypted via SetGlobalConfigValue.

but that is not a good solution for me. my game is persistent and I use the identity for selecting the correct user data for this session/connection.

[#3104342239 UDP [email protected]:25569 'PS client'] problem detected locally (5002): Need a cert authority!`
[#3104342239 UDP [email protected]:25569] problem (5002) Need a cert authority!, but connection already dead (0 5002 Need a cert authority!)

I can not figure out how to do this, if the api supports it, how do I do this, and if not then I think it should be able to. I think my use case is not that odd.

Yorizuka avatar Nov 21 '22 03:11 Yorizuka

I might need some help debugging this, as this is not a use case I work with regularly.

Can you tell me what happens in this code in CSteamNetworkConnectionBase::BThinkCryptoReady:

	// Check if we want to intentionally disable auth
	if ( AllowLocalUnsignedCert() == k_EUnsignedCert_Allow )
	{
		SetLocalCertUnsigned();
		return true;
	}

Step into AllowLocalUnsignedCert function:

EUnsignedCert CSteamNetworkConnectionBase::AllowLocalUnsignedCert()
{
	// Base class - we will not attempt connections without a local cert,
	// unless we are running in a way that is configured without one
	if ( !m_pSteamNetworkingSocketsInterface->BCanRequestCert() )
		return k_EUnsignedCert_Allow;
	else
		return k_EUnsignedCert_Disallow;
}

My expectation is that BCanRequestCert should return false, and then it should return k_EUnsignedCert_Allow. What are you seeing when you reproduce this problem?

zpostfacto avatar Nov 21 '22 16:11 zpostfacto

here is console output given via the debug print callback

Bug: src/steamnetworkingsockets/clientlib/steamnetworkingsockets_connections.cpp(2966): [#3019161547 UDP [email protected]:25569] problem (5002) Need a cert authority!, but connection already dead (0 5002 Need a cert authority!)
Bug: src/steamnetworkingsockets/clientlib/steamnetworkingsockets_connections.cpp(1158): Assertion Failed: false
Msg: [#3019161547 UDP [email protected]:25569 'PS client'] problem detected locally (5002): Need a cert authority!

stepping in bool CSteamNetworkConnectionBase::BThinkCryptoReady( SteamNetworkingMicroseconds usecNow ) the following checks did not return true.

  • we already have a cert?
  • If we are using an anonymous identity.
  • Already have a signed cert?
  • Check if we want to intentionally disable auth

and we reach "Otherwise, we don't have a signed cert (yet?)." and Msg: [#3019161547 UDP [email protected]:25569 'PS client'] problem detected locally (5002): Need a cert authority! is printed

Yorizuka avatar Nov 21 '22 21:11 Yorizuka

inside of EUnsignedCert CSteamNetworkConnectionUDP::AllowRemoteUnsignedCert()

int nAllow = m_connectionConfig.m_IP_AllowWithoutAuth.Get(); is a value of 1

EUnsignedCert CSteamNetworkConnectionUDP::AllowRemoteUnsignedCert()
{
	// NOTE: No special override for localhost.
	// Should we add a separate convar for this?
	// For the CSteamNetworkConnectionlocalhostLoopback connection,
	// we know both ends are us.  but if they are just connecting to
	// 127.0.0.1, it's not clear that we should handle this any
	// differently from any other connection

	// Enabled by convar?
	int nAllow = m_connectionConfig.m_IP_AllowWithoutAuth.Get();
	if ( nAllow > 1 )
		return k_EUnsignedCert_Allow;
	if ( nAllow == 1 )
		return k_EUnsignedCert_AllowWarn;

	// Lock it down
	return k_EUnsignedCert_Disallow;
}

that should return, k_EUnsignedCert_AllowWarn.

the stack (ignore 8 to 13):

#0  SteamNetworkingSocketsLib::CSteamNetworkConnectionUDP::AllowRemoteUnsignedCert(this = 0x5555565ea710) at /home/yori/Desktop/projects/runic/srcC/GNS/src/steamnetworkingsockets/clientlib/steamnetworkingsockets_udp.cpp:1776
#1  SteamNetworkingSocketsLib::CSteamNetworkConnectionUDP::AllowLocalUnsignedCert(this = 0x5555565ea710) at /home/yori/Desktop/projects/runic/srcC/GNS/src/steamnetworkingsockets/clientlib/steamnetworkingsockets_udp.cpp:1789
#2  SteamNetworkingSocketsLib::CSteamNetworkConnectionBase::BThinkCryptoReady(this = 0x5555565ea710, usecNow = 3000002271339) at /home/yori/Desktop/projects/runic/srcC/GNS/src/steamnetworkingsockets/clientlib/steamnetworkingsockets_connections.cpp:1149
#3  SteamNetworkingSocketsLib::CSteamNetworkConnectionBase::InitConnectionCrypto(this = 0x5555565ea710, usecNow = 3000002271339) at /home/yori/Desktop/projects/runic/srcC/GNS/src/steamnetworkingsockets/clientlib/steamnetworkingsockets_connections.cpp:1023
#4  SteamNetworkingSocketsLib::CSteamNetworkConnectionBase::BInitConnection(this = 0x5555565ea710, usecNow = 3000002271339, nOptions = 1, pOptions = 0x7fffffffddc0, errMsg = @0x7fffffffd8e0: ")\?\?\?\?\\?\?\\?\?\?\?\?\?\?\\?\?\?\?\?\?\?\?w\?UUU\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\\?\?e\?\?UUU\?\?\?\?\?\?\?\?\?\?\\?\?\?\?\?\?\?\\?\?\?\?\?\?\?\?\?\\vVUU\?\?\?\?\?\?\?\\?\?\?\?\?UUU\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\\a\?\?\?\?\?\?\?\?\?\?\?\?\?\?\? \?\?\?\?\\?\?\?\?\?\?\?\\?\?)\?\?UUU\?\?\?\?\\vVUU\?\?"...) at /home/yori/Desktop/projects/runic/srcC/GNS/src/steamnetworkingsockets/clientlib/steamnetworkingsockets_connections.cpp:981
#5  SteamNetworkingSocketsLib::CSteamNetworkConnectionUDP::BInitConnect(this = 0x5555565ea710, addressRemote = , nOptions = 1, pOptions = 0x7fffffffddc0, errMsg = @0x7fffffffd8e0: ")\?\?\?\?\\?\?\\?\?\?\?\?\?\?\\?\?\?\?\?\?\?\?w\?UUU\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\\?\?e\?\?UUU\?\?\?\?\?\?\?\?\?\?\\?\?\?\?\?\?\?\\?\?\?\?\?\?\?\?\?\\vVUU\?\?\?\?\?\?\?\\?\?\?\?\?UUU\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\\a\?\?\?\?\?\?\?\?\?\?\?\?\?\?\? \?\?\?\?\\?\?\?\?\?\?\?\\?\?)\?\?UUU\?\?\?\?\\vVUU\?\?"...) at /home/yori/Desktop/projects/runic/srcC/GNS/src/steamnetworkingsockets/clientlib/steamnetworkingsockets_udp.cpp:1169
#6  SteamNetworkingSocketsLib::CSteamNetworkingSockets::ConnectByIPAddress(this = 0x555556137a40, address = , nOptions = 1, pOptions = 0x7fffffffddc0) at /home/yori/Desktop/projects/runic/srcC/GNS/src/steamnetworkingsockets/clientlib/csteamnetworkingsockets.cpp:1113
#7  SteamAPI_ISteamNetworkingSockets_ConnectByIPAddress(self = 0x555556137a40, address = , nOptions = 1, pOptions = 0x7fffffffddc0) at /home/yori/Desktop/projects/runic/srcC/GNS/src/steamnetworkingsockets/clientlib/steamnetworkingsockets_flat.cpp:26
#8  _D4rune5steam10networking23ISteamNetworkingSockets18ConnectByIPAddressMFKxSQCvQCtQCq21SteamNetworkingIPAddrixPSQEfQEdQEa28SteamNetworkingConfigValue_tZSQFuQFsQFp19HSteamNetConnection(this = , pOptions = 0x7fffffffddc0, nOptions = 1, address = ) at src/rune/steam/networking.d:2898
#9  _D4rune3ent11play_spaces22PlaySpaceManagerClient10connect_toFNeAyaZv(connect_to = "127.0.0.1:25560") at src/rune/ent/play_spaces.d:322
#10  _D4rune10event_loop6game3d__T16Rune3dGameClientTS5runic6common10GameConfigZQBu18join_single_playerMFNeZv(this = 0x7ffff7b52060) at src/rune/event_loop/game3d.d:112
#11  _D4rune10event_loop6game3d__T16Rune3dGameClientTS5runic6common10GameConfigZQBu8on_startMFNeCQDmQDk4main13RuneGameMainIAyaE3std8typecons__T4FlagVQBaa10_546f446576576f726c64ZQBiZv(this = 0x7ffff7b52060, to_dev_world = true, direct_join_to = 0x0, rune_game_main = 0x7fffffffe0b8) at src/rune/event_loop/game3d.d:87
#12  _D4rune10event_loop4main__T18RuneGameMainStructTS5runic6common10GameConfigTCQBbQy11RunicClientTCQBvQBs11RunicServerZQDlQDwMFNeAAyaZv(this = 0x7fffffffe0a8, arguments = ) at src/rune/event_loop/main.d:141
#13  _Dmain(arguments = ) at src/rune/event_loop/main.d:173

that leads to CSteamNetworkConnectionBase::BThinkCryptoReady not use a unsigned cert.

// Check if we want to intentionally disable auth
if ( AllowLocalUnsignedCert() == k_EUnsignedCert_Allow )
{
	SetLocalCertUnsigned();
	return true;
}

my guess is that if ( AllowLocalUnsignedCert() == k_EUnsignedCert_Allow ) should become if ( AllowLocalUnsignedCert() != k_EUnsignedCert_Disallow )

Yorizuka avatar Nov 21 '22 23:11 Yorizuka

I see. I think the bug is actually in this function:

EUnsignedCert CSteamNetworkConnectionUDP::AllowLocalUnsignedCert()
{
	// Same logic actually applies for remote and local
	return AllowRemoteUnsignedCert();
}

It isn't using the base class behaviour which is checking whether we are running in an environment with no cert authority.

zpostfacto avatar Nov 21 '22 23:11 zpostfacto

I edited ( AllowLocalUnsignedCert() == k_EUnsignedCert_Allow ) to ( AllowLocalUnsignedCert() != k_EUnsignedCert_Disallow ) and it seems to be doing what I want, but, im not sure if this is a correct solution.

Yorizuka avatar Nov 21 '22 23:11 Yorizuka

That's a fine fix in your situation. I'm thinking through how things "should" work in all the different use cases and what the correct fix is. It might end up being exactly what you are suggesting. :)

zpostfacto avatar Nov 21 '22 23:11 zpostfacto