dreamstalker / rehlds

Reverse-engineered HLDS
GNU General Public License v3.0

Make the server sets Steamids to clients after the validation by Steam servers #1031

Open Splatt581 opened 1 month ago

Splatt581 commented 1 month ago

This PR fixes the Steam App Ownership Ticket hijacking/spoofing vulnerability and related exploits. Now the server will set the steamid from the ticket only after the client connection has been validated by the Steam servers. Until then, the client will be assigned STEAM_ID_PENDING (sid 0).

In fact, the GoldSrc server followed similar logic before the Steamworks updates.
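The ordering the PR describes, as an added illustration rather than rehlds code: the steamid a client claims in its ticket is kept separate from the steamid the server trusts, and the trusted one is filled in only when the Steam validation result arrives. All names below (Client, onClientConnect, onSteamValidation, the admin list and its sample steamid) are hypothetical; only STEAM_ID_PENDING comes from the discussion.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Constructed model of the PR's ordering; names are hypothetical, not rehlds APIs.
// STEAM_ID_PENDING (sid 0) is what a client keeps until Steam has validated it.
static const uint64_t STEAM_ID_PENDING = 0;

enum class AuthState { Pending, Validated, Rejected };

struct Client {
    uint64_t ticketSteamId = STEAM_ID_PENDING; // steamid claimed by the ticket
    uint64_t steamId = STEAM_ID_PENDING;       // steamid the server trusts
    AuthState state = AuthState::Pending;
};

// Admin list keyed by steamid (constructed sample value, not a real admin).
static const std::map<uint64_t, std::string> kAdmins = {
    {76561197960287930ULL, "admin"}};

// Pre-fix behaviour: the steamid from the ticket is trusted at connect time,
// so a stolen/reused ticket is "admin" before Steam has said anything.
Client onClientConnectPreFix(uint64_t claimedSteamId) {
    Client c;
    c.ticketSteamId = claimedSteamId;
    c.steamId = claimedSteamId;
    return c;
}

// Post-fix behaviour: remember the claim, keep steamId at STEAM_ID_PENDING.
Client onClientConnect(uint64_t claimedSteamId) {
    Client c;
    c.ticketSteamId = claimedSteamId;
    return c;
}

// Steam servers answered: only now is the trusted steamid assigned (or the
// client marked rejected, which the caller would turn into a disconnect).
void onSteamValidation(Client &c, bool accepted) {
    c.state = accepted ? AuthState::Validated : AuthState::Rejected;
    c.steamId = accepted ? c.ticketSteamId : STEAM_ID_PENDING;
}

// Lookup keyed purely on steamid, as pre-fix code would do it.
bool hasAdminSteamId(const Client &c) { return kAdmins.count(c.steamId) > 0; }

// Any steamid-based decision (admin rights, banid checks) must also require
// that validation has completed.
bool isAdmin(const Client &c) {
    return c.state == AuthState::Validated && hasAdminSteamId(c);
}
```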

Splatt581 commented 1 month ago

Ideally, we also need to replace the SendUserConnectAndAuthenticate function with BeginAuthSession, which is used in the Source1/S2 engines. The SendUserConnectAndAuthenticate function is deprecated in the Steamworks SDK and has poor validation of the client auth ticket fields.

But for now, in my local rebuild of rehlds, the BeginAuthSession function returns k_EBeginAuthSessionResultInvalidTicket even with a valid auth ticket for appid 10.

tupec commented 1 month ago

You can't spoof someone's ticket, there's a reason why - it's RSA signed with a private key. You can only reuse them (until the expiration, which is 21 days).

Splatt581 commented 1 month ago

> You can't spoof someone's ticket, there's a reason why - it's RSA signed with a private key. You can only reuse them (until the expiration, which is 21 days).

That's right.

But in the future, attackers may obtain the private key or otherwise start signing tickets. GoldSrc game servers must be ready for this.

“Reusing” a ticket with an account other than the owner’s has been the main exploit used by attackers for 10 years; by stealing a ticket from server admins (mostly via social engineering), they gain admin rights on the server.

There are also other exploits that allow you to hide your steam avatar in the scoreboard, as well as a complete bypass of the steamid ban via the banid engine command.

This PR fixes all currently known vulnerabilities involving Steam tickets on the server.