kovagoadi/openttd-client
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
openttd-client/docs/PROTOCOL.md
kovagoadi cb6849ed55
Some checks failed
Continuous Integration / lint-and-security (push) Successful in 4m14s
Details
Continuous Integration / tests-and-coverage (push) Successful in 33s
Details
CodeQL Analysis / Analyze (python) (push) Failing after 4m17s
Details
Initialized openttd-client repo
2026-06-05 23:18:09 +02:00

1.9 KiB
Raw Permalink Blame History

Protocol Internals

This client supports the modern OpenTTD Game Port protocol (TCP 3979), specifically as implemented in JGRPP.

X25519 PAKE Authentication

OpenTTD 14+ and JGRPP use a Password-Authenticated Key Exchange to prevent plaintext password leakage.

Key Derivation (KDF)

We use Blake2b (64-byte digest) to derive two 32-byte session keys.

  • Input: SharedSecret (32) + ServerPublicKey (32) + ClientPublicKey (32) + Password (string)
  • Output:
    • 0..31: Client-to-Server Key
    • 32..63: Server-to-Client Key

Handshake Nonces

The server provides a 24-byte nonce in the ServerAuthenticationRequest. This nonce is used for the AEAD challenge during the auth response and for the initial stream encryption setup.

Stream Encryption (AEAD)

Once ServerEnableEncryption is received, all subsequent packets use XChaCha20-Poly1305 (Authenticated Encryption with Associated Data).

Encrypted Packet Format

On the wire, encrypted packets have the following structure:

  1. Length (2 bytes): Big-endian uint16 of the entire remaining packet.
  2. MAC (16 bytes): The Poly1305 authentication tag.
  3. Ciphertext (variable): The encrypted payload.

Decryption Logic

The OpenTTDProtocol layer uses an IncrementalAuthenticatedEncryption state from the Monocypher library. It maintains the nonce state internally. If a MAC check fails (indicating corruption or a wrong key), the client immediately closes the connection (SocketClosed).

Keep-Alive (Simulation Synchronization)

OpenTTD is a lockstep simulation. The server sends ServerFrame packets periodically.

  • Client Requirement: You must respond with a ClientAck containing the frame number and a one-time token provided in the frame packet.
  • Timeout: If the server does not receive an ACK for several in-game days, it will disconnect the client with error code 17 (TimeoutComputer).