Core/Authserver: Split SRP6 into its own file (PR #25131)

8 files changed, 251 insertions, 5 deletions

diff --git a/src/common/Common.h b/src/common/Common.h
index 2d497b213f7..92c0453ddc0 100644
--- a/src/common/Common.h
+++ b/src/common/Common.h
@@ -19,6 +19,7 @@
 #define TRINITYCORE_COMMON_H
 
 #include "Define.h"
+#include <array>
 #include <memory>
 #include <string>
 #include <utility>
diff --git a/src/common/Cryptography/Authentication/AuthCrypt.cpp b/src/common/Cryptography/Authentication/AuthCrypt.cpp
index 9d50fb026c3..86126b3ba81 100644
--- a/src/common/Cryptography/Authentication/AuthCrypt.cpp
+++ b/src/common/Cryptography/Authentication/AuthCrypt.cpp
@@ -26,7 +26,7 @@ AuthCrypt::AuthCrypt() :
     _initialized(false)
 { }
 
-void AuthCrypt::Init(std::array<uint8, 40> const& K)
+void AuthCrypt::Init(SessionKey const& K)
 {
     uint8 ServerEncryptionKey[] = { 0xCC, 0x98, 0xAE, 0x04, 0xE8, 0x97, 0xEA, 0xCA, 0x12, 0xDD, 0xC0, 0x93, 0x42, 0x91, 0x53, 0x57 };
     _serverEncrypt.Init(Trinity::Crypto::HMAC_SHA1::GetDigestOf(ServerEncryptionKey, K));
diff --git a/src/common/Cryptography/Authentication/AuthCrypt.h b/src/common/Cryptography/Authentication/AuthCrypt.h
index cb1a217297a..86c186bef69 100644
--- a/src/common/Cryptography/Authentication/AuthCrypt.h
+++ b/src/common/Cryptography/Authentication/AuthCrypt.h
@@ -19,6 +19,7 @@
 #define _AUTHCRYPT_H
 
 #include "ARC4.h"
+#include "AuthDefines.h"
 #include <array>
 
 class TC_COMMON_API AuthCrypt
@@ -26,7 +27,7 @@ class TC_COMMON_API AuthCrypt
     public:
         AuthCrypt();
 
-        void Init(std::array<uint8, 40> const& K);
+        void Init(SessionKey const& K);
         void DecryptRecv(uint8* data, size_t len);
         void EncryptSend(uint8* data, size_t len);
 
diff --git a/src/common/Cryptography/Authentication/AuthDefines.h b/src/common/Cryptography/Authentication/AuthDefines.h
new file mode 100644
index 00000000000..a32de20dcc6
--- /dev/null
+++ b/src/common/Cryptography/Authentication/AuthDefines.h
@@ -0,0 +1,27 @@
+/*
+ * This file is part of the TrinityCore Project. See AUTHORS file for Copyright information
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef TRINITY_AUTHDEFINES_H
+#define TRINITY_AUTHDEFINES_H
+
+#include "Define.h"
+#include <array>
+
+constexpr size_t SESSION_KEY_LENGTH = 40;
+using SessionKey = std::array<uint8, SESSION_KEY_LENGTH>;
+
+#endif
diff --git a/src/common/Cryptography/Authentication/SRP6.cpp b/src/common/Cryptography/Authentication/SRP6.cpp
new file mode 100644
index 00000000000..de05ffd1693
--- /dev/null
+++ b/src/common/Cryptography/Authentication/SRP6.cpp
@@ -0,0 +1,118 @@
+/*
+ * This file is part of the TrinityCore Project. See AUTHORS file for Copyright information
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "SRP6.h"
+#include "CryptoRandom.h"
+#include "Util.h"
+#include <algorithm>
+#include <functional>
+
+using SHA1 = Trinity::Crypto::SHA1;
+using SRP6 = Trinity::Crypto::SRP6;
+
+/*static*/ std::array<uint8, 1> const SRP6::g = { 7 };
+/*static*/ std::array<uint8, 32> const SRP6::N = HexStrToByteArray<32>("894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C82872A3E9BB7", true);
+/*static*/ BigNumber const SRP6::_g(SRP6::g);
+/*static*/ BigNumber const SRP6::_N(N);
+
+/*static*/ std::pair<SRP6::Salt, SRP6::Verifier> SRP6::MakeRegistrationData(std::string const& username, std::string const& password)
+{
+    std::pair<SRP6::Salt, SRP6::Verifier> res;
+    Crypto::GetRandomBytes(res.first); // random salt
+    res.second = CalculateVerifier(username, password, res.first);
+    return res;
+}
+
+/*static*/ std::pair<SRP6::Salt, SRP6::Verifier> SRP6::MakeRegistrationDataFromHash_DEPRECATED_DONOTUSE(SHA1::Digest const& hash)
+{
+    std::pair<SRP6::Salt, SRP6::Verifier> res;
+    Crypto::GetRandomBytes(res.first);
+    res.second = CalculateVerifierFromHash(hash, res.first);
+    return res;
+}
+
+/*static*/ SRP6::Verifier SRP6::CalculateVerifier(std::string const& username, std::string const& password, SRP6::Salt const& salt)
+{
+    // v = g ^ H(s || H(u || ':' || p)) mod N
+    return CalculateVerifierFromHash(SHA1::GetDigestOf(username, ":", password), salt);
+}
+
+// merge this into CalculateVerifier once the sha_pass hack finally gets nuked from orbit
+/*static*/ SRP6::Verifier SRP6::CalculateVerifierFromHash(SHA1::Digest const& hash, SRP6::Salt const& salt)
+{
+    return _g.ModExp(SHA1::GetDigestOf(salt, hash), _N).ToByteArray<32>(false);
+}
+
+/*static*/ SessionKey SRP6::SHA1Interleave(SRP6::EphemeralKey const& S)
+{
+    // split S into two buffers
+    std::array<uint8, EPHEMERAL_KEY_LENGTH/2> buf0, buf1;
+    for (size_t i = 0; i < EPHEMERAL_KEY_LENGTH/2; ++i)
+    {
+        buf0[i] = S[2 * i + 0];
+        buf1[i] = S[2 * i + 1];
+    }
+
+    // find position of first nonzero byte
+    size_t p = 0;
+    while (p < EPHEMERAL_KEY_LENGTH && !S[p]) ++p;
+    if (p & 1) ++p; // skip one extra byte if p is odd
+    p /= 2; // offset into buffers
+
+    // hash each of the halves, starting at the first nonzero byte
+    SHA1::Digest const hash0 = SHA1::GetDigestOf(buf0.data() + p, EPHEMERAL_KEY_LENGTH/2 - p);
+    SHA1::Digest const hash1 = SHA1::GetDigestOf(buf1.data() + p, EPHEMERAL_KEY_LENGTH/2 - p);
+
+    // stick the two hashes back together
+    SessionKey K;
+    for (size_t i = 0; i < SHA1::DIGEST_LENGTH; ++i)
+    {
+        K[2 * i + 0] = hash0[i];
+        K[2 * i + 1] = hash1[i];
+    }
+    return K;
+}
+
+SRP6::SRP6(std::string const& username, Salt const& salt, Verifier const& verifier)
+    : _I(SHA1::GetDigestOf(username)), _b(Crypto::GetRandomBytes<19>()), _v(verifier, false), s(salt), B(_B(_b, _v)) {}
+
+std::optional<SessionKey> SRP6::VerifyChallengeResponse(EphemeralKey const& A, SHA1::Digest const& clientM)
+{
+    ASSERT(!_used, "A single SRP6 object must only ever be used to verify ONCE!");
+    _used = true;
+
+    BigNumber const _A(A);
+    if ((_A % _N).IsZero())
+        return std::nullopt;
+
+    BigNumber const u(SHA1::GetDigestOf(A, B));
+    EphemeralKey const S = (_A * (_v.ModExp(u, _N))).ModExp(_b, N).ToByteArray<32>();
+
+    SessionKey K = SHA1Interleave(S);
+
+    // NgHash = H(N) xor H(g)
+    SHA1::Digest const NHash = SHA1::GetDigestOf(N);
+    SHA1::Digest const gHash = SHA1::GetDigestOf(g);
+    SHA1::Digest NgHash;
+    std::transform(NHash.begin(), NHash.end(), gHash.begin(), NgHash.begin(), std::bit_xor<>());
+
+    SHA1::Digest const ourM = SHA1::GetDigestOf(NgHash, _I, s, A, B, K);
+    if (ourM == clientM)
+        return K;
+    else
+        return std::nullopt;
+}
diff --git a/src/common/Cryptography/Authentication/SRP6.h b/src/common/Cryptography/Authentication/SRP6.h
new file mode 100644
index 00000000000..ab4dfc56889
--- /dev/null
+++ b/src/common/Cryptography/Authentication/SRP6.h
@@ -0,0 +1,89 @@
+/*
+ * This file is part of the TrinityCore Project. See AUTHORS file for Copyright information
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef TRINITY_SRP6_H
+#define TRINITY_SRP6_H
+
+#include "AuthDefines.h"
+#include "BigNumber.h"
+#include "Define.h"
+#include "Common.h"
+#include "CryptoHash.h"
+#include <array>
+#include <optional>
+
+namespace Trinity::Crypto
+{
+    class TC_COMMON_API SRP6
+    {
+        public:
+            static constexpr size_t SALT_LENGTH = 32;
+            using Salt = std::array<uint8, SALT_LENGTH>;
+            static constexpr size_t VERIFIER_LENGTH = 32;
+            using Verifier = std::array<uint8, VERIFIER_LENGTH>;
+            static constexpr size_t EPHEMERAL_KEY_LENGTH = 32;
+            using EphemeralKey = std::array<uint8, EPHEMERAL_KEY_LENGTH>;
+
+            static std::array<uint8, 1> const g;
+            static std::array<uint8, 32> const N;
+
+            // this is the old sha_pass_hash hack
+            // YOU SHOULD NEVER STORE THIS HASH, if you do you are breaking SRP6 guarantees
+            // use MakeRegistrationData instead
+            static std::pair<Salt, Verifier> MakeRegistrationDataFromHash_DEPRECATED_DONOTUSE(SHA1::Digest const& hash);
+
+            // username + password must be passed through Utf8ToUpperOnlyLatin FIRST!
+            static std::pair<Salt, Verifier> MakeRegistrationData(std::string const& username, std::string const& password);
+            // username + password must be passed through Utf8ToUpperOnlyLatin FIRST!
+            static bool CheckLogin(std::string const& username, std::string const& password, Salt const& salt, Verifier const& verifier)
+            {
+                return (verifier == CalculateVerifier(username, password, salt));
+            }
+
+            static SHA1::Digest GetSessionVerifier(EphemeralKey const& A, SHA1::Digest const& clientM, SessionKey const& K)
+            {
+                return SHA1::GetDigestOf(A, clientM, K);
+            }
+
+            SRP6(std::string const& username, Salt const& salt, Verifier const& verifier);
+            std::optional<SessionKey> VerifyChallengeResponse(EphemeralKey const& A, SHA1::Digest const& clientM);
+
+        private:
+            bool _used = false; // a single instance can only be used to verify once
+
+            static Verifier CalculateVerifier(std::string const& username, std::string const& password, Salt const& salt);
+            static Verifier CalculateVerifierFromHash(SHA1::Digest const& hash, Salt const& salt);
+            static SessionKey SHA1Interleave(EphemeralKey const& S);
+
+            /* global algorithm parameters */
+            static BigNumber const _g; // a [g]enerator for the ring of integers mod N, algorithm parameter
+            static BigNumber const _N; // the modulus, an algorithm parameter; all operations are mod this
+
+            static EphemeralKey _B(BigNumber const& b, BigNumber const& v) { return ((_g.ModExp(b,_N) + (v * 3)) % N).ToByteArray<EPHEMERAL_KEY_LENGTH>(); }
+
+            /* per-instantiation parameters, set on construction */
+            SHA1::Digest const _I; // H(I) - the username, all uppercase
+            BigNumber const _b; // b - randomly chosen by the server, 19 bytes, never given out
+            BigNumber const _v; // v - the user's password verifier, derived from s + H(USERNAME || ":" || PASSWORD)
+
+        public:
+            Salt const s; // s - the user's password salt, random, used to calculate v on registration
+            EphemeralKey const B; // B = 3v + g^b
+    };
+}
+
+#endif
diff --git a/src/common/Cryptography/BigNumber.cpp b/src/common/Cryptography/BigNumber.cpp
index 5b4e2942453..62e459c6dce 100644
--- a/src/common/Cryptography/BigNumber.cpp
+++ b/src/common/Cryptography/BigNumber.cpp
@@ -27,7 +27,7 @@ BigNumber::BigNumber()
 { }
 
 BigNumber::BigNumber(BigNumber const& bn)
-    : _bn(BN_dup(bn._bn))
+    : _bn(BN_dup(bn.BN()))
 { }
 
 BigNumber::~BigNumber()
@@ -35,6 +35,13 @@ BigNumber::~BigNumber()
     BN_free(_bn);
 }
 
+void BigNumber::SetDword(int32 val)
+{
+    SetDword(uint32(abs(val)));
+    if (val < 0)
+        BN_set_negative(_bn, 1);
+}
+
 void BigNumber::SetDword(uint32 val)
 {
     BN_set_word(_bn, val);
diff --git a/src/common/Cryptography/BigNumber.h b/src/common/Cryptography/BigNumber.h
index f269a813075..e61a8073c31 100644
--- a/src/common/Cryptography/BigNumber.h
+++ b/src/common/Cryptography/BigNumber.h
@@ -32,12 +32,14 @@ class TC_COMMON_API BigNumber
         BigNumber();
         BigNumber(BigNumber const& bn);
         BigNumber(uint32 v) : BigNumber() { SetDword(v); }
+        BigNumber(int32 v) : BigNumber() { SetDword(v); }
         BigNumber(std::string const& v) : BigNumber() { SetHexStr(v); }
         template <size_t Size>
         BigNumber(std::array<uint8, Size> const& v, bool littleEndian = true) : BigNumber() { SetBinary(v.data(), Size, littleEndian); }
 
         ~BigNumber();
 
+        void SetDword(int32);
         void SetDword(uint32);
         void SetQword(uint64);
         void SetBinary(uint8 const* bytes, int32 len, bool littleEndian = true);
@@ -107,7 +109,8 @@ class TC_COMMON_API BigNumber
 
         int32 GetNumBytes() const;
 
-        struct bignum_st *BN() { return _bn; }
+        struct bignum_st* BN() { return _bn; }
+        struct bignum_st const* BN() const { return _bn; }
 
         uint32 AsDword() const;
 
@@ -126,7 +129,7 @@ class TC_COMMON_API BigNumber
         std::string AsDecStr() const;
 
     private:
-        struct bignum_st *_bn;
+        struct bignum_st* _bn;
 
 };
 #endif