authorTreeston <treeston.mmoc@gmail.com>2020-08-02 22:52:21 +0200
committerShauren <shauren.trinity@gmail.com>2020-08-03 22:37:47 +0200
commit73922d2a857614d27ddb9dfa517687b8018e5d39 (patch)
tree2d1d2babf54728e4e784138b00105eaf042f35df /src/server/game/Accounts/AccountMgr.cpp
parent77380f032b772ff180b6b663d241079a12eb608b (diff)
Core/Authserver: Re-organize the `accounts` table (PR #25135)
- no longer use sha_pass_hash for anything else core-side (.account, SOAP, RA) - salt/verifier/session_key are now binary - old s/v/sha_pass_hash fields kept around for backwards compatibility - sha_pass_hash is still updated (for now), s/v are not - sha_pass_hash is only read if s/v have been manually changed - SRP6 b now uses the full 32 bytes of randomness (instead of randomly only using 19) (cherry picked from commit 3164b58c7d170810b69378950c0891e5f5b8678b)
Diffstat (limited to 'src/server/game/Accounts/AccountMgr.cpp')
-rw-r--r--src/server/game/Accounts/AccountMgr.cpp78
1 files changed, 50 insertions, 28 deletions
diff --git a/src/server/game/Accounts/AccountMgr.cpp b/src/server/game/Accounts/AccountMgr.cpp
index d29b93e859b..7e5528136f5 100644
--- a/src/server/game/Accounts/AccountMgr.cpp
+++ b/src/server/game/Accounts/AccountMgr.cpp
@@ -24,6 +24,7 @@
#include "Player.h"
#include "Realm.h"
#include "ScriptMgr.h"
+#include "SRP6.h"
#include "Util.h"
#include "World.h"
#include "WorldSession.h"
@@ -59,18 +60,21 @@ AccountOpResult AccountMgr::CreateAccount(std::string username, std::string pass
LoginDatabasePreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_INS_ACCOUNT);
stmt->setString(0, username);
- stmt->setString(1, CalculateShaPassHash(username, password));
- stmt->setString(2, email);
+ std::pair<Trinity::Crypto::SRP6::Salt, Trinity::Crypto::SRP6::Verifier> registrationData = Trinity::Crypto::SRP6::MakeRegistrationData(username, password);
+ stmt->setBinary(1, registrationData.first);
+ stmt->setBinary(2, registrationData.second);
stmt->setString(3, email);
+ stmt->setString(4, email);
+
if (bnetAccountId && bnetIndex)
{
- stmt->setUInt32(4, bnetAccountId);
- stmt->setUInt8(5, bnetIndex);
+ stmt->setUInt32(5, bnetAccountId);
+ stmt->setUInt8(6, bnetIndex);
}
else
{
- stmt->setNull(4);
stmt->setNull(5);
+ stmt->setNull(6);
}
LoginDatabase.DirectExecute(stmt); // Enforce saving, otherwise AddGroup can fail
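Review bot: The spelled-out `std::pair<Trinity::Crypto::SRP6::Salt, Trinity::Crypto::SRP6::Verifier>` at the MakeRegistrationData call (repeated in the ChangeUsername and ChangePassword hunks) produces three very long lines whose only purpose is to split the result into `.first`/`.second`; if the project builds as C++17, a structured binding reads better: `auto [salt, verifier] = Trinity::Crypto::SRP6::MakeRegistrationData(username, password);` followed by `stmt->setBinary(1, salt);` and `stmt->setBinary(2, verifier);`. If not, a file-local alias such as `using RegistrationData = std::pair<Trinity::Crypto::SRP6::Salt, Trinity::Crypto::SRP6::Verifier>;` would serve the same purpose at all three sites. CreateAccount's body starts and ends outside this hunk, so it is not visible whether `username` has already been normalized with Utf8ToUpperOnlyLatin before it reaches MakeRegistrationData; the ChangePassword hunk normalizes before calling it, and since the username is an input to the verifier, the two paths presumably need to agree or CheckPassword will not match.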
@@ -156,6 +160,13 @@ AccountOpResult AccountMgr::DeleteAccount(uint32 accountId)
return AccountOpResult::AOR_OK;
}
+// Do not use this. Use the appropriate methods on Trinity::Crypto::SRP6 to do whatever you are trying to do.
+// See issue #25157.
+static std::string CalculateShaPassHash_DEPRECATED_DONOTUSE(std::string const& name, std::string const& password)
+{
+ return ByteArrayToHexStr(Trinity::Crypto::SHA1::GetDigestOf(name, ":", password));
+}
+
AccountOpResult AccountMgr::ChangeUsername(uint32 accountId, std::string newUsername, std::string newPassword)
{
// Check if accounts exists
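Review bot: The new helper CalculateShaPassHash_DEPRECATED_DONOTUSE is introduced with a comment telling readers not to use it, yet this same commit calls it from ChangeUsername and ChangePassword, so a reader cannot tell whether those call sites are the sanctioned exception or leftover work. I would have the comment name the one remaining purpose and the risk it carries, e.g. `// Legacy: only used to keep the sha_pass_hash column in step for consumers not yet moved to SRP6 (issue #25157).` and `// This is an unsalted SHA1(NAME:PASSWORD) stored next to the SRP6 salt/verifier; remove the ChangeUsername/ChangePassword callers once nothing reads the column.` The `static` linkage is right for a file-local helper, and the digest over `name, ":", password` matches the deleted AccountMgr::CalculateShaPassHash, so the produced value is unchanged. DeleteAccount ends at the top of this hunk and ChangeUsername's body continues outside it.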
@@ -176,13 +187,24 @@ AccountOpResult AccountMgr::ChangeUsername(uint32 accountId, std::string newUser
Utf8ToUpperOnlyLatin(newPassword);
stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_USERNAME);
-
stmt->setString(0, newUsername);
- stmt->setString(1, CalculateShaPassHash(newUsername, newPassword));
- stmt->setUInt32(2, accountId);
+ stmt->setUInt32(1, accountId);
+ LoginDatabase.Execute(stmt);
+ std::pair<Trinity::Crypto::SRP6::Salt, Trinity::Crypto::SRP6::Verifier> registrationData = Trinity::Crypto::SRP6::MakeRegistrationData(newUsername, newPassword);
+ stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LOGON);
+ stmt->setBinary(0, registrationData.first);
+ stmt->setBinary(1, registrationData.second);
+ stmt->setUInt32(2, accountId);
LoginDatabase.Execute(stmt);
+ {
+ LoginDatabasePreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LOGON_LEGACY);
+ stmt->setString(0, CalculateShaPassHash_DEPRECATED_DONOTUSE(newUsername, newPassword));
+ stmt->setUInt32(1, accountId);
+ LoginDatabase.Execute(stmt);
+ }
+
return AccountOpResult::AOR_OK;
}
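Review bot: The username change and the verifier change are now two separate statements — LOGIN_UPD_USERNAME is executed at the `LoginDatabase.Execute(stmt)` right after `stmt->setUInt32(1, accountId);`, and only then LOGIN_UPD_LOGON — where the old code wrote username and hash in a single statement. If the second statement is not applied, the row is left with the new username and a verifier computed for the old one; since MakeRegistrationData takes the username as input, that account presumably can no longer authenticate at all, and there is no error path here to notice it. If the login database layer offers a transaction object, the three statements (including the LOGIN_UPD_LOGON_LEGACY one) should be queued on it and committed together; the same split appears in the ChangePassword hunk. Separately, the inner block at `LoginDatabasePreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LOGON_LEGACY);` declares a second `stmt` that shadows the function-scope one — reusing the outer variable with `stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LOGON_LEGACY);` avoids the shadow, and ChangePassword has the same block. ChangeUsername's body starts outside this hunk.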
@@ -204,22 +226,21 @@ AccountOpResult AccountMgr::ChangePassword(uint32 accountId, std::string newPass
Utf8ToUpperOnlyLatin(username);
Utf8ToUpperOnlyLatin(newPassword);
+ std::pair<Trinity::Crypto::SRP6::Salt, Trinity::Crypto::SRP6::Verifier> registrationData = Trinity::Crypto::SRP6::MakeRegistrationData(username, newPassword);
- LoginDatabasePreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_PASSWORD);
-
- stmt->setString(0, CalculateShaPassHash(username, newPassword));
- stmt->setUInt32(1, accountId);
-
- LoginDatabase.Execute(stmt);
-
- stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_SV);
-
- stmt->setString(0, "");
- stmt->setString(1, "");
+ LoginDatabasePreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LOGON);
+ stmt->setBinary(0, registrationData.first);
+ stmt->setBinary(1, registrationData.second);
stmt->setUInt32(2, accountId);
-
LoginDatabase.Execute(stmt);
+ {
+ LoginDatabasePreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LOGON_LEGACY);
+ stmt->setString(0, CalculateShaPassHash_DEPRECATED_DONOTUSE(username, newPassword));
+ stmt->setUInt32(1, accountId);
+ LoginDatabase.Execute(stmt);
+ }
+
sScriptMgr->OnPasswordChange(accountId);
return AccountOpResult::AOR_OK;
}
@@ -354,10 +375,16 @@ bool AccountMgr::CheckPassword(uint32 accountId, std::string password)
LoginDatabasePreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_CHECK_PASSWORD);
stmt->setUInt32(0, accountId);
- stmt->setString(1, CalculateShaPassHash(username, password));
- PreparedQueryResult result = LoginDatabase.Query(stmt);
- return (result) ? true : false;
+ if (PreparedQueryResult result = LoginDatabase.Query(stmt))
+ {
+ Trinity::Crypto::SRP6::Salt salt = (*result)[0].GetBinary<Trinity::Crypto::SRP6::SALT_LENGTH>();
+ Trinity::Crypto::SRP6::Verifier verifier = (*result)[1].GetBinary<Trinity::Crypto::SRP6::VERIFIER_LENGTH>();
+ if (Trinity::Crypto::SRP6::CheckLogin(username, password, salt, verifier))
+ return true;
+ }
+
+ return false;
}
bool AccountMgr::CheckEmail(uint32 accountId, std::string newEmail)
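Review bot: CheckPassword now reads the stored blobs with fixed-size `GetBinary<Trinity::Crypto::SRP6::SALT_LENGTH>()` / `GetBinary<Trinity::Crypto::SRP6::VERIFIER_LENGTH>()` but has no handling for a row whose columns are not those lengths — which, per the commit description, is exactly the case for accounts whose s/v fields were manually edited and that the authserver still validates through sha_pass_hash; what GetBinary<N> does on a length mismatch is not visible here, so please confirm it cannot assert or silently compare against a truncated value, and decide whether such accounts should fail here while they still log in at the authserver. The `username` handed to CheckLogin comes from outside the hunk; it presumably needs the same Utf8ToUpperOnlyLatin normalization the ChangePassword hunk applies before MakeRegistrationData, or the verifier will never match. As a style point, `if (CheckLogin(...)) return true;` inside the branch can simply be `return Trinity::Crypto::SRP6::CheckLogin(username, password, salt, verifier);`, keeping the outer `return false;` for the no-row case. CheckPassword's body starts outside this hunk.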
@@ -387,11 +414,6 @@ uint32 AccountMgr::GetCharactersCount(uint32 accountId)
return (result) ? (*result)[0].GetUInt64() : 0;
}
-std::string AccountMgr::CalculateShaPassHash(std::string const& name, std::string const& password)
-{
- return ByteArrayToHexStr(Trinity::Crypto::SHA1::GetDigestOf(name, ":", password));
-}
-
bool AccountMgr::IsBannedAccount(std::string const& name)
{
LoginDatabasePreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_BANNED_BY_USERNAME);