diff --git a/src/common/length.h b/src/common/length.h index 99870ad..863ec57 100644 --- a/src/common/length.h +++ b/src/common/length.h @@ -17,6 +17,7 @@ enum EMisc EMPIRE_MAX_NUM = 4, BANWORD_MAX_LEN = 24, SOCIAL_ID_MAX_LEN = 18, + HASH_MAX_LEN = 255, GUILD_NAME_MAX_LEN = 12, diff --git a/src/common/tables.h b/src/common/tables.h index b623d9c..74b7909 100644 --- a/src/common/tables.h +++ b/src/common/tables.h @@ -47,7 +47,7 @@ typedef struct SAccountTable { uint32_t id; char login[LOGIN_MAX_LEN + 1]; - char passwd[PASSWD_MAX_LEN + 1]; + char passwd[HASH_MAX_LEN + 1]; char social_id[SOCIAL_ID_MAX_LEN + 1]; char status[ACCOUNT_STATUS_MAX_LEN + 1]; uint8_t bEmpire; diff --git a/src/db/CMakeLists.txt b/src/db/CMakeLists.txt index 578edd7..8609de5 100644 --- a/src/db/CMakeLists.txt +++ b/src/db/CMakeLists.txt @@ -13,6 +13,7 @@ target_link_libraries(db # external mariadbclient + sodium ) if (WIN32) diff --git a/src/db/Main.cpp b/src/db/Main.cpp index cd71952..caad597 100644 --- a/src/db/Main.cpp +++ b/src/db/Main.cpp @@ -1,4 +1,5 @@ #include "stdafx.h" +#include #include "Config.h" #include "Peer.h" #include "DBManager.h" @@ -60,6 +61,12 @@ int main() { log_init(); + if (sodium_init() < 0) + { + fprintf(stderr, "Could not initialize libsodium\n"); + return 1; + } + WriteVersion(); #ifdef OS_FREEBSD diff --git a/src/game/db.cpp b/src/game/db.cpp index 75757d6..6b73fa8 100644 --- a/src/game/db.cpp +++ b/src/game/db.cpp @@ -1,4 +1,5 @@ #include "stdafx.h" +#include #include #include "common/length.h" @@ -265,9 +266,8 @@ void DBManager::AnalyzeReturnQuery(SQLMsg * pMsg) MYSQL_ROW row = mysql_fetch_row(pMsg->Get()->pSQLResult); int col = 0; - // PASSWORD('%s'), password, securitycode, social_id, id, status - char szEncrytPassword[45 + 1]; - char szPassword[45 + 1]; + // password, social_id, id, status + char szPassword[crypto_pwhash_STRBYTES]; char szSocialID[SOCIAL_ID_MAX_LEN + 1]; char szStatus[ACCOUNT_STATUS_MAX_LEN + 1]; DWORD dwID = 0; @@ -279,15 +279,6 @@ void DBManager::AnalyzeReturnQuery(SQLMsg * pMsg) break; } - strlcpy(szEncrytPassword, row[col++], sizeof(szEncrytPassword)); - - if (!row[col]) - { - sys_err("error column %d", col); - M2_DELETE(pinfo); - break; - } - strlcpy(szPassword, row[col++], sizeof(szPassword)); if (!row[col]) @@ -360,7 +351,10 @@ void DBManager::AnalyzeReturnQuery(SQLMsg * pMsg) } } - int nPasswordDiff = strcmp(szEncrytPassword, szPassword); + int nPasswordDiff = crypto_pwhash_str_verify(szPassword, pinfo->passwd, strlen(pinfo->passwd)); + + // Wipe clear text password immediately + sodium_memzero(pinfo->passwd, sizeof(pinfo->passwd)); if (nPasswordDiff) { @@ -409,7 +403,7 @@ void DBManager::AnalyzeReturnQuery(SQLMsg * pMsg) r.id = dwID; trim_and_lower(pinfo->login, r.login, sizeof(r.login)); - strlcpy(r.passwd, pinfo->passwd, sizeof(r.passwd)); + strlcpy(r.passwd, "TEMP", sizeof(r.passwd)); strlcpy(r.social_id, szSocialID, sizeof(r.social_id)); DESC_MANAGER::instance().ConnectAccount(r.login, d); ClearLoginFailure(d->GetHostName()); diff --git a/src/game/input_auth.cpp b/src/game/input_auth.cpp index 6a2bb98..26ee9a2 100644 --- a/src/game/input_auth.cpp +++ b/src/game/input_auth.cpp @@ -236,9 +236,6 @@ void CInputAuth::Login(LPDESC d, const char * c_pData) TPacketCGLogin3 * p = M2_NEW TPacketCGLogin3; thecore_memcpy(p, pinfo, sizeof(TPacketCGLogin3)); - char szPasswd[PASSWD_MAX_LEN * 2 + 1]; - DBManager::instance().EscapeString(szPasswd, sizeof(szPasswd), passwd, strlen(passwd)); - char szLogin[LOGIN_MAX_LEN * 2 + 1]; DBManager::instance().EscapeString(szLogin, sizeof(szLogin), login, strlen(login)); @@ -248,7 +245,7 @@ void CInputAuth::Login(LPDESC d, const char * c_pData) sys_log(0, "ChannelServiceLogin [%s]", szLogin); DBManager::instance().ReturnQuery(QID_AUTH_LOGIN, dwKey, p, - "SELECT '%s',password,social_id,id,status,availDt - NOW() > 0," + "SELECT password,social_id,id,status,availDt - NOW() > 0," "UNIX_TIMESTAMP(silver_expire)," "UNIX_TIMESTAMP(gold_expire)," "UNIX_TIMESTAMP(safebox_expire)," @@ -259,13 +256,13 @@ void CInputAuth::Login(LPDESC d, const char * c_pData) "UNIX_TIMESTAMP(create_time)" " FROM account WHERE login='%s'", - szPasswd, szLogin); + szLogin); } // END_OF_CHANNEL_SERVICE_LOGIN else { DBManager::instance().ReturnQuery(QID_AUTH_LOGIN, dwKey, p, - "SELECT PASSWORD('%s'),password,social_id,id,status,availDt - NOW() > 0," + "SELECT password,social_id,id,status,availDt - NOW() > 0," "UNIX_TIMESTAMP(silver_expire)," "UNIX_TIMESTAMP(gold_expire)," "UNIX_TIMESTAMP(safebox_expire)," @@ -275,7 +272,7 @@ void CInputAuth::Login(LPDESC d, const char * c_pData) "UNIX_TIMESTAMP(money_drop_rate_expire)," "UNIX_TIMESTAMP(create_time)" " FROM account WHERE login='%s'", - szPasswd, szLogin); + szLogin); } } diff --git a/src/game/main.cpp b/src/game/main.cpp index bcedeab..87cf545 100644 --- a/src/game/main.cpp +++ b/src/game/main.cpp @@ -1,4 +1,5 @@ #include "stdafx.h" +#include #include "constants.h" #include "config.h" #include "event.h" @@ -516,6 +517,12 @@ int start(int argc, char **argv) config_init(st_localeServiceName); // END_OF_LOCALE_SERVICE + if (sodium_init() < 0) + { + fprintf(stderr, "Could not initialize libsodium\n"); + exit(0); + } + #ifdef OS_WINDOWS // In Windows dev mode, "verbose" option is [on] by default. bVerbose = true;