Skip to content

GitLab

Commit 4f4c8dad authored by Amin.MasterkinG's avatar Amin.MasterkinG
Browse files

Change password support SRP6. 

https://github.com/TrinityCore/TrinityCore/pull/25135
parent 74c83759
Hide whitespace changes
Inline Side-by-side
application/config/config.php.sample
View file @ 4f4c8dad
......@@ -50,7 +50,7 @@ If your server is WoD/Legion/BFA you should enable it!
$config['battlenet_support'] = false;
/*===================================================================
If your core password encryption is SRP6, you need to enable it.
For last versions of the TrinityCore(3.3.5) you need to enable it. https://git.io/JJRH4
For last versions of the TrinityCore(3.3.5/master) you need to enable it. https://git.io/JJRH4 and https://git.io/JJrxq
=====================================================================*/
$config['srp6_support'] = false;
/*===================================================================
......
application/include/functions.php
View file @ 4f4c8dad
......@@ -297,7 +297,7 @@ function calculateSRP6Verifier($username, $password, $salt)
$h1 = sha1(strtoupper($username . ':' . $password), TRUE);
// calculate second hash
$h2 = sha1($salt.$h1, TRUE);
$h2 = sha1($salt . $h1, TRUE);
// convert to integer (little-endian)
$h2 = gmp_import($h2, 1, GMP_LSW_FIRST);
......@@ -327,3 +327,17 @@ function getRegistrationData($username, $password)
// done - this is what you put in the account table!
return array($salt, $verifier);
}
//From TrinityCore/AOWOW
function verifySRP6($user, $pass, $salt, $verifier)
{
$g = gmp_init(7);
$N = gmp_init('894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C82872A3E9BB7', 16);
$x = gmp_import(
sha1($salt . sha1(strtoupper($user . ':' . $pass), TRUE), TRUE),
1,
GMP_LSW_FIRST
);
$v = gmp_powm($g, $x, $N);
return ($verifier === str_pad(gmp_export($v, 1, GMP_LSW_FIRST), 32, chr(0), STR_PAD_RIGHT));
}
\ No newline at end of file
application/include/user.php
View file @ 4f4c8dad
......@@ -269,22 +269,40 @@ class user
return false;
}
$Old_hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $_POST['old_password'])));
$hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $_POST['password'])));
if (empty(get_config('srp6_support'))) {
$Old_hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $_POST['old_password'])));
$hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $_POST['password'])));
if (strtoupper($userinfo['sha_pass_hash']) != $Old_hashed_pass) {
error_msg('Old password is not valid.');
return false;
}
if (strtoupper($userinfo['sha_pass_hash']) != $Old_hashed_pass) {
error_msg('Old password is not valid.');
return false;
}
database::$auth->update('account', [
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'sessionkey' => '',
'v' => '',
's' => ''
], [
'id[=]' => $userinfo['id']
]);
database::$auth->update('account', [
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'sessionkey' => '',
'v' => '',
's' => ''
], [
'id[=]' => $userinfo['id']
]);
} else {
if (verifySRP6($userinfo['username'], $_POST['old_password'], $userinfo['salt'], $userinfo['verifier'])) {
error_msg('Old password is not valid.');
return false;
}
list($salt, $verifier) = getRegistrationData(strtoupper($userinfo['username']), $_POST['password']);
database::$auth->update('account', [
'salt' => $salt,
'verifier' => $verifier,
'sessionkey' => '',
'v' => '',
's' => ''
], [
'id[=]' => $userinfo['id']
]);
}
$bnet_hashed_pass = strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash('sha256', strtoupper(hash('sha256', strtoupper($userinfo['email'])) . ':' . strtoupper($_POST['password']))))))));
......@@ -334,21 +352,40 @@ class user
return false;
}
$Old_hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $_POST['old_password'])));
$hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $_POST['password'])));
if (strtoupper($userinfo['sha_pass_hash']) != $Old_hashed_pass) {
error_msg('Old password is not valid.');
return false;
}
database::$auth->update('account', [
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'sessionkey' => '',
'v' => '',
's' => ''
], [
'id[=]' => $userinfo['id']
]);
if (empty(get_config('srp6_support'))) {
$Old_hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $_POST['old_password'])));
$hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $_POST['password'])));
if (strtoupper($userinfo['sha_pass_hash']) != $Old_hashed_pass) {
error_msg('Old password is not valid.');
return false;
}
database::$auth->update('account', [
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'sessionkey' => '',
'v' => '',
's' => ''
], [
'id[=]' => $userinfo['id']
]);
} else {
if (verifySRP6($userinfo['username'], $_POST['old_password'], $userinfo['salt'], $userinfo['verifier'])) {
error_msg('Old password is not valid.');
return false;
}
list($salt, $verifier) = getRegistrationData(strtoupper($userinfo['username']), $_POST['password']);
database::$auth->update('account', [
'salt' => $salt,
'verifier' => $verifier,
'sessionkey' => '',
'v' => '',
's' => ''
], [
'id[=]' => $userinfo['id']
]);
}
success_msg('Password has been changed.');
return true;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment