Closed Shauren closed 8 months ago
**Is your feature request related to a problem? Please describe.**
I have deprecated `sha_pass_hash` in `battlenet_accounts` in TrinityCore, new installations don't have this column at all and instead `salt` and `verifier` columns are present (existing installations get to keep this column to migrate their old data but it is not used during authentication at all). Today I got a user report about failed logins (and crashes) when FusionCMS was used by that user to create accounts.

**Describe the solution you'd like**
Switch to the supported method of account creation.

**Describe alternatives you've considered**
N/A (unless you count telling users to stop using your software as an alternative?)

**Additional context**
SRP is now utilized by `battlenet_accounts` using sha256 as the hash function with these constants:

- `srp_version = 1` (column in `battlenet_accounts`)
- `N = 86A7F6DEEB306CE519770FE37D556F29944132554DED0BD68205E27F3231FEF5A10108238A3150C59CAF7B0B6478691C13A6ACF5E1B5ADAFD4A943D4A21A142B800E8A55F8BFBAC700EB77A7235EE5A609E350EA9FC19F10D921C2FA832E4461B7125D38D254A0BE873DFC27858ACB3F8B9F258461E4373BC3A6C2A9634324AB`
- `g = 2`

Expected length of salt is 32 bytes, verifier 128 bytes.

```php
$h = gmp_import(hash('sha256', $salt . hash('sha256', strtoupper(hash('sha256', $email, false) . ':' . substr($password, 0, 16)), true), true), 1, GMP_LSW_FIRST);
```

Additionally, using worldserver console commands to create battlenet accounts will instead create `srp_version = 2`, which uses a different algorithm to create verifier values (`hash_pbkdf2` with sha512). I will leave it up to the maintainers of this project to decide whether to support that instead of version 1 or not (compared to v1, v2 passwords are case sensitive and limited to 128 characters instead of 16).

Reference C++ code for v2: https://github.com/TrinityCore/TrinityCore/blob/139051b0550e1b3e34aef9fd40de50071ef69422/src/common/Cryptography/Authentication/SRP6.cpp#L207-L221
The formula you wrote in the source is like this:

```
v = g ^ H(s || H(u || ':' || p)) mod N
```

But in the example you gave, the username is hashed separately and the password is attached to it:

```php
$h = gmp_import(hash('sha256', $salt . hash('sha256', strtoupper(hash('sha256', $email, false) . ':' . substr($password, 0, 16)), true), true), 1, GMP_LSW_FIRST);
```

But according to the formula, it should be like this, right?

```php
$h = gmp_import(hash('sha256', $salt . hash('sha256', strtoupper(hash('sha256', strtoupper($username) . ':' . substr($password, 0, 16), false)), true), true), 1, GMP_LSW_FIRST);
```
What you don't see in the C++ source snippet is that the username passed to that function is already a hex string made by `SHA256(UPPER(email))`, not the raw email (uppercase or not).
**Is your feature request related to a problem? Please describe.**
I have deprecated `sha_pass_hash` in `battlenet_accounts` in TrinityCore, new installations don't have this column at all and instead `salt` and `verifier` columns are present (existing installations get to keep this column to migrate their old data but it is not used during authentication at all). Today I got a user report about failed logins (and crashes) when FusionCMS was used by that user to create accounts.

**Describe the solution you'd like**
Switch to the supported method of account creation.

**Describe alternatives you've considered**
N/A (unless you count telling users to stop using your software as an alternative?)

**Additional context**
SRP is now utilized by `battlenet_accounts` using sha256 as the hash function with these constants:

- `srp_version = 1` (column in `battlenet_accounts`)
- `N = 86A7F6DEEB306CE519770FE37D556F29944132554DED0BD68205E27F3231FEF5A10108238A3150C59CAF7B0B6478691C13A6ACF5E1B5ADAFD4A943D4A21A142B800E8A55F8BFBAC700EB77A7235EE5A609E350EA9FC19F10D921C2FA832E4461B7125D38D254A0BE873DFC27858ACB3F8B9F258461E4373BC3A6C2A9634324AB`
- `g = 2`

Expected length of salt is 32 bytes, verifier 128 bytes.

```php
$h = gmp_import(hash('sha256', $salt . hash('sha256', strtoupper(hash('sha256', strtoupper($email), false) . ':' . substr($password, 0, 16)), true), true), 1, GMP_LSW_FIRST);
```

Additionally, using worldserver console commands to create battlenet accounts will instead create `srp_version = 2`, which uses a different algorithm to create verifier values (`hash_pbkdf2` with sha512). I will leave it up to the maintainers of this project to decide whether to support that instead of version 1 or not (compared to v1, v2 passwords are case sensitive and limited to 128 characters instead of 16).

Reference C++ code for v2: https://github.com/TrinityCore/TrinityCore/blob/139051b0550e1b3e34aef9fd40de50071ef69422/src/common/Cryptography/Authentication/SRP6.cpp#L207-L221
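The following is an added example, not code from the issue, from FusionCMS or from TrinityCore. It carries the `srp_version = 1` verifier computation described above (N, g = 2, 32-byte salt, 128-byte verifier, `SHA256(salt || SHA256(UPPER(SHA256(UPPER(email)) || ':' || password[:16])))` read as a little-endian integer, exactly what the PHP `gmp_import(..., 1, GMP_LSW_FIRST)` call does) through in Python so the ordering of the hashing and uppercasing steps discussed in the thread can be checked end to end. Exporting the verifier as 128 little-endian bytes is an assumption on my part (the thread gives the length but not the byte order of the stored value); the function and variable names are mine. Version 2 (PBKDF2-SHA512) is not reproduced because its parameters are not given on this page.

```python
import hashlib
import hmac
import secrets

# Constants quoted in the issue for srp_version = 1
N_HEX = (
    "86A7F6DEEB306CE519770FE37D556F29944132554DED0BD68205E27F3231FEF5"
    "A10108238A3150C59CAF7B0B6478691C13A6ACF5E1B5ADAFD4A943D4A21A142B"
    "800E8A55F8BFBAC700EB77A7235EE5A609E350EA9FC19F10D921C2FA832E4461"
    "B7125D38D254A0BE873DFC27858ACB3F8B9F258461E4373BC3A6C2A9634324AB"
)
N = int(N_HEX, 16)
G = 2
SALT_LEN = 32       # bytes, as stated in the issue
VERIFIER_LEN = 128  # bytes, as stated in the issue
V1_PASSWORD_MAX = 16  # v1 truncates the password to 16 characters


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def v1_private_key(email: str, password: str, salt: bytes) -> int:
    """x = SHA256(salt || SHA256(UPPER(hex(SHA256(UPPER(email))) || ':' || password[:16])))
    interpreted as a little-endian integer (PHP: gmp_import(..., 1, GMP_LSW_FIRST))."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes, got {len(salt)}")
    # The "username" fed into the inner hash is the hex digest of the
    # uppercased e-mail, not the raw e-mail (this is the point of the reply above).
    username_hex = sha256(email.upper().encode("utf-8")).hex()
    # strtoupper() in the PHP snippet covers the whole "hex:password" string,
    # which is why v1 passwords are effectively case-insensitive.
    inner = (username_hex + ":" + password[:V1_PASSWORD_MAX]).upper().encode("utf-8")
    h = sha256(salt + sha256(inner))
    return int.from_bytes(h, "little")


def v1_verifier(email: str, password: str, salt: bytes) -> bytes:
    """v = g^x mod N, exported as 128 bytes.
    Little-endian export is an assumption; the issue only fixes the length."""
    v = pow(G, v1_private_key(email, password, salt), N)
    return v.to_bytes(VERIFIER_LEN, "little")


def new_v1_account(email: str, password: str) -> tuple[bytes, bytes]:
    """What a CMS should store in battlenet_accounts.salt / .verifier for srp_version = 1."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt, v1_verifier(email, password, salt)


def verifier_matches(email: str, password: str, salt: bytes, stored: bytes) -> bool:
    """Self-check for a row a CMS has written: recompute and compare in constant time.
    This is NOT the SRP login exchange (the server never sees the password there);
    it only confirms the stored verifier was derived the way the authserver expects."""
    return hmac.compare_digest(v1_verifier(email, password, salt), stored)


if __name__ == "__main__":
    salt, verifier = new_v1_account("user@example.com", "hunter2")  # constructed sample
    print("salt    :", salt.hex())
    print("verifier:", verifier.hex())
    print("matches :", verifier_matches("USER@EXAMPLE.COM", "HUNTER2", salt, verifier))
```

The two `.upper()` calls are placed where the PHP snippet places them; moving the second one inside the e-mail hash only (as the comment in the thread proposed) produces a different verifier, which is the kind of mismatch that shows up as a failed login on the authserver side.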