FusionWowCMS / FusionCMS

FusionCMS is a free, open-source content management system. Server owners all around the world rely upon FusionCMS for its ease of use and development, safe and secure codebase and dedication to simplicity.

TrinityCore df (and classic_wotlk) #27

Closed Shauren closed 8 months ago

Shauren commented 9 months ago

Is your feature request related to a problem? Please describe.
I have deprecated sha_pass_hash in battlenet_accounts in TrinityCore; new installations don't have this column at all and instead salt and verifier columns are present (existing installations get to keep this column to migrate their old data, but it is not used during authentication at all). Today I got a user report about failed logins (and crashes) when FusionCMS was used by that user to create accounts.

Describe the solution you'd like
Switch to the supported method of account creation.

Describe alternatives you've considered
N/A (unless you count telling users to stop using your software as an alternative?)

Additional context
SRP is now utilized by battlenet_accounts using sha256 as the hash function with these constants:
srp_version = 1 (column in battlenet_accounts)
N = 86A7F6DEEB306CE519770FE37D556F29944132554DED0BD68205E27F3231FEF5A10108238A3150C59CAF7B0B6478691C13A6ACF5E1B5ADAFD4A943D4A21A142B800E8A55F8BFBAC700EB77A7235EE5A609E350EA9FC19F10D921C2FA832E4461B7125D38D254A0BE873DFC27858ACB3F8B9F258461E4373BC3A6C2A9634324AB
g = 2
Expected length of salt is 32 bytes, verifier 128 bytes.
$h = gmp_import(hash('sha256', $salt . hash('sha256', strtoupper(hash('sha256', strtoupper($email), false) . ':' . substr($password, 0, 16)), true), true), 1, GMP_LSW_FIRST);

Additionally, using worldserver console commands to create battlenet accounts will instead create srp_version = 2, which uses a different algorithm to create verifier values (hash_pbkdf2 with sha512); I will leave it up to the maintainers of this project to decide whether to support that instead of version 1 or not (compared to v1, v2 passwords are case sensitive and limited to 128 characters instead of 16).
Reference C++ code for v2: https://github.com/TrinityCore/TrinityCore/blob/139051b0550e1b3e34aef9fd40de50071ef69422/src/common/Cryptography/Authentication/SRP6.cpp#L207-L221

Nightprince commented 9 months ago

Is your feature request related to a problem? Please describe.
I have deprecated sha_pass_hash in battlenet_accounts in TrinityCore; new installations don't have this column at all and instead salt and verifier columns are present (existing installations get to keep this column to migrate their old data, but it is not used during authentication at all). Today I got a user report about failed logins (and crashes) when FusionCMS was used by that user to create accounts.

Describe the solution you'd like
Switch to the supported method of account creation.

Describe alternatives you've considered
N/A (unless you count telling users to stop using your software as an alternative?)

Additional context
SRP is now utilized by battlenet_accounts using sha256 as the hash function with these constants:
srp_version = 1 (column in battlenet_accounts)
N = 86A7F6DEEB306CE519770FE37D556F29944132554DED0BD68205E27F3231FEF5A10108238A3150C59CAF7B0B6478691C13A6ACF5E1B5ADAFD4A943D4A21A142B800E8A55F8BFBAC700EB77A7235EE5A609E350EA9FC19F10D921C2FA832E4461B7125D38D254A0BE873DFC27858ACB3F8B9F258461E4373BC3A6C2A9634324AB
g = 2
Expected length of salt is 32 bytes, verifier 128 bytes.
$h = gmp_import(hash('sha256', $salt . hash('sha256', strtoupper(hash('sha256', $email, false) . ':' . substr($password, 0, 16)), true), true), 1, GMP_LSW_FIRST);

Additionally, using worldserver console commands to create battlenet accounts will instead create srp_version = 2, which uses a different algorithm to create verifier values (hash_pbkdf2 with sha512); I will leave it up to the maintainers of this project to decide whether to support that instead of version 1 or not (compared to v1, v2 passwords are case sensitive and limited to 128 characters instead of 16).
Reference C++ code for v2: https://github.com/TrinityCore/TrinityCore/blob/139051b0550e1b3e34aef9fd40de50071ef69422/src/common/Cryptography/Authentication/SRP6.cpp#L207-L221

The formula you wrote in the source is like this:

v = g ^ H(s || H(u || ':' || p)) mod N

But in the example you gave, the username is hashed separately and the password is attached to it.

$h = gmp_import(hash('sha256', $salt . hash('sha256', strtoupper(hash('sha256', $email, false) . ':' . substr($password, 0, 16)), true), true), 1, GMP_LSW_FIRST);

But according to formula, it should be like this, right?

$h = gmp_import(hash('sha256', $salt . hash('sha256', strtoupper(hash('sha256', strtoupper($username) . ':' . substr($password, 0, 16), false)), true), true), 1, GMP_LSW_FIRST);

Shauren commented 9 months ago

What you don't see in the C++ source snippet is that the username passed to that function is already a hex string made by SHA256(UPPER(email)), not the raw email (upper-cased or not).
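Added example (editor's code, not from the issue, FusionCMS or TrinityCore): the srp_version = 1 verifier derivation from Shauren's report, written out end to end so the point Shauren and Nightprince settle above is visible in code. `u` is the hex string SHA256(UPPER(email)), the whole `u:p` string is upper-cased, the password is cut to 16 bytes, and the final digest is read little-endian, which is what `gmp_import(..., 1, GMP_LSW_FIRST)` does in the PHP snippet. `N`, `g`, the 32-byte salt and the 128-byte verifier are taken from the issue; the little-endian byte order of the stored verifier is an assumption (the issue only gives its length), as are the function names, the `naive_verifier` contrast and the sample credentials. The e-mail and password in the tests are constructed, not real accounts.

```python
import hashlib
import hmac
import os
from typing import Tuple

# TrinityCore battlenet_accounts SRP6 parameters for srp_version = 1, copied from
# the issue above: N (1024-bit, hex as posted), g = 2, 32-byte salt, 128-byte verifier.
N_HEX = (
    "86A7F6DEEB306CE519770FE37D556F29944132554DED0BD68205E27F3231FEF5"
    "A10108238A3150C59CAF7B0B6478691C13A6ACF5E1B5ADAFD4A943D4A21A142B"
    "800E8A55F8BFBAC700EB77A7235EE5A609E350EA9FC19F10D921C2FA832E4461"
    "B7125D38D254A0BE873DFC27858ACB3F8B9F258461E4373BC3A6C2A9634324AB"
)
N = int(N_HEX, 16)
G = 2
SALT_LEN = 32
VERIFIER_LEN = 128   # N is 1024 bits, so v = g^x mod N always fits in 128 bytes
PASSWORD_MAX = 16    # v1 truncates the password to 16 bytes (substr($password, 0, 16))


def _ascii_upper(data: bytes) -> bytes:
    # bytes.upper() only maps ASCII letters, which is what PHP's strtoupper() does;
    # str.upper() would also fold non-ASCII characters and diverge from the PHP snippet.
    return data.upper()


def v1_inner_hash(email: str, password: str) -> bytes:
    """H(u || ':' || p) for srp_version = 1.

    The subtle point from the thread: u is NOT the e-mail. It is the hex string
    SHA256(UPPER(email)), and the whole "u:p" string is upper-cased afterwards,
    so both the hex digits and the password end up upper case.
    """
    u = hashlib.sha256(_ascii_upper(email.encode("utf-8"))).hexdigest().encode("ascii")
    p = password.encode("utf-8")[:PASSWORD_MAX]
    return hashlib.sha256(_ascii_upper(u + b":" + p)).digest()


def v1_x(salt: bytes, email: str, password: str) -> int:
    """x = H(s || H(u || ':' || p)), read little-endian like gmp_import(..., GMP_LSW_FIRST)."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes, got %d" % (SALT_LEN, len(salt)))
    digest = hashlib.sha256(salt + v1_inner_hash(email, password)).digest()
    return int.from_bytes(digest, "little")


def v1_verifier(salt: bytes, email: str, password: str) -> bytes:
    """v = g^x mod N as 128 bytes.

    Assumption (not stated in the issue): the verifier column uses the same
    little-endian byte order as the x import above. Confirm this against the
    server's SRP6 code before writing rows into battlenet_accounts.
    """
    v = pow(G, v1_x(salt, email, password), N)
    return v.to_bytes(VERIFIER_LEN, "little")


def naive_verifier(salt: bytes, email: str, password: str) -> bytes:
    """The formula v = g^H(s || H(u || ':' || p)) read literally with u = UPPER(email),
    i.e. without the inner SHA256-to-hex step. Kept only to show it yields a different
    verifier, which is the kind of row that produced the failed logins in the report."""
    p = password.encode("utf-8")[:PASSWORD_MAX]
    inner = hashlib.sha256(_ascii_upper(email.encode("utf-8") + b":" + p)).digest()
    x = int.from_bytes(hashlib.sha256(salt + inner).digest(), "little")
    return pow(G, x, N).to_bytes(VERIFIER_LEN, "little")


def create_account_row(email: str, password: str) -> Tuple[bytes, bytes]:
    """What a CMS should store for a new battlenet_accounts row: a fresh random
    32-byte salt and the matching 128-byte verifier (never the password itself)."""
    salt = os.urandom(SALT_LEN)
    return salt, v1_verifier(salt, email, password)


def row_matches(salt: bytes, verifier: bytes, email: str, password: str) -> bool:
    """Offline self-check: do these credentials reproduce the stored verifier?
    Useful for a CMS change-password or migration path that has the plaintext at hand.
    The game server never does this; it runs the SRP exchange against v instead."""
    return hmac.compare_digest(verifier, v1_verifier(salt, email, password))


if __name__ == "__main__":
    salt, verifier = create_account_row("user@example.com", "hunter2")   # constructed sample
    print("salt     ", salt.hex())
    print("verifier ", verifier.hex())
    print("matches  ", row_matches(salt, verifier, "USER@EXAMPLE.COM", "HUNTER2"))
```

The `row_matches` check is only meaningful where the plaintext is available (account creation, password change); to test that a row really authenticates you still have to log in against the worldserver, since that is the only place the full SRP exchange runs. v2 rows (PBKDF2-SHA512, case-sensitive, 128-character passwords) are not covered here because the issue gives only a link to the C++ for them.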