author | Yohann Ferreira <bertram@cegetel.net> | 2008-04-21 16:23:56 +0000 |
---|---|---|
committer | Yohann Ferreira <bertram@cegetel.net> | 2008-04-21 16:23:56 +0000 |
commit | 5a341534a7de64c2a83ca06d594b982f373d7a1b (patch) | |
tree | 2f46da8c1d76f01c3e113f0b06cf5f273ea59846 /src/account-server/accounthandler.cpp | |
parent | 220f58528e5ae82203952de6a6df4855519917f4 (diff) | |
Added password and email encryption server-side using SHA256.
Diffstat (limited to 'src/account-server/accounthandler.cpp')
-rw-r--r-- | src/account-server/accounthandler.cpp | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/src/account-server/accounthandler.cpp b/src/account-server/accounthandler.cpp
index dba3ca14..20b3b9be 100644
--- a/src/account-server/accounthandler.cpp
+++ b/src/account-server/accounthandler.cpp
@@ -40,6 +40,7 @@
 #include "utils/stringfilter.h"
 #include "utils/tokencollector.hpp"
 #include "utils/tokendispenser.hpp"
+#include "utils/encryption.h"
 class AccountHandler : public ConnectionHandler
 {
@@ -293,8 +294,12 @@ static void handleRegisterMessage(AccountClient &computer, MessageIn &msg)
 {
 reply.writeByte(ERRMSG_INVALID_ARGUMENT);
 }
- else if ((password.length() < MIN_PASSWORD_LENGTH) ||
- (password.length() > MAX_PASSWORD_LENGTH))
+ else if (password.length() < MIN_PASSWORD_LENGTH ||
+ password.length() > MAX_PASSWORD_LENGTH)
+ {
+ reply.writeByte(ERRMSG_INVALID_ARGUMENT);
+ }
+ else if (stringFilter->findDoubleQuotes(password))
 {
 reply.writeByte(ERRMSG_INVALID_ARGUMENT);
 }
@@ -313,7 +318,7 @@ static void handleRegisterMessage(AccountClient &computer, MessageIn &msg)
 reply.writeByte(REGISTER_EXISTS_USERNAME);
 }
 // Find out whether the email is already in use.
- else if (storage->doesEmailAddressExist(email))
+ else if (storage->doesEmailAddressExist(Encryption::GetSHA2Hash(email)))
 {
 reply.writeByte(REGISTER_EXISTS_EMAIL);
 }
@@ -321,8 +326,12 @@ static void handleRegisterMessage(AccountClient &computer, MessageIn &msg)
 {
 Account *acc = new Account;
 acc->setName(username);
- acc->setPassword(password);
- acc->setEmail(email);
+ // We hash the password using the username
+ // as salt.
+ acc->setPassword(Encryption::GetSHA2Hash(
+ std::string(username+password)));
+ // We hash Email server-side without using a salt.
+ acc->setEmail(Encryption::GetSHA2Hash(email));
 acc->setLevel(AL_NORMAL);
 storage->addAccount(acc);
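Review bot: The added `findDoubleQuotes(password)` branch in handleRegisterMessage restricts which characters a password may contain, although the later hunk in this function only passes the password through `Encryption::GetSHA2Hash` before `setPassword`, so as far as these hunks show the raw characters never reach storage. If the filter exists because queries are assembled from strings somewhere outside this diff, binding parameters in the storage layer would address that without narrowing the password space. I would drop the branch or add a comment stating what it protects, for example `// password still reaches <unhashed code path>; reject quotes until that path binds parameters`. The function body starts and ends outside the hunk.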
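Review bot: Looking the address up by `Encryption::GetSHA2Hash(email)` makes the uniqueness check exact-byte, so `User@Example.org` and `user@example.org` produce different digests and the same mailbox can be registered twice unless `email` is normalised before hashing; nothing in the hunk does that. The same applies to both calls in handleEmailChangeMessage (the `-400,13` hunk). Rows written before this change presumably hold plaintext addresses and will never match a digest, so without a migration step the duplicate check stops working for existing accounts. Computing the digest once, e.g. `const std::string emailHash = Encryption::GetSHA2Hash(email);`, and reusing it for the lookup and for `setEmail` would keep the two values from drifting apart.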
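Review bot: `Encryption::GetSHA2Hash(std::string(username+password))` is a single pass of a fast hash with a predictable salt, which leaves stored passwords open to cheap offline guessing if the account table leaks; a password-hashing function with a work factor (PBKDF2, bcrypt, scrypt) and a random per-account salt stored beside the digest is the appropriate construction here. Plain concatenation is also ambiguous, because user `ab` with a password starting `c…` and user `abc` with the remainder yield the same input; a length prefix or a separator that cannot occur in a username removes that. The unsalted email digest gives little confidentiality, since addresses are guessable and can be tested against the column, and it prevents the server from ever mailing the user, so the comment should describe it as pseudonymisation rather than encryption. The enclosing else-branch continues past the hunk.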
@@ -400,13 +409,13 @@ static void handleEmailChangeMessage(AccountClient &computer, MessageIn &msg)
 {
 reply.writeByte(ERRMSG_INVALID_ARGUMENT);
 }
- else if (storage->doesEmailAddressExist(email))
+ else if (storage->doesEmailAddressExist(Encryption::GetSHA2Hash(email)))
 {
 reply.writeByte(EMAILCHG_EXISTS_EMAIL);
 }
 else
 {
- acc->setEmail(email);
+ acc->setEmail(Encryption::GetSHA2Hash(email));
 // Keep the database up to date otherwise we will go out of sync
 storage->flush(acc);
 reply.writeByte(ERRMSG_OK);
@@ -444,8 +453,7 @@ static void handlePasswordChangeMessage(AccountClient &computer, MessageIn &msg)
 {
 reply.writeByte(ERRMSG_NO_LOGIN);
 }
- else if (newPassword.length() < MIN_PASSWORD_LENGTH ||
- newPassword.length() > MAX_PASSWORD_LENGTH)
+ else if (newPassword.length() != Encryption::SHA256HashLength)
 {
 reply.writeByte(ERRMSG_INVALID_ARGUMENT);
 }
 |
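Review bot: The check `newPassword.length() != Encryption::SHA256HashLength` implies the client now sends a digest on password change, while handleRegisterMessage in this same commit receives the plaintext and hashes `username+password` server-side; the two paths should agree on who hashes and over what input, otherwise a changed password may not verify at login. With a client-supplied digest the server can no longer enforce `MIN_PASSWORD_LENGTH` and `MAX_PASSWORD_LENGTH`, and a length test alone accepts any string of that size, so the value should at least be validated against the digest's encoding (presumably hexadecimal; not visible here). If the received digest is stored as is (the `setPassword` call is outside the hunk), the stored value is itself sufficient to authenticate and the table needs the same protection as plaintext passwords. Hashing the received value again server-side with a per-account salt before storing it would avoid that.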