diff options
| -rw-r--r-- | src/account-server/account.h | 20 | ||||
| -rw-r--r-- | src/account-server/accountclient.cpp | 25 | ||||
| -rw-r--r-- | src/account-server/accountclient.h | 2 | ||||
| -rw-r--r-- | src/account-server/accounthandler.cpp | 73 | ||||
| -rw-r--r-- | src/common/manaserv_protocol.h | 2 |
5 files changed, 33 insertions, 89 deletions
diff --git a/src/account-server/account.h b/src/account-server/account.h index 4f4b807e..8a63e9f2 100644 --- a/src/account-server/account.h +++ b/src/account-server/account.h @@ -81,24 +81,6 @@ class Account const std::string &getPassword() const { return mPassword; } - /** - * Set the random salt. This salt is sent to the client, so the client - * can hash its password with this random salt. - * This will help to protect against replay attacks. - * - * @param the new random salt to be sent out next login - */ - void setRandomSalt(const std::string &salt) - { mRandomSalt = salt; } - - - /** - * Get the user random salt. - * - * @return the random salt used for next login. - */ - const std::string &getRandomSalt() const - { return mRandomSalt; } /** * Set the user email address. The email address is expected to be @@ -230,8 +212,6 @@ class Account std::string mName; /**< User name */ std::string mPassword; /**< User password (hashed with salt) */ - std::string mRandomSalt; /**< A random sequence sent to client to - protect against replay attacks.*/ std::string mEmail; /**< User email address (hashed) */ Characters mCharacters; /**< Character data */ int mID; /**< Unique id */ diff --git a/src/account-server/accountclient.cpp b/src/account-server/accountclient.cpp index df1b034c..822cbed5 100644 --- a/src/account-server/accountclient.cpp +++ b/src/account-server/accountclient.cpp @@ -20,9 +20,32 @@ #include "account-server/accountclient.h" +/** + * Generates a random string containing lowercase and uppercase characters as + * well as numbers. + */ +static std::string getRandomString(int length) +{ + std::string s; + s.resize(length); + for (int i = 0; i < length; ++i) + { + int r = rand() % 62; + if (r < 10) + s[i] = '0' + r; + else if (r < 36) + s[i] = 'a' + r - 10; + else + s[i] = 'A' + r - 36; + } + + return s; +} + AccountClient::AccountClient(ENetPeer *peer): NetComputer(peer), status(CLIENT_LOGIN), - version(0) + version(0), + token(getRandomString(8)) { } diff --git a/src/account-server/accountclient.h b/src/account-server/accountclient.h index 5ccb0f1d..6c64e2f6 100644 --- a/src/account-server/accountclient.h +++ b/src/account-server/accountclient.h @@ -51,7 +51,7 @@ class AccountClient : public NetComputer AccountClientStatus status; int version; - std::string stellarToken; + std::string token; private: std::unique_ptr<Account> mAccount; diff --git a/src/account-server/accounthandler.cpp b/src/account-server/accounthandler.cpp index e8161fcd..54fa2dbd 100644 --- a/src/account-server/accounthandler.cpp +++ b/src/account-server/accounthandler.cpp @@ -107,11 +107,6 @@ private: const std::string &email); void addServerInfo(MessageOut &msg); - /** List of all accounts which requested a random seed, but are not logged - * yet. This list will be regularly remove (after timeout) old accounts - */ - std::list<std::unique_ptr<Account>> mPendingAccounts; - /** List of attributes that the client can send at account creation. */ std::vector<int> mModifiableAttributes; @@ -322,52 +317,10 @@ static void sendFullCharacterData(AccountClient *client, client->send(msg); } -static std::string getRandomData(int length) +void AccountHandler::handleLoginRandTriggerMessage(AccountClient &client, MessageIn &) { - std::string s; - s.resize(length); - // No need to care about zeros. They can be handled. - // But care for endianness - for (int i = 0; i < length; ++i) - s[i] = (char)rand(); - - return s; -} - -/** - * Generates a random string containing lowercase and uppercase characters as - * well as numbers. - */ -static std::string getRandomString(int length) -{ - std::string s; - s.resize(length); - for (int i = 0; i < length; ++i) - { - int r = rand() % 62; - if (r < 10) - s[i] = '0' + r; - else if (r < 36) - s[i] = 'a' + r - 10; - else - s[i] = 'A' + r - 36; - } - - return s; -} - -void AccountHandler::handleLoginRandTriggerMessage(AccountClient &client, MessageIn &msg) -{ - std::string salt = getRandomData(4); - std::string username = msg.readString(); - - if (auto acc = storage->getAccount(username)) - { - acc->setRandomSalt(salt); - mPendingAccounts.push_back(std::move(acc)); - } MessageOut reply(APMSG_LOGIN_RNDTRGR_RESPONSE); - reply.writeString(salt); + reply.writeString(client.token); client.send(reply); } @@ -391,11 +344,9 @@ void AccountHandler::handleStellarLoginMessage(AccountClient &client, MessageIn return; } - client.stellarToken = getRandomString(8); - reply.writeInt8(ERRMSG_OK); - reply.writeString(client.stellarToken); - reply.writeString(mStellarLoginUrl + "?token=" + client.stellarToken); + reply.writeString(client.token); + reply.writeString(mStellarLoginUrl + "?token=" + client.token); client.send(reply); } @@ -457,19 +408,9 @@ void AccountHandler::handleLoginMessage(AccountClient &client, MessageIn &msg) } // Check if the account exists - auto accIt = std::find_if(mPendingAccounts.begin(), - mPendingAccounts.end(), - [&] (const std::unique_ptr<Account> &acc) { - return acc->getName() == username; - }); - - std::unique_ptr<Account> acc; - if (accIt != mPendingAccounts.end()) { - acc = std::move(*accIt); - mPendingAccounts.erase(accIt); - } + auto acc = storage->getAccount(username); - if (!acc || sha256(acc->getPassword() + acc->getRandomSalt()) != password) + if (!acc || sha256(acc->getPassword() + client.token) != password) { reply.writeInt8(ERRMSG_INVALID_ARGUMENT); client.send(reply); @@ -1087,7 +1028,7 @@ void AccountHandler::handleStellarLogin(const std::string &token, const std::str [token](NetComputer *client) -> bool { auto c = static_cast<AccountClient *>(client); - return c->stellarToken == token; + return c->token == token; }); if (it == clients.end()) diff --git a/src/common/manaserv_protocol.h b/src/common/manaserv_protocol.h index 9bb50337..67e812ac 100644 --- a/src/common/manaserv_protocol.h +++ b/src/common/manaserv_protocol.h @@ -77,7 +77,7 @@ enum { APMSG_LOGIN_RESPONSE = 0x0012, // B error, S updatehost, S Client data URL, B Character slots, {content of APMSG_CHAR_CREATE_RESPONSE (without error code)}* PAMSG_LOGOUT = 0x0013, // - APMSG_LOGOUT_RESPONSE = 0x0014, // B error - PAMSG_LOGIN_RNDTRGR = 0x0015, // S username + PAMSG_LOGIN_RNDTRGR = 0x0015, // - APMSG_LOGIN_RNDTRGR_RESPONSE = 0x0016, // S random seed PAMSG_STELLAR_LOGIN = 0x0017, // D version APMSG_STELLAR_LOGIN_RESPONSE = 0x0018, // B error, S token, S url |