All new accounts will now have their passwords stored in SHA256.

Supersedes all previous authentication methods, except VAULT TOKEN.
This is done on registration and when changing password.

1 files changed, 10 insertions, 7 deletions

diff --git a/src/elogin/parse.c b/src/elogin/parse.c
index 73e1ab1..2eb71f5 100644
--- a/src/elogin/parse.c
+++ b/src/elogin/parse.c
@@ -185,15 +185,15 @@ enum parsefunc_rcode elogin_parse_ping_pre(int *fd __attribute__ ((unused)),
 
 void elogin_parse_change_paassword(int fd)
 {
-    char actual_pass[24], new_pass[24];
+    char actual_pass[65], new_pass[65];
     int  status = 0;
     struct mmo_account acc;
     const int accountId = RFIFOL (fd, 2);
 
-    memcpy (actual_pass, RFIFOP (fd, 6), 24);
-    actual_pass[23] = '\0';
-    memcpy (new_pass, RFIFOP (fd, 30), 24);
-    new_pass[23] = '\0';
+    memcpy (actual_pass, RFIFOP (fd, 6), 65);
+    actual_pass[64] = '\0';
+    memcpy (new_pass, RFIFOP (fd, 30), 65);
+    new_pass[64] = '\0';
 
     if (!login->accounts->load_num(login->accounts, &acc, accountId))
     {
@@ -202,12 +202,15 @@ void elogin_parse_change_paassword(int fd)
         return;
     }
 
-    if (!strcmp(actual_pass, acc.pass) || pass_ok(actual_pass, acc.pass))
+    if (!strcmp(actual_pass, acc.pass) ||
+        pass_ok(actual_pass, acc.pass) ||
+        pass_sha256(actual_pass, acc.pass))
     {
         // changed ok
         status = 1;
         // Hash password
-        safestrncpy(acc.pass, MD5_saltcrypt(new_pass, make_salt()), sizeof(acc.pass));
+        //safestrncpy(acc.pass, MD5_saltcrypt(new_pass, make_salt()), sizeof(acc.pass));
+        safestrncpy(acc.pass, SHA256_CRYPT(new_pass), sizeof(acc.pass));
         login->accounts->save(login->accounts, &acc);
     }
     else