Registration support SRP6 for TC.
masterking32 committed Aug 3, 2020
1 parent bcc998f commit b800347
Showing 4 changed files with 152 additions and 44 deletions.
2 changes: 1 addition & 1 deletion application/config/config.php.sample
Expand Up @@ -288,4 +288,4 @@ $config['realmlists'] = array( // Add your realmlist here



$config['script_version'] = '1.9.7';
$config['script_version'] = '1.9.7.5';
44 changes: 43 additions & 1 deletion application/include/functions.php
Expand Up @@ -284,4 +284,46 @@ function GetCaptchaHTML()
}

return '<div class="input-group"><span class="input-group">Captcha</span><input type="text" class="form-control" placeholder="Captcha" name="captcha"></div><p style="text-align: center;margin-top: 10px;"><img src="' . user::$captcha->inline() . '" style="border - radius: 5px;"/></p>';
}
}

// Its from Trinitycore/account-creator
function calculateSRP6Verifier($username, $password, $salt)
{
// algorithm constants
$g = gmp_init(7);
$N = gmp_init('894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C82872A3E9BB7', 16);

// calculate first hash
$h1 = sha1(strtoupper($username . ':' . $password), TRUE);

// calculate second hash
$h2 = sha1($salt.$h1, TRUE);

// convert to integer (little-endian)
$h2 = gmp_import($h2, 1, GMP_LSW_FIRST);

// g^h2 mod N
$verifier = gmp_powm($g, $h2, $N);

// convert back to a byte array (little-endian)
$verifier = gmp_export($verifier, 1, GMP_LSW_FIRST);

// pad to 32 bytes, remember that zeros go on the end in little-endian!
$verifier = str_pad($verifier, 32, chr(0), STR_PAD_RIGHT);

// done!
return $verifier;
}

// Returns SRP6 parameters to register this username/password combination with
function getRegistrationData($username, $password)
{
// generate a random salt
$salt = random_bytes(32);

// calculate verifier using this salt
$verifier = calculateSRP6Verifier($username, $password, $salt);

// done - this is what you put in the account table!
return array($salt, $verifier);
}
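Review bot: calculateSRP6Verifier calls gmp_init, gmp_import, gmp_powm and gmp_export with no guard, so on a host without the gmp extension the first registration with srp6_support enabled dies with an undefined-function fatal instead of a readable error, and the diffstat shows no README or composer change declaring the requirement. A check at the top of the function such as `if (!extension_loaded('gmp')) { throw new RuntimeException('SRP6 support requires the PHP gmp extension'); }` would surface the problem where it is actionable. Both new functions also lack type declarations and docblocks; a docblock on getRegistrationData should state that `$salt` and the returned verifier are raw 32-byte binary strings to be stored as-is (not hex-encoded and not passed through xss_clean), which is how the user.php hunks in this commit already use them. The algorithm body (upper-cased `user:pass`, two SHA-1 rounds, little-endian import/export, zero-padding on the right) matches the TrinityCore account-creator reference the comment credits.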
148 changes: 107 additions & 41 deletions application/include/user.php
Expand Up @@ -84,6 +84,29 @@ public static function bnet_register()
return false;
}

if (empty(get_config('srp6_support'))) {
$bnet_hashed_pass = strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash('sha256', strtoupper(hash('sha256', strtoupper($_POST['email'])) . ':' . strtoupper($_POST['password']))))))));
database::$auth->insert('battlenet_accounts', [
'email' => $antiXss->xss_clean(strtoupper($_POST['email'])),
'sha_pass_hash' => $antiXss->xss_clean($bnet_hashed_pass)
]);

$bnet_account_id = database::$auth->id();
$username = $bnet_account_id . '#1';
$hashed_pass = strtoupper(sha1(strtoupper($username . ':' . $_POST['password'])));
database::$auth->insert('account', [
'username' => $antiXss->xss_clean(strtoupper($username)),
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'email' => $antiXss->xss_clean(strtoupper($_POST['email'])),
'expansion' => $antiXss->xss_clean(get_config('expansion')),
'battlenet_account' => $bnet_account_id,
'battlenet_index' => 1
]);
success_msg('Your account has been created.');
return true;
}

list($salt, $verifier) = getRegistrationData(strtoupper($_POST['username']), $_POST['password']);
$bnet_hashed_pass = strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash('sha256', strtoupper(hash('sha256', strtoupper($_POST['email'])) . ':' . strtoupper($_POST['password']))))))));
database::$auth->insert('battlenet_accounts', [
'email' => $antiXss->xss_clean(strtoupper($_POST['email'])),
Expand All @@ -92,10 +115,10 @@ public static function bnet_register()

$bnet_account_id = database::$auth->id();
$username = $bnet_account_id . '#1';
$hashed_pass = strtoupper(sha1(strtoupper($username . ':' . $_POST['password'])));
database::$auth->insert('account', [
'username' => $antiXss->xss_clean(strtoupper($username)),
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'salt' => $salt,
'verifier' => $verifier,
'email' => $antiXss->xss_clean(strtoupper($_POST['email'])),
'expansion' => $antiXss->xss_clean(get_config('expansion')),
'battlenet_account' => $bnet_account_id,
Expand Down Expand Up @@ -156,34 +179,49 @@ public static function normal_register()
}

if (empty(get_config('soap_for_register'))) {
$hashed_pass = strtoupper(sha1(strtoupper($_POST['username'] . ':' . $_POST['password'])));
if (empty(get_config('srp6_support'))) {
$hashed_pass = strtoupper(sha1(strtoupper($_POST['username'] . ':' . $_POST['password'])));
database::$auth->insert('account', [
'username' => $antiXss->xss_clean(strtoupper($_POST['username'])),
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'email' => $antiXss->xss_clean(strtoupper($_POST['email'])),
//'reg_mail' => $antiXss->xss_clean(strtoupper($_POST['email'])),
'expansion' => $antiXss->xss_clean(get_config('expansion'))
]);
success_msg('Your account has been created.');
return true;
}

list($salt, $verifier) = getRegistrationData(strtoupper($_POST['username']), $_POST['password']);
database::$auth->insert('account', [
'username' => $antiXss->xss_clean(strtoupper($_POST['username'])),
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'salt' => $salt,
'verifier' => $verifier,
'email' => $antiXss->xss_clean(strtoupper($_POST['email'])),
//'reg_mail' => $antiXss->xss_clean(strtoupper($_POST['email'])),
'expansion' => $antiXss->xss_clean(get_config('expansion'))
]);
success_msg('Your account has been created.');
} else {
$command = str_replace('{USERNAME}', $antiXss->xss_clean(strtoupper($_POST['username'])), get_config('soap_ca_command'));
$command = str_replace('{PASSWORD}', $antiXss->xss_clean($_POST['password']), $command);
$command = str_replace('{EMAIL}', $antiXss->xss_clean(strtoupper($_POST['email'])), $command);
if (RemoteCommandWithSOAP($command)) {
if (!empty(get_config('soap_asa_command'))) {
$command_addon = str_replace('{USERNAME}', $antiXss->xss_clean(strtoupper($_POST['username'])), get_config('soap_asa_command'));
$command_addon = str_replace('{EXPANSION}', get_config('expansion'), $command_addon);
RemoteCommandWithSOAP($command_addon);
}

database::$auth->update('account', [
'email' => $antiXss->xss_clean(strtoupper($_POST['email']))
], ['username' => Medoo::raw('UPPER(:username)', [':username' => $antiXss->xss_clean(strtoupper($_POST['username']))])]);
return true;
}

success_msg('Your account has been created.');
} else {
error_msg('ERROR!, Please try again!');
$command = str_replace('{USERNAME}', $antiXss->xss_clean(strtoupper($_POST['username'])), get_config('soap_ca_command'));
$command = str_replace('{PASSWORD}', $antiXss->xss_clean($_POST['password']), $command);
$command = str_replace('{EMAIL}', $antiXss->xss_clean(strtoupper($_POST['email'])), $command);
if (RemoteCommandWithSOAP($command)) {
if (!empty(get_config('soap_asa_command'))) {
$command_addon = str_replace('{USERNAME}', $antiXss->xss_clean(strtoupper($_POST['username'])), get_config('soap_asa_command'));
$command_addon = str_replace('{EXPANSION}', get_config('expansion'), $command_addon);
RemoteCommandWithSOAP($command_addon);
}

database::$auth->update('account', [
'email' => $antiXss->xss_clean(strtoupper($_POST['email']))
], ['username' => Medoo::raw('UPPER(:username)', [':username' => $antiXss->xss_clean(strtoupper($_POST['username']))])]);

success_msg('Your account has been created.');
} else {
error_msg('ERROR!, Please try again!');
}

return true;
Expand Down Expand Up @@ -421,26 +459,7 @@ public static function restorepassword_setnewpw($user_data, $restore_key)

if (get_config('battlenet_support')) {
$message = 'Your new account information : <br>Email: ' . strtolower($userinfo['email']) . '<br>Password: ' . $new_password;
$hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $new_password)));
database::$auth->update('account', [
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'sessionkey' => '',
'v' => '',
's' => '',
'restore_key' => '1'
], [
'id[=]' => $userinfo['id']
]);

$bnet_hashed_pass = strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash('sha256', strtoupper(hash('sha256', strtoupper($userinfo['email'])) . ':' . strtoupper($new_password))))))));
database::$auth->update('battlenet_accounts', [
'sha_pass_hash' => $antiXss->xss_clean($bnet_hashed_pass)
], [
'id[=]' => $userinfo['battlenet_account']
]);
} else {
$message = 'Your new account information : <br>Username: ' . strtolower($userinfo['username']) . '<br>Password: ' . $new_password;
if (empty(get_config('soap_for_register'))) {
if (empty(get_config('srp6_support'))) {
$hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $new_password)));
database::$auth->update('account', [
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
Expand All @@ -451,6 +470,53 @@ public static function restorepassword_setnewpw($user_data, $restore_key)
], [
'id[=]' => $userinfo['id']
]);
} else {
list($salt, $verifier) = getRegistrationData(strtoupper($userinfo['username']), $new_password);
database::$auth->update('account', [
'salt' => $salt,
'verifier' => $verifier,
'sessionkey' => '',
'v' => '',
's' => '',
'restore_key' => '1'
], [
'id[=]' => $userinfo['id']
]);
}

$bnet_hashed_pass = strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash('sha256', strtoupper(hash('sha256', strtoupper($userinfo['email'])) . ':' . strtoupper($new_password))))))));
database::$auth->update('battlenet_accounts', [
'sha_pass_hash' => $antiXss->xss_clean($bnet_hashed_pass)
], [
'id[=]' => $userinfo['battlenet_account']
]);
} else {
$message = 'Your new account information : <br>Username: ' . strtolower($userinfo['username']) . '<br>Password: ' . $new_password;
if (empty(get_config('soap_for_register'))) {
if (empty(get_config('srp6_support'))) {
$hashed_pass = strtoupper(sha1(strtoupper($userinfo['username'] . ':' . $new_password)));
database::$auth->update('account', [
'sha_pass_hash' => $antiXss->xss_clean($hashed_pass),
'sessionkey' => '',
'v' => '',
's' => '',
'restore_key' => '1'
], [
'id[=]' => $userinfo['id']
]);
} else {
list($salt, $verifier) = getRegistrationData(strtoupper($userinfo['username']), $new_password);
database::$auth->update('account', [
'salt' => $salt,
'verifier' => $verifier,
'sessionkey' => '',
'v' => '',
's' => '',
'restore_key' => '1'
], [
'id[=]' => $userinfo['id']
]);
}
} else {
$command = str_replace('{USERNAME}', $antiXss->xss_clean(strtoupper($userinfo['username'])), get_config('soap_cp_command'));
$command = str_replace('{PASSWORD}', $antiXss->xss_clean($new_password), $command);
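Review bot: In bnet_register the SRP6 branch computes the credentials at `list($salt, $verifier) = getRegistrationData(strtoupper($_POST['username']), $_POST['password']);` before the game-account name `$username = $bnet_account_id . '#1'` exists, so the verifier written to `account` is bound to the posted username rather than to the `ID#1` name the row is inserted under, whereas the legacy branch just above hashes `$username . ':' . $_POST['password']`, which is presumably the identity the auth server checks. If the battle.net form has no `username` field at all, the verifier is derived from an unset value and every SRP6 login on that game account will fail. Move the call after the id is known: `$username = $bnet_account_id . '#1';` followed by `list($salt, $verifier) = getRegistrationData($username, $_POST['password']);`. The commit reads `get_config('srp6_support')` in three places but, as far as the diffstat shows, adds no `srp6_support` key to config.php.sample, so installations stay on the legacy sha_pass_hash path unless the admin discovers the key. bnet_register starts before this hunk and continues past it.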
2 changes: 1 addition & 1 deletion application/loader.php
Expand Up @@ -37,7 +37,7 @@
$antiXss = new AntiXSS();
if (!empty(get_config('script_version'))) {
/* @TODO Add online version check! */
if(version_compare(get_config('script_version'), '1.9.7', '<') )
if(version_compare(get_config('script_version'), '1.9.8', '<') )
{
echo 'Use last version of config.php file.';
exit();
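Review bot: If the added line is the one comparing against '1.9.8', the loader now rejects the config.php.sample shipped in this same commit, whose script_version is set to '1.9.7.5': version_compare('1.9.7.5', '1.9.8', '<') is true, so a fresh install prints 'Use last version of config.php file.' and exits. The two values should agree, e.g. `if(version_compare(get_config('script_version'), '1.9.7.5', '<') )` here, or the sample should be bumped to 1.9.8. The old/new sides are inferred from print order because the rendered page has lost its +/- markers.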
