From e0151d1054c9923630b8ae9cdae36efa261756d3 Mon Sep 17 00:00:00 2001 From: est31 Date: Wed, 9 Mar 2016 03:12:22 +0100 Subject: [PATCH] Much better API for auth.{cpp, h} * No function overloading * Adhere coding style and with method names following lowercase_underscore_style * Use std::string in external API, handling these is much more fun --- src/client.cpp | 26 +++---- src/network/serverpackethandler.cpp | 36 ++++----- src/script/lua_api/l_util.cpp | 2 +- src/util/auth.cpp | 116 +++++++++++++++------------- src/util/auth.h | 35 ++++++--- 5 files changed, 112 insertions(+), 103 deletions(-) diff --git a/src/client.cpp b/src/client.cpp index e13344ec..41468f0f 100644 --- a/src/client.cpp +++ b/src/client.cpp @@ -399,7 +399,7 @@ void Client::step(float dtime) memset(pName, 0, PLAYERNAME_SIZE * sizeof(char)); memset(pPassword, 0, PASSWORD_SIZE * sizeof(char)); - std::string hashed_password = translatePassword(myplayer->getName(), m_password); + std::string hashed_password = translate_password(myplayer->getName(), m_password); snprintf(pName, PLAYERNAME_SIZE, "%s", myplayer->getName()); snprintf(pPassword, PASSWORD_SIZE, "%s", hashed_password.c_str()); @@ -1031,18 +1031,14 @@ void Client::startAuth(AuthMechanism chosen_auth_mechanism) switch (chosen_auth_mechanism) { case AUTH_MECHANISM_FIRST_SRP: { // send srp verifier to server + std::string verifier; + std::string salt; + generate_srp_verifier_and_salt(getPlayerName(), m_password, + &verifier, &salt); + NetworkPacket resp_pkt(TOSERVER_FIRST_SRP, 0); - char *salt, *bytes_v; - std::size_t len_salt, len_v; - salt = NULL; - getSRPVerifier(getPlayerName(), m_password, - &salt, &len_salt, &bytes_v, &len_v); - resp_pkt - << std::string((char*)salt, len_salt) - << std::string((char*)bytes_v, len_v) - << (u8)((m_password == "") ? 1 : 0); - free(salt); - free(bytes_v); + resp_pkt << salt << verifier << (u8)((m_password == "") ? 1 : 0); + Send(&resp_pkt); break; } @@ -1051,7 +1047,7 @@ void Client::startAuth(AuthMechanism chosen_auth_mechanism) u8 based_on = 1; if (chosen_auth_mechanism == AUTH_MECHANISM_LEGACY_PASSWORD) { - m_password = translatePassword(getPlayerName(), m_password); + m_password = translate_password(getPlayerName(), m_password); based_on = 0; } @@ -1197,8 +1193,8 @@ void Client::sendChangePassword(const std::string &oldpassword, m_new_password = newpassword; startAuth(choseAuthMech(m_sudo_auth_methods)); } else { - std::string oldpwd = translatePassword(playername, oldpassword); - std::string newpwd = translatePassword(playername, newpassword); + std::string oldpwd = translate_password(playername, oldpassword); + std::string newpwd = translate_password(playername, newpassword); NetworkPacket pkt(TOSERVER_PASSWORD_LEGACY, 2 * PASSWORD_SIZE); diff --git a/src/network/serverpackethandler.cpp b/src/network/serverpackethandler.cpp index ef99a634..ac00b1d8 100644 --- a/src/network/serverpackethandler.cpp +++ b/src/network/serverpackethandler.cpp @@ -261,9 +261,9 @@ void Server::handleCommand_Init(NetworkPacket* pkt) auth_mechs |= AUTH_MECHANISM_FIRST_SRP; } else { // Take care of default passwords. - client->enc_pwd = getSRPVerifier(playerName, default_password); + client->enc_pwd = get_encoded_srp_verifier(playerName, default_password); auth_mechs |= AUTH_MECHANISM_SRP; - // Create auth, but only on successful login + // Allocate player in db, but only on successful login. client->create_player_on_auth_success = true; } } @@ -549,7 +549,7 @@ void Server::handleCommand_Init_Legacy(NetworkPacket* pkt) std::string raw_default_password = g_settings->get("default_password"); std::string initial_password = - translatePassword(playername, raw_default_password); + translate_password(playername, raw_default_password); // If default_password is empty, allow any initial password if (raw_default_password.length() == 0) @@ -1831,7 +1831,7 @@ void Server::handleCommand_FirstSrp(NetworkPacket* pkt) std::string initial_ver_key; - initial_ver_key = encodeSRPVerifier(verification_key, salt); + initial_ver_key = encode_srp_verifier(verification_key, salt); m_script->createAuth(playername, initial_ver_key); acceptAuth(pkt->getPeerId(), false); @@ -1843,7 +1843,7 @@ void Server::handleCommand_FirstSrp(NetworkPacket* pkt) return; } m_clients.event(pkt->getPeerId(), CSE_SudoLeave); - std::string pw_db_field = encodeSRPVerifier(verification_key, salt); + std::string pw_db_field = encode_srp_verifier(verification_key, salt); bool success = m_script->setPassword(playername, pw_db_field); if (success) { actionstream << playername << " changes password" << std::endl; @@ -1917,22 +1917,14 @@ void Server::handleCommand_SrpBytesA(NetworkPacket* pkt) client->chosen_mech = chosen; - std::string bytes_s; - std::string bytes_v; + std::string salt; + std::string verifier; if (based_on == 0) { - char *p_bytes_s = 0; - size_t len_s = 0; - char *p_bytes_v = 0; - size_t len_v = 0; - getSRPVerifier(client->getName(), client->enc_pwd, - &p_bytes_s, &len_s, - &p_bytes_v, &len_v); - bytes_s = std::string(p_bytes_s, len_s); - bytes_v = std::string(p_bytes_v, len_v); - free(p_bytes_s); - free(p_bytes_v); - } else if (!decodeSRPVerifier(client->enc_pwd, &bytes_s, &bytes_v)) { + + generate_srp_verifier_and_salt(client->getName(), client->enc_pwd, + &verifier, &salt); + } else if (!decode_srp_verifier_and_salt(client->enc_pwd, &verifier, &salt)) { // Non-base64 errors should have been catched in the init handler actionstream << "Server: User " << client->getName() << " tried to log in, but srp verifier field" @@ -1946,8 +1938,8 @@ void Server::handleCommand_SrpBytesA(NetworkPacket* pkt) client->auth_data = srp_verifier_new(SRP_SHA256, SRP_NG_2048, client->getName().c_str(), - (const unsigned char *) bytes_s.c_str(), bytes_s.size(), - (const unsigned char *) bytes_v.c_str(), bytes_v.size(), + (const unsigned char *) salt.c_str(), salt.size(), + (const unsigned char *) verifier.c_str(), verifier.size(), (const unsigned char *) bytes_A.c_str(), bytes_A.size(), NULL, 0, (unsigned char **) &bytes_B, &len_B, NULL, NULL); @@ -1966,7 +1958,7 @@ void Server::handleCommand_SrpBytesA(NetworkPacket* pkt) } NetworkPacket resp_pkt(TOCLIENT_SRP_BYTES_S_B, 0, pkt->getPeerId()); - resp_pkt << bytes_s << std::string(bytes_B, len_B); + resp_pkt << salt << std::string(bytes_B, len_B); Send(&resp_pkt); } diff --git a/src/script/lua_api/l_util.cpp b/src/script/lua_api/l_util.cpp index f990dacf..c3e6c896 100644 --- a/src/script/lua_api/l_util.cpp +++ b/src/script/lua_api/l_util.cpp @@ -251,7 +251,7 @@ int ModApiUtil::l_get_password_hash(lua_State *L) NO_MAP_LOCK_REQUIRED; std::string name = luaL_checkstring(L, 1); std::string raw_password = luaL_checkstring(L, 2); - std::string hash = translatePassword(name, raw_password); + std::string hash = translate_password(name, raw_password); lua_pushstring(L, hash.c_str()); return 1; } diff --git a/src/util/auth.cpp b/src/util/auth.cpp index 0c17a923..91298725 100644 --- a/src/util/auth.cpp +++ b/src/util/auth.cpp @@ -1,6 +1,6 @@ /* Minetest -Copyright (C) 2015 est31 +Copyright (C) 2015, 2016 est31 This program is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by @@ -31,7 +31,7 @@ with this program; if not, write to the Free Software Foundation, Inc., // their password. (Exception : if the password field is // blank, we send a blank password - this is for backwards // compatibility with password-less players). -std::string translatePassword(const std::string &name, +std::string translate_password(const std::string &name, const std::string &password) { if (password.length() == 0) @@ -46,7 +46,11 @@ std::string translatePassword(const std::string &name, return pwd; } -void getSRPVerifier(const std::string &name, +// Call lower level SRP code to generate a verifier with the +// given pointers. Contains the preparations, call parameters +// and error checking common to all srp verifier generation code. +// See docs of srp_create_salted_verification_key for more info. +static inline void gen_srp_v(const std::string &name, const std::string &password, char **salt, size_t *salt_len, char **bytes_v, size_t *len_v) { @@ -58,72 +62,76 @@ void getSRPVerifier(const std::string &name, FATAL_ERROR_IF(res != SRP_OK, "Couldn't create salted SRP verifier"); } -// Get a db-ready SRP verifier -// If the salt param is NULL, one is automatically generated. -// Please free() it afterwards. You shouldn't use it for other purposes, -// as you will need the contents of salt_len too. -inline static std::string getSRPVerifier(const std::string &name, - const std::string &password, char ** salt, size_t salt_len) -{ - char * bytes_v = NULL; - size_t len_v; - getSRPVerifier(name, password, salt, &salt_len, - &bytes_v, &len_v); - assert(*salt); // usually, srp_create_salted_verification_key promises us to return SRP_ERR when *salt == NULL - std::string ret_val = encodeSRPVerifier(std::string(bytes_v, len_v), - std::string(*salt, salt_len)); - free(bytes_v); - return ret_val; -} - -// Get a db-ready SRP verifier -std::string getSRPVerifier(const std::string &name, - const std::string &password) -{ - char * salt = NULL; - std::string ret_val = getSRPVerifier(name, - password, &salt, 0); - free(salt); - return ret_val; -} - -// Get a db-ready SRP verifier -std::string getSRPVerifier(const std::string &name, +/// Creates a verification key with given salt and password. +std::string generate_srp_verifier(const std::string &name, const std::string &password, const std::string &salt) { - // The implementation won't change the salt if its set, - // therefore we can cast. - char *salt_cstr = (char *)salt.c_str(); - return getSRPVerifier(name, password, - &salt_cstr, salt.size()); + size_t salt_len = salt.size(); + // The API promises us that the salt doesn't + // get modified if &salt_ptr isn't NULL. + char *salt_ptr = (char *)salt.c_str(); + + char *bytes_v = NULL; + size_t verifier_len = 0; + gen_srp_v(name, password, &salt_ptr, &salt_len, &bytes_v, &verifier_len); + std::string verifier = std::string(bytes_v, verifier_len); + free(bytes_v); + return verifier; } -// Make a SRP verifier db-ready -std::string encodeSRPVerifier(const std::string &verifier, +/// Creates a verification key and salt with given password. +void generate_srp_verifier_and_salt(const std::string &name, + const std::string &password, std::string *verifier, + std::string *salt) +{ + char *bytes_v = NULL; + size_t verifier_len; + char *salt_ptr = NULL; + size_t salt_len; + gen_srp_v(name, password, &salt_ptr, &salt_len, &bytes_v, &verifier_len); + *verifier = std::string(bytes_v, verifier_len); + *salt = std::string(salt_ptr, salt_len); + free(bytes_v); + free(salt_ptr); +} + +/// Gets an SRP verifier, generating a salt, +/// and encodes it as DB-ready string. +std::string get_encoded_srp_verifier(const std::string &name, + const std::string &password) +{ + std::string verifier; + std::string salt; + generate_srp_verifier_and_salt(name, password, &verifier, &salt); + return encode_srp_verifier(verifier, salt); +} + +/// Converts the passed SRP verifier into a DB-ready format. +std::string encode_srp_verifier(const std::string &verifier, const std::string &salt) { std::ostringstream ret_str; ret_str << "#1#" - << base64_encode((unsigned char*) salt.c_str(), salt.size()) << "#" - << base64_encode((unsigned char*) verifier.c_str(), verifier.size()); + << base64_encode((unsigned char *)salt.c_str(), salt.size()) << "#" + << base64_encode((unsigned char *)verifier.c_str(), verifier.size()); return ret_str.str(); } -bool decodeSRPVerifier(const std::string &enc_pwd, - std::string *salt, std::string *bytes_v) +/// Reads the DB-formatted SRP verifier and gets the verifier +/// and salt components. +bool decode_srp_verifier_and_salt(const std::string &encoded, + std::string *verifier, std::string *salt) { - std::vector pwd_components = str_split(enc_pwd, '#'); + std::vector components = str_split(encoded, '#'); - if ((pwd_components.size() != 4) - || (pwd_components[1] != "1") // 1 means srp - || !base64_is_valid(pwd_components[2]) - || !base64_is_valid(pwd_components[3])) + if ((components.size() != 4) + || (components[1] != "1") // 1 means srp + || !base64_is_valid(components[2]) + || !base64_is_valid(components[3])) return false; - std::string salt_str = base64_decode(pwd_components[2]); - std::string bytes_v_str = base64_decode(pwd_components[3]); - *salt = salt_str; - *bytes_v = bytes_v_str; + *salt = base64_decode(components[2]); + *verifier = base64_decode(components[3]); return true; } diff --git a/src/util/auth.h b/src/util/auth.h index 36d8c20a..1fd6ab45 100644 --- a/src/util/auth.h +++ b/src/util/auth.h @@ -1,6 +1,6 @@ /* Minetest -Copyright (C) 2015 est31 +Copyright (C) 2015, 2016 est31 This program is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by @@ -20,18 +20,31 @@ with this program; if not, write to the Free Software Foundation, Inc., #ifndef AUTH_H #define AUTH_H -std::string translatePassword(const std::string &name, +/// Gets the base64 encoded legacy password db entry. +std::string translate_password(const std::string &name, const std::string &password); -void getSRPVerifier(const std::string &name, - const std::string &password, char **salt, size_t *salt_len, - char **bytes_v, size_t *len_v); -std::string getSRPVerifier(const std::string &name, - const std::string &password); -std::string getSRPVerifier(const std::string &name, + +/// Creates a verification key with given salt and password. +std::string generate_srp_verifier(const std::string &name, const std::string &password, const std::string &salt); -std::string encodeSRPVerifier(const std::string &verifier, + +/// Creates a verification key and salt with given password. +void generate_srp_verifier_and_salt(const std::string &name, + const std::string &password, std::string *verifier, + std::string *salt); + +/// Gets an SRP verifier, generating a salt, +/// and encodes it as DB-ready string. +std::string get_encoded_srp_verifier(const std::string &name, + const std::string &password); + +/// Converts the passed SRP verifier into a DB-ready format. +std::string encode_srp_verifier(const std::string &verifier, const std::string &salt); -bool decodeSRPVerifier(const std::string &enc_pwd, + +/// Reads the DB-formatted SRP verifier and gets the verifier +/// and salt components. +bool decode_srp_verifier_and_salt(const std::string &encoded, std::string *salt, std::string *bytes_v); -#endif \ No newline at end of file +#endif