gptbot/0ad
1
0
Fork 0
forked from mirrors/0ad
Code Pull Requests Activity

Additional entropy when hashing match passwords.

Browse Source 
The purpose of our client-side hashing for lobby game passwords is to
prevent malicious hosts from getting valuable passwords from clients
(e.g. accidentally typing their lobby password instead of the game, or
even their email password, etc).
However, the hashing was deterministic (and rather simple), making it
possible to compute rainbow tables and recover user passwords anyways.

By adding more variation, including some that cannot so easily be
controlled by the host (the client name), this becomes impractical. The
password hashing function used is rather fast, but given the base low
probability of mistypes, this seems fine.

Differential Revision: https://code.wildfiregames.com/D3459
This was SVN commit r25459.
This commit is contained in:
wraitii
2021-05-18 14:47:36 +00:00
parent 40f9372d29
commit 7bfcd9f78b
13 changed files with 221 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
source/network/NetClient.cpp
+10 -2
View File
@@ -33,6 +33,7 @@
#include "ps/Compress.h"
#include "ps/CStr.h"
#include "ps/Game.h"
#include "ps/Hashing.h"
#include "ps/Loader.h"
#include "ps/Profile.h"
#include "ps/Threading.h"
@@ -184,7 +185,9 @@ void CNetClient::SetHostJID(const CStr& jid)
void CNetClient::SetGamePassword(const CStr& hashedPassword)
{
m_Password = hashedPassword;
// Hash on top with the user's name, to make sure not all
// hashing data is in control of the host.
m_Password = HashCryptographically(hashedPassword, m_UserName.ToUTF8());
}
void CNetClient::SetControllerSecret(const std::string& secret)
@@ -202,6 +205,11 @@ bool CNetClient::SetupConnection(ENetHost* enetClient)
return ok;
}
void CNetClient::SetupConnectionViaLobby()
{
g_XmppClient->SendIqGetConnectionData(m_HostJID, m_Password, m_UserName.ToUTF8(), false);
}
void CNetClient::SetupServerData(CStr address, u16 port, bool stun)
{
ENSURE(!m_Session);
@@ -268,7 +276,7 @@ bool CNetClient::TryToConnect(const CStr& hostJID)
// To work around that, send again a connection data request, but for internal IP this time.
if (ip == m_ServerAddress)
{
g_XmppClient->SendIqGetConnectionData(m_HostJID, m_Password, true);
g_XmppClient->SendIqGetConnectionData(m_HostJID, m_Password, m_UserName.ToUTF8(), true);
// Return true anyways - we're on a success path here.
return true;
}