Added bcrypt support. (#136)

* Added bcrypt support. bcrypt is the modern hashing method. SHA-1 is considered completely deprecated (like MD5) and SHA-256 isn't as beneficial as bcrypt. * Updated .gitignore to not track and stage binary files. * Fixed flipped variables. * Added ServerConstants.AUTOMATIC_REGISTER The automatic registration uses the bcrypt hashing method. * Drop MyISAM support, for InnoDB As of MySQL 5.6 and above (or MariaDB equivalent), MyISAM has no benefits over InnoDB. InnoDB is faster. It has row-level locking. It has better crash recovery. It supports transactions, foreign keys and relationship constraints. * Fixed a memory leak in MapleClient.login * Added automatic migration from SHA-1 and SHA-512 to bcrypt. * Made indentation consistent
2017-11-29 02:41:50 +02:00
parent 46924812b0
commit d502a4ba33
8 changed files with 866 additions and 35 deletions
--- a/src/net/server/Server.java
+++ b/src/net/server/Server.java
@@ -365,7 +365,7 @@ public class Server implements Runnable {
    }

    public static void main(String args[]) {
-	System.setProperty("wzpath", "wz");
+        System.setProperty("wzpath", "wz");
        Server.getInstance().run();
    }

--- a/src/net/server/handlers/login/LoginPasswordHandler.java
+++ b/src/net/server/handlers/login/LoginPasswordHandler.java
@@ -21,11 +21,16 @@
 */
 package net.server.handlers.login;

+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
 import java.util.Calendar;

+import constants.ServerConstants;
 import net.MaplePacketHandler;
 import net.server.Server;
-import server.TimerManager;
+import tools.BCrypt;
+import tools.DatabaseConnection;
 import tools.MaplePacketCreator;
 import tools.data.input.SeekableLittleEndianAccessor;
 import client.MapleClient;
@@ -36,17 +41,51 @@ public final class LoginPasswordHandler implements MaplePacketHandler {
    public boolean validateState(MapleClient c) {
        return !c.isLoggedIn();
    }
-    
+

    @Override
    public final void handlePacket(SeekableLittleEndianAccessor slea, MapleClient c) {
-    	
+
        String login = slea.readMapleAsciiString();
        String pwd = slea.readMapleAsciiString();
+        String bcryptedpass = BCrypt.hashpw(pwd, BCrypt.gensalt(12));
        c.setAccountName(login);
-        
+
        int loginok = c.login(login, pwd);
-        
+
+        Connection con = null;
+        PreparedStatement ps = null;
+
+        if (ServerConstants.AUTOMATIC_REGISTER && loginok == 5) {
+            try {
+                con = DatabaseConnection.getConnection();
+                ps = con.prepareStatement("INSERT INTO accounts (name, password) VALUES (?, ?);");
+                ps.setString(1, login);
+                ps.setString(2, bcryptedpass);
+                ps.executeUpdate();
+            } catch (SQLException e) {
+                e.printStackTrace();
+            } finally {
+                disposeSql(con, ps);
+                loginok = c.login(login, pwd);
+            }
+        }
+
+        if (ServerConstants.BCRYPT_MIGRATION && (loginok <= -10)) { // -10 means migration to bcrypt, -23 means TOS wasn't accepted
+            try {
+                con = DatabaseConnection.getConnection();
+                ps = con.prepareStatement("UPDATE accounts SET password = ? WHERE name = ?;");
+                ps.setString(1, bcryptedpass);
+                ps.setString(2, login);
+                ps.executeUpdate();
+            } catch (SQLException e) {
+                e.printStackTrace();
+            } finally {
+                disposeSql(con, ps);
+                loginok = (loginok == -10) ? 0 : 23;
+            }
+        }
+
        if (c.hasBannedIP() || c.hasBannedMac()) {
            c.announce(MaplePacketCreator.getLoginFailed(3));
            return;
@@ -71,10 +110,24 @@ public final class LoginPasswordHandler implements MaplePacketHandler {
            c.announce(MaplePacketCreator.getLoginFailed(7));
        }
    }
-    
+
    private static void login(MapleClient c){
        c.announce(MaplePacketCreator.getAuthSuccess(c));//why the fk did I do c.getAccountName()?
-        
+
        Server.getInstance().registerLoginState(c);
    }
+
+    private static void disposeSql(Connection con, PreparedStatement ps) {
+        try {
+            if (con != null) {
+                con.close();
+            }
+
+            if (ps != null) {
+                ps.close();
+            }
+        } catch (SQLException e) {
+            e.printStackTrace();
+        }
+    }
 }