SHA512 Implementation **Must reset password on worldservers and accounts**

Fixes #10

LS database:
- md5 no longer used, now use sha2('password',512) instead for mysql/mariadb
- account table passwd expanded to 256 chars
- login_worldservers password field expanded to 256 chars

manual update:

\u eq2ls
alter table account modify column passwd varchar(256) not null default '';
alter table login_worldservers modify column password varchar(256) not null default '';

DB/currentlsdb.sql

@@ -25,7 +25,7 @@ DROP TABLE IF EXISTS `account`;
 CREATE TABLE `account` (
   `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
   `name` varchar(64) COLLATE latin1_general_ci NOT NULL DEFAULT '',
-  `passwd` varchar(64) COLLATE latin1_general_ci NOT NULL DEFAULT '',
+  `passwd` varchar(256) COLLATE latin1_general_ci NOT NULL DEFAULT '',
   `ip_address` varchar(50) COLLATE latin1_general_ci NOT NULL DEFAULT '0',
   `email_address` varchar(50) COLLATE latin1_general_ci NOT NULL DEFAULT 'Unknown',
   `created_date` int(10) NOT NULL DEFAULT 0,
@@ -362,7 +362,7 @@ CREATE TABLE `login_worldservers` (
   `chat_shortname` varchar(20) COLLATE latin1_general_ci NOT NULL DEFAULT '',
   `description` text COLLATE latin1_general_ci NOT NULL,
   `server_type` varchar(15) COLLATE latin1_general_ci NOT NULL DEFAULT '0',
-  `password` varchar(32) COLLATE latin1_general_ci NOT NULL,
+  `password` varchar(256) COLLATE latin1_general_ci NOT NULL,
   `serverop` varchar(64) COLLATE latin1_general_ci NOT NULL DEFAULT '',
   `lastseen` int(10) unsigned NOT NULL DEFAULT 0,
   `admin_id` int(11) unsigned NOT NULL DEFAULT 0,
@@ -388,19 +388,9 @@ CREATE TABLE `login_worldservers` (
   PRIMARY KEY (`id`),
   UNIQUE KEY `account` (`account`),
   UNIQUE KEY `NameIDX` (`name`)
-) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;
+) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
---
--- Dumping data for table `login_worldservers`
---
-
-LOCK TABLES `login_worldservers` WRITE;
-/*!40000 ALTER TABLE `login_worldservers` DISABLE KEYS */;
-INSERT INTO `login_worldservers` VALUES (1,'Zeklabs',0,'zeklabs','','zeklabs','0','ed8acc7338a6ba5072472ae4554c16','admin',1582775680,1,0,0,'0','','10.1.1.2',0,1387650563,1,1,1,1,'','Standard','Admin',0,NULL,0,0,'0.7.3-dev');
-/*!40000 ALTER TABLE `login_worldservers` ENABLE KEYS */;
-UNLOCK TABLES;
-
 --
 -- Table structure for table `login_worldstats`
 --

EQ2/source/LoginServer/LoginDatabase.cpp

@@ -451,7 +451,7 @@ LoginAccount* LoginDatabase::LoadAccount(const char* name, const char* password)
 	query.escaped_name = getEscapeString(name);
 	query.escaped_pass = getEscapeString(password);
 	MYSQL_ROW row;
-	MYSQL_RES* result = query.RunQuery2(Q_SELECT, "SELECT id from account where name='%s' and passwd=md5('%s')", query.escaped_name, query.escaped_pass);
+	MYSQL_RES* result = query.RunQuery2(Q_SELECT, "SELECT id from account where name='%s' and passwd=sha2('%s',512)", query.escaped_name, query.escaped_pass);
 	if(result){
 		if (mysql_num_rows(result) == 1){
 			row = mysql_fetch_row(result);

EQ2/source/WorldServer/LoginServer.cpp

@@ -26,9 +26,9 @@ using namespace std;
 #include <iomanip>
 using namespace std;
 #include <stdlib.h>
-#include "../common/md5.h"
 #include "../common/version.h"
 #include "../common/GlobalHeaders.h"
+#include "../common/sha512.h"
 
 #ifdef WIN32
 #include <process.h>
@@ -885,13 +885,8 @@ void LoginServer::SendInfo() {
 	lsi->servertype = 4;
 #endif
 	int8 tmppass[16];
-	MD5::Generate((uchar*)net.GetWorldPassword(), strlen(net.GetWorldPassword()), tmppass);
-	char* ptr = lsi->password;
-	for(int i=0;i<15;i++){
-		sprintf(ptr, "%02x", tmppass[i]);
-		ptr += 2;
-	}
-	//memcpy(lsi->password, tmppass, 16);
+	string passwdSha512 = sha512(net.GetWorldPassword());
+	memcpy(lsi->password, (char*)passwdSha512.c_str(), passwdSha512.length());
 	strcpy(lsi->address, net.GetWorldAddress());
 	SendPacket(pack);
 	delete pack;

EQ2/source/WorldServer/zoneserver.cpp

@@ -57,7 +57,6 @@ extern int errno;
 #include "races.h"
 #include "classes.h"
 #include "../common/seperator.h"
-#include "../common/md5.h"
 #include "../common/EQStream.h"
 #include "../common/EQStreamFactory.h"
 #include "../common/opcodemgr.h"

EQ2/source/WorldServer/zoneserver.h

@@ -27,7 +27,6 @@
 #include "../common/TCPConnection.h"
 #include "WorldTCPConnection.h"
 #include "../common/Mutex.h"
-#include "../common/md5.h"
 #include "../common/DataBuffer.h"
 #include "net.h"
 #include "Player.h"

EQ2/source/common/servertalk.h

@@ -228,7 +228,7 @@ struct ServerLSInfo_Struct {
 	char	name[201];				// name the worldserver wants
 	char	address[250];			// DNS address of the server
 	char	account[31];			// account name for the worldserver
-	char	password[31];			// password for the name
+	char	password[256];			// password for the name
 	char	protocolversion[25];	// Major protocol version number
 	char	serverversion[64];		// minor server software version number
 	int8	servertype;				// 0=world, 1=chat, 2=login, 3=MeshLogin, 4=World Debug

EQ2/source/common/sha512.cpp

@@ -0,0 +1,155 @@
+#include <cstring>
+#include <fstream>
+#include "sha512.h"
+ 
+const unsigned long long SHA512::sha512_k[80] = //ULL = uint64
+            {0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
+             0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
+             0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+             0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
+             0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
+             0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+             0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
+             0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
+             0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+             0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
+             0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
+             0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+             0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
+             0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
+             0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+             0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
+             0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
+             0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+             0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
+             0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
+             0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+             0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
+             0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
+             0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+             0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
+             0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
+             0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+             0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
+             0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
+             0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+             0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
+             0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
+             0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+             0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
+             0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
+             0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+             0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
+             0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
+             0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+             0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL};
+ 
+void SHA512::transform(const unsigned char *message, unsigned int block_nb)
+{
+    uint64 w[80];
+    uint64 wv[8];
+    uint64 t1, t2;
+    const unsigned char *sub_block;
+    int i, j;
+    for (i = 0; i < (int) block_nb; i++) {
+        sub_block = message + (i << 7);
+        for (j = 0; j < 16; j++) {
+            SHA2_PACK64(&sub_block[j << 3], &w[j]);
+        }
+        for (j = 16; j < 80; j++) {
+            w[j] =  SHA512_F4(w[j -  2]) + w[j -  7] + SHA512_F3(w[j - 15]) + w[j - 16];
+        }
+        for (j = 0; j < 8; j++) {
+            wv[j] = m_h[j];
+        }
+        for (j = 0; j < 80; j++) {
+            t1 = wv[7] + SHA512_F2(wv[4]) + SHA2_CH(wv[4], wv[5], wv[6])
+                + sha512_k[j] + w[j];
+            t2 = SHA512_F1(wv[0]) + SHA2_MAJ(wv[0], wv[1], wv[2]);
+            wv[7] = wv[6];
+            wv[6] = wv[5];
+            wv[5] = wv[4];
+            wv[4] = wv[3] + t1;
+            wv[3] = wv[2];
+            wv[2] = wv[1];
+            wv[1] = wv[0];
+            wv[0] = t1 + t2;
+        }
+        for (j = 0; j < 8; j++) {
+            m_h[j] += wv[j];
+        }
+ 
+    }
+}
+ 
+void SHA512::init()
+{
+    m_h[0] = 0x6a09e667f3bcc908ULL;
+    m_h[1] = 0xbb67ae8584caa73bULL;
+    m_h[2] = 0x3c6ef372fe94f82bULL;
+    m_h[3] = 0xa54ff53a5f1d36f1ULL;
+    m_h[4] = 0x510e527fade682d1ULL;
+    m_h[5] = 0x9b05688c2b3e6c1fULL;
+    m_h[6] = 0x1f83d9abfb41bd6bULL; 
+    m_h[7] = 0x5be0cd19137e2179ULL;
+    m_len = 0;
+    m_tot_len = 0;
+}
+ 
+void SHA512::update(const unsigned char *message, unsigned int len)
+{
+    unsigned int block_nb;
+    unsigned int new_len, rem_len, tmp_len;
+    const unsigned char *shifted_message;
+    tmp_len = SHA384_512_BLOCK_SIZE - m_len;
+    rem_len = len < tmp_len ? len : tmp_len;
+    memcpy(&m_block[m_len], message, rem_len);
+    if (m_len + len < SHA384_512_BLOCK_SIZE) {
+        m_len += len;
+        return;
+    }
+    new_len = len - rem_len;
+    block_nb = new_len / SHA384_512_BLOCK_SIZE;
+    shifted_message = message + rem_len;
+    transform(m_block, 1);
+    transform(shifted_message, block_nb);
+    rem_len = new_len % SHA384_512_BLOCK_SIZE;
+    memcpy(m_block, &shifted_message[block_nb << 7], rem_len);
+    m_len = rem_len;
+    m_tot_len += (block_nb + 1) << 7;
+}
+ 
+void SHA512::final(unsigned char *digest)
+{
+    unsigned int block_nb;
+    unsigned int pm_len;
+    unsigned int len_b;
+    int i;
+    block_nb = 1 + ((SHA384_512_BLOCK_SIZE - 17)
+                     < (m_len % SHA384_512_BLOCK_SIZE));
+    len_b = (m_tot_len + m_len) << 3;
+    pm_len = block_nb << 7;
+    memset(m_block + m_len, 0, pm_len - m_len);
+    m_block[m_len] = 0x80;
+    SHA2_UNPACK32(len_b, m_block + pm_len - 4);
+    transform(m_block, block_nb);
+    for (i = 0 ; i < 8; i++) {
+        SHA2_UNPACK64(m_h[i], &digest[i << 3]);
+    }
+}
+ 
+std::string sha512(std::string input)
+{
+    unsigned char digest[SHA512::DIGEST_SIZE];
+    memset(digest,0,SHA512::DIGEST_SIZE);
+    SHA512 ctx = SHA512();
+    ctx.init();
+    ctx.update((unsigned char*)input.c_str(), input.length());
+    ctx.final(digest);
+ 
+    char buf[2*SHA512::DIGEST_SIZE+1];
+    buf[2*SHA512::DIGEST_SIZE] = 0;
+    for (int i = 0; i < SHA512::DIGEST_SIZE; i++)
+        sprintf(buf+i*2, "%02x", digest[i]);
+    return std::string(buf);
+}

EQ2/source/common/sha512.h

@@ -0,0 +1,71 @@
+#ifndef SHA512_H
+#define SHA512_H
+#include <string>
+ 
+class SHA512
+{
+protected:
+    typedef unsigned char uint8;
+    typedef unsigned int uint32;
+    typedef unsigned long long uint64;
+ 
+    const static uint64 sha512_k[];
+    static const unsigned int SHA384_512_BLOCK_SIZE = (1024/8);
+ 
+public:
+    void init();
+    void update(const unsigned char *message, unsigned int len);
+    void final(unsigned char *digest);
+    static const unsigned int DIGEST_SIZE = ( 512 / 8);
+ 
+protected:
+    void transform(const unsigned char *message, unsigned int block_nb);
+    unsigned int m_tot_len;
+    unsigned int m_len;
+    unsigned char m_block[2 * SHA384_512_BLOCK_SIZE];
+    uint64 m_h[8];
+};
+ 
+ 
+std::string sha512(std::string input);
+ 
+#define SHA2_SHFR(x, n)    (x >> n)
+#define SHA2_ROTR(x, n)   ((x >> n) | (x << ((sizeof(x) << 3) - n)))
+#define SHA2_ROTL(x, n)   ((x << n) | (x >> ((sizeof(x) << 3) - n)))
+#define SHA2_CH(x, y, z)  ((x & y) ^ (~x & z))
+#define SHA2_MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
+#define SHA512_F1(x) (SHA2_ROTR(x, 28) ^ SHA2_ROTR(x, 34) ^ SHA2_ROTR(x, 39))
+#define SHA512_F2(x) (SHA2_ROTR(x, 14) ^ SHA2_ROTR(x, 18) ^ SHA2_ROTR(x, 41))
+#define SHA512_F3(x) (SHA2_ROTR(x,  1) ^ SHA2_ROTR(x,  8) ^ SHA2_SHFR(x,  7))
+#define SHA512_F4(x) (SHA2_ROTR(x, 19) ^ SHA2_ROTR(x, 61) ^ SHA2_SHFR(x,  6))
+#define SHA2_UNPACK32(x, str)                 \
+{                                             \
+    *((str) + 3) = (uint8) ((x)      );       \
+    *((str) + 2) = (uint8) ((x) >>  8);       \
+    *((str) + 1) = (uint8) ((x) >> 16);       \
+    *((str) + 0) = (uint8) ((x) >> 24);       \
+}
+#define SHA2_UNPACK64(x, str)                 \
+{                                             \
+    *((str) + 7) = (uint8) ((x)      );       \
+    *((str) + 6) = (uint8) ((x) >>  8);       \
+    *((str) + 5) = (uint8) ((x) >> 16);       \
+    *((str) + 4) = (uint8) ((x) >> 24);       \
+    *((str) + 3) = (uint8) ((x) >> 32);       \
+    *((str) + 2) = (uint8) ((x) >> 40);       \
+    *((str) + 1) = (uint8) ((x) >> 48);       \
+    *((str) + 0) = (uint8) ((x) >> 56);       \
+}
+#define SHA2_PACK64(str, x)                   \
+{                                             \
+    *(x) =   ((uint64) *((str) + 7)      )    \
+           | ((uint64) *((str) + 6) <<  8)    \
+           | ((uint64) *((str) + 5) << 16)    \
+           | ((uint64) *((str) + 4) << 24)    \
+           | ((uint64) *((str) + 3) << 32)    \
+           | ((uint64) *((str) + 2) << 40)    \
+           | ((uint64) *((str) + 1) << 48)    \
+           | ((uint64) *((str) + 0) << 56);   \
+}
+ 
+#endif

EQ2/win/VC10Projects/EQ2World.vcxproj

@@ -396,6 +396,7 @@
   <ItemGroup>
     <ClCompile Include="..\..\source\common\DatabaseNew.cpp" />
     <ClCompile Include="..\..\source\common\DatabaseResult.cpp" />
+    <ClCompile Include="..\..\source\common\sha512.cpp" />
     <ClCompile Include="..\..\source\LUA\lapi.c" />
     <ClCompile Include="..\..\source\LUA\lauxlib.c" />
     <ClCompile Include="..\..\source\LUA\lbaselib.c" />
@@ -536,6 +537,7 @@
   <ItemGroup>
     <ClInclude Include="..\..\source\common\DatabaseNew.h" />
     <ClInclude Include="..\..\source\common\DatabaseResult.h" />
+    <ClInclude Include="..\..\source\common\sha512.h" />
     <ClInclude Include="..\..\source\LUA\lapi.h" />
     <ClInclude Include="..\..\source\LUA\lauxlib.h" />
     <ClInclude Include="..\..\source\LUA\lcode.h" />

README.md

@@ -48,10 +48,10 @@ Note: These instructions for now will be primarily based in Windows, but any Lin
 4. Add Game Account / World Account: Using the same MySQL Client, continue on creating your accounts
     - Game Login Account:
 	
-		insert into account set name='test',passwd=md5('test');
+		insert into account set name='test',passwd=sha2('test',512);
     - World Server Login Account (Used in Step 5): 
 	
-		insert into login_worldservers set name='TestLabs',account='testlabs',description='TestLabs',password=md5('testpass'),note='',login_version='0.7.3-dev';
+		insert into login_worldservers set name='TestLabs',account='testlabs',description='TestLabs',password=sha2('testpass',512),note='',login_version='0.7.3-dev';
 
 5. Open the C:\\[YOUREQ2EMUGITSRC]\server\LoginServer.ini file (Notepad or other flavor editor)