Make password hashing case-insensitive to comply with jabberd specification.
Needs RevisionPublic
Actions

Authored by wraitii on May 18 2020, 6:25 PM.

Details

Reviewers

Dunedan
user1
Itms

Trac Tickets

#5727

Summary

As reported by user1 and via elexis in #5727, once logged-in, one can change the case of their nickname and still log-in (so long as one doesn't actually retype their password).

This is because jabberd usernames are case-normalised when comparing : https://xmpp.org/extensions/xep-0029.html
However, our password hashing uses the raw username.

To fix this, we should canonify usernames that go into hashing. However, this will break all existing passwords.

It seems like a good time to do the migration to a stronger encryption scheme, which this diff doesn't attempt yet. If anybody wants to commandeer, feel free.

Test Plan

Agree with the above.

Diff Detail

Repository

rP 0 A.D. Public Repository

Branch

temp

Lint

Lint OK

Unit

No Unit Test Coverage

Build Status

Buildable 11718
Build 21680: Vulcan Build	Jenkins
Build 21679: Vulcan Build (macOS)	Jenkins
Build 21678: Vulcan Build (Windows)	Jenkins
Build 21677: arc lint + arc unit

Event Timeline

wraitii created this revision.May 18 2020, 6:25 PM

Also _> Remember to check why we salt with the username and not the password, that seems wrong at a glance but I'm no expert.

cc @user1 @Dunedan

Successful build - Chance fights ever on the side of the prudent.

Link to build: https://jenkins.wildfiregames.com/job/docker-differential/2155/display/redirect

Harbormaster completed remote builds in B11718: Diff 11916.May 18 2020, 6:45 PM

Looks good given the current constraints for the password generation logic. 👍

This revision is now accepted and ready to land.May 18 2020, 9:06 PM

user1 added a reviewer: user1.May 18 2020, 11:01 PM

I do not want to break all current passwords unless we have a plan in place to address that.

This revision now requires changes to proceed.May 18 2020, 11:07 PM

In D2747#116000, @user1 wrote:

I do not want to break all current passwords unless we have a plan in place to address that.

Indeed, before merging this we need a proper plan.

If it needs to be a breaking change anyway, why not to remove the whole logic for generating the actual password by hashing the username and password and instead just using the password as password? Wouldn't this result in the same logic as other XMPP clients use as well?

cannot we create option to change the password and all users would be required to change it?
That function would try to hash password both ways to verify old one but saving only with the new way.

Just for the record, a way to alleviate the above issue is:

Try both hashing methods and match either.
Store the 'new' hashed password in the DB
Then at some point we can just compare to the new passwords and be done with it, only breaking the accounts of inactive players.

Note that a disruption in this method has been planned for quite some time and it would be good to perform both changes at once.

source/lobby/scripting/JSInterface_Lobby.cpp
491–500	If/when this salting change is performed, it would be good to combine it with the change described here, to avoid disturbing the users twice.

Revision Contents
Changeset List

Path

Size

source/

lobby/

scripting/

JSInterface_Lobby.cpp

5 lines

Diff 11916

View Options

source/lobby/scripting/JSInterface_Lobby.cpp

Make password hashing case-insensitive to comply with jabberd specification.Needs RevisionPublicActions