Revision: 7688
http://armagetronad.svn.sourceforge.net/armagetronad/?rev=7688&view=rev
Author: z-man
Date: 2008-01-28 15:55:17 -0800 (Mon, 28 Jan 2008)
Log Message:
-----------
Adding fully qualified user name to the PASSWORD_OK output.
Modified Paths:
--------------
armagetronad/branches/0.2.8-auth/armagetronad/batch/authentication_reference.php
Modified: armagetronad/branches/0.2.8-auth/armagetronad/batch/authentication_reference.php
===================================================================
--- armagetronad/branches/0.2.8-auth/armagetronad/batch/authentication_reference.php 2008-01-28 22:19:38 UTC (rev 7687)
+++ armagetronad/branches/0.2.8-auth/armagetronad/batch/authentication_reference.php 2008-01-28 23:55:17 UTC (rev 7688)
@@ -14,20 +14,6 @@
//
////////////////////////////////////////////////////
-// these two functions return prefix and suffix for the md5
-// hash method. They are prepended/appended to the password
-// before md5 is applied on it. Adapt them if you like.
-
-function getPrefix()
-{
- return "%u:aaauth:";
-}
-
-function getSuffix()
-{
- return "";
-}
-
// however, before they are used, %u is replaced by the username.
function substitutions( $fix, $user )
@@ -52,23 +38,27 @@
// report error code in header
header("Status: $statusCode", true, $statusCode);
+ header("Content-Type: text/plain");
// print message
die("$msg\n");
}
+// read authority from gloval variables
+$authority = $_SERVER['HTTP_HOST'];
+
////////////////////////////////////////////////////
// Bits you need to change follow.
////////////////////////////////////////////////////
-// you should definitely check that the hostname the game
+// You should definitely check that the hostname the game
// server used to contact you is the one you intend it
// to use; otherwise, there may be problems with web
// servers known under different names. You should uncomment
// this and add your real authority hostname.
/*
-if ( $_SERVER['HTTP_HOST'] != "authority" )
+if ( $authority != "authority" )
conclude( 404, "WRONG_HOST" );
*/
@@ -84,10 +74,42 @@
$passwords= array (
'test' => 'password' // clever choice there, test
);
-
- return $passwords[$user];
+
+ $password = $passwords[ $user ];
+ if ( NULL == $password )
+ return NULL;
+
+ // return a pair of username and password.
+ // it is important that you return the username
+ // exactly as it appeared in the database.
+ // If the username lookup is case insensitive,
+ // the rest of the script and the game servers
+ // need to know what the correct form of the name
+ // is.
+ return array( $user, $password );
}
+// these two functions return prefix and suffix for the md5
+// hash method. They are prepended/appended to the password
+// before md5 is applied on it. Adapt them to the way your
+// md5 password hash is stored in your database.
+
+// IMPORTANT: if you want to keep the %u (a good idea for
+// security, prevents precomputation attacks on the passwords)
+// user name lookup needs to be case sensitive, or there will
+// be unexplainable password failures.
+
+function getPrefix()
+{
+ return "%u:aaauth:";
+}
+
+function getSuffix()
+{
+ global $authority;
+ return ":$authority";
+}
+
// You do not need plain text passwords. The
// checks on the passwords are done to a hash function
// thereof. You can just as well precompute the
@@ -99,10 +121,20 @@
function getPasswordHash( $user, $method )
{
// fetch the plaintext password
- $password = getPassword( $user );
- if ( NULL == $password )
+ $userInfo = getPassword( $user );
+ if ( NULL == $userInfo )
return NULL;
+ // unpack the data
+ $trueUser = $userInfo[0];
+ $password = $userInfo[1];
+
+ // check that neither prefix nor suffix conain %u if $trueUser != $user
+ if ( $trueUser != $user && ( strpos( getPrefix(), '%u' ) !== FALSE || strpos( getPrefix(), '%u' ) !== FALSE ) )
+ {
+ conclude(404, 'UNKNOWN_USER ' . $user . ' Do not use %u in pre/suffix if your user database is making case-insensitive lookups.');
+ }
+
// two methods are currently supported
// by server and client, bmd5 (broken md5)
// and md5. Both use the md5 hash algorithm.
@@ -122,13 +154,13 @@
// method. If you set the prefix and suffix to empty
// strings, the resulting hash will be the one found
// in phpBB user databases.
- $password = substitutions( getPrefix(), $user ) . "$password" . substitutions( getSuffix(), $user );
+ $password = substitutions( getPrefix(), $trueUser ) . "$password" . substitutions( getSuffix(), $trueUser );
break;
}
// after that, both methods just calculate the md5 hash
// and return that.
- return md5( $password );
+ return array( $trueUser, md5( $password ) );
}
// comma separated lists of methods you support. If, for example,
@@ -204,14 +236,18 @@
// first, the client computed a hash of the password
// with method-specific rules. <TV cook mode> we have
// already prepared that here. </TV cook mode>.
- $correctPasswordHash = getPasswordHash( $user, $method );
+ $userInfo = getPasswordHash( $user, $method );
// check if user exists in the first place.
- if ( $correctPasswordHash == NULL )
+ if ( $userInfo == NULL )
{
conclude(404, 'UNKNOWN_USER ' . $user );
}
+ // unpack user info
+ $trueUser = $userInfo[0];
+ $correctPasswordHash = $userInfo[1];
+
// the operations the AA client did were not on the hex-encoded
// hashes we have so far, but on binary packed variants thereof:
$packedSalt = pack("H*", $salt);
@@ -224,8 +260,8 @@
// well, let's see if the client got it right!
if (strcasecmp($hash, $correctHash) === 0)
{
- // he did!
- conclude(200, 'PASSWORD_OK');
+ // he did! Return OK, followed by the user's full name.
+ conclude(200, 'PASSWORD_OK ' . $trueUser . '@' . $authority );
}
// he didn't.
@@ -243,7 +279,7 @@
default:
// we don't know what the server wants from us
// if execution ends up here.
- conclude(404, 'UNKNOWN_QUERY' );
+ conclude(404, 'UNKNOWN_QUERY');
}
?>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|