From 36a57c5f029af7e59873d2d622fa6f3b9d16b95a Mon Sep 17 00:00:00 2001 From: ljacqu Date: Sun, 10 Jan 2016 00:02:00 +0100 Subject: [PATCH 1/3] Fix format of messages_zhcn.yml - Possibly broken in b8abe71? --- src/main/resources/messages/messages_zhcn.yml | Bin 5205 -> 5156 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/src/main/resources/messages/messages_zhcn.yml b/src/main/resources/messages/messages_zhcn.yml index 76d1b840578cca916a30b13f98d557ebe4ee9b94..897c052da91766e45017764652a0a6912a85f8da 100644 GIT binary patch literal 5156 zcmb_g-%s0C6n^Kg@Kg=9hqZ50RiR2#Rc+NasavP5(ll94aKLI}qc|b$TS6)MMM$~= zB_stx3r(Sc6bhtCfIp_W*Y;EYg`Ink?S_C;kd_BT9N+JpdwzW9yZ4IlM_5wzpcK)< zH-zXt%`XO(fIOy!WZ|2!NM!uRwQKm`YDoT8xH53%)PldHh#bCuE9z7H0_Pi}uKI&#R$|sFwXDbc)|=;MEsY((I$nf) zK?ivv`f2SI_CDLu;jVG;46_4>P*7Mwyp#dR8>Od|or?Qh&F8g9NP5WJ^F+0Gd*?1G z*U5`GcxNT%fF{sEI^XCtGFGv`eN;7ZTn>jkv3w9Y%pw2?x582&qNt-k{VZTb8pUJd z^-~}?y0UJRv*zX|U7V#0KmZ3Eo>zq@c)%#O8FBIMgR(TYvSuo2Y*&oJH0zJhBA11b+xoHv1oKkZP)aU52GxbXSO%FvIV35;|KBW@v&*f{*Dh|2 zs{M+mmtFbWJ-p4qfLulYn56dY5~v=RIB4lT&6l7#>}KRcpsVBTf$Lc z3z!XOEiaYReBy}~Kmr1iGTv^GLW-|d)Qj;d6fPT>*3vB9-nZvGOaWkmm&;hkMlDT_ zpLD-w>=)>Z6>f&5UsLD!dl^;r>@t}OwuZ6A& zxWZ|f3rGN@F5Az~)CK*fMI)ZUW31rjl`RITVw0XOg=BXOoUfTkVFpMO2?Xqep0N@c z`0B)lS6d(MJ!Ktt>{w^X7lX3*M06$rFFq7(n16F4Pqvq=`9sp&upJ3%lJ@}cVa!kq zn$;RCCi#r3`9Rsg*f!fB+t$hUj4{8)K_f~??iX06u;RzGILTL_9>PX*O4~CpT#j~0 zqtnZTVKbF+#MUsl=lsw6S!Idq7doaGf%)92=eEu{p&OMSdOF#QLke3ULAl8NU{>FC zK4h6fc+0ZD#APGP)It)}r2P}!$uYY9{q~RI?fXLm(g=tT#-*MHeJ~mT!=@ds0gSCI z$?eg@7Rjt4MdGY!SKl26j*{vLsL!1+P)n^xit zi|9fdhu5!g#jXfF)3JMkFrSS-qnP>2O=ZXEkFdP|^Z{gaTa6SO#kDC39c#y`kx*g>k94e3| zF_w7ja1FZeaC-uo&e69OgyOM9>c5D6nvUZ-2&0Qi7k7-Q3Y|~EL!4?4Kn#lkEj*!& zv+(#yX%)&4YW>eUcOCh}#t0jUj_Bu};KFDy2tpLH%@@&?PP4B2HM2 zf?g7|R8?Niri=O#4HK2GO zGJu=#BEatJGk`pJHdKGb>E#S~%V=)yLl=}TtDc45&7Yl<3LIzHes`uo=pe(ud56y7 z8ON`|T?tUKPf}Iyc%6H)C-oe9Ov+g}-_v}db6f&3L{q!$4j^0P?n-Jz@xi5z6pd)2 ztoFS^uoidOjlr80x>g5TFsfP7%roCht2CL0+au5w8b%JR`Dk@{1JCX_RbKjG_;KvL6I S0d6T~@ZQ5pz=^KRo%s)bU;@+t literal 5205 zcmb_g-EJF26rLirsBVOcgep;ix~&AUg46^gR2opF0)-eW}qcqvXo3#_!*+l-? 
zq!O)mmdr=&|e(`+m)yZKk=g*ZkoB7_I+O*2y*8@#QZD3Ud+K$@8 zoO~?xdO?90qnK;pT-sW~Il_@F6yl?tkJ-vraSE5PnXh_<3z)4JDCL^}U61Q<6mM|0 zCo-vP7t&g|Ht>toChoQ!si9gg{CPan=qHZ@@)No?RyMFQ0bNUL-i5YpP`1>wjK&}- zAwrU(ocG3kUbiyoh^@ zsHps#O-%gwfGc=#)%%|DDt$`JjFrZpp$ePvL7v`d8M)#I+V4sf=rAhYeMOZ?n`ON)}4Sueht@ zU_Lyn(IeWU%mx{A?n*pbsp3S>2XiHy>(`gR#zltcpTKi1NM}wklRNlrYY$ipZZ&^D z2F+5`NF}Y_URy8x`_r!_W(;%B=qEg_hb<4#uZkzKS(d=&0RE=W@2e2Gu#Jo}baiAV zD3hyeIG35DxbA+wV=cyg6x5=KdlhxTAcUA3y;*IvXyA8z!lLa5@F_B{}6!~ z^L<31t+Rl&$Qo$txNIXPO(!19_@{@;2|*VF@um?mFGWEQxWIo|%Q61nK|Xn!zo(JT zl_Nf#EZs#*|24yxYB2~!w`w=kljr*5fJF-sQp z1-CRt;mN1HMIx09{~qW?HglcWLO<_h<+Uz1zG^IjLRQ*H7_I8midfsxSoGq#Erf~) z`T>{zrS6l8u&||gmVtz1yE+Sv;OVn$v(B6Bu=9d=%EqBfQRK6v4cs%_*}@nH`F7R# z?Z$w=0Dgev-hu>f0wZ7y;D5{Nc(w|(JcIW01xlro*Uk6czhRkSUVJJ$;i{17OdB>EtR{0AGIteta@wowZ z?uZ7j1+G2JV3+@R%S?RTeSz)C9_n85#riMXsLkSkcU`*c4HV-`hFI#p7G!BGZ|C*E z;b2i#9$HJYe8$N(mbuuTrLxio-gRWp)-N|6vLX_T3e6PT0=$H>$xCogRF>D*5KXwJ zmK2*v&}k&cwG=UL4ARBqXj=Z8sfS#?J>X6YyEL;xa>McmZS7H$UNIanC04|SlN(2y z4MCdShErY1YaQ=Ts{(M9aYk!K+vWA#b{4K=7j@2-@2*axYEjWv;?T3n8Vpy$*;))! zWbzAIh`bmv+RxOjd>XJBCz4i>7u-j;)B-40;d40Fv4D3EBNIV>FvudbKC`Gn5r)mLo7eq$u75>B7Y6_8RKXD$j?7cjmrlM z@L0mJA}yN)gM@4_YGBDPRU10h_?AR9hrf!98vY3w&NuXzGXKi=xLNy{Uwr)OEgTFeK#6R`R{GWRCw9^Z%tAdLs-F4)>ENkL{0@WhR^{npEp4uH{{d&e B-RJ-S From 4042ced5f2b06b056a7aff392c2403f1079ebec1 Mon Sep 17 00:00:00 2001 From: Xephi59 Date: Sun, 10 Jan 2016 22:32:35 +0100 Subject: [PATCH 2/3] Fix #433 --- src/main/java/fr/xephi/authme/AuthMe.java | 51 +++++++++++------------ 1 file changed, 25 insertions(+), 26 deletions(-) diff --git a/src/main/java/fr/xephi/authme/AuthMe.java b/src/main/java/fr/xephi/authme/AuthMe.java index 70c8bfd6..69ad8db8 100644 --- a/src/main/java/fr/xephi/authme/AuthMe.java +++ b/src/main/java/fr/xephi/authme/AuthMe.java 
@@ -1,9 +1,34 @@ package fr.xephi.authme; +import java.io.IOException; +import java.net.URL; +import java.util.Calendar; +import java.util.Collection; +import java.util.Date; +import java.util.List; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import java.util.logging.Logger; + +import org.apache.logging.log4j.LogManager; +import org.bukkit.Bukkit; +import org.bukkit.Location; +import org.bukkit.Server; +import org.bukkit.World; +import org.bukkit.command.Command; +import org.bukkit.command.CommandSender; +import org.bukkit.entity.Player; +import org.bukkit.plugin.PluginManager; +import org.bukkit.plugin.java.JavaPlugin; +import org.bukkit.scheduler.BukkitTask; +import org.mcstats.Metrics; +import org.mcstats.Metrics.Graph; + import com.earth2me.essentials.Essentials; import com.google.common.base.Charsets; import com.google.common.io.Resources; import com.onarandombox.MultiverseCore.MultiverseCore; + import fr.xephi.authme.api.API; import fr.xephi.authme.api.NewAPI; import fr.xephi.authme.cache.auth.PlayerAuth; @@ -53,29 +78,6 @@ import fr.xephi.authme.util.StringUtils; import fr.xephi.authme.util.Utils; import fr.xephi.authme.util.Wrapper; import net.minelink.ctplus.CombatTagPlus; -import org.apache.logging.log4j.LogManager; -import org.bukkit.Bukkit; -import org.bukkit.Location; -import org.bukkit.Server; -import org.bukkit.World; -import org.bukkit.command.Command; -import org.bukkit.command.CommandSender; -import org.bukkit.entity.Player; -import org.bukkit.plugin.PluginManager; -import org.bukkit.plugin.java.JavaPlugin; -import org.bukkit.scheduler.BukkitTask; -import org.mcstats.Metrics; -import org.mcstats.Metrics.Graph; - -import java.io.IOException; -import java.net.URL; -import java.util.Calendar; -import java.util.Collection; -import java.util.Date; -import java.util.List; -import java.util.Set; -import java.util.concurrent.ConcurrentHashMap; -import java.util.logging.Logger; /** * The AuthMe main class. 
@@ -515,8 +517,6 @@ public class AuthMe extends JavaPlugin { Collection players = Utils.getOnlinePlayers(); for (Player player : players) { savePlayer(player); - // TODO: add a MessageKey - player.kickPlayer("Server is restarting or AuthMe plugin was disabled."); } // Do backup on stop if enabled @@ -742,7 +742,6 @@ public class AuthMe extends JavaPlugin { } } PlayerCache.getInstance().removePlayer(name); - player.saveData(); } // Select the player to kick when a vip player join the server when full From 391e1b04a2bd091637a76e2fa08ea6a0ede56087 Mon Sep 17 00:00:00 2001 From: ljacqu Date: Thu, 14 Jan 2016 21:55:09 +0100 Subject: [PATCH 3/3] Fix #440 Hash algo's sometimes skipped for old algorithm support - Fix check that discards potentially trying all encryption methods if password didn't match - Wrap call to encryption method properly to avoid calling methods with hasSeparateSalt() = true and a null salt --- .../authme/security/PasswordSecurity.java | 27 ++++++++++++------- .../fr/xephi/authme/security/crypts/WBB4.java | 9 ++++++- .../authme/security/PasswordSecurityTest.java | 4 ++- 3 files changed, 29 insertions(+), 11 deletions(-) diff --git a/src/main/java/fr/xephi/authme/security/PasswordSecurity.java b/src/main/java/fr/xephi/authme/security/PasswordSecurity.java index 552b64dd..1946df6a 100644 --- a/src/main/java/fr/xephi/authme/security/PasswordSecurity.java +++ b/src/main/java/fr/xephi/authme/security/PasswordSecurity.java 
@@ -41,15 +41,8 @@ public class PasswordSecurity { public boolean comparePassword(String password, HashedPassword hashedPassword, String playerName) { EncryptionMethod method = initializeEncryptionMethod(algorithm, playerName); - // User is not in data source, so the result will invariably be wrong because an encryption - // method with hasSeparateSalt() == true NEEDS the salt to evaluate the password - String salt = hashedPassword.getSalt(); - if (method.hasSeparateSalt() && salt == null) { - return false; - } - String playerLowerCase = playerName.toLowerCase(); - return method.comparePassword(password, hashedPassword, playerLowerCase) + return methodMatches(method, password, hashedPassword, playerLowerCase) || supportOldAlgorithm && compareWithAllEncryptionMethods(password, hashedPassword, playerLowerCase); } @@ -69,7 +62,7 @@ public class PasswordSecurity { for (HashAlgorithm algorithm : HashAlgorithm.values()) { if (!HashAlgorithm.CUSTOM.equals(algorithm)) { EncryptionMethod method = initializeEncryptionMethodWithoutEvent(algorithm); - if (method != null && method.comparePassword(password, hashedPassword, playerName)) { + if (methodMatches(method, password, hashedPassword, playerName)) { hashPasswordForNewAlgorithm(password, playerName); return true; } 
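Review bot: The new return line in comparePassword loses the explanation the removed guard carried, and a hash without a salt now behaves differently depending on supportOldAlgorithm: the configured method is skipped, but compareWithAllEncryptionMethods still runs. I would say so on the line, e.g. `// A missing salt only rules out the configured method; legacy algorithms are still tried if supportOldAlgorithm is set`, and parenthesise the fallback as `|| (supportOldAlgorithm && compareWithAllEncryptionMethods(password, hashedPassword, playerLowerCase))` so the precedence is explicit. The removed comment tied a null salt to a user missing from the data source. If that still holds, a login for an unknown name now runs the supplied password through every algorithm when the flag is on, which costs more per attempt and should be a deliberate choice.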
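Review bot: An exception thrown by one legacy method ends the whole loop in compareWithAllEncryptionMethods, because the call through methodMatches at the changed `if` is unguarded. This same commit adds a catch for IllegalArgumentException inside WBB4.comparePassword, which suggests other implementations may also throw on a hash in a foreign format. Guarding the call once in the loop treats such a failure as a non-match for that algorithm only and lets the remaining ones run. The sketch keeps hashPasswordForNewAlgorithm outside the try so its errors still surface. The loop and its method begin and end outside this hunk.

```java
EncryptionMethod method = initializeEncryptionMethodWithoutEvent(algorithm);
boolean matches;
try {
    matches = methodMatches(method, password, hashedPassword, playerName);
} catch (RuntimeException ignored) {
    // A hash stored in another scheme's format is a non-match for this
    // algorithm, not a reason to stop trying the remaining ones.
    matches = false;
}
if (matches) {
    // … unchanged: hashPasswordForNewAlgorithm call and return true …
}
```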
@@ -78,6 +71,22 @@ public class PasswordSecurity { return false; } + /** + * Verify with the given encryption method whether the password matches the hash after checking that + * the method can be called safely with the given data. + * + * @param method The encryption method to use + * @param password The password to check + * @param hashedPassword The hash to check against + * @param playerName The name of the player + * @return True if the password matched, false otherwise + */ + private static boolean methodMatches(EncryptionMethod method, String password, + HashedPassword hashedPassword, String playerName) { + return method != null && (!method.hasSeparateSalt() || hashedPassword.getSalt() != null) + && method.comparePassword(password, hashedPassword, playerName); + } + /** * Get the encryption method from the given {@link HashAlgorithm} value and emit a * {@link PasswordEncryptionEvent}. The encryption method from the event is then returned, diff --git a/src/main/java/fr/xephi/authme/security/crypts/WBB4.java b/src/main/java/fr/xephi/authme/security/crypts/WBB4.java index 9c7d13d3..cbd77fc6 100644 --- a/src/main/java/fr/xephi/authme/security/crypts/WBB4.java +++ b/src/main/java/fr/xephi/authme/security/crypts/WBB4.java @@ -1,7 +1,9 @@ package fr.xephi.authme.security.crypts; +import fr.xephi.authme.ConsoleLogger; import fr.xephi.authme.security.crypts.description.Recommendation; import fr.xephi.authme.security.crypts.description.Usage; +import fr.xephi.authme.util.StringUtils; @Recommendation(Usage.DOES_NOT_WORK) public class WBB4 extends HexSaltedMethod { 
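Review bot: The Javadoc on methodMatches says the method is only called when that is safe, but does not say what "safe" means, and `hashedPassword` is dereferenced without a null check. I would add that the result is false, without calling comparePassword, when `method` is null or when `hasSeparateSalt()` is true and the hash has no salt, and state that `hashedPassword` must not be null. Because the short-circuit skips the hash computation, a salt-less record presumably answers faster than one with a salt. Whether a client can observe that depends on callers outside this hunk.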
@@ -13,7 +15,12 @@ public class WBB4 extends HexSaltedMethod { @Override public boolean comparePassword(String password, HashedPassword hashedPassword, String playerName) { - return BCRYPT.checkpw(password, hashedPassword.getHash(), 2); + try { + return BCRYPT.checkpw(password, hashedPassword.getHash(), 2); + } catch (IllegalArgumentException e) { + ConsoleLogger.showError("WBB4 compare password returned: " + StringUtils.formatException(e)); + } + return false; } @Override diff --git a/src/test/java/fr/xephi/authme/security/PasswordSecurityTest.java b/src/test/java/fr/xephi/authme/security/PasswordSecurityTest.java index d36810ab..cf15eb5f 100644 --- a/src/test/java/fr/xephi/authme/security/PasswordSecurityTest.java +++ b/src/test/java/fr/xephi/authme/security/PasswordSecurityTest.java @@ -7,6 +7,7 @@ import fr.xephi.authme.security.crypts.HashedPassword; import fr.xephi.authme.security.crypts.EncryptionMethod; import fr.xephi.authme.security.crypts.JOOMLA; import fr.xephi.authme.security.crypts.PHPBB; +import fr.xephi.authme.util.WrapperMock; import org.bukkit.event.Event; import org.bukkit.plugin.PluginManager; import org.junit.Before; @@ -42,6 +43,7 @@ public class PasswordSecurityTest { @Before public void setUpMocks() { + WrapperMock.createInstance(); pluginManager = mock(PluginManager.class); dataSource = mock(DataSource.class); method = mock(EncryptionMethod.class); @@ -209,7 +211,7 @@ public class PasswordSecurityTest { HashedPassword hashedPassword = new HashedPassword("~T!est#Hash"); given(method.computeHash(password, username)).willReturn(hashedPassword); given(method.hasSeparateSalt()).willReturn(true); - PasswordSecurity security = new PasswordSecurity(dataSource, HashAlgorithm.XAUTH, pluginManager, true); + PasswordSecurity security = new PasswordSecurity(dataSource, HashAlgorithm.XAUTH, pluginManager, false); // when boolean result = security.comparePassword(password, hashedPassword, username);
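Review bot: The new catch in WBB4.comparePassword calls `ConsoleLogger.showError` whenever `BCRYPT.checkpw` rejects the stored hash, yet that is the expected outcome when this method is tried against a hash from another scheme, not an error. If WBB4 is among the algorithms walked by the old-algorithm fallback, each such login attempt writes an error line, so repeated failed logins can flood the console log. I would drop the message or lower its severity, and move `return false;` into the catch block so the non-match path reads in one place. Whether `StringUtils.formatException(e)` can echo part of the stored hash depends on the exception text, which is not visible here, so that should be checked before keeping the log line.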
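Review bot: Flipping the last constructor argument to `false` keeps this test passing but leaves the changed behaviour untested. With the flag set to `true`, a salt-less hash under a `hasSeparateSalt()` method now reaches the fallback instead of returning false early. A companion test that constructs `PasswordSecurity` with `true` for the same salt-less hash, and asserts that a wrong password still yields false, would pin the new path. The test method starts and ends outside this hunk.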