Add BCrypt implementation opt-in

Author: Quackster

Diff for: Kepler-Server/build.gradle

@@ -59,6 +59,9 @@ dependencies {
 
     implementation 'com.goterl.lazycode:lazysodium-java:3.3.0'
     implementation 'com.github.bhlangonijr:chesslib:1.1.1'
+
+    // https://mvnrepository.com/artifact/at.favre.lib/bcrypt
+    compile group: 'at.favre.lib', name: 'bcrypt', version: '0.9.0'
 }
 
 // Create fat jar with libraries inside of it.

Diff for: Kepler-Server/src/main/java/org/alexdev/kepler/Kepler.java

@@ -1,7 +1,11 @@
 package org.alexdev.kepler;
 
+import at.favre.lib.crypto.bcrypt.BCrypt;
+import com.goterl.lazycode.lazysodium.LazySodiumJava;
+import com.goterl.lazycode.lazysodium.SodiumJava;
 import io.netty.util.ResourceLeakDetector;
 import org.alexdev.kepler.dao.Storage;
+import org.alexdev.kepler.dao.mysql.PlayerDao;
 import org.alexdev.kepler.dao.mysql.SettingsDao;
 import org.alexdev.kepler.game.GameScheduler;
 import org.alexdev.kepler.game.bot.BotManager;
@@ -16,13 +20,15 @@
 import org.alexdev.kepler.game.item.ItemManager;
 import org.alexdev.kepler.game.moderation.ChatManager;
 import org.alexdev.kepler.game.navigator.NavigatorManager;
+import org.alexdev.kepler.game.player.PlayerDetails;
 import org.alexdev.kepler.game.player.PlayerManager;
 import org.alexdev.kepler.game.recycler.RecyclerManager;
 import org.alexdev.kepler.game.room.RoomManager;
 import org.alexdev.kepler.game.room.models.RoomModelManager;
 import org.alexdev.kepler.game.room.public_rooms.walkways.WalkwaysManager;
 import org.alexdev.kepler.game.texts.TextsManager;
 import org.alexdev.kepler.messages.MessageHandler;
+import org.alexdev.kepler.messages.incoming.register.REGISTER;
 import org.alexdev.kepler.server.mus.MusServer;
 import org.alexdev.kepler.server.netty.NettyServer;
 import org.alexdev.kepler.server.rcon.RconServer;
@@ -35,6 +41,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.Console;
 import java.io.IOException;
 import java.net.UnknownHostException;
 
@@ -58,6 +65,8 @@ public class Kepler {
     private static RconServer rconServer;
     private static Logger log;
 
+    private static LazySodiumJava LIB_SODIUM;
+
     /**
      * Main call of Java application
      * @param args System arguments
@@ -115,6 +124,13 @@ public static void main(String[] args) {
             // Update players online back to 0
             SettingsDao.updateSetting("players.online", "0");
 
+            if (ServerConfiguration.getStringOrDefault("password.hashing.library", "argon2").equalsIgnoreCase("argon2")) {
+                log.info("Using Argon2 password hashing algorithim");
+                LIB_SODIUM  = new LazySodiumJava(new SodiumJava());
+            } else {
+                log.info("Using BCrypt password hashing algorithim");
+            }
+
             setupMus();
             setupRcon();
             setupServer();
@@ -298,4 +314,8 @@ public static long getStartupTime() {
     public static boolean isShuttingdown() {
         return isShutdown;
     }
+
+    public static LazySodiumJava getLibSodium() {
+        return LIB_SODIUM;
+    }
 }

Diff for: Kepler-Server/src/main/java/org/alexdev/kepler/dao/mysql/PlayerDao.java

@@ -1,19 +1,20 @@
 package org.alexdev.kepler.dao.mysql;
 
+import at.favre.lib.crypto.bcrypt.BCrypt;
 import com.goterl.lazycode.lazysodium.LazySodiumJava;
 import com.goterl.lazycode.lazysodium.SodiumJava;
 import com.goterl.lazycode.lazysodium.interfaces.PwHash;
+import org.alexdev.kepler.Kepler;
 import org.alexdev.kepler.dao.Storage;
 import org.alexdev.kepler.game.player.Player;
 import org.alexdev.kepler.game.player.PlayerDetails;
 import org.alexdev.kepler.util.DateUtil;
 
+import java.lang.constant.Constable;
 import java.nio.charset.StandardCharsets;
 import java.sql.*;
 
 public class PlayerDao {
-    public static final LazySodiumJava LIB_SODIUM = new LazySodiumJava(new SodiumJava());
-
     /**
      * Logs the IP address for a given user
      *
@@ -188,7 +189,7 @@ public static boolean loginTicket(Player player, String ssoTicket) {
      * @param password password
      * @return true, if successful
      */
-    public static boolean login(PlayerDetails player, String username, String password) {
+    public static boolean login(PlayerDetails player, String username, String password, boolean useLibSodium, boolean useBcrypt) {
         boolean success = false;
 
         Connection sqlConnection = null;
@@ -202,14 +203,28 @@ public static boolean login(PlayerDetails player, String username, String passwo
             resultSet = preparedStatement.executeQuery();
 
             if (resultSet.next()) {
-                byte[] hashedPassword = (resultSet.getString("password") + '\0').getBytes(StandardCharsets.UTF_8);
-                byte[] pass = password.getBytes(StandardCharsets.UTF_8);
+                if (useLibSodium) {
+                    byte[] hashedPassword = (resultSet.getString("password") + '\0').getBytes(StandardCharsets.UTF_8);
+                    byte[] pass = password.getBytes(StandardCharsets.UTF_8);
+
+                    PwHash.Native pwHash = (PwHash.Native) Kepler.getLibSodium();
+                    success = pwHash.cryptoPwHashStrVerify(hashedPassword, pass, pass.length);
+
+                    if (success) {
+                        fill(player, resultSet);
+                    }
+                }
+
+                if (useBcrypt) {
+                    var hashedPassword = resultSet.getString("password");
+
+                    BCrypt.Result result = BCrypt.verifyer().verify(password.toCharArray(), hashedPassword);
+                    success = result.verified;
 
-                PwHash.Native pwHash = (PwHash.Native) LIB_SODIUM;
-                success = pwHash.cryptoPwHashStrVerify(hashedPassword, pass, pass.length);
+                    if (success) {
+                        fill(player, resultSet);
 
-                if (success) {
-                    fill(player, resultSet);
+                    }
                 }
             }
 

Diff for: Kepler-Server/src/main/java/org/alexdev/kepler/messages/incoming/handshake/TRY_LOGIN.java

@@ -6,6 +6,7 @@
 import org.alexdev.kepler.messages.types.MessageEvent;
 import org.alexdev.kepler.server.netty.streams.NettyRequest;
 import org.alexdev.kepler.util.StringUtil;
+import org.alexdev.kepler.util.config.ServerConfiguration;
 
 public class TRY_LOGIN implements MessageEvent {
 
@@ -18,7 +19,10 @@ public void handle(Player player, NettyRequest reader) {
         String username = StringUtil.filterInput(reader.readString(), true);
         String password = StringUtil.filterInput(reader.readString(), true);
 
-        if (!PlayerDao.login(player.getDetails(), username, password)) {
+        if (!PlayerDao.login(player.getDetails(), username, password,
+                ServerConfiguration.getStringOrDefault("password.hashing.library", "argon2").equalsIgnoreCase("argon2"),
+                ServerConfiguration.getStringOrDefault("password.hashing.library", "argon2").equalsIgnoreCase("bcrypt")
+        )) {
             player.send(new LOCALISED_ERROR("Login incorrect"));
         } else {
             player.login();

Diff for: Kepler-Server/src/main/java/org/alexdev/kepler/messages/incoming/register/REGISTER.java

@@ -1,11 +1,14 @@
 package org.alexdev.kepler.messages.incoming.register;
 
+import at.favre.lib.crypto.bcrypt.BCrypt;
 import com.goterl.lazycode.lazysodium.interfaces.PwHash;
+import org.alexdev.kepler.Kepler;
 import org.alexdev.kepler.dao.mysql.PlayerDao;
 import org.alexdev.kepler.game.player.Player;
 import org.alexdev.kepler.messages.types.MessageEvent;
 import org.alexdev.kepler.server.netty.NettyPlayerNetwork;
 import org.alexdev.kepler.server.netty.streams.NettyRequest;
+import org.alexdev.kepler.util.config.ServerConfiguration;
 
 public class REGISTER implements MessageEvent {
     @Override
@@ -67,28 +70,39 @@ public void handle(Player player, NettyRequest reader) throws Exception {
             return;
         }
 
-        PlayerDao.register(username, createPassword(password), figure, gender);
+        var hashedPassword = createPassword(password);
+
+        if (hashedPassword == null)
+            return;
+
+        PlayerDao.register(username, hashedPassword, figure, gender);
         //System.out.println(name + " / " + figure + " / " + gender + " / " + email + " / " + birthday + " / " + password);
     }
 
     public static String createPassword(String password) throws Exception {
-        byte[] pw = password.getBytes();
-        byte[] outputHash = new byte[PwHash.STR_BYTES];
-        PwHash.Native pwHash = (PwHash.Native) PlayerDao.LIB_SODIUM;
-        boolean success = pwHash.cryptoPwHashStr(
-                outputHash,
-                pw,
-                pw.length,
-                PwHash.OPSLIMIT_INTERACTIVE,
-                PwHash.MEMLIMIT_INTERACTIVE
-        );
-
-        if (!success) {
-            throw new Exception("Password creation was a failure!");
+        if (ServerConfiguration.getStringOrDefault("password.hashing.library", "argon2").equalsIgnoreCase("argon2")) {
+            byte[] pw = password.getBytes();
+            byte[] outputHash = new byte[PwHash.STR_BYTES];
+            PwHash.Native pwHash = (PwHash.Native) Kepler.getLibSodium();
+            boolean success = pwHash.cryptoPwHashStr(
+                    outputHash,
+                    pw,
+                    pw.length,
+                    PwHash.OPSLIMIT_INTERACTIVE,
+                    PwHash.MEMLIMIT_INTERACTIVE
+            );
+
+            if (!success) {
+                throw new Exception("Password creation was a failure!");
+            }
+
+            return new String(outputHash).replace((char) 0 + "", "");
         }
 
-        return new String(outputHash).replace((char)0 + "", "");
-    }
-
+        if (ServerConfiguration.getStringOrDefault("password.hashing.library", "argon2").equalsIgnoreCase("bcrypt")) {
+            return BCrypt.withDefaults().hashToString(12, password.toCharArray());
+        }
 
+        return null;
+    }
 }

Diff for: Kepler-Server/src/main/java/org/alexdev/kepler/server/mus/MusConnectionHandler.java

@@ -30,6 +30,7 @@
 import org.alexdev.kepler.server.netty.NettyPlayerNetwork;
 import org.alexdev.kepler.util.DateUtil;
 import org.alexdev.kepler.util.StringUtil;
+import org.alexdev.kepler.util.config.ServerConfiguration;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -109,7 +110,10 @@ public void channelRead0(ChannelHandlerContext ctx, MusMessage message) {
 
                     PlayerDetails playerDetails = new PlayerDetails();
 
-                    if (PlayerDao.login(playerDetails, username, password)) {
+                    if (PlayerDao.login(playerDetails, username, password,
+                            ServerConfiguration.getStringOrDefault("password.hashing.library", "argon2").equalsIgnoreCase("argon2"),
+                            ServerConfiguration.getStringOrDefault("password.hashing.library", "argon2").equalsIgnoreCase("bcrypt")
+                    )) {
                         player =  PlayerManager.getInstance().getPlayerById(playerDetails.getId());
                         userId = playerDetails.getId();
                     } else {

Diff for: Kepler-Server/src/main/java/org/alexdev/kepler/util/config/ServerConfiguration.java

@@ -58,6 +58,16 @@ public static String getString(String key) {
         return config.getOrDefault(key, key);
     }
 
+    /**
+     * Get value from configuration
+     *
+     * @param key the key to use
+     * @return value
+     */
+    public static String getStringOrDefault(String key, String value) {
+        return config.getOrDefault(key, value);
+    }
+
     /**
      * Get value from configuration and cast to an Integer
      *

Diff for: Kepler-Server/src/main/java/org/alexdev/kepler/util/config/writer/DefaultConfigWriter.java

@@ -35,6 +35,7 @@ public Map<String, String>  setConfigurationDefaults() {
         config.put("v21.version.port", "0");
         config.put("v26.version.port", "0");
 
+        config.put("password.hashing.library", "argon2");
         config.put("debug", "false");
         return config;
     }
@@ -68,6 +69,8 @@ public void setConfigurationData(Map<String, String> config, PrintWriter writer)
         writer.println("mysql.password=" + config.get("mysql.password"));
         writer.println("mysql.database=" + config.get("mysql.database"));
         writer.println("");
+        writer.println("password.hashing.library=" + config.get("password.hashing.library"));
+        writer.println("");
         writer.println("[Logging]");
         writer.println("log.received.packets=" + config.get("log.received.packets"));
         writer.println("log.sent.packets=" + config.get("log.sent.packets"));