Use proper KDF (Argon2) to hash password

VS2015, linux is not tested yet.

src/servers/Server_REST/CMakeLists.txt

@@ -30,6 +30,7 @@ if(UNIX)
     endif()
   endif()
 else()
+  add_definitions(-DSODIUM_STATIC)
   add_definitions(-D_WIN32_WINNT=0x601)
   add_definitions(-D_CRT_SECURE_NO_WARNINGS)
   include_directories("${CMAKE_CURRENT_SOURCE_DIR}/../../libraries/external/MySQL/")
@@ -57,10 +58,13 @@ endif()
 
 
 include_directories(${Boost_INCLUDE_DIR})
+include_directories(${CMAKE_CURRENT_SOURCE_DIR}/../../libraries/external/libsodium/include)
 
 link_directories(${BOOST_LIBRARYDIR})
 link_directories(${SERVER_COMMON_DIR})
 link_directories(${CMAKE_CURRENT_SOURCE_DIR}/../../libraries/sapphire/datReader)
+link_directories(${CMAKE_CURRENT_SOURCE_DIR}/../../libraries/external/libsodium/x64/Release/v141/static)
+
 
 if(CMAKE_SIZEOF_VOID_P EQUAL 4)
   # 32 bit link
@@ -89,7 +93,7 @@ set_target_properties(server_rest PROPERTIES
 if (UNIX)
   target_link_libraries (server_rest Common xivdat pthread mysqlclient dl z)
 else()
-  target_link_libraries (server_rest Common xivdat libmysql zlib1)
+  target_link_libraries (server_rest Common xivdat libmysql zlib1 libsodium)
 endif()
 
 target_link_libraries( server_rest ${Boost_LIBRARIES} ${Boost_LIBRARIES} )

src/servers/Server_REST/SapphireAPI.cpp

@@ -13,6 +13,8 @@
 #include <boost/shared_ptr.hpp>
 #include <boost/make_shared.hpp>
 
+#include <sodium.h>
+
 extern Core::Db::Database g_database;
 
 Core::Network::SapphireAPI::SapphireAPI()
@@ -27,7 +29,7 @@ Core::Network::SapphireAPI::~SapphireAPI()
 
 bool Core::Network::SapphireAPI::login( const std::string& username, const std::string& pass, std::string& sId )
 {
-   std::string query = "SELECT account_id FROM accounts WHERE account_name = '" + username + "' AND account_pass = '" + pass + "';";
+   std::string query = "SELECT account_id, account_pass FROM accounts WHERE account_name = '" + username + "';";
    
    // check if a user with that name / password exists
    auto pQR = g_database.query( query );
@@ -35,6 +37,15 @@ bool Core::Network::SapphireAPI::login( const std::string& username, const std::
    if( !pQR )
       return false;
 
+   // id is assumed to be verified with SQL
+   // check password here
+   auto const accountPass = pQR->fetch()[1].getString();
+   if ( crypto_pwhash_argon2i_str_verify( accountPass, pass.c_str(), pass.length()) != 0 )
+   {
+      return false;
+   }
+
+
    // user found, proceed
    int32_t accountId = pQR->fetch()[0].getUInt32();
 
@@ -98,11 +109,19 @@ bool Core::Network::SapphireAPI::createAccount( const std::string& username, con
    pQR = g_database.query( "SELECT MAX(account_id) FROM accounts;" );
    int32_t accountId = pQR->fetch()[0].getUInt32() + 1;
 
+
+   char hash[crypto_pwhash_STRBYTES];
+   if (crypto_pwhash_argon2i_str(hash, pass.c_str(), pass.length(), crypto_pwhash_OPSLIMIT_INTERACTIVE, crypto_pwhash_MEMLIMIT_INTERACTIVE) != 0)
+   {
+      // Failed to allocate memory
+      return false;
+   }
+
    // store the account to the db
    g_database.execute( "INSERT INTO accounts (account_Id, account_name, account_pass, account_created) VALUE(%i, '%s', '%s', %i);",
                         accountId,
                         username.c_str(),
-                        pass.c_str(),
+                        hash,
                         time( NULL ) );
 
    

src/servers/Server_REST/main.cpp

@@ -29,6 +29,8 @@
 #include "SapphireAPI.h"
 
 
+#include <sodium.h>
+
 Core::Logger g_log;
 Core::Db::Database g_database;
 Core::Data::ExdData g_exdData;
@@ -173,6 +175,12 @@ int main(int argc, char* argv[])
    g_log.info( "Compiled: " __DATE__ " " __TIME__ );
    g_log.info( "===========================================================" );
 
+   if ( sodium_init() == -1 )
+   {
+      g_log.fatal("Failed to initialize libsodium");
+   }
+   g_log.info("Initialized libsodium");
+
    if (!loadSettings(argc, argv))
    {
       throw std::exception();