[quake3-bugzilla] [Bug 4810] New: Using a MD5 hash instead of clear-text password
bugzilla-daemon at icculus.org
Fri Dec 3 08:03:39 EST 2010
http://bugzilla.icculus.org/show_bug.cgi?id=4810
Summary: Using a MD5 hash instead of clear-text password
Product: ioquake3
Version: SVN HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P3
Component: Misc
AssignedTo: zakk at icculus.org
ReportedBy: uzu at qlone.org
QAContact: quake3-bugzilla at icculus.org
Created an attachment (id=2497)
--> (http://bugzilla.icculus.org/attachment.cgi?id=2497)
Adds Com_MD5String() and sv_MD5 to use an MD5 hash instead of clear-text
rconPassword

Here is a small patch to slightly improve the security by proposing an
alternative to sending a clear-text password over the network.

This small patch introduces the possibility to avoid sending a clear-text
password over the network by using an MD5 hash instead; the provided code uses
this facility with the 'rconPassword'.

The compatibility with legacy clients or servers is also maintained, i.e.
an MD5-enabled server still allows legacy clients to send a clear-text
'rconPassword' and vice versa.

Basically, the patch introduces a new function, Com_MD5String(), which
takes a string with an optional prefix and returns the calculated MD5 hash. A
new cvar, 'sv_MD5', is added in the server and propagated through the server
infostring to let any clients know about the MD5 availability.

To avoid sending the password by itself (either in plain-text or its MD5
counterpart), the MD5 hash is created using the 'rconPassword' prefixed by the
client's current challenge; 2 clients on the same server will then send 2
different MD5 hashes.
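
The exchange described in the report above, modelled as an added example that is not part of the original message or of the attached patch: a server that accepts either the challenge-prefixed MD5 hash or the legacy clear-text 'rconPassword'. The names md5_string, same, Server and client_credential, the per-address challenge table, and the sample password and challenge values are assumptions made for illustration; the signature of the real Com_MD5String() is not shown on this page.

```python
import hashlib
import hmac


def md5_string(text, prefix=""):
    """Hex MD5 of prefix + text; stands in for Com_MD5String() (signature assumed)."""
    return hashlib.md5((prefix + text).encode("utf-8")).hexdigest()


def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class Server:
    def __init__(self, rcon_password, md5_enabled=True):
        self.rcon_password = rcon_password
        self.md5_enabled = md5_enabled      # models the 'sv_MD5' cvar
        self.challenges = {}                # client address -> current challenge

    def check_rcon(self, addr, credential):
        """Return 'md5', 'clear-text', or None if the credential is rejected."""
        challenge = self.challenges.get(addr)
        if self.md5_enabled and challenge is not None:
            if same(md5_string(self.rcon_password, prefix=challenge), credential):
                return "md5"
        # Legacy path kept for compatibility: the password itself still
        # crosses the network whenever a client uses it.
        if same(self.rcon_password, credential):
            return "clear-text"
        return None


def client_credential(password, challenge, server_has_md5):
    """What a client sends: the challenge-prefixed hash if the server advertises MD5."""
    return md5_string(password, prefix=challenge) if server_has_md5 else password


if __name__ == "__main__":
    srv = Server("constructed-rcon-pw")  # constructed sample password
    srv.challenges = {"clientA": "1804289383", "clientB": "846930886"}  # constructed
    cred_a = client_credential("constructed-rcon-pw", "1804289383", True)
    cred_b = client_credential("constructed-rcon-pw", "846930886", True)
    print("A accepted via:", srv.check_rcon("clientA", cred_a))
    print("B accepted via:", srv.check_rcon("clientB", cred_b))
    print("hashes differ:", cred_a != cred_b)
    print("A's hash presented as B:", srv.check_rcon("clientB", cred_a))
    print("legacy client:", srv.check_rcon("clientA", "constructed-rcon-pw"))
```

In this model a hash computed for one client's challenge is rejected under another client's challenge, while a legacy client's login still sends the password itself.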