Help me with this implementation?

[sephiro]

Hi, I'm trying to update my site to the new RSP6 template, but I'm failing miserably.

This is the current code that worked:

<?php
if (!isset($_SESSION)){ session_start(); }
include 'config/conect.php';
include 'config/functions.php'; // This is already part of the implementation attempt.
if(isset($_POST["user"]) and isset($_POST["pass"]) and isset($_POST["login"])){
if((empty($_POST['user'])) || (empty($_POST['pass']))){
?>
<BODY onLoad="window.alert('You have not filled in all fields.\All fields are required!\nPlease try again.')">
<?php
}else{
if(strpos($_SERVER['HTTP_REFERER'],$end)) {
$login = mysqli_real_escape_string($db,trim($_POST['user']));
$passw = strtoupper(sha1(strtoupper($_POST['user'] . ':' . $_POST['pass'])));
$query = mysqli_query($db,"SELECT id, username, gmlevel, nostalrius_token, expansion, name, last_ip FROM `account` WHERE (`username` = '". $login ."') AND (`sha_pass_hash` = '". $passw ."') LIMIT 1") or die(mysqli_error($db));
if (mysqli_num_rows($query) != 1) {
?>
<BODY onLoad="window.alert('Incorrect login or password!')">
<?php
} else {
$resultado = mysqli_fetch_assoc($query);
$_SESSION['UserId'] = $resultado['id'];
$_SESSION['UserLogin'] = $resultado['username'];
$_SESSION['UserLevel'] = $resultado['gmlevel'];
$_SESSION['UserName'] = $resultado['name'];
$_SESSION['UserIp'] = $resultado['last_ip'];
}
}
}
}

$nick = isset($_SESSION["UserName"]) ? $_SESSION["UserName"] : "No Name";
$ipultimo = isset($_SESSION["UserIp"]) ? $_SESSION["UserIp"] : "0.0.0.0";
$usuarioid = isset($_SESSION["UserId"]) ? $_SESSION["UserId"] : "0";

if(isset($_POST["logoff"])){
if(strpos($_SERVER['HTTP_REFERER'],$end)) {
session_destroy();
header('location: index.php');
exit;
}
}
?>

Could someone help/teach me, how to make this login code work on the SRP6 model? My knowledge is limited.

This is the functions.php file:

<?php
// Its from Trinitycore/account-creator
function calculateSRP6Verifier($login, $passw, $salt)
{
// algorithm constants
$g = gmp_init(7);
$N = gmp_init('894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C82872A3E9BB7', 16);

// calculate first hash
$h1 = sha1(strtoupper($login . ':' . $passw), TRUE);

// calculate second hash
$h2 = sha1(strrev($salt) . $h1, TRUE); // From haukw

// convert to integer (little-endian)
$h2 = gmp_import($h2, 1, GMP_LSW_FIRST);

// g^h2 mod N
$verifier = gmp_powm($g, $h2, $N);

// convert back to a byte array (little-endian)
$verifier = gmp_export($verifier, 1, GMP_LSW_FIRST);

// pad to 32 bytes, remember that zeros go on the end in little-endian!
$verifier = str_pad($verifier, 32, chr(0), STR_PAD_RIGHT);

// done!
return strrev($verifier); // From haukw
}

// Returns SRP6 parameters to register this username/password combination with
function getRegistrationData($login, $passw)
{
// generate a random salt
$salt = random_bytes(32);

// calculate verifier using this salt
$verifier = calculateSRP6Verifier($login, $passw, $salt);

// done - this is what you put in the account table!

$salt = strtoupper(bin2hex($salt)); // From haukw
$verifier = strtoupper(bin2hex($verifier)); // From haukw


return array($salt, $verifier);
}

//From TrinityCore/AOWOW
function verifySRP6($login, $passw, $salt, $verifier)
{
$g = gmp_init(7);
$N = gmp_init('894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C82872A3E9BB7', 16);
$x = gmp_import(
sha1($salt . sha1(strtoupper($login . ':' . $passw), TRUE), TRUE),
1,
GMP_LSW_FIRST
);
$v = gmp_powm($g, $x, $N);
return ($verifier === str_pad(gmp_export($v, 1, GMP_LSW_FIRST), 32, chr(0), STR_PAD_RIGHT));
}