Fix LOGON_CHALLENGE security flags buffer corruption and improve auth diagnostics

Account for PIN/matrix/authenticator extra data in packet size calculation to prevent receive buffer corruption. Add hex dump of raw auth packets and show actual server error codes.
2026-05-03 00:03:50 +00:00 · 2026-02-05 13:26:24 -08:00 · 2026-02-05 13:26:24 -08:00 · 61147a08af
commit 61147a08af
parent 738dafb65b
3 changed files with 55 additions and 12 deletions
--- a/src/auth/auth_handler.cpp
+++ b/src/auth/auth_handler.cpp
@ -2,6 +2,8 @@
 #include "network/tcp_socket.hpp"
 #include "network/packet.hpp"
 #include "core/logger.hpp"
+#include <sstream>
+#include <iomanip>

 namespace wowee {
 namespace auth {
@ -114,6 +116,16 @@ void AuthHandler::handleLogonChallengeResponse(network::Packet& packet) {
        return;
    }

+    if (response.securityFlags != 0) {
+        LOG_WARNING("Server sent security flags: 0x", std::hex, (int)response.securityFlags, std::dec);
+        if (response.securityFlags & 0x01) LOG_WARNING("  PIN required (not supported)");
+        if (response.securityFlags & 0x02) LOG_WARNING("  Matrix card required (not supported)");
+        if (response.securityFlags & 0x04) LOG_WARNING("  Authenticator required (not supported)");
+    }
+
+    LOG_INFO("Challenge: N=", response.N.size(), "B g=", response.g.size(), "B salt=",
+             response.salt.size(), "B secFlags=0x", std::hex, (int)response.securityFlags, std::dec);
+
    // Feed SRP with server challenge data
    srp->feed(response.B, response.g, response.N, response.salt);

@ -145,7 +157,9 @@ void AuthHandler::handleLogonProofResponse(network::Packet& packet) {
    }

    if (!response.isSuccess()) {
-        fail("Login failed - incorrect username or password");
+        std::string reason = "Login failed: ";
+        reason += getAuthResultString(static_cast<AuthResult>(response.status));
+        fail(reason);
        return;
    }

@ -227,7 +241,16 @@ void AuthHandler::handlePacket(network::Packet& packet) {

    AuthOpcode opcode = static_cast<AuthOpcode>(opcodeValue);

-    LOG_DEBUG("Received auth packet, opcode: 0x", std::hex, (int)opcodeValue, std::dec);
+    // Hex dump first bytes for diagnostics
+    {
+        const auto& raw = packet.getData();
+        std::ostringstream hs;
+        for (size_t i = 0; i < std::min<size_t>(raw.size(), 40); ++i)
+            hs << std::hex << std::setfill('0') << std::setw(2) << (int)raw[i];
+        if (raw.size() > 40) hs << "...";
+        LOG_INFO("Auth pkt 0x", std::hex, (int)opcodeValue, std::dec,
+                 " (", raw.size(), "B): ", hs.str());
+    }

    switch (opcode) {
        case AuthOpcode::LOGON_CHALLENGE:
--- a/src/auth/srp.cpp
+++ b/src/auth/srp.cpp
@ -3,6 +3,8 @@
 #include "core/logger.hpp"
 #include <algorithm>
 #include <cctype>
+#include <sstream>
+#include <iomanip>

 namespace wowee {
 namespace auth {
@ -68,7 +70,20 @@ void SRP::feed(const std::vector<uint8_t>& B_bytes,
    // 5. Compute proofs (M1, M2)
    computeProofs(stored_username);

-    LOG_INFO("SRP authentication data ready!");
+    // Log key values for debugging auth issues
+    auto hexStr = [](const std::vector<uint8_t>& v, size_t maxBytes = 8) -> std::string {
+        std::ostringstream ss;
+        for (size_t i = 0; i < std::min(v.size(), maxBytes); ++i)
+            ss << std::hex << std::setfill('0') << std::setw(2) << (int)v[i];
+        if (v.size() > maxBytes) ss << "...";
+        return ss.str();
+    };
+    auto A_wire = A.toArray(true, 32);
+    auto s_dbg = s.toArray(true);
+    auto B_dbg = B.toArray(true);
+    LOG_INFO("SRP ready: A=", hexStr(A_wire), " M1=", hexStr(M1),
+             " s_nat=", s_dbg.size(), " A_nat=", A.toArray(true).size(),
+             " B_nat=", B_dbg.size());
 }

 std::vector<uint8_t> SRP::computeAuthHash(const std::string& username,