Login

For a client to be able to join a server and select a character, it first has to login through the login server and set up a session key. This session key will be used later to secure (in a very weak way) the messages between the world server and the client. The authentication is made with the SRP protocol.

Login message exchange:

1. Client asks for a login challenge by sending its build number and account name
2. Server sends SRP authentication data
3. Client sends SRP proof
4. Server accepts this proof and send its own, or reject and close the connection

When the client is accepted by the server, it can send reconnect challenges to keep connected with the same session key.

1. Client asks for a reconnection challenge with the same data as login challenge
2. Server sends a reconnection challenge (16 random bytes)
3. Client sends proof data with its own client proof
4. Server accepts or not this proof.

To check the client proof, the server has to SHA1 the concatenation of: the account name, the proof data received, the reconnection challenge and the session key. This hash should match the client proof received to be valid.

It's worth noting that, for build 4125, the client automatically disconnect after a successful login challenge and proof exchange and sends a reconnect packet right away instead of asking for the realm list.

External resources about SRP and how to implement it:

• SRP6 RFC
• Wikipedia page
• An overview of the Login Packets.

When connecting to a realm the client starts a TCP connection to the string specified in the realm list address and then:

1. The client waits for the server to send SMSG_AUTH_CHALLENGE, interrupting with CMSG_PING if no response is gotten.
2. After receiving the SMSG_AUTH_CHALLENGE the client replies with a CMSG_AUTH_SESSION.
3. Packets are now (weakly) encrypted from now on.
4. The server sends a SMSG_AUTH_RESPONSE.
5. The client sends a CMSG_CHAR_ENUM.
6. The server sends a SMSG_CHAR_ENUM.