Implementing secure user authentication in a C++ game using OpenSSL
I'm not sure how to approach I've been struggling with this for a few days now and could really use some help... Currently developing an indie game where security is a major consideration, particularly around user authentication and data integrity. I’m looking to implement a robust authentication system using OpenSSL. My initial approach involved using `EVP_EncryptInit_ex` for symmetric encryption of user credentials, but I’m unsure about how to securely handle the passwords and manage their lifecycle. I’ve read about hashing functions like SHA-256 but also want to ensure that I’m using salting effectively to protect against rainbow table attacks. Here’s a snippet of what I’ve attempted so far: ```cpp #include <openssl/evp.h> #include <openssl/rand.h> #include <openssl/sha.h> #include <iostream> #include <vector> void hashPassword(const std::string& password, std::vector<unsigned char>& salt, std::vector<unsigned char>& hashed) { salt.resize(16); RAND_bytes(salt.data(), salt.size()); // Create a random salt std::string saltedPassword = password + std::string(salt.begin(), salt.end()); SHA256(reinterpret_cast<const unsigned char*>(saltedPassword.c_str()), saltedPassword.length(), hashed.data()); } int main() { std::vector<unsigned char> salt; std::vector<unsigned char> hashed(SHA256_DIGEST_LENGTH); hashPassword("my_secure_password", salt, hashed); // Store salt and hashed password securely } ``` One major consideration is how I should be storing the salt and hash after computation. Should these be stored in plain text in a database, or is there a more secure method? Additionally, during testing, I’m looking to avoid any potential memory leaks, especially since I’m using low-level C++ memory management. I’ve tried utilizing smart pointers but am unsure if that's sufficient given the OpenSSL context. Also, any best practices on error handling for OpenSSL functions would be appreciated, as I have found that debugging can be quite tricky when the library returns error codes that don’t seem immediately clear. Overall, I'm seeking a holistic view on implementing this securely from both design and code perspective. Any insights or resources would be highly valued! I'm developing on Linux with C++. How would you solve this? This is my first time working with C++ stable.