pegasus/anope
1
0
Fork 0
mirror of https://github.com/anope/anope.git synced 2026-06-26 19:36:38 +02:00
Code Activity

Ensure that verify-only encryption modules can never encrypt passwords.

Browse Source 
If another module was loaded first and then later unloaded it was
possible for a deprecated module to encrypt passwords.
This commit is contained in:
Sadie Powell
2024-03-10 20:06:53 +00:00
parent 9a984a8148
commit e2df7d4d01
6 changed files with 68 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/encryption/enc_none.cpp
+13 -22
View File
@@ -13,44 +13,35 @@ class ENone final
: public Module
{
public:
ENone(const Anope::string &modname, const Anope::string &creator) : Module(modname, creator, ENCRYPTION | VENDOR)
ENone(const Anope::string &modname, const Anope::string &creator)
: Module(modname, creator, ENCRYPTION | VENDOR)
{
if (ModuleManager::FindFirstOf(ENCRYPTION) == this)
throw ModuleException("enc_none is deprecated and can not be used as a primary encryption method");
}
EventReturn OnEncrypt(const Anope::string &src, Anope::string &dest) override
{
Anope::string buf = "plain:";
Anope::string cpass;
Anope::B64Encode(src, cpass);
buf += cpass;
Log(LOG_DEBUG_2) << "(enc_none) hashed password from [" << src << "] to [" << buf << "]";
dest = buf;
return EVENT_ALLOW;
}
void OnCheckAuthentication(User *, IdentifyRequest *req) override
{
const NickAlias *na = NickAlias::Find(req->GetAccount());
if (na == NULL)
const auto *na = NickAlias::Find(req->GetAccount());
if (!na)
return;
NickCore *nc = na->nc;
size_t pos = nc->pass.find(':');
NickCore *nc = na->nc;
auto pos = nc->pass.find(':');
if (pos == Anope::string::npos)
return;
Anope::string hash_method(nc->pass.begin(), nc->pass.begin() + pos);
if (!hash_method.equals_cs("plain"))
return;
Anope::string buf;
this->OnEncrypt(req->GetPassword(), buf);
if (nc->pass.equals_cs(buf))
Anope::string b64pass;
Anope::B64Encode(req->GetPassword(), b64pass);
auto enc = "plain:" + b64pass;
if (nc->pass.equals_cs(enc))
{
/* if we are NOT the first module in the list,
* we want to re-encrypt the pass with the new encryption
*/
// If we are NOT the first encryption module we want to re-encrypt
// the password with the primary encryption method.
if (ModuleManager::FindFirstOf(ENCRYPTION) != this)
Anope::Encrypt(req->GetPassword(), nc->pass);
req->Success(this);