mirror of https://github.com/anope/anope.git synced 2026-06-26 23:16:39 +02:00

Ensure that verify-only encryption modules can never encrypt passwords.

If another module was loaded first and then later unloaded it was
possible for a deprecated module to encrypt passwords.
Sadie Powell
2024-03-10 20:06:53 +00:00
parent 9a984a8148
commit e2df7d4d01
6 changed files with 68 additions and 102 deletions
+23 -27
@@ -18,6 +18,26 @@ class EOld final
private:
ServiceReference<Encryption::Provider> md5;
Anope::string EncryptInternal(const Anope::string &src)
{
if (!md5)
return {};
char digest[32];
memset(digest, 0, sizeof(digest));
auto hash = md5->Encrypt(src);
if (hash.length() != sizeof(digest))
return {}; // Probably a bug?
memcpy(digest, hash.data(), hash.length());
char digest2[16];
for (size_t i = 0; i < sizeof(digest); i += 2)
digest2[i / 2] = XTOI(digest[i]) << 4 | XTOI(digest[i + 1]);
return Anope::Hex(digest2, sizeof(digest2));
}
inline static char XTOI(char c)
{
return c > 9 ? c - 'A' + 10 : c - '0';
@@ -36,32 +56,9 @@ public:
throw ModuleException("Unable to find md5 reference");
}
EventReturn OnEncrypt(const Anope::string &src, Anope::string &dest) override
{
if (!md5)
return EVENT_CONTINUE;
char digest[32];
memset(digest, 0, sizeof(digest));
auto hash = md5->Encrypt(src);
if (hash.length() != sizeof(digest))
return EVENT_CONTINUE; // Probably a bug?
memcpy(digest, hash.data(), hash.length());
char digest2[16];
for (size_t i = 0; i < sizeof(digest); i += 2)
digest2[i / 2] = XTOI(digest[i]) << 4 | XTOI(digest[i + 1]);
auto enc = "oldmd5:" + Anope::Hex(digest2, sizeof(digest2));
Log(LOG_DEBUG_2) << "(enc_old) hashed password from [" << src << "] to [" << enc << "]";
dest = enc;
return EVENT_ALLOW;
}
void OnCheckAuthentication(User *, IdentifyRequest *req) override
{
const NickAlias *na = NickAlias::Find(req->GetAccount());
const auto *na = NickAlias::Find(req->GetAccount());
if (!na)
return;
@@ -74,9 +71,8 @@ public:
if (!hash_method.equals_cs("oldmd5"))
return;
Anope::string buf;
this->OnEncrypt(req->GetPassword(), buf);
if (nc->pass.equals_cs(buf))
auto enc = EncryptInternal(req->GetPassword());
if (!enc.empty() && nc->pass.equals_cs(enc))
{
// If we are NOT the first encryption module we want to re-encrypt
// the password with the primary encryption method.
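Review bot: EncryptInternal() returns only `Anope::Hex(digest2, sizeof(digest2))`, whereas the removed OnEncrypt() built `"oldmd5:" + Anope::Hex(...)`, yet the check in OnCheckAuthentication still compares the result against the whole of `nc->pass`. If the stored value keeps the `oldmd5:` prefix that `hash_method` appears to be parsed from (the parsing is outside the visible hunks), the comparison can no longer match, so accounts with legacy hashes would fail to identify and would never be re-encrypted with the primary method. Either return the prefixed form, `return "oldmd5:" + Anope::Hex(digest2, sizeof(digest2));`, or compare with `nc->pass.equals_cs("oldmd5:" + enc)`. OnCheckAuthentication's body continues past the last hunk.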