pegasus/anope
1
0
Fork 0
mirror of https://github.com/anope/anope.git synced 2026-06-28 10:46:38 +02:00
Code Activity

Ensure that verify-only encryption modules can never encrypt passwords.

Browse Source 
If another module was loaded first and then later unloaded it was
possible for a deprecated module to encrypt passwords.
This commit is contained in:
Sadie Powell
2024-03-10 20:06:53 +00:00
parent 9a984a8148
commit e2df7d4d01
6 changed files with 68 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/encryption/enc_sha256.cpp
+20 -25
View File
@@ -48,16 +48,7 @@ private:
PACK32(reinterpret_cast<unsigned char *>(&buf2[i << 2]), &iv[i]);
}
public:
ESHA256(const Anope::string &modname, const Anope::string &creator)
: Module(modname, creator, ENCRYPTION | VENDOR)
{
use_iv = false;
if (ModuleManager::FindFirstOf(ENCRYPTION) == this)
throw ModuleException("enc_sha256 is deprecated and can not be used as a primary encryption method");
}
EventReturn OnEncrypt(const Anope::string &src, Anope::string &dest) override
Anope::string EncryptInternal(const Anope::string &src)
{
if (!use_iv)
NewRandomIV();
@@ -73,36 +64,40 @@ public:
sha256_final(&ctx, digest);
Anope::string hash(reinterpret_cast<const char *>(&digest), sizeof(digest));
std::stringstream buf;
buf << "sha256:" << Anope::Hex(hash) << ":" << GetIVString();
Log(LOG_DEBUG_2) << "(enc_sha256) hashed password from [" << src << "] to [" << buf.str() << " ]";
dest = buf.str();
return EVENT_ALLOW;
return Anope::Hex(hash) + ":" + GetIVString();
}
public:
ESHA256(const Anope::string &modname, const Anope::string &creator)
: Module(modname, creator, ENCRYPTION | VENDOR)
{
use_iv = false;
if (ModuleManager::FindFirstOf(ENCRYPTION) == this)
throw ModuleException("enc_sha256 is deprecated and can not be used as a primary encryption method");
}
void OnCheckAuthentication(User *, IdentifyRequest *req) override
{
const NickAlias *na = NickAlias::Find(req->GetAccount());
if (na == NULL)
const auto *na = NickAlias::Find(req->GetAccount());
if (!na)
return;
NickCore *nc = na->nc;
size_t pos = nc->pass.find(':');
NickCore *nc = na->nc;
auto pos = nc->pass.find(':');
if (pos == Anope::string::npos)
return;
Anope::string hash_method(nc->pass.begin(), nc->pass.begin() + pos);
if (!hash_method.equals_cs("sha256"))
return;
GetIVFromPass(nc->pass);
use_iv = true;
Anope::string buf;
this->OnEncrypt(req->GetPassword(), buf);
if (nc->pass.equals_cs(buf))
auto enc = EncryptInternal(req->GetPassword());
if (nc->pass.equals_cs(enc))
{
/* if we are NOT the first module in the list or we are using a default IV
* we want to re-encrypt the pass with the new encryption
*/
// If we are NOT the first encryption module we want to re-encrypt
// the password with the primary encryption method.
if (ModuleManager::FindFirstOf(ENCRYPTION) != this)
Anope::Encrypt(req->GetPassword(), nc->pass);
req->Success(this);