mirror of
https://github.com/anope/anope.git
synced 2026-06-24 08:56:37 +02:00
Sadie Powell
f9911dde52
We used to return NULL from these methods but now we return an empty block so this can never actually be null now.
187 lines
4.7 KiB
C++
187 lines
4.7 KiB
C++
/* Module for providing bcrypt hashing
|
|
*
|
|
* (C) 2003-2025 Anope Team
|
|
* Contact us at team@anope.org
|
|
*
|
|
* This program is free but copyrighted software; see the file COPYING for
|
|
* details.
|
|
*
|
|
*/
|
|
|
|
|
|
#include <climits>
|
|
#include <random>
|
|
|
|
#include "bcrypt/crypt_blowfish.c"
|
|
|
|
#include "module.h"
|
|
#include "modules/encryption.h"
|
|
|
|
class BCryptContext final
|
|
: public Encryption::Context
|
|
{
|
|
private:
|
|
Anope::string buffer;
|
|
|
|
Anope::string GenerateSalt()
|
|
{
|
|
static std::random_device device;
|
|
static std::mt19937 engine(device());
|
|
static std::uniform_int_distribution<int> dist(CHAR_MIN, CHAR_MAX);
|
|
char entropy[16];
|
|
for (size_t i = 0; i < sizeof(entropy); ++i)
|
|
entropy[i] = static_cast<char>(dist(engine));
|
|
|
|
char salt[32];
|
|
if (!_crypt_gensalt_blowfish_rn("$2a$", rounds, entropy, sizeof(entropy), salt, sizeof(salt)))
|
|
{
|
|
Log(LOG_DEBUG) << "Unable to generate a salt for Bcrypt: " << strerror(errno);
|
|
return {};
|
|
}
|
|
return salt;
|
|
}
|
|
|
|
public:
|
|
static unsigned long rounds;
|
|
|
|
static Anope::string Hash(const Anope::string &data, const Anope::string &salt)
|
|
{
|
|
char hash[64];
|
|
if (!_crypt_blowfish_rn(data.c_str(), salt.c_str(), hash, sizeof(hash)))
|
|
{
|
|
Log(LOG_DEBUG) << "Unable to generate a hash for Bcrypt: " << strerror(errno);
|
|
return {};
|
|
}
|
|
return hash;
|
|
}
|
|
|
|
void Update(const unsigned char *data, size_t len) override
|
|
{
|
|
buffer.append(reinterpret_cast<const char *>(data), len);
|
|
}
|
|
|
|
Anope::string Finalize() override
|
|
{
|
|
auto salt = GenerateSalt();
|
|
if (salt.empty())
|
|
return {};
|
|
return Hash(this->buffer, salt);
|
|
}
|
|
};
|
|
|
|
unsigned long BCryptContext::rounds = 10;
|
|
|
|
class BCryptProvider final
|
|
: public Encryption::Provider
|
|
{
|
|
public:
|
|
BCryptProvider(Module *creator)
|
|
: Encryption::Provider(creator, "bcrypt", 0, 0)
|
|
{
|
|
}
|
|
|
|
bool Compare(const Anope::string &hash, const Anope::string &plain) override
|
|
{
|
|
auto newhash = BCryptContext::Hash(plain, hash);
|
|
return !newhash.empty() && hash.equals_cs(newhash);
|
|
}
|
|
|
|
std::unique_ptr<Encryption::Context> CreateContext() override
|
|
{
|
|
return std::make_unique<BCryptContext>();
|
|
}
|
|
|
|
Anope::string ToPrintable(const Anope::string &hash) override
|
|
{
|
|
// The crypt_blowfish library does not expose a raw form.
|
|
return hash;
|
|
}
|
|
};
|
|
|
|
|
|
class EBCrypt final
|
|
: public Module
|
|
{
|
|
private:
|
|
BCryptProvider bcryptprovider;
|
|
|
|
public:
|
|
EBCrypt(const Anope::string &modname, const Anope::string &creator)
|
|
: Module(modname, creator, ENCRYPTION | VENDOR)
|
|
, bcryptprovider(this)
|
|
{
|
|
bcryptprovider.Check({
|
|
{ "$2a$10$c9lUAuJmTYXEfNuLOiyIp.lZTMM.Rw5qsSAyZhvGT9EC3JevkUuOu", "" },
|
|
{ "$2a$10$YV4jDSGs0ZtQbpL6IHtNO.lt5Q.uzghIohCcnERQVBGyw7QJMfyhe", "The quick brown fox jumps over the lazy dog" },
|
|
});
|
|
}
|
|
|
|
EventReturn OnEncrypt(const Anope::string &src, Anope::string &dest) override
|
|
{
|
|
// Bcrypt can not generate passwords longer than 71 characters.
|
|
if (src.length() > 71)
|
|
return EVENT_CONTINUE;
|
|
|
|
dest = "bcrypt:" + bcryptprovider.Encrypt(src);
|
|
Log(LOG_DEBUG_2) << "(enc_bcrypt) hashed password from [" << src << "] to [" << dest << "]";
|
|
return EVENT_ALLOW;
|
|
}
|
|
|
|
void OnCheckAuthentication(User *, IdentifyRequest *req) override
|
|
{
|
|
const auto *na = NickAlias::Find(req->GetAccount());
|
|
if (!na)
|
|
return;
|
|
|
|
NickCore *nc = na->nc;
|
|
auto pos = nc->pass.find(':');
|
|
if (pos == Anope::string::npos)
|
|
return;
|
|
|
|
Anope::string hash_method(nc->pass.begin(), nc->pass.begin() + pos);
|
|
if (!hash_method.equals_cs("bcrypt"))
|
|
return;
|
|
|
|
Anope::string hash_value(nc->pass.begin() + pos + 1, nc->pass.end());
|
|
if (bcryptprovider.Compare(hash_value, req->GetPassword()))
|
|
{
|
|
unsigned long rounds = 0;
|
|
|
|
// Try to extract the rounds count to check if we need to
|
|
// re-encrypt the password.
|
|
pos = hash_value.find('$', 4);
|
|
if (pos != Anope::string::npos)
|
|
rounds = Anope::Convert<unsigned long>(hash_value.substr(4, pos - 4), 0);
|
|
|
|
if (!rounds)
|
|
Log(LOG_DEBUG) << "Unable to determine the rounds of a bcrypt hash: " << hash_value;
|
|
|
|
// If we are NOT the first encryption module or the Bcrypt rounds
|
|
// are different we want to re-encrypt the password with the primary
|
|
// encryption method.
|
|
if (ModuleManager::FindFirstOf(ENCRYPTION) != this || (rounds && rounds != BCryptContext::rounds))
|
|
Anope::Encrypt(req->GetPassword(), nc->pass);
|
|
req->Success(this);
|
|
}
|
|
}
|
|
|
|
void OnReload(Configuration::Conf &conf) override
|
|
{
|
|
auto &block = conf.GetModule(this);
|
|
|
|
auto rounds = block.Get<unsigned long>("rounds", "10");
|
|
if (rounds < 10 || rounds > 32)
|
|
{
|
|
Log(this) << "Bcrypt rounds MUST be between 10 and 32 inclusive; using 10 instead of " << rounds << '.';
|
|
BCryptContext::rounds = 10;
|
|
return;
|
|
}
|
|
|
|
if (rounds > 14)
|
|
Log(this) << "Bcrypt rounds higher than 14 are very CPU intensive; are you sure you want to use " << rounds << '?';
|
|
BCryptContext::rounds = rounds;
|
|
}
|
|
};
|
|
|
|
MODULE_INIT(EBCrypt)
|