authorSadie Powell <sadie@witchery.services>2024-03-18 22:07:31 +0000
committerSadie Powell <sadie@witchery.services>2024-03-18 22:17:14 +0000
commit5a72d8783ec5ac12d0a0c33e0b4f7e928a51157b (patch)
treed2428715124f6a077f635143e9ee56b16e57323b
parente6770bc2fd090ea60751a66492912b953e2979f8 (diff)
Add verify-only support for POSIX crypt() hashes from Atheme.
-rw-r--r--.github/workflows/ci-alpine.yml2
-rw-r--r--.github/workflows/ci-linux.yml2
-rw-r--r--.gitignore1
-rw-r--r--data/anope.example.conf3
-rw-r--r--modules/database/db_atheme.cpp9
-rw-r--r--modules/extra/enc_posix.cpp51
6 files changed, 62 insertions, 6 deletions
diff --git a/.github/workflows/ci-alpine.yml b/.github/workflows/ci-alpine.yml
index 6a0466e44..c2a679303 100644
--- a/.github/workflows/ci-alpine.yml
+++ b/.github/workflows/ci-alpine.yml
@@ -37,7 +37,7 @@ jobs:
- name: Enable extras
run: |
- for MODULE in enc_argon2 ldap mysql regex_pcre2 regex_posix regex_tre sqlite ssl_gnutls ssl_openssl
+ for MODULE in enc_argon2 enc_posix ldap mysql regex_pcre2 regex_posix regex_tre sqlite ssl_gnutls ssl_openssl
do
ln -s $PWD/modules/extra/$MODULE.cpp $PWD/modules
done
diff --git a/.github/workflows/ci-linux.yml b/.github/workflows/ci-linux.yml
index d102be965..7af1b136a 100644
--- a/.github/workflows/ci-linux.yml
+++ b/.github/workflows/ci-linux.yml
@@ -32,7 +32,7 @@ jobs:
- name: Enable extras
run: |
- for MODULE in ldap mysql regex_pcre2 regex_posix regex_tre sqlite ssl_gnutls ssl_openssl
+ for MODULE in enc_argon2 enc_posix ldap mysql regex_pcre2 regex_posix regex_tre sqlite ssl_gnutls ssl_openssl
do
ln -s ${{ github.workspace }}/modules/extra/$MODULE.cpp ${{ github.workspace }}/modules
done
diff --git a/.gitignore b/.gitignore
index cf096b4d5..87e372936 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@ build/
config.cache
include/sysconf.h
modules/enc_argon2.cpp
+modules/enc_posix.cpp
modules/ldap.cpp
modules/mysql.cpp
modules/regex_pcre2.cpp
diff --git a/data/anope.example.conf b/data/anope.example.conf
index f0e80597b..c48e74e6a 100644
--- a/data/anope.example.conf
+++ b/data/anope.example.conf
@@ -1308,7 +1308,7 @@ module
}
/*
- * [DEPRECATED] enc_md5, enc_none, enc_old, enc_sha1, enc_sha256
+ * [DEPRECATED] enc_md5, enc_none, enc_old, enc_posix, enc_sha1, enc_sha256
*
* These modules are deprecated can *ONLY* be used as a verify-only encryption
* module to retain compatibility with old Anope databases. They will be removed
@@ -1317,6 +1317,7 @@ module
#module { name = "enc_md5" }
#module { name = "enc_none" }
#module { name = "enc_old" }
+#module { name = "enc_posix" }
#module { name = "enc_sha1" }
#module { name = "enc_sha256" }
diff --git a/modules/database/db_atheme.cpp b/modules/database/db_atheme.cpp
index c0a628bfd..ca53e955b 100644
--- a/modules/database/db_atheme.cpp
+++ b/modules/database/db_atheme.cpp
@@ -411,9 +411,9 @@ private:
// base64 Converted to the first encryption algorithm
// bcrypt Converted to enc_bcrypt
// crypt3-des NO
- // crypt3-md5 NO
- // crypt3-sha2-256 NO
- // crypt3-sha2-512 NO
+ // crypt3-md5 Converted to enc_posix
+ // crypt3-sha2-256 Converted to enc_posix
+ // crypt3-sha2-512 Converted to enc_posix
// ircservices Converted to enc_old
// pbkdf2 NO
// pbkdf2v2 NO
@@ -462,6 +462,9 @@ private:
else if (pass.compare(0, 11, "$rawsha512$", 11) == 0)
nc->pass = "raw-sha512:" + pass.substr(11);
+ else if (pass.compare(0, 3, "$1$", 3) == 0 || pass.compare(0, 3, "$5", 3) == 0 || pass.compare(0, 3, "$6", 3) == 0)
+ nc->pass = "posix:" + pass;
+
else if (pass.compare(0, 4, "$2a$", 4) == 0 || pass.compare(0, 4, "$2b$", 4) == 0)
nc->pass = "bcrypt:" + pass;
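Review bot: The `$5` and `$6` checks in the added `else if` cannot match a real crypt3-sha2 hash. Each passes a two-character literal with a length of 3, so the third character compared is the literal's terminating NUL rather than `$` (assuming `Anope::string::compare` follows `std::string` semantics). As written only `$1$` hashes are tagged `posix:`, and SHA-256/SHA-512 crypt hashes fall through to the later branches, so those accounts would not be verifiable through enc_posix after import. The literals should carry the trailing delimiter: `pass.compare(0, 3, "$5$", 3) == 0 || pass.compare(0, 3, "$6$", 3) == 0`. The enclosing if/else chain starts and ends outside this hunk.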
diff --git a/modules/extra/enc_posix.cpp b/modules/extra/enc_posix.cpp
new file mode 100644
index 000000000..a33f272fc
--- /dev/null
+++ b/modules/extra/enc_posix.cpp
@@ -0,0 +1,51 @@
+/* Module for providing POSIX crypt() hashing
+ *
+ * (C) 2003-2024 Anope Team
+ * Contact us at team@anope.org
+ *
+ * This program is free but copyrighted software; see the file COPYING for
+ * details.
+ *
+ */
+
+/* RequiredLibraries: crypt */
+
+#include "module.h"
+
+class EPOSIX final
+ : public Module
+{
+public:
+ EPOSIX(const Anope::string &modname, const Anope::string &creator)
+ : Module(modname, creator, ENCRYPTION | VENDOR)
+ {
+ }
+
+ void OnCheckAuthentication(User *, IdentifyRequest *req) override
+ {
+ const auto *na = NickAlias::Find(req->GetAccount());
+ if (!na)
+ return;
+
+ NickCore *nc = na->nc;
+ auto pos = nc->pass.find(':');
+ if (pos == Anope::string::npos)
+ return;
+
+ Anope::string hash_method(nc->pass.begin(), nc->pass.begin() + pos);
+ if (!hash_method.equals_cs("posix"))
+ return;
+
+ Anope::string pass_hash(nc->pass.begin() + pos + 1, nc->pass.end());
+ if (pass_hash.equals_cs(crypt(req->GetPassword().c_str(), pass_hash.c_str())))
+ {
+ // If we are NOT the first encryption module we want to re-encrypt
+ // the password with the primary encryption method.
+ if (ModuleManager::FindFirstOf(ENCRYPTION) != this)
+ Anope::Encrypt(req->GetPassword(), nc->pass);
+ req->Success(this);
+ }
+ }
+};
+
+MODULE_INIT(EPOSIX)
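Review bot: In `OnCheckAuthentication` the result of `crypt()` is passed straight to `equals_cs()`, but `crypt()` returns a null pointer on failure, for example when the platform's libc does not support or has disabled the method named in the stored salt. A stored `posix:` value the platform cannot process would then likely crash services on an identify attempt instead of simply failing the login. Capture and check the result first: `const char *computed = crypt(req->GetPassword().c_str(), pass_hash.c_str());` followed by `if (computed && pass_hash.equals_cs(computed))`. Some implementations return a failure token beginning with `*` rather than null; that cannot equal a well-formed stored hash, but a comment noting this would help the next reader.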