authorSadie Powell <sadie@witchery.services>2024-03-10 19:46:26 +0000
committerSadie Powell <sadie@witchery.services>2024-03-10 20:46:03 +0000
commit9a984a814810306f2ca2690a0c8c25bcb1e87258 (patch)
tree5d4196b6049288a34d66624a6ae215d0e6ff4545 /modules
parentfb9c8950ed0fea4c981e2ea7301f5f969296a116 (diff)
Implement verify-only support for raw SHA-2 passwords.
Diffstat (limited to 'modules')
-rw-r--r--modules/database/db_atheme.cpp9
-rw-r--r--modules/encryption/enc_sha2.cpp42
-rw-r--r--modules/encryption/enc_sha256.cpp2
3 files changed, 34 insertions, 19 deletions
diff --git a/modules/database/db_atheme.cpp b/modules/database/db_atheme.cpp
index 5871605a8..3e613562b 100644
--- a/modules/database/db_atheme.cpp
+++ b/modules/database/db_atheme.cpp
@@ -428,8 +428,8 @@ private:
// pbkdf2v2 NO
// rawmd5 Converted to enc_md5
// rawsha1 Converted to enc_sha1
- // rawsha2-256 Converted to enc_sha256
- // rawsha2-512 NO
+ // rawsha2-256 Converted to enc_sha2
+ // rawsha2-512 Converted to enc_sha2
// scrypt NO
if (pass.compare(0, 18, "$anope$enc_sha256$", 18) == 0)
{
@@ -466,7 +466,10 @@ private:
nc->pass = "sha1:" + pass.substr(9);
else if (pass.compare(0, 11, "$rawsha256$", 11) == 0)
- nc->pass = "sha256:" + pass.substr(11) + ":6a09e667bb67ae853c6ef372a54ff53a510e527f9b05688c1f83d9ab5be0cd19";
+ nc->pass = "raw-sha256:" + pass.substr(11);
+
+ else if (pass.compare(0, 11, "$rawsha512$", 11) == 0)
+ nc->pass = "raw-sha512:" + pass.substr(11);
else if (pass.compare(0, 4, "$2a$", 4) == 0 || pass.compare(0, 4, "$2b$", 4) == 0)
nc->pass = "bcrypt:" + pass;
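Review bot: The blank line added between the `$rawsha256$` and `$rawsha512$` branches splits an otherwise contiguous else-if chain; none of the other branches visible in the hunk are separated this way, so dropping it keeps the dispatch readable as a single chain. The `$rawsha512$` prefix is 11 characters, so the `compare(0, 11, "$rawsha512$", 11)` length matches the literal. The stored `raw-sha256:`/`raw-sha512:` value is taken verbatim from `pass.substr(11)` with no check that it is a hex digest of the expected length; that is presumably left to the encryption module at verification time, but a one-line comment saying so would help the next reader. The enclosing function starts and ends outside the hunk.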
diff --git a/modules/encryption/enc_sha2.cpp b/modules/encryption/enc_sha2.cpp
index 4dbbcd9de..4a9f12b09 100644
--- a/modules/encryption/enc_sha2.cpp
+++ b/modules/encryption/enc_sha2.cpp
@@ -156,29 +156,41 @@ public:
return;
Anope::string hash_method(nc->pass.begin(), nc->pass.begin() + apos);
- if (hash_method.compare(0, 5, "hmac-", 5))
- return; // Not a HMAC hash.
+ bool is_hmac = !hash_method.compare(0, 5, "hmac-", 5);
+ if (!is_hmac && hash_method.compare(0, 4, "raw-", 4))
+ return; // Not a SHA-2 password.
auto provider = GetAlgorithm(hash_method.substr(5));
if (!provider)
return; // Not a hash for this module.
- auto bpos = nc->pass.find(':', apos + 1);
- if (bpos == Anope::string::npos)
- return; // No HMAC key.
+ auto valid = false;
+ if (is_hmac)
+ {
+ auto bpos = nc->pass.find(':', apos + 1);
+ if (bpos == Anope::string::npos)
+ return; // No HMAC key.
+
+ Anope::string pass_hex(nc->pass.begin() + apos + 1, nc->pass.begin() + bpos);
+ Anope::string key_hex(nc->pass.begin() + bpos + 1, nc->pass.end());
+ Anope::string key;
+ Anope::Unhex(key_hex, key);
- Anope::string pass_hex(nc->pass.begin() + apos + 1, nc->pass.begin() + bpos);
- Anope::string key_hex(nc->pass.begin() + bpos + 1, nc->pass.end());
- Anope::string key;
- Anope::Unhex(key_hex, key);
+ auto enc = Anope::Hex(provider->HMAC(key, req->GetPassword()));
+ valid = pass_hex.equals_cs(enc);
+ }
+ else
+ {
+ Anope::string pass_hex(nc->pass.begin() + apos + 1, nc->pass.end());
+ valid = provider->Compare(pass_hex, req->GetPassword());
+ }
- auto enc = Anope::Hex(provider->HMAC(key, req->GetPassword()));
- if (pass_hex.equals_cs(enc))
+ if (valid)
{
- // If we are NOT the first encryption module or the algorithm is
- // different we want to re-encrypt the password with the primary
- // encryption method.
- if (ModuleManager::FindFirstOf(ENCRYPTION) != this || provider != defaultprovider)
+ // If we are NOT the first encryption module, the password is a raw
+ // hash, or the algorithm is different we want to re-encrypt the
+ // password with the primary encryption method.
+ if (ModuleManager::FindFirstOf(ENCRYPTION) != this || !is_hmac || provider != defaultprovider)
Anope::Encrypt(req->GetPassword(), nc->pass);
req->Success(this);
}
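Review bot: Raw SHA-2 passwords cannot verify as written, because the unchanged line `auto provider = GetAlgorithm(hash_method.substr(5));` is now also reached for `raw-` methods, and `raw-` is four characters, so `raw-sha256` yields `ha256` rather than `sha256` and the lookup presumably fails and the function returns early. The offset has to depend on the prefix that matched: `auto provider = GetAlgorithm(hash_method.substr(is_hmac ? 5 : 4));`. The `hmac-` path is unaffected since its prefix is five characters. The enclosing function starts outside the hunk.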
diff --git a/modules/encryption/enc_sha256.cpp b/modules/encryption/enc_sha256.cpp
index c9c3187e0..1377cfcb6 100644
--- a/modules/encryption/enc_sha256.cpp
+++ b/modules/encryption/enc_sha256.cpp
@@ -103,7 +103,7 @@ public:
/* if we are NOT the first module in the list or we are using a default IV
* we want to re-encrypt the pass with the new encryption
*/
- if (ModuleManager::FindFirstOf(ENCRYPTION) != this || !memcmp(iv, sha256_h0, 8))
+ if (ModuleManager::FindFirstOf(ENCRYPTION) != this)
Anope::Encrypt(req->GetPassword(), nc->pass);
req->Success(this);
}
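Review bot: The comment above the changed condition still reads `/* if we are NOT the first module in the list or we are using a default IV`, but the `!memcmp(iv, sha256_h0, 8)` clause it describes is removed in this hunk, so the comment no longer matches the code; shorten it to `/* if we are NOT the first module in the list we want to re-encrypt the pass with the new encryption */`. A consequence worth a line in the commit message is that an existing `sha256:` entry using the default IV is now left as-is when enc_sha256 is the primary module, which looks intended given that db_atheme in this commit stops emitting such entries. The enclosing function starts outside the hunk.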