1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
/* Module for providing bcrypt hashing
*
* (C) 2003-2024 Anope Team
* Contact us at team@anope.org
*
* This program is free but copyrighted software; see the file COPYING for
* details.
*
*/
#include "module.h"
#include "modules/encryption.h"
#include "bcrypt/crypt_blowfish.c"
class EBCRYPT final
: public Module
{
unsigned int rounds;
Anope::string Salt()
{
char entropy[16];
for (auto &chr : entropy)
chr = static_cast<char>(rand() % 0xFF);
char salt[32];
if (!_crypt_gensalt_blowfish_rn("$2a$", rounds, entropy, sizeof(entropy), salt, sizeof(salt)))
return "";
return salt;
}
Anope::string Generate(const Anope::string& data, const Anope::string& salt)
{
char hash[64];
_crypt_blowfish_rn(data.c_str(), salt.c_str(), hash, sizeof(hash));
return hash;
}
bool Compare(const Anope::string& string, const Anope::string& hash)
{
Anope::string ret = Generate(string, hash);
if (ret.empty())
return false;
return (ret == hash);
}
public:
EBCRYPT(const Anope::string &modname, const Anope::string &creator) : Module(modname, creator, ENCRYPTION | VENDOR),
rounds(10)
{
// Test a pre-calculated hash
bool test = Compare("Test!", "$2a$10$x9AQFAQScY0v9KF2suqkEOepsHFrG.CXHbIXI.1F28SfSUb56A/7K");
Anope::string salt;
Anope::string hash;
// Make sure it's working
if (!test || (salt = Salt()).empty() || (hash = Generate("Test!", salt)).empty() || !Compare("Test!", hash))
throw ModuleException("BCrypt could not load!");
}
EventReturn OnEncrypt(const Anope::string &src, Anope::string &dest) override
{
dest = "bcrypt:" + Generate(src, Salt());
Log(LOG_DEBUG_2) << "(enc_bcrypt) hashed password from [" << src << "] to [" << dest << "]";
return EVENT_ALLOW;
}
void OnCheckAuthentication(User *, IdentifyRequest *req) override
{
const NickAlias *na = NickAlias::Find(req->GetAccount());
if (na == NULL)
return;
NickCore *nc = na->nc;
size_t pos = nc->pass.find(':');
if (pos == Anope::string::npos)
return;
Anope::string hash_method(nc->pass.begin(), nc->pass.begin() + pos);
if (hash_method != "bcrypt")
return;
if (Compare(req->GetPassword(), nc->pass.substr(7)))
{
/* if we are NOT the first module in the list,
* we want to re-encrypt the pass with the new encryption
*/
unsigned int hashrounds = 0;
try
{
size_t roundspos = nc->pass.find('$', 11);
if (roundspos == Anope::string::npos)
throw ConvertException("Could not find hashrounds");
hashrounds = convertTo<unsigned int>(nc->pass.substr(11, roundspos - 11));
}
catch (const ConvertException &)
{
Log(this) << "Could not get the round size of a hash. This is probably a bug. Hash: " << nc->pass;
}
if (ModuleManager::FindFirstOf(ENCRYPTION) != this || (hashrounds && hashrounds != rounds))
Anope::Encrypt(req->GetPassword(), nc->pass);
req->Success(this);
}
}
void OnReload(Configuration::Conf *conf) override
{
Configuration::Block *block = conf->GetModule(this);
rounds = block->Get<unsigned int>("rounds", "10");
if (rounds == 0)
{
rounds = 10;
Log(this) << "Rounds can't be 0! Setting ignored.";
}
else if (rounds < 10)
{
Log(this) << "10 to 12 rounds is recommended.";
}
else if (rounds >= 32)
{
rounds = 10;
Log(this) << "The maximum number of rounds supported is 31. Ignoring setting and using 10.";
}
else if (rounds >= 14)
{
Log(this) << "Are you sure you want to use " << stringify(rounds) << " in your bcrypt settings? This is very CPU intensive! Recommended rounds is 10-12.";
}
}
};
MODULE_INIT(EBCRYPT)
|
