From 5c7db14a557d7f980dfaa8c10d40c1ccc554b35d Mon Sep 17 00:00:00 2001 From: Daniel Vassdal Date: Wed, 2 Jul 2014 20:55:33 +0200 Subject: Hashing: Redo API * Don't assume the printable output of hashes is hex * Add virtual Compare() function, usable for KDFs like BCrypt Some changes and bugfixes are by @attilamolnar, original PR #767 --- src/modules/m_cloaking.cpp | 2 +- src/modules/m_md5.cpp | 18 ++---------------- src/modules/m_password_hash.cpp | 19 ++++++++++++++++--- src/modules/m_ripemd160.cpp | 4 ++-- src/modules/m_sha256.cpp | 4 ++-- src/modules/m_sqlauth.cpp | 4 ++-- src/modules/m_sqloper.cpp | 2 +- 7 files changed, 26 insertions(+), 27 deletions(-) (limited to 'src') diff --git a/src/modules/m_cloaking.cpp b/src/modules/m_cloaking.cpp index 5d62c9cf6..e0f3f01ef 100644 --- a/src/modules/m_cloaking.cpp +++ b/src/modules/m_cloaking.cpp @@ -192,7 +192,7 @@ class ModuleCloaking : public Module input.append(1, '\0'); // null does not terminate a C++ string input.append(item); - std::string rv = Hash->sum(input).substr(0,len); + std::string rv = Hash->Generate(input).substr(0,len); for(int i=0; i < len; i++) { // this discards 3 bits per byte. We have an diff --git a/src/modules/m_md5.cpp b/src/modules/m_md5.cpp index ecf76d07c..6e6f5006f 100644 --- a/src/modules/m_md5.cpp +++ b/src/modules/m_md5.cpp @@ -244,29 +244,15 @@ class MD5Provider : public HashProvider MD5Final((unsigned char*)dest, &context); } - - void GenHash(const char* src, char* dest, const char* xtab, unsigned int* ikey, size_t srclen) - { - unsigned char bytes[16]; - - MyMD5((char*)bytes, (void*)src, srclen, ikey); - - for (int i = 0; i < 16; i++) - { - *dest++ = xtab[bytes[i] / 16]; - *dest++ = xtab[bytes[i] % 16]; - } - *dest++ = 0; - } public: - std::string sum(const std::string& data) + std::string GenerateRaw(const std::string& data) { char res[16]; MyMD5(res, (void*)data.data(), data.length(), NULL); return std::string(res, 16); } - MD5Provider(Module* parent) : HashProvider(parent, "hash/md5", 16, 64) {} + MD5Provider(Module* parent) : HashProvider(parent, "md5", 16, 64) {} }; class ModuleMD5 : public Module diff --git a/src/modules/m_password_hash.cpp b/src/modules/m_password_hash.cpp index 37effc79e..3cdd2b3ce 100644 --- a/src/modules/m_password_hash.cpp +++ b/src/modules/m_password_hash.cpp @@ -43,6 +43,13 @@ class CommandMkpasswd : public Command user->WriteNotice("Unknown hash type"); return; } + + if (hp->IsKDF()) + { + user->WriteNotice(type + " does not support HMAC"); + return; + } + std::string salt = ServerInstance->GenRandomStr(hp->out_size, false); std::string target = hp->hmac(salt, stuff); std::string str = BinToBase64(salt) + "$" + BinToBase64(target, NULL, 0); @@ -54,7 +61,7 @@ class CommandMkpasswd : public Command if (hp) { /* Now attempt to generate a hash */ - std::string hexsum = hp->hexsum(stuff); + std::string hexsum = hp->Generate(stuff); user->WriteNotice(algo + " hashed password for " + stuff + " is " + hexsum); } else @@ -88,6 +95,13 @@ class ModuleOperHash : public Module HashProvider* hp = ServerInstance->Modules->FindDataService("hash/" + type); if (!hp) return MOD_RES_PASSTHRU; + + if (hp->IsKDF()) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Tried to use HMAC with %s, which does not support HMAC", type.c_str()); + return MOD_RES_DENY; + } + // this is a valid hash, from here on we either accept or deny std::string::size_type sep = data.find('$'); if (sep == std::string::npos) @@ -106,8 +120,7 @@ class ModuleOperHash : public Module /* Is this a valid hash name? */ if (hp) { - // Use the timing-safe compare function to compare the hashes - if (InspIRCd::TimingSafeCompare(data, hp->hexsum(input))) + if (hp->Compare(input, data)) return MOD_RES_ALLOW; else /* No match, and must be hashed, forbid */ diff --git a/src/modules/m_ripemd160.cpp b/src/modules/m_ripemd160.cpp index 261cd1e27..8d3131bc0 100644 --- a/src/modules/m_ripemd160.cpp +++ b/src/modules/m_ripemd160.cpp @@ -434,13 +434,13 @@ class RIProv : public HashProvider return (byte *)hashcode; } public: - std::string sum(const std::string& data) + std::string GenerateRaw(const std::string& data) { char* rv = (char*)RMD((byte*)data.data(), data.length(), NULL); return std::string(rv, RMDsize / 8); } - RIProv(Module* m) : HashProvider(m, "hash/ripemd160", 20, 64) {} + RIProv(Module* m) : HashProvider(m, "ripemd160", 20, 64) {} }; class ModuleRIPEMD160 : public Module diff --git a/src/modules/m_sha256.cpp b/src/modules/m_sha256.cpp index d2755bacc..48bfc0041 100644 --- a/src/modules/m_sha256.cpp +++ b/src/modules/m_sha256.cpp @@ -247,14 +247,14 @@ class HashSHA256 : public HashProvider } public: - std::string sum(const std::string& data) + std::string GenerateRaw(const std::string& data) { unsigned char bytes[SHA256_DIGEST_SIZE]; SHA256(data.data(), bytes, data.length()); return std::string((char*)bytes, SHA256_DIGEST_SIZE); } - HashSHA256(Module* parent) : HashProvider(parent, "hash/sha256", 32, 64) {} + HashSHA256(Module* parent) : HashProvider(parent, "sha256", 32, 64) {} }; class ModuleSHA256 : public Module diff --git a/src/modules/m_sqlauth.cpp b/src/modules/m_sqlauth.cpp index 1ffb3305a..8a0b80ce1 100644 --- a/src/modules/m_sqlauth.cpp +++ b/src/modules/m_sqlauth.cpp @@ -124,11 +124,11 @@ class ModuleSQLAuth : public Module HashProvider* md5 = ServerInstance->Modules->FindDataService("hash/md5"); if (md5) - userinfo["md5pass"] = md5->hexsum(user->password); + userinfo["md5pass"] = md5->Generate(user->password); HashProvider* sha256 = ServerInstance->Modules->FindDataService("hash/sha256"); if (sha256) - userinfo["sha256pass"] = sha256->hexsum(user->password); + userinfo["sha256pass"] = sha256->Generate(user->password); const std::string certfp = SSLClientCert::GetFingerprint(&user->eh); userinfo["certfp"] = certfp; diff --git a/src/modules/m_sqloper.cpp b/src/modules/m_sqloper.cpp index d6581682c..bc46bd7e7 100644 --- a/src/modules/m_sqloper.cpp +++ b/src/modules/m_sqloper.cpp @@ -147,7 +147,7 @@ public: ParamM userinfo; SQL->PopulateUserInfo(user, userinfo); userinfo["username"] = username; - userinfo["password"] = hash ? hash->hexsum(password) : password; + userinfo["password"] = hash ? hash->Generate(password) : password; SQL->submit(new OpMeQuery(this, user->uuid, username, password), query, userinfo); } -- cgit v1.2.3