Overhaul extensions/m_mkpasswd. It now allows SHA256/SHA512 hashes. DES support is removed, as it is insecure and can be broken on my desktop in about 20 minutes.

This commit is contained in:
Elizabeth Jennifer Myers 2011-01-06 01:41:57 -05:00
parent 08c2568cb9
commit f924ea40a3

View file

@ -1,28 +1,14 @@
/* /*
* m_mkpasswd.c: Encrypts a password online, DES or MD5. * m_mkpasswd.c: Encrypts a password online.
* *
* Copyright 2002 W. Campbell and the ircd-ratbox development team * Based on mkpasswd.c, originally by Nelson Minar (minar@reed.edu)
* Based on mkpasswd.c, originally by Nelson Minar (minar@reed.edu) * You can use this code in any way as long as these names remain.
*
* You can use this code in any way as long as these names remain.
*
* $Id: m_mkpasswd.c 3161 2007-01-25 07:23:01Z nenolod $
*/ */
/* List of ircd includes from ../include/ */
#include "stdinc.h" #include "stdinc.h"
#include "client.h" #include "client.h"
#include "common.h" /* FALSE bleah */
#include "ircd.h"
#include "match.h"
#include "numeric.h" #include "numeric.h"
#include "s_newconf.h"
#include "s_conf.h" #include "s_conf.h"
#include "logger.h"
#include "s_serv.h"
#include "send.h"
#include "msg.h"
#include "parse.h"
#include "modules.h" #include "modules.h"
#include <string.h> #include <string.h>
@ -31,11 +17,15 @@ static int m_mkpasswd(struct Client *client_p, struct Client *source_p,
int parc, const char *parv[]); int parc, const char *parv[]);
static int mo_mkpasswd(struct Client *client_p, struct Client *source_p, static int mo_mkpasswd(struct Client *client_p, struct Client *source_p,
int parc, const char *parv[]); int parc, const char *parv[]);
static char *make_salt(void);
static char *make_md5_salt(void);
static char saltChars[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"; static char *make_md5_salt(int);
static char *make_sha256_salt(int);
static char *make_sha512_salt(int);
static char *generate_random_salt(char *, int);
static char *generate_poor_salt(char *, int);
static char saltChars[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
/* 0 .. 63, ascii - 64 */
struct Message mkpasswd_msgtab = { struct Message mkpasswd_msgtab = {
"MKPASSWD", 0, 0, 0, MFLG_SLOW, "MKPASSWD", 0, 0, 0, MFLG_SLOW,
@ -44,14 +34,31 @@ struct Message mkpasswd_msgtab = {
mapi_clist_av1 mkpasswd_clist[] = { &mkpasswd_msgtab, NULL }; mapi_clist_av1 mkpasswd_clist[] = { &mkpasswd_msgtab, NULL };
DECLARE_MODULE_AV1(mkpasswd, NULL, NULL, mkpasswd_clist, NULL, NULL, "$Revision: 3161 $"); DECLARE_MODULE_AV1(mkpasswd, NULL, NULL, mkpasswd_clist, NULL, NULL, "$Revision$");
/* m_mkpasswd - mkpasswd message handler
* parv[1] = password
* parv[2] = type
*/
static int static int
m_mkpasswd(struct Client *client_p, struct Client *source_p, int parc, const char *parv[]) m_mkpasswd(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
{ {
static time_t last_used = 0; static time_t last_used = 0;
int is_md5 = 0; char *salt;
const char *hashtype;
const char hashdefault[] = "SHA512";
if(EmptyString(parv[1]))
{
sendto_one(source_p, form_str(ERR_NEEDMOREPARAMS), me.name, source_p->name, "MKPASSWD");
return 0;
}
if(parc < 3)
hashtype = hashdefault;
else
hashtype = parv[2];
if((last_used + ConfigFileEntry.pace_wait) > rb_current_time()) if((last_used + ConfigFileEntry.pace_wait) > rb_current_time())
{ {
@ -60,101 +67,150 @@ m_mkpasswd(struct Client *client_p, struct Client *source_p, int parc, const cha
return 0; return 0;
} }
else else
{
last_used = rb_current_time(); last_used = rb_current_time();
}
if(parc == 3) if(!irccmp(hashtype, "SHA256"))
{ salt = make_sha256_salt(16);
if(!irccmp(parv[2], "MD5")) else if(!irccmp(hashtype, "SHA512"))
{ salt = make_sha512_salt(16);
is_md5 = 1; else if(!irccmp(hashtype, "MD5"))
} salt = make_md5_salt(8);
else if(!irccmp(parv[2], "DES"))
{
/* Not really needed, but we may want to have a default encryption
* setting somewhere down the road
*/
is_md5 = 0;
}
else
{
sendto_one_notice(source_p, ":MKPASSWD syntax error: MKPASSWD pass [DES|MD5]");
return 0;
}
}
if(parc == 1)
sendto_one(source_p, form_str(ERR_NEEDMOREPARAMS), me.name, source_p->name, "MKPASSWD");
else else
sendto_one_notice(source_p, ":Encryption for [%s]: %s", {
parv[1], rb_crypt(parv[1], sendto_one_notice(source_p,
is_md5 ? make_md5_salt() : ":MKPASSWD syntax error: MKPASSWD pass [SHA256|SHA512|MD5]");
make_salt())); return 0;
}
sendto_one_notice(source_p, ":Hash [%s] for %s: %s", hashtype, parv[1], rb_crypt(parv[1], salt));
return 0; return 0;
} }
/* /* mo_mkpasswd - mkpasswd message handler
** mo_test * parv[1] = password
** parv[1] = parameter * parv[2] = type
*/ */
static int static int
mo_mkpasswd(struct Client *client_p, struct Client *source_p, int parc, const char *parv[]) mo_mkpasswd(struct Client *client_p, struct Client *source_p, int parc, const char *parv[])
{ {
int is_md5 = 0; char *salt;
const char *hashtype;
const char hashdefault[] = "SHA512";
if(parc == 3) if(EmptyString(parv[1]))
{ {
if(!irccmp(parv[2], "MD5")) sendto_one(source_p, form_str(ERR_NEEDMOREPARAMS), me.name, source_p->name, "MKPASSWD");
{ return 0;
is_md5 = 1;
}
else if(!irccmp(parv[2], "DES"))
{
/* Not really needed, but we may want to have a default encryption
* setting somewhere down the road
*/
is_md5 = 0;
}
else
{
sendto_one_notice(source_p,
":MKPASSWD syntax error: MKPASSWD pass [DES|MD5]");
return 0;
}
} }
if(parc == 1) if(parc < 3)
sendto_one(source_p, form_str(ERR_NEEDMOREPARAMS), me.name, source_p->name, "MKPASSWD"); hashtype = hashdefault;
else else
sendto_one_notice(source_p, ":Encryption for [%s]: %s", hashtype = parv[2];
parv[1], rb_crypt(parv[1], is_md5 ? make_md5_salt() : make_salt()));
if(!irccmp(hashtype, "SHA256"))
salt = make_sha256_salt(16);
else if(!irccmp(hashtype, "SHA512"))
salt = make_sha512_salt(16);
else if(!irccmp(hashtype, "MD5"))
salt = make_md5_salt(8);
else
{
sendto_one_notice(source_p,
":MKPASSWD syntax error: MKPASSWD pass [SHA256|SHA512|MD5]");
return 0;
}
sendto_one_notice(source_p, ":Hash [%s] for %s: %s", hashtype, parv[1], rb_crypt(parv[1], salt));
return 0; return 0;
} }
static char * char *
make_salt(void) make_md5_salt(int length)
{ {
static char salt[3]; static char salt[21];
salt[0] = saltChars[random() % 64]; if(length > 16)
salt[1] = saltChars[random() % 64]; {
salt[2] = '\0'; printf("MD5 salt length too long\n");
return salt; exit(0);
} }
static char *
make_md5_salt(void)
{
static char salt[13];
int i;
salt[0] = '$'; salt[0] = '$';
salt[1] = '1'; salt[1] = '1';
salt[2] = '$'; salt[2] = '$';
for(i = 3; i < 11; i++) generate_random_salt(&salt[3], length);
salt[i] = saltChars[random() % 64]; salt[length + 3] = '$';
salt[11] = '$'; salt[length + 4] = '\0';
salt[12] = '\0';
return salt; return salt;
} }
char *
make_sha256_salt(int length)
{
static char salt[21];
if(length > 16)
{
printf("SHA256 salt length too long\n");
exit(0);
}
salt[0] = '$';
salt[1] = '5';
salt[2] = '$';
generate_random_salt(&salt[3], length);
salt[length + 3] = '$';
salt[length + 4] = '\0';
return salt;
}
char *
make_sha512_salt(int length)
{
static char salt[21];
if(length > 16)
{
printf("SHA512 salt length too long\n");
exit(0);
}
salt[0] = '$';
salt[1] = '6';
salt[2] = '$';
generate_random_salt(&salt[3], length);
salt[length + 3] = '$';
salt[length + 4] = '\0';
return salt;
}
char *
generate_poor_salt(char *salt, int length)
{
int i;
srand(time(NULL));
for(i = 0; i < length; i++)
{
salt[i] = saltChars[rand() % 64];
}
return (salt);
}
char *
generate_random_salt(char *salt, int length)
{
char *buf;
int fd, i;
if((fd = open("/dev/random", O_RDONLY)) < 0)
{
return (generate_poor_salt(salt, length));
}
buf = calloc(1, length);
if(read(fd, buf, length) != length)
{
free(buf);
return (generate_poor_salt(salt, length));
}
for(i = 0; i < length; i++)
{
salt[i] = saltChars[abs(buf[i]) % 64];
}
free(buf);
return (salt);
}