diff options
author | danieldg <danieldg@e03df62e-2008-0410-955e-edbf42e46eb7> | 2010-02-21 17:08:54 +0000 |
---|---|---|
committer | danieldg <danieldg@e03df62e-2008-0410-955e-edbf42e46eb7> | 2010-02-21 17:08:54 +0000 |
commit | 527c492cf1c86ede062c49d45ebda17c8c6dfc68 (patch) | |
tree | 2204d2bffcec36925ca8b5dfd710b9d4edef9b63 | |
parent | f91a61fa22b239384c31526fd11da1e3030aaa96 (diff) |
Add HMAC implementation to HashProvider
git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@12508 e03df62e-2008-0410-955e-edbf42e46eb7
-rw-r--r-- | src/modules/hash.h (renamed from src/modules/m_hash.h) | 25 | ||||
-rw-r--r-- | src/modules/m_cloaking.cpp | 2 | ||||
-rw-r--r-- | src/modules/m_md5.cpp | 5 | ||||
-rw-r--r-- | src/modules/m_password_hash.cpp | 29 | ||||
-rw-r--r-- | src/modules/m_ripemd160.cpp | 5 | ||||
-rw-r--r-- | src/modules/m_sha256.cpp | 8 | ||||
-rw-r--r-- | src/modules/m_spanningtree/hmac.cpp | 44 | ||||
-rw-r--r-- | src/modules/m_spanningtree/treesocket1.cpp | 1 | ||||
-rw-r--r-- | src/modules/m_sqlauth.cpp | 3 | ||||
-rw-r--r-- | src/modules/m_sqloper.cpp | 3 |
10 files changed, 57 insertions, 68 deletions
diff --git a/src/modules/m_hash.h b/src/modules/hash.h index edc9688b8..7e93f0ddc 100644 --- a/src/modules/m_hash.h +++ b/src/modules/hash.h @@ -16,13 +16,13 @@ #include "modules.h" -#define SHA256_DIGEST_SIZE (256 / 8) -#define SHA256_BLOCK_SIZE (512 / 8) - class HashProvider : public DataProvider { public: - HashProvider(Module* mod, const std::string& Name) : DataProvider(mod, Name) {} + const unsigned int out_size; + const unsigned int block_size; + HashProvider(Module* mod, const std::string& Name, int osiz, int bsiz) + : DataProvider(mod, Name), out_size(osiz), block_size(bsiz) {} virtual std::string sum(const std::string& data) = 0; inline std::string hexsum(const std::string& data) { @@ -47,6 +47,23 @@ class HashProvider : public DataProvider * \endcode */ virtual std::string sumIV(unsigned int* IV, const char* HexMap, const std::string &sdata) = 0; + + /** HMAC algorithm, RFC 2104 */ + std::string hmac(const std::string& key, const std::string& msg) + { + std::string hmac1, hmac2; + std::string kbuf = key.length() > block_size ? sum(key) : key; + kbuf.resize(block_size); + + for (size_t n = 0; n < block_size; n++) + { + hmac1.push_back(static_cast<char>(kbuf[n] ^ 0x5C)); + hmac2.push_back(static_cast<char>(kbuf[n] ^ 0x36)); + } + hmac2.append(msg); + hmac1.append(sum(hmac2)); + return sum(hmac1); + } }; #endif diff --git a/src/modules/m_cloaking.cpp b/src/modules/m_cloaking.cpp index 56a2f5d43..0d6e2b00a 100644 --- a/src/modules/m_cloaking.cpp +++ b/src/modules/m_cloaking.cpp @@ -12,7 +12,7 @@ */ #include "inspircd.h" -#include "m_hash.h" +#include "hash.h" /* $ModDesc: Provides masking of user hostnames */ diff --git a/src/modules/m_md5.cpp b/src/modules/m_md5.cpp index c6761926a..a6df62dd9 100644 --- a/src/modules/m_md5.cpp +++ b/src/modules/m_md5.cpp @@ -12,13 +12,12 @@ */ /* $ModDesc: Allows for MD5 encrypted oper passwords */ -/* $ModDep: m_hash.h */ #include "inspircd.h" #ifdef HAS_STDINT #include <stdint.h> #endif -#include "m_hash.h" +#include "hash.h" /* The four core functions - F1 is optimized somewhat */ #define F1(x, y, z) (z ^ (x & (y ^ z))) @@ -273,7 +272,7 @@ class MD5Provider : public HashProvider return res; } - MD5Provider(Module* parent) : HashProvider(parent, "hash/md5") {} + MD5Provider(Module* parent) : HashProvider(parent, "hash/md5", 16, 64) {} }; class ModuleMD5 : public Module diff --git a/src/modules/m_password_hash.cpp b/src/modules/m_password_hash.cpp index d27856b3e..7d2b9fc79 100644 --- a/src/modules/m_password_hash.cpp +++ b/src/modules/m_password_hash.cpp @@ -14,20 +14,7 @@ /* $ModDesc: Allows for hashed oper passwords */ #include "inspircd.h" -#include "m_hash.h" - -static std::string hmac(HashProvider* hp, const std::string& key, const std::string& msg) -{ - std::string hmac1, hmac2; - for (size_t n = 0; n < key.length(); n++) - { - hmac1.push_back(static_cast<char>(key[n] ^ 0x5C)); - hmac2.push_back(static_cast<char>(key[n] ^ 0x36)); - } - hmac2.append(msg); - hmac1.append(hp->sum(hmac2)); - return hp->sum(hmac1); -} +#include "hash.h" /* Handle /MKPASSWD */ @@ -51,8 +38,8 @@ class CommandMkpasswd : public Command user->WriteServ("NOTICE %s :Unknown hash type", user->nick.c_str()); return; } - std::string salt = GenRandomStr(6, false); - std::string target = hmac(hp, salt, stuff); + std::string salt = ServerInstance->GenRandomStr(6, false); + std::string target = hp->hmac(salt, stuff); std::string str = BinToBase64(salt) + "$" + BinToBase64(target, NULL, 0); user->WriteServ("NOTICE %s :%s hashed password for %s is %s", @@ -109,15 +96,7 @@ class ModuleOperHash : public Module std::string salt = Base64ToBin(data.substr(0, sep)); std::string target = Base64ToBin(data.substr(sep + 1)); - std::string hmac1, hmac2; - for (size_t n = 0; n < salt.length(); n++) - { - hmac1.push_back(static_cast<char>(salt[n] ^ 0x5C)); - hmac2.push_back(static_cast<char>(salt[n] ^ 0x36)); - } - hmac2.append(input); - hmac1.append(hp->sum(hmac2)); - if (target == hp->sum(hmac1)) + if (target == hp->hmac(salt, input)) return MOD_RES_ALLOW; else return MOD_RES_DENY; diff --git a/src/modules/m_ripemd160.cpp b/src/modules/m_ripemd160.cpp index 44e16c86f..c126db661 100644 --- a/src/modules/m_ripemd160.cpp +++ b/src/modules/m_ripemd160.cpp @@ -48,7 +48,6 @@ /* $ModDesc: Allows for RIPEMD-160 encrypted oper passwords */ -/* $ModDep: m_hash.h */ /* macro definitions */ @@ -56,7 +55,7 @@ #ifdef HAS_STDINT #include <stdint.h> #endif -#include "m_hash.h" +#include "hash.h" #define RMDsize 160 @@ -448,7 +447,7 @@ public: return ""; } - RIProv(Module* m) : HashProvider(m, "hash/ripemd160") {} + RIProv(Module* m) : HashProvider(m, "hash/ripemd160", 20, 64) {} }; class ModuleRIPEMD160 : public Module diff --git a/src/modules/m_sha256.cpp b/src/modules/m_sha256.cpp index 679a97ae0..707853a49 100644 --- a/src/modules/m_sha256.cpp +++ b/src/modules/m_sha256.cpp @@ -48,18 +48,20 @@ */ /* $ModDesc: Allows for SHA-256 encrypted oper passwords */ -/* $ModDep: m_hash.h */ #include "inspircd.h" #ifdef HAS_STDINT #include <stdint.h> #endif -#include "m_hash.h" +#include "hash.h" #ifndef HAS_STDINT typedef unsigned int uint32_t; #endif +#define SHA256_DIGEST_SIZE (256 / 8) +#define SHA256_BLOCK_SIZE (512 / 8) + /** An sha 256 context, used by m_opersha256 */ class SHA256Context @@ -257,7 +259,7 @@ class HashSHA256 : public HashProvider return ""; } - HashSHA256(Module* parent) : HashProvider(parent, "hash/sha256") {} + HashSHA256(Module* parent) : HashProvider(parent, "hash/sha256", 32, 64) {} }; class ModuleSHA256 : public Module diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp index 52128b17b..e339598af 100644 --- a/src/modules/m_spanningtree/hmac.cpp +++ b/src/modules/m_spanningtree/hmac.cpp @@ -14,7 +14,7 @@ #include "inspircd.h" #include "socket.h" #include "xline.h" -#include "../m_hash.h" +#include "../hash.h" #include "../ssl.h" #include "socketengine.h" @@ -56,31 +56,23 @@ std::string TreeSocket::MakePass(const std::string &password, const std::string HashProvider* sha256 = ServerInstance->Modules->FindDataService<HashProvider>("hash/sha256"); if (Utils->ChallengeResponse && sha256 && !challenge.empty()) { - /* This is how HMAC is supposed to be done: - * - * sha256( (pass xor 0x5c) + sha256((pass xor 0x36) + m) ) - * - * 5c and 36 were chosen as part of the HMAC standard, because they - * flip the bits in a way likely to strengthen the function. - */ - std::string hmac1, hmac2; - - for (size_t n = 0; n < password.length(); n++) + if (proto_version < 1202) { - hmac1.push_back(static_cast<char>(password[n] ^ 0x5C)); - hmac2.push_back(static_cast<char>(password[n] ^ 0x36)); - } + /* This is how HMAC is done in InspIRCd 1.2: + * + * sha256( (pass xor 0x5c) + sha256((pass xor 0x36) + m) ) + * + * 5c and 36 were chosen as part of the HMAC standard, because they + * flip the bits in a way likely to strengthen the function. + */ + std::string hmac1, hmac2; + + for (size_t n = 0; n < password.length(); n++) + { + hmac1.push_back(static_cast<char>(password[n] ^ 0x5C)); + hmac2.push_back(static_cast<char>(password[n] ^ 0x36)); + } - if (proto_version >= 1202) - { - hmac2.append(challenge); - std::string hmac = sha256->hexsum(hmac1 + sha256->sum(hmac2)); - - return "AUTH:" + hmac; - } - else - { - // version 1.2 used a weaker HMAC, using hex output in the intermediate step hmac2.append(challenge); hmac2 = sha256->hexsum(hmac2); @@ -89,6 +81,10 @@ std::string TreeSocket::MakePass(const std::string &password, const std::string return "HMAC-SHA256:"+ hmac; } + else + { + return "AUTH:" + BinToBase64(sha256->hmac(password, challenge)); + } } else if (!challenge.empty() && !sha256) ServerInstance->Logs->Log("m_spanningtree",DEFAULT,"Not authenticating to server using SHA256/HMAC because we don't have m_sha256 loaded!"); diff --git a/src/modules/m_spanningtree/treesocket1.cpp b/src/modules/m_spanningtree/treesocket1.cpp index 596f31041..f1925afad 100644 --- a/src/modules/m_spanningtree/treesocket1.cpp +++ b/src/modules/m_spanningtree/treesocket1.cpp @@ -14,7 +14,6 @@ #include "inspircd.h" #include "socket.h" #include "xline.h" -#include "../m_hash.h" #include "socketengine.h" #include "main.h" diff --git a/src/modules/m_sqlauth.cpp b/src/modules/m_sqlauth.cpp index 88de06d1a..59faf0c3d 100644 --- a/src/modules/m_sqlauth.cpp +++ b/src/modules/m_sqlauth.cpp @@ -14,10 +14,9 @@ #include "inspircd.h" #include "m_sqlv2.h" #include "m_sqlutils.h" -#include "m_hash.h" +#include "hash.h" /* $ModDesc: Allow/Deny connections based upon an arbitary SQL table */ -/* $ModDep: m_sqlv2.h m_sqlutils.h m_hash.h */ class ModuleSQLAuth : public Module { diff --git a/src/modules/m_sqloper.cpp b/src/modules/m_sqloper.cpp index b4cdc760a..871ef7d46 100644 --- a/src/modules/m_sqloper.cpp +++ b/src/modules/m_sqloper.cpp @@ -14,10 +14,9 @@ #include "inspircd.h" #include "m_sqlv2.h" #include "m_sqlutils.h" -#include "m_hash.h" +#include "hash.h" /* $ModDesc: Allows storage of oper credentials in an SQL table */ -/* $ModDep: m_sqlv2.h m_sqlutils.h m_hash.h */ typedef std::map<irc::string, Module*> hashymodules; |