aboutsummaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorGravatar Sadie Powell2025-03-28 11:24:04 +0000
committerGravatar Sadie Powell2025-03-28 11:27:53 +0000
commitfca156dbaf436c3e6779398a7e57ea5a40f94d50 (patch)
tree6b646832f05a66157c531740bb102b90a5e815c1 /modules
parentRemove more v3 config compat. (diff)
Remove support for in-query password comparison in sqlauth.
The only hashing systems that support this are wildly insecure and having two ways of doing this just makes it less clear for users.
Diffstat (limited to 'modules')
-rw-r--r--modules/sqlauth.cpp71
1 files changed, 25 insertions, 46 deletions
diff --git a/modules/sqlauth.cpp b/modules/sqlauth.cpp
index 2c8196ff7..c10949e20 100644
--- a/modules/sqlauth.cpp
+++ b/modules/sqlauth.cpp
@@ -64,43 +64,37 @@ public:
if (res.Rows())
{
- if (!kdf.empty())
+ HashProvider* hashprov = ServerInstance->Modules.FindDataService<HashProvider>("hash/" + kdf);
+ if (!hashprov)
{
- HashProvider* hashprov = ServerInstance->Modules.FindDataService<HashProvider>("hash/" + kdf);
- if (!hashprov)
- {
- if (verbose)
- ServerInstance->SNO.WriteGlobalSno('a', "Forbidden connection from {} (a provider for {} was not loaded)", user->GetRealMask(), kdf);
- pendingExt.Set(user, AUTH_STATE_FAIL);
- return;
- }
-
- size_t colindex = 0;
- if (!pwcolumn.empty() && !res.HasColumn(pwcolumn, colindex))
- {
- if (verbose)
- ServerInstance->SNO.WriteGlobalSno('a', "Forbidden connection from {} (the column specified ({}) was not returned)", user->GetRealMask(), pwcolumn);
- pendingExt.Set(user, AUTH_STATE_FAIL);
- return;
- }
-
- SQL::Row row;
- while (res.GetRow(row))
- {
- if (row[colindex].has_value() && hashprov->Compare(user->password, *row[colindex]))
- {
- pendingExt.Set(user, AUTH_STATE_NONE);
- return;
- }
- }
+ if (verbose)
+ ServerInstance->SNO.WriteGlobalSno('a', "Forbidden connection from {} (a provider for {} was not loaded)", user->GetRealMask(), kdf);
+ pendingExt.Set(user, AUTH_STATE_FAIL);
+ return;
+ }
+ size_t colindex = 0;
+ if (!pwcolumn.empty() && !res.HasColumn(pwcolumn, colindex))
+ {
if (verbose)
- ServerInstance->SNO.WriteGlobalSno('a', "Forbidden connection from {} (password from the SQL query did not match the user provided password)", user->GetRealMask());
+ ServerInstance->SNO.WriteGlobalSno('a', "Forbidden connection from {} (the column specified ({}) was not returned)", user->GetRealMask(), pwcolumn);
pendingExt.Set(user, AUTH_STATE_FAIL);
return;
}
- pendingExt.Set(user, AUTH_STATE_NONE);
+ SQL::Row row;
+ while (res.GetRow(row))
+ {
+ if (row[colindex].has_value() && hashprov->Compare(user->password, *row[colindex]))
+ {
+ pendingExt.Set(user, AUTH_STATE_NONE);
+ return;
+ }
+ }
+
+ if (verbose)
+ ServerInstance->SNO.WriteGlobalSno('a', "Forbidden connection from {} (password from the SQL query did not match the user provided password)", user->GetRealMask());
+ pendingExt.Set(user, AUTH_STATE_FAIL);
}
else
{
@@ -132,7 +126,6 @@ class ModuleSQLAuth final
std::string killreason;
std::vector<std::string> exemptions;
bool verbose;
- std::vector<std::string> hash_algos;
std::string kdf;
std::string pwcolumn;
@@ -156,7 +149,7 @@ public:
freeformquery = conf->getString("query");
killreason = conf->getString("killreason");
verbose = conf->getBool("verbose");
- kdf = conf->getString("kdf");
+ kdf = conf->getString("kdf", conf->getString("hash", "bcrypt"));
pwcolumn = conf->getString("column");
exemptions.clear();
@@ -166,12 +159,6 @@ public:
if (!mask.empty())
exemptions.push_back(mask);
}
-
- hash_algos.clear();
- irc::commasepstream algos(conf->getString("hash", "sha1,sha256"));
- std::string algo;
- while (algos.GetToken(algo))
- hash_algos.push_back(algo);
}
ModResult OnUserRegister(LocalUser* user) override
@@ -200,16 +187,8 @@ public:
SQL::ParamMap userinfo;
SQL::PopulateUserInfo(user, userinfo);
- userinfo["pass"] = user->password;
userinfo["sslfp"] = sslapi ? sslapi->GetFingerprint(user) : "";
- for (const auto& algo : hash_algos)
- {
- HashProvider* hashprov = ServerInstance->Modules.FindDataService<HashProvider>("hash/" + algo);
- if (hashprov && !hashprov->IsKDF())
- userinfo[algo + "pass"] = hashprov->Generate(user->password);
- }
-
SQL->Submit(new AuthQuery(this, user->uuid, pendingExt, verbose, kdf, pwcolumn), freeformquery, userinfo);
return MOD_RES_PASSTHRU;