Warn if the server config contains an unhashed password.

This will be made a hard failure in v4.
2025-03-09 18:49:03 -04:00 · 2020-03-11 14:32:46 +00:00 · 2020-03-11 14:32:46 +00:00 · 0a67b8861a
commit 0a67b8861a
parent 55882c39f1
6 changed files with 42 additions and 5 deletions
--- a/include/users.h
+++ b/include/users.h
@ -149,6 +149,12 @@ struct CoreExport ConnectClass : public refcountbase
 	 */
 	insp::flat_set<int> ports;

+	/** If non-empty then the password a user must specify in PASS to be assigned to this class. */
+	std::string password;
+
+	/** If non-empty then the hash algorithm that the password field is hashed with. */
+	std::string passwordhash;
+
 	/** Create a new connect class with no settings.
 	 */
 	ConnectClass(ConfigTag* tag, char type, const std::string& mask);
--- a/src/configreader.cpp
+++ b/src/configreader.cpp
@ -304,6 +304,14 @@ void ServerConfig::CrossCheckConnectBlocks(ServerConfig* current)
 			me->maxconnwarn = tag->getBool("maxconnwarn", me->maxconnwarn);
 			me->limit = tag->getUInt("limit", me->limit);
 			me->resolvehostnames = tag->getBool("resolvehostnames", me->resolvehostnames);
+			me->password = tag->getString("password", me->password);
+
+			me->passwordhash = tag->getString("hash", me->passwordhash);
+			if (!me->password.empty() && (me->passwordhash.empty() || stdalgo::string::equalsci(me->passwordhash, "plaintext")))
+			{
+				ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEFAULT, "<connect> tag '%s' at %s contains an plain text password, this is insecure!",
+					name.c_str(), tag->getTagLocation().c_str());
+			}

 			std::string ports = tag->getString("port");
 			if (!ports.empty())
--- a/src/modules/m_cgiirc.cpp
+++ b/src/modules/m_cgiirc.cpp
@ -307,12 +307,19 @@ class ModuleCgiIRC
 				// The IP address will be received via the WEBIRC command.
 				const std::string fingerprint = tag->getString("fingerprint");
 				const std::string password = tag->getString("password");
+				const std::string passwordhash = tag->getString("hash", "plaintext", 1);

 				// WebIRC blocks require a password.
 				if (fingerprint.empty() && password.empty())
 					throw ModuleException("When using <cgihost type=\"webirc\"> either the fingerprint or password field is required, at " + tag->getTagLocation());

-				webirchosts.push_back(WebIRCHost(mask, fingerprint, password, tag->getString("hash")));
+				if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext"))
+				{
+					ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "<cgihost> tag at %s contains an plain text password, this is insecure!",
+						tag->getTagLocation().c_str());
+				}
+
+				webirchosts.push_back(WebIRCHost(mask, fingerprint, password, passwordhash));
 			}
 			else
 			{
--- a/src/modules/m_customtitle.cpp
+++ b/src/modules/m_customtitle.cpp
@ -136,7 +136,13 @@ class ModuleCustomTitle : public Module, public Whois::LineEventListener
 			if (pass.empty())
 				throw ModuleException("<title:password> is empty at " + tag->getTagLocation());

-			std::string hash = tag->getString("hash");
+			const std::string hash = tag->getString("hash", "plaintext", 1);
+			if (stdalgo::string::equalsci(hash, "plaintext"))
+			{
+				ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "<title> tag for %s at %s contains an plain text password, this is insecure!",
+					name.c_str(), tag->getTagLocation().c_str());
+			}
+
 			std::string host = tag->getString("host", "*@*");
 			std::string title = tag->getString("title");
 			std::string vhost = tag->getString("vhost");
--- a/src/modules/m_vhost.cpp
+++ b/src/modules/m_vhost.cpp
@ -103,13 +103,21 @@ class ModuleVHost : public Module
 			std::string mask = tag->getString("host");
 			if (mask.empty())
 				throw ModuleException("<vhost:host> is empty! at " + tag->getTagLocation());
+
 			std::string username = tag->getString("user");
 			if (username.empty())
 				throw ModuleException("<vhost:user> is empty! at " + tag->getTagLocation());
+
 			std::string pass = tag->getString("pass");
 			if (pass.empty())
 				throw ModuleException("<vhost:pass> is empty! at " + tag->getTagLocation());
-			std::string hash = tag->getString("hash");
+
+			const std::string hash = tag->getString("hash", "plaintext", 1);
+			if (stdalgo::string::equalsci(hash, "plaintext"))
+			{
+				ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "<vhost> tag for %s at %s contains an plain text password, this is insecure!",
+					username.c_str(), tag->getTagLocation().c_str());
+			}

 			CustomVhost vhost(username, pass, hash, mask);
 			newhosts.insert(std::make_pair(username, vhost));
--- a/src/users.cpp
+++ b/src/users.cpp
@ -1155,9 +1155,9 @@ void LocalUser::SetClass(const std::string &explicit_name)
 				}
 			}

-			if (regdone && !c->config->getString("password").empty())
+			if (regdone && !c->password.empty())
 			{
-				if (!ServerInstance->PassCompare(this, c->config->getString("password"), password, c->config->getString("hash")))
+				if (!ServerInstance->PassCompare(this, c->password, password, c->passwordhash))
 				{
 					ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "Bad password, skipping");
 					continue;
@ -1290,4 +1290,6 @@ void ConnectClass::Update(const ConnectClass* src)
 	limit = src->limit;
 	resolvehostnames = src->resolvehostnames;
 	ports = src->ports;
+	password = src->password;
+	passwordhash = src->passwordhash;
 }