[IRCServices] ircservices-5.0.57 convert-db utility crashes when converting from anope db.

Andrew Church achurch at achurch.org
Wed Jun 21 12:49:17 PDT 2006


     Okay, I took a look and (with a pointer from Craig McLure) discovered
that Anope still has the bug present in old versions of IRC Services (and
fixed in Services 4.5) which causes passwords to be encrypted incorrectly.
Try applying the patch below to your copy of Services; if it works, I'll
release a new version of Services with the patch included.

  --Andrew Church
    achurch at achurch.org
    http://achurch.org/

---------------------------------------------------------------------------

Index: defs.h
===================================================================
RCS file: /var/local/cvsroot/ircservices/defs.h,v
retrieving revision 2.29.2.3
diff -u -r2.29.2.3 defs.h
--- defs.h	8 Jan 2006 16:48:11 -0000	2.29.2.3
+++ defs.h	21 Jun 2006 04:05:47 -0000
@@ -41,6 +41,14 @@
  * only).  These commands are undocumented; "use the source, Luke!" */
 #define DEBUG_COMMANDS
 
+
+/******** Other configuration ********/
+
+/* Define this to enable compatibility mode for encrypted passwords as
+ * used in the Epona and Anope (through at least version 1.7.14) programs.
+ * Note that this may have a detrimental effect on password security. */
+#define ANOPE_MD5_HACK
+
 /*************************************************************************/
 /******************* END OF USER-CONFIGURABLE SECTION ********************/
 /*************************************************************************/
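Review bot: `#define ANOPE_MD5_HACK` is enabled unconditionally in the user-configurable section, so every build gets the weaker password check, including sites that never imported an Epona or Anope database. Consider shipping it disabled, `/* #define ANOPE_MD5_HACK */`, so that only administrators who converted such a database turn it on. The comment could also state the cost instead of "may have a detrimental effect", for example `Enabling this also accepts a password when only 8 bytes derived from its MD5 digest match the stored value.`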
Index: modules/encryption/md5.c
===================================================================
RCS file: /var/local/cvsroot/ircservices/modules/encryption/md5.c,v
retrieving revision 2.11.2.4
diff -u -r2.11.2.4 md5.c
--- modules/encryption/md5.c	8 Jan 2006 16:48:13 -0000	2.11.2.4
+++ modules/encryption/md5.c	21 Jun 2006 04:05:47 -0000
@@ -16,6 +16,10 @@
 
 static Module *module;
 
+#ifdef ANOPE_MD5_HACK
+# define XTOI(c) ((c)>9 ? (c)-'A'+10 : (c)-'0')
+#endif
+
 /*************************************************************************/
 
 /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
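Review bot: XTOI has no comment explaining that md5_check_password feeds it what appear to be raw digest bytes rather than hex digits, so a later reader may "correct" the macro and break compatibility with the stored Anope hashes. A comment above it such as `/* Reproduces the Epona/Anope conversion bug as-is; do not fix. */` would prevent that. The macro also evaluates `c` more than once, which is harmless for the `buf[i]` arguments used in this patch but worth stating in the same comment.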
@@ -335,8 +339,6 @@
 
 /* Our own high-level routines.  See encrypt.h for documentation. */
 
-#define XTOI(c) ((c)>9 ? (c)-'A'+10 : (c)-'0')
-
 static int md5_encrypt(const char *src, int len, char *dest, int size)
 {
     MD5_CTX context;
@@ -376,11 +378,21 @@
 static int md5_check_password(const char *plaintext, const char *password)
 {
     char buf[BUFSIZE];
+#ifdef ANOPE_MD5_HACK
+    char tmpbuf[8];
+    int i;
+#endif
 
     if (encrypt(plaintext, strlen(plaintext), buf, sizeof(buf)) < 0)
 	return -1;
     if (memcmp(buf, password, 16) == 0)
 	return 1;
+#ifdef ANOPE_MD5_HACK
+    for (i = 0; i < 16; i += 2)
+	tmpbuf[i/2] = XTOI(buf[i])<<4 | XTOI(buf[i+1]);
+    if (memcmp(tmpbuf, password, 8) == 0)
+	return 1;
+#endif
     return 0;
 }
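Review bot: The fallback `memcmp(tmpbuf, password, 8)` is tried for every stored password, not only for records imported from Anope, and it accepts on 8 bytes derived from the digest, so all accounts are checked against a weaker comparison than the 16-byte one above it. If the record format cannot mark imported hashes, at least say so above the loop, e.g. `/* Anope compat: accepts an 8-byte folded digest; weaker than the 16-byte compare above */`. Separately, `XTOI(buf[i])<<4` left-shifts a value that is negative for many inputs (any byte of 9 or less yields `(c)-'0'` below zero), which is undefined behaviour, and the result also depends on whether plain `char` is signed. Writing `tmpbuf[i/2] = (char)(((unsigned)XTOI(buf[i]) << 4) | (unsigned)XTOI(buf[i+1]));` keeps the usual two's-complement result without the undefined shift.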