From 95c908e83cbdfa95d4803121d28a510e94671fa1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= Date: Fri, 17 Apr 2020 23:27:26 +0200 Subject: [PATCH] relay: rename configuration options and keywords in handshake command (weechat protocol) Configuration options renamed: * relay.network.auth_password -> relay.network.password_hash_algo * relay.network.hash_iterations -> relay.network.password_hash_iterations Handshake command options renamed: * password -> password_hash_algo Handshake reply keys renamed: * auth_password -> password_hash_algo * hash_iterations -> password_hash_iterations --- ChangeLog.adoc | 2 +- doc/en/weechat_relay_protocol.en.adoc | 23 +++--- doc/fr/weechat_relay_protocol.fr.adoc | 28 +++---- doc/ja/weechat_relay_protocol.ja.adoc | 23 +++--- src/plugins/relay/relay-auth.c | 40 +++++----- src/plugins/relay/relay-auth.h | 20 ++--- src/plugins/relay/relay-client.c | 42 +++++----- src/plugins/relay/relay-client.h | 4 +- src/plugins/relay/relay-config.c | 79 ++++++++++--------- src/plugins/relay/relay-config.h | 6 +- .../relay/weechat/relay-weechat-protocol.c | 34 ++++---- 11 files changed, 150 insertions(+), 151 deletions(-) diff --git a/ChangeLog.adoc b/ChangeLog.adoc index 0470390c4..2012667a1 100644 --- a/ChangeLog.adoc +++ b/ChangeLog.adoc @@ -21,7 +21,7 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes] New features:: * buflist: evaluate option buflist.look.sort so that sort can be customized for each of the three buflist bar items (issue #1465) - * relay: add command "handshake" in weechat relay protocol and nonce to prevent replay attacks, add options relay.network.auth_password, relay.network.hash_iterations, relay.network.nonce_size (issue #1474) + * relay: add command "handshake" in weechat relay protocol and nonce to prevent replay attacks, add options relay.network.password_hash_algo, relay.network.password_hash_iterations, relay.network.nonce_size (issue #1474) * relay: add option relay.network.auth_timeout * relay: update default colors for client status * relay: add status "waiting_auth" in irc and weechat protocols (issue #1358) diff --git a/doc/en/weechat_relay_protocol.en.adoc b/doc/en/weechat_relay_protocol.en.adoc index 3206177a3..f9260ef40 100644 --- a/doc/en/weechat_relay_protocol.en.adoc +++ b/doc/en/weechat_relay_protocol.en.adoc @@ -120,8 +120,8 @@ Syntax: Arguments: * _option_: one of following options: -** _password_: list of hash algorithms supported by the client (separated by colons), - allowed values are: +** _password_hash_algo_: list of hash algorithms supported by the client + (separated by colons), allowed values are: *** _plain_: plain text password (no hash) *** _sha256_: password salted and hashed with SHA256 algorithm *** _sha512_: password salted and hashed with SHA512 algorithm @@ -132,7 +132,7 @@ Arguments: (enabled by default if _relay_ supports _zlib_ compression) *** _off_: disable compression -Notes about option _password_: +Notes about option _password_hash_algo_: * If the option is not given (of if the _handshake_ command is not sent by the client), _relay_ uses automatically _plain_ authentication (if allowed on @@ -147,25 +147,26 @@ Notes about option _password_: WeeChat replies with a hashtable containing the following keys and values: -* _auth_password_: the password authentication negotiated: supported by both - the client and _relay_: +* _password_hash_algo_: the password authentication negotiated: supported by + both the client and _relay_: ** (empty value): negotiation failed, password authentication is *NOT* possible ** _plain_ ** _sha256_ ** _sha512_ ** _pbkdf2+sha256_ ** _pbkdf2+sha512_ -* _hash_iterations_: number of iterations for hash (for the PBKDF2 algorithm only) +* _password_hash_iterations_: number of iterations for hash + (for the PBKDF2 algorithm only) * _totp_: ** _on_: Time-based One-Time Password (TOTP) is configured and expected in the _init_ command ** _off_: Time-based One-Time Password (TOTP) is not enabled and not needed in the _init_ command * _nonce_: a buffer of unpredictable bytes, sent as hexadecimal, to prevent - replay attacks; if _auth_password_ is a hash algorithm, the client must compute - the hash of password on this nonce, concatenated with a client nonce and the - user password (the _relay_ nonce + the client nonce is the salt used in the - password hash algorithm) + replay attacks; if _password_hash_algo_ is a hash algorithm, the client must + compute the hash of password on this nonce, concatenated with a client nonce + and the user password (the _relay_ nonce + the client nonce is the salt used + in the password hash algorithm) Examples: @@ -186,7 +187,7 @@ Example of response: [source,python] ---- id: 'handshake' -htb: {'auth_password': 'pbkdf2+sha256', 'hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'} +htb: {'password_hash_algo': 'pbkdf2+sha256', 'password_hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'} ---- The client can authenticate with this command (see <>), diff --git a/doc/fr/weechat_relay_protocol.fr.adoc b/doc/fr/weechat_relay_protocol.fr.adoc index a5ba27204..dbd40b2f9 100644 --- a/doc/fr/weechat_relay_protocol.fr.adoc +++ b/doc/fr/weechat_relay_protocol.fr.adoc @@ -125,8 +125,8 @@ Syntaxe : Paramètres : * _option_ : une des options suivantes : -** _password_ : liste d'algorithmes de hachage supportés par le client (séparés par - des deux-points), les valeurs autorisées sont : +** _password_hash_algo_ : liste d'algorithmes de hachage supportés par le client + (séparés par des deux-points), les valeurs autorisées sont : *** _plain_ : mot de passe en clair (pas de hachage) *** _sha256_ : mot de passe salé et haché avec l'algorithme SHA256 *** _sha512_ : mot de passe salé et haché avec l'algorithme SHA512 @@ -139,11 +139,11 @@ Paramètres : (activée par défaut si _relay_ supporte la compression _zlib_) *** _off_ : désactiver la compression -Notes à propos de l'option _password_ : +Notes à propos de l'option _password_hash_algo_ : -* Si l'option _password_ n'est pas donnée (ou si la commande _handshake_ n'est - pas envoyée par le client), _relay_ utilise automatiquement l'authentification - _plain_ (si elle est autorisée côté _relay_). +* Si l'option n'est pas donnée (ou si la commande _handshake_ n'est pas envoyée + par le client), _relay_ utilise automatiquement l'authentification _plain_ + (si elle est autorisée côté _relay_). * _Relay_ choisit l'algorithme le plus sûr disponible à la fois côté client et _relay_, par ordre de priorité du premier (plus sûr) au dernier utilisé : . _pbkdf2+sha512_ @@ -152,15 +152,11 @@ Notes à propos de l'option _password_ : . _sha256_ . _plain_ -[NOTE] -Si l'option _password_ n'est pas donnée, WeeChat utilise automatiquement -l'authentification _plain_ (si autorisée par _relay_). - WeeChat répond avec une table de hachage qui contient les clés et valeurs suivantes : -* _auth_password_ : l'authentification mot de passe négociée : supportée par le - client et _relay_ : +* _password_hash_algo_ : l'authentification mot de passe négociée : supportée + par le client et _relay_ : ** (valeur vide) : la négociation a échoué, l'authentification par mot de passe n'est *PAS* possible ** _plain_ @@ -168,15 +164,15 @@ suivantes : ** _sha512_ ** _pbkdf2+sha256_ ** _pbkdf2+sha512_ -* _hash_iterations_ : nombre d'itérations pour le hachage (pour l'algorithme - PBKDF2 seulement) +* _password_hash_iterations_ : nombre d'itérations pour le hachage + (pour l'algorithme PBKDF2 seulement) * _totp_: ** _on_ : le mot de passe à usage unique basé sur le temps (TOTP : Time-based One-Time Password) est configuré et est attendu dans la commande _init_ ** _off_ : le mot de passe à usage unique basé sur le temps (TOTP : Time-based One-Time Password) n'est pas activé et pas nécessaire dans la commande _init_ * _nonce_ : un tampon d'octets non prédictibles, envoyé en hexadécimal, pour - empêcher les attaques par rejeu ; si _auth_password_ est un algorithme de + empêcher les attaques par rejeu ; si _password_hash_algo_ est un algorithme de hachage, le client doit calculer le mot de passe haché avec ce nonce, concaténé avec un nonce client et le mot de passe utilisateur (le nonce _relay_ + le nonce client constituent le sel utilisé dans l'algorithme de @@ -201,7 +197,7 @@ Exemple de réponse : [source,python] ---- id: 'handshake' -htb: {'auth_password': 'pbkdf2+sha256', 'hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'} +htb: {'password_hash_algo': 'pbkdf2+sha256', 'password_hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'} ---- Le client peut s'authentifier avec cette commande (voir la <>), diff --git a/doc/ja/weechat_relay_protocol.ja.adoc b/doc/ja/weechat_relay_protocol.ja.adoc index 1b45e5d2f..dd71384de 100644 --- a/doc/ja/weechat_relay_protocol.ja.adoc +++ b/doc/ja/weechat_relay_protocol.ja.adoc @@ -129,8 +129,8 @@ Syntax: Arguments: * _option_: one of following options: -** _password_: list of hash algorithms supported by the client (separated by colons), - allowed values are: +** _password_hash_algo_: list of hash algorithms supported by the client + (separated by colons), allowed values are: *** _plain_: plain text password (no hash) *** _sha256_: password salted and hashed with SHA256 algorithm *** _sha512_: password salted and hashed with SHA512 algorithm @@ -141,7 +141,7 @@ Arguments: (enabled by default if _relay_ supports _zlib_ compression) *** _off_: disable compression -Notes about option _password_: +Notes about option _password_hash_algo_: * If the option is not given (of if the _handshake_ command is not sent by the client), _relay_ uses automatically _plain_ authentication (if allowed on @@ -156,25 +156,26 @@ Notes about option _password_: WeeChat replies with a hashtable containing the following keys and values: -* _auth_password_: the password authentication negotiated: supported by both - the client and _relay_: +* _password_hash_algo_: the password authentication negotiated: supported by + both the client and _relay_: ** (empty value): negotiation failed, password authentication is *NOT* possible ** _plain_ ** _sha256_ ** _sha512_ ** _pbkdf2+sha256_ ** _pbkdf2+sha512_ -* _hash_iterations_: number of iterations for hash (for the PBKDF2 algorithm only) +* _password_hash_iterations_: number of iterations for hash + (for the PBKDF2 algorithm only) * _totp_: ** _on_: Time-based One-Time Password (TOTP) is configured and expected in the _init_ command ** _off_: Time-based One-Time Password (TOTP) is not enabled and not needed in the _init_ command * _nonce_: a buffer of unpredictable bytes, sent as hexadecimal, to prevent - replay attacks; if _auth_password_ is a hash algorithm, the client must compute - the hash of password on this nonce, concatenated with a client nonce and the - user password (the _relay_ nonce + the client nonce is the salt used in the - password hash algorithm) + replay attacks; if _password_hash_algo_ is a hash algorithm, the client must + compute the hash of password on this nonce, concatenated with a client nonce + and the user password (the _relay_ nonce + the client nonce is the salt used + in the password hash algorithm) Examples: @@ -195,7 +196,7 @@ Example of response: [source,python] ---- id: 'handshake' -htb: {'auth_password': 'pbkdf2+sha256', 'hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'} +htb: {'password_hash_algo': 'pbkdf2+sha256', 'password_hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'} ---- The client can authenticate with this command (see <>), diff --git a/src/plugins/relay/relay-auth.c b/src/plugins/relay/relay-auth.c index 5cbb6c0fd..4ef43db65 100644 --- a/src/plugins/relay/relay-auth.c +++ b/src/plugins/relay/relay-auth.c @@ -37,29 +37,29 @@ * during negotiation with the client, the highest value in this list matching * the client supported values is used */ -char *relay_auth_password_name[] = +char *relay_auth_password_hash_algo_name[] = { "plain", "sha256", "sha512", "pbkdf2+sha256", "pbkdf2+sha512" }; /* - * Searches for a password authentication. + * Searches for a password hash algorithm. * - * Returns index in enum t_relay_auth_password, - * -1 if password authentication is not found. + * Returns index in enum t_relay_auth_password_hash_algo, + * -1 if password hash algorithm is not found. */ int -relay_auth_password_search (const char *name) +relay_auth_password_hash_algo_search (const char *name) { int i; - for (i = 0; i < RELAY_NUM_PASSWORD_AUTHS; i++) + for (i = 0; i < RELAY_NUM_PASSWORD_HASH_ALGOS; i++) { - if (strcmp (relay_auth_password_name[i], name) == 0) + if (strcmp (relay_auth_password_hash_algo_name[i], name) == 0) return i; } - /* authentication password type found */ + /* password hash algorithm not found */ return -1; } @@ -126,7 +126,7 @@ int relay_auth_password (struct t_relay_client *client, const char *password, const char *relay_password) { - if (client->auth_password != RELAY_AUTH_PASSWORD_PLAIN) + if (client->password_hash_algo != RELAY_AUTH_PASSWORD_HASH_PLAIN) return 0; return relay_auth_check_password_plain (password, relay_password); @@ -376,14 +376,14 @@ relay_auth_password_hash (struct t_relay_client *client, const char *pos_hash; char *str_hash_algo; char *hash_pbkdf2_algo, *salt_hexa, *salt, *hash_sha, *hash_pbkdf2; - int rc, auth_password, salt_size, iterations; + int rc, hash_algo, salt_size, iterations; rc = 0; str_hash_algo = NULL; /* no authentication supported at all? */ - if (client->auth_password < 0) + if (client->password_hash_algo < 0) goto end; if (!hashed_password || !relay_password) @@ -400,15 +400,15 @@ relay_auth_password_hash (struct t_relay_client *client, pos_hash++; - auth_password = relay_auth_password_search (str_hash_algo); + hash_algo = relay_auth_password_hash_algo_search (str_hash_algo); - if (auth_password != client->auth_password) + if (hash_algo != client->password_hash_algo) goto end; - switch (auth_password) + switch (hash_algo) { - case RELAY_AUTH_PASSWORD_SHA256: - case RELAY_AUTH_PASSWORD_SHA512: + case RELAY_AUTH_PASSWORD_HASH_SHA256: + case RELAY_AUTH_PASSWORD_HASH_SHA512: relay_auth_parse_sha (pos_hash, &salt_hexa, &salt, &salt_size, &hash_sha); if (relay_auth_check_salt (client, salt_hexa) @@ -424,12 +424,12 @@ relay_auth_password_hash (struct t_relay_client *client, if (hash_sha) free (hash_sha); break; - case RELAY_AUTH_PASSWORD_PBKDF2_SHA256: - case RELAY_AUTH_PASSWORD_PBKDF2_SHA512: + case RELAY_AUTH_PASSWORD_HASH_PBKDF2_SHA256: + case RELAY_AUTH_PASSWORD_HASH_PBKDF2_SHA512: hash_pbkdf2_algo = strdup (str_hash_algo + 7); relay_auth_parse_pbkdf2 (pos_hash, &salt_hexa, &salt, &salt_size, &iterations, &hash_pbkdf2); - if ((iterations == client->hash_iterations) + if ((iterations == client->password_hash_iterations) && relay_auth_check_salt (client, salt_hexa) && relay_auth_check_hash_pbkdf2 (hash_pbkdf2_algo, salt, salt_size, iterations, @@ -446,7 +446,7 @@ relay_auth_password_hash (struct t_relay_client *client, if (hash_pbkdf2) free (hash_pbkdf2); break; - case RELAY_NUM_PASSWORD_AUTHS: + case RELAY_NUM_PASSWORD_HASH_ALGOS: break; } diff --git a/src/plugins/relay/relay-auth.h b/src/plugins/relay/relay-auth.h index 1b5cc597e..dd3286356 100644 --- a/src/plugins/relay/relay-auth.h +++ b/src/plugins/relay/relay-auth.h @@ -22,20 +22,20 @@ struct t_relay_client; -enum t_relay_auth_password +enum t_relay_auth_password_hash_algo { - RELAY_AUTH_PASSWORD_PLAIN = 0, - RELAY_AUTH_PASSWORD_SHA256, - RELAY_AUTH_PASSWORD_SHA512, - RELAY_AUTH_PASSWORD_PBKDF2_SHA256, - RELAY_AUTH_PASSWORD_PBKDF2_SHA512, - /* number of password auths */ - RELAY_NUM_PASSWORD_AUTHS, + RELAY_AUTH_PASSWORD_HASH_PLAIN = 0, + RELAY_AUTH_PASSWORD_HASH_SHA256, + RELAY_AUTH_PASSWORD_HASH_SHA512, + RELAY_AUTH_PASSWORD_HASH_PBKDF2_SHA256, + RELAY_AUTH_PASSWORD_HASH_PBKDF2_SHA512, + /* number of password hash algos */ + RELAY_NUM_PASSWORD_HASH_ALGOS, }; -extern char *relay_auth_password_name[]; +extern char *relay_auth_password_hash_algo_name[]; -extern int relay_auth_password_search (const char *name); +extern int relay_auth_password_hash_algo_search (const char *name); extern char *relay_auth_generate_nonce (); extern int relay_auth_check_password_plain (const char *password, const char *relay_password); diff --git a/src/plugins/relay/relay-client.c b/src/plugins/relay/relay-client.c index 2f0f5a5da..d833e647b 100644 --- a/src/plugins/relay/relay-client.c +++ b/src/plugins/relay/relay-client.c @@ -1298,12 +1298,12 @@ relay_client_new (int sock, const char *address, struct t_relay_server *server) new_client->protocol_string = (server->protocol_string) ? strdup (server->protocol_string) : NULL; new_client->protocol_args = (server->protocol_args) ? strdup (server->protocol_args) : NULL; plain_text_password = weechat_string_match_list ( - relay_auth_password_name[0], - (const char **)relay_config_network_auth_password_list, + relay_auth_password_hash_algo_name[0], + (const char **)relay_config_network_password_hash_algo_list, 1); - new_client->auth_password = (plain_text_password) ? 0 : -1; - new_client->hash_iterations = weechat_config_integer ( - relay_config_network_hash_iterations); + new_client->password_hash_algo = (plain_text_password) ? 0 : -1; + new_client->password_hash_iterations = weechat_config_integer ( + relay_config_network_password_hash_iterations); new_client->nonce = relay_auth_generate_nonce (); new_client->listen_start_time = server->start_time; new_client->start_time = time (NULL); @@ -1506,17 +1506,17 @@ relay_client_new_with_infolist (struct t_infolist *infolist) new_client->protocol_string = (str) ? strdup (str) : NULL; str = weechat_infolist_string (infolist, "protocol_args"); new_client->protocol_args = (str) ? strdup (str) : NULL; - /* "auth_password" is new in WeeChat 2.9 */ - if (weechat_infolist_search_var (infolist, "auth_password")) - new_client->auth_password = weechat_infolist_integer (infolist, "auth_password"); + /* "password_hash_algo" is new in WeeChat 2.9 */ + if (weechat_infolist_search_var (infolist, "password_hash_algo")) + new_client->password_hash_algo = weechat_infolist_integer (infolist, "password_hash_algo"); else - new_client->auth_password = RELAY_AUTH_PASSWORD_PLAIN; - /* "hash_iterations" is new in WeeChat 2.9 */ - if (weechat_infolist_search_var (infolist, "hash_iterations")) - new_client->hash_iterations = weechat_infolist_integer (infolist, "hash_iterations"); + new_client->password_hash_algo = RELAY_AUTH_PASSWORD_HASH_PLAIN; + /* "password_hash_iterations" is new in WeeChat 2.9 */ + if (weechat_infolist_search_var (infolist, "password_hash_iterations")) + new_client->password_hash_iterations = weechat_infolist_integer (infolist, "password_hash_iterations"); else - new_client->hash_iterations = weechat_config_integer ( - relay_config_network_hash_iterations); + new_client->password_hash_iterations = weechat_config_integer ( + relay_config_network_password_hash_iterations); /* "nonce" is new in WeeChat 2.9 */ if (weechat_infolist_search_var (infolist, "nonce")) new_client->nonce = strdup (weechat_infolist_string (infolist, "nonce")); @@ -1857,9 +1857,9 @@ relay_client_add_to_infolist (struct t_infolist *infolist, return 0; if (!weechat_infolist_new_var_string (ptr_item, "protocol_args", client->protocol_args)) return 0; - if (!weechat_infolist_new_var_integer (ptr_item, "auth_password", client->auth_password)) + if (!weechat_infolist_new_var_integer (ptr_item, "password_hash_algo", client->password_hash_algo)) return 0; - if (!weechat_infolist_new_var_integer (ptr_item, "hash_iterations", client->hash_iterations)) + if (!weechat_infolist_new_var_integer (ptr_item, "password_hash_iterations", client->password_hash_iterations)) return 0; if (!weechat_infolist_new_var_string (ptr_item, "nonce", client->nonce)) return 0; @@ -1939,11 +1939,11 @@ relay_client_print_log () relay_protocol_string[ptr_client->protocol]); weechat_log_printf (" protocol_string . . . : '%s'", ptr_client->protocol_string); weechat_log_printf (" protocol_args . . . . : '%s'", ptr_client->protocol_args); - weechat_log_printf (" auth_password . . . . : %d (%s)", - ptr_client->auth_password, - (ptr_client->auth_password >= 0) ? - relay_auth_password_name[ptr_client->auth_password] : ""); - weechat_log_printf (" hash_iterations . . . : %d", ptr_client->hash_iterations); + weechat_log_printf (" password_hash_algo. . : %d (%s)", + ptr_client->password_hash_algo, + (ptr_client->password_hash_algo >= 0) ? + relay_auth_password_hash_algo_name[ptr_client->password_hash_algo] : ""); + weechat_log_printf (" password_hash_iterations: %d", ptr_client->password_hash_iterations); weechat_log_printf (" nonce . . . . . . . . : '%s'", ptr_client->nonce); weechat_log_printf (" listen_start_time . . : %lld", (long long)ptr_client->listen_start_time); weechat_log_printf (" start_time. . . . . . : %lld", (long long)ptr_client->start_time); diff --git a/src/plugins/relay/relay-client.h b/src/plugins/relay/relay-client.h index 368386a41..1790de639 100644 --- a/src/plugins/relay/relay-client.h +++ b/src/plugins/relay/relay-client.h @@ -106,8 +106,8 @@ struct t_relay_client char *protocol_string; /* example: "ipv6.ssl.irc.freenode" */ char *protocol_args; /* arguments used for protocol */ /* example: server for irc protocol */ - int auth_password; /* password auth (negotiated/client) */ - int hash_iterations; /* hash iterations */ + int password_hash_algo; /* password hash algo (negotiated) */ + int password_hash_iterations; /* password hash iterations */ char *nonce; /* nonce used in salt of hashed pwd */ time_t listen_start_time; /* when listening started */ time_t start_time; /* time of client connection */ diff --git a/src/plugins/relay/relay-config.c b/src/plugins/relay/relay-config.c index af17284b3..f1d475cf5 100644 --- a/src/plugins/relay/relay-config.c +++ b/src/plugins/relay/relay-config.c @@ -60,16 +60,16 @@ struct t_config_option *relay_config_color_text_selected; struct t_config_option *relay_config_network_allow_empty_password; struct t_config_option *relay_config_network_allowed_ips; -struct t_config_option *relay_config_network_auth_password; struct t_config_option *relay_config_network_auth_timeout; struct t_config_option *relay_config_network_bind_address; struct t_config_option *relay_config_network_clients_purge_delay; struct t_config_option *relay_config_network_compression_level; -struct t_config_option *relay_config_network_hash_iterations; struct t_config_option *relay_config_network_ipv6; struct t_config_option *relay_config_network_max_clients; struct t_config_option *relay_config_network_nonce_size; struct t_config_option *relay_config_network_password; +struct t_config_option *relay_config_network_password_hash_algo; +struct t_config_option *relay_config_network_password_hash_iterations; struct t_config_option *relay_config_network_ssl_cert_key; struct t_config_option *relay_config_network_ssl_priorities; struct t_config_option *relay_config_network_totp_secret; @@ -94,7 +94,7 @@ struct t_config_option *relay_config_weechat_commands; regex_t *relay_config_regex_allowed_ips = NULL; regex_t *relay_config_regex_websocket_allowed_origins = NULL; struct t_hashtable *relay_config_hashtable_irc_backlog_tags = NULL; -char **relay_config_network_auth_password_list = NULL; +char **relay_config_network_password_hash_algo_list = NULL; /* @@ -154,26 +154,27 @@ relay_config_change_network_allowed_ips (const void *pointer, void *data, } /* - * Callback for changes on option "relay.network.auth_password". + * Callback for changes on option "relay.network.password_hash_algo". */ void -relay_config_change_network_auth_password (const void *pointer, void *data, - struct t_config_option *option) +relay_config_change_network_password_hash_algo (const void *pointer, + void *data, + struct t_config_option *option) { /* make C compiler happy */ (void) pointer; (void) data; (void) option; - if (relay_config_network_auth_password_list) + if (relay_config_network_password_hash_algo_list) { - weechat_string_free_split (relay_config_network_auth_password_list); - relay_config_network_auth_password_list = NULL; + weechat_string_free_split (relay_config_network_password_hash_algo_list); + relay_config_network_password_hash_algo_list = NULL; } - relay_config_network_auth_password_list = weechat_string_split ( - weechat_config_string (relay_config_network_auth_password), + relay_config_network_password_hash_algo_list = weechat_string_split ( + weechat_config_string (relay_config_network_password_hash_algo), ",", NULL, WEECHAT_STRING_SPLIT_STRIP_LEFT @@ -1066,20 +1067,6 @@ relay_config_init () NULL, NULL, NULL, &relay_config_change_network_allowed_ips, NULL, NULL, NULL, NULL, NULL); - relay_config_network_auth_password = weechat_config_new_option ( - relay_config_file, ptr_section, - "auth_password", "string", - N_("comma separated list of hash algorithms used for password " - "authentication in weechat protocol, among these values: \"plain\" " - "(password in plain text, not hashed), \"sha256\", \"sha512\", " - "\"pbkdf2+sha256\", \"pbkdf2+sha512\"), \"*\" means all algorithms, " - "a name beginning with \"!\" is a negative value to prevent an " - "algorithm from being used, wildcard \"*\" is allowed in names " - "(examples: \"*\", \"pbkdf2*\", \"*,!plain\")"), - NULL, 0, 0, "*", NULL, 0, - NULL, NULL, NULL, - &relay_config_change_network_auth_password, NULL, NULL, - NULL, NULL, NULL); relay_config_network_auth_timeout = weechat_config_new_option ( relay_config_file, ptr_section, "auth_timeout", "integer", @@ -1114,16 +1101,6 @@ relay_config_init () "compression)"), NULL, 0, 9, "6", NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); - relay_config_network_hash_iterations = weechat_config_new_option ( - relay_config_file, ptr_section, - "hash_iterations", "integer", - N_("number of iterations asked to the client in weechat protocol " - "when a hashed password with algorithm PBKDF2 is used for " - "authentication; more iterations is better in term of security but " - "is slower to compute; this number should not be too high if your " - "CPU is slow"), - NULL, 1, 1000000, "100000", NULL, 0, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); relay_config_network_ipv6 = weechat_config_new_option ( relay_config_file, ptr_section, "ipv6", "boolean", @@ -1158,6 +1135,30 @@ relay_config_init () "see /help eval)"), NULL, 0, 0, "", NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); + relay_config_network_password_hash_algo = weechat_config_new_option ( + relay_config_file, ptr_section, + "password_hash_algo", "string", + N_("comma separated list of hash algorithms used for password " + "authentication in weechat protocol, among these values: \"plain\" " + "(password in plain text, not hashed), \"sha256\", \"sha512\", " + "\"pbkdf2+sha256\", \"pbkdf2+sha512\"), \"*\" means all algorithms, " + "a name beginning with \"!\" is a negative value to prevent an " + "algorithm from being used, wildcard \"*\" is allowed in names " + "(examples: \"*\", \"pbkdf2*\", \"*,!plain\")"), + NULL, 0, 0, "*", NULL, 0, + NULL, NULL, NULL, + &relay_config_change_network_password_hash_algo, NULL, NULL, + NULL, NULL, NULL); + relay_config_network_password_hash_iterations = weechat_config_new_option ( + relay_config_file, ptr_section, + "password_hash_iterations", "integer", + N_("number of iterations asked to the client in weechat protocol " + "when a hashed password with algorithm PBKDF2 is used for " + "authentication; more iterations is better in term of security but " + "is slower to compute; this number should not be too high if your " + "CPU is slow"), + NULL, 1, 1000000, "100000", NULL, 0, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); relay_config_network_ssl_cert_key = weechat_config_new_option ( relay_config_file, ptr_section, "ssl_cert_key", "string", @@ -1361,7 +1362,7 @@ relay_config_read () if (rc == WEECHAT_CONFIG_READ_OK) { relay_config_change_network_allowed_ips (NULL, NULL, NULL); - relay_config_change_network_auth_password (NULL, NULL, NULL); + relay_config_change_network_password_hash_algo (NULL, NULL, NULL); relay_config_change_irc_backlog_tags (NULL, NULL, NULL); } return rc; @@ -1406,9 +1407,9 @@ relay_config_free () relay_config_hashtable_irc_backlog_tags = NULL; } - if (relay_config_network_auth_password_list) + if (relay_config_network_password_hash_algo_list) { - weechat_string_free_split (relay_config_network_auth_password_list); - relay_config_network_auth_password_list = NULL; + weechat_string_free_split (relay_config_network_password_hash_algo_list); + relay_config_network_password_hash_algo_list = NULL; } } diff --git a/src/plugins/relay/relay-config.h b/src/plugins/relay/relay-config.h index bc9b5a554..e6c4327f4 100644 --- a/src/plugins/relay/relay-config.h +++ b/src/plugins/relay/relay-config.h @@ -39,16 +39,16 @@ extern struct t_config_option *relay_config_color_text_selected; extern struct t_config_option *relay_config_network_allow_empty_password; extern struct t_config_option *relay_config_network_allowed_ips; -extern struct t_config_option *relay_config_network_auth_password; extern struct t_config_option *relay_config_network_auth_timeout; extern struct t_config_option *relay_config_network_bind_address; extern struct t_config_option *relay_config_network_clients_purge_delay; extern struct t_config_option *relay_config_network_compression_level; -extern struct t_config_option *relay_config_network_hash_iterations; extern struct t_config_option *relay_config_network_ipv6; extern struct t_config_option *relay_config_network_max_clients; extern struct t_config_option *relay_config_network_nonce_size; extern struct t_config_option *relay_config_network_password; +extern struct t_config_option *relay_config_network_password_hash_algo; +extern struct t_config_option *relay_config_network_password_hash_iterations; extern struct t_config_option *relay_config_network_ssl_cert_key; extern struct t_config_option *relay_config_network_ssl_priorities; extern struct t_config_option *relay_config_network_totp_secret; @@ -67,7 +67,7 @@ extern struct t_config_option *relay_config_weechat_commands; extern regex_t *relay_config_regex_allowed_ips; extern regex_t *relay_config_regex_websocket_allowed_origins; extern struct t_hashtable *relay_config_hashtable_irc_backlog_tags; -extern char **relay_config_network_auth_password_list; +extern char **relay_config_network_password_hash_algo_list; extern int relay_config_check_network_totp_secret (const void *pointer, void *data, diff --git a/src/plugins/relay/weechat/relay-weechat-protocol.c b/src/plugins/relay/weechat/relay-weechat-protocol.c index 533c3e4ab..4c0da2940 100644 --- a/src/plugins/relay/weechat/relay-weechat-protocol.c +++ b/src/plugins/relay/weechat/relay-weechat-protocol.c @@ -183,13 +183,13 @@ relay_weechat_protocol_handshake_reply (struct t_relay_client *client, { weechat_hashtable_set ( hashtable, - "auth_password", - (client->auth_password >= 0) ? - relay_auth_password_name[client->auth_password] : ""); - snprintf (string, sizeof (string), "%d", client->hash_iterations); + "password_hash_algo", + (client->password_hash_algo >= 0) ? + relay_auth_password_hash_algo_name[client->password_hash_algo] : ""); + snprintf (string, sizeof (string), "%d", client->password_hash_iterations); weechat_hashtable_set ( hashtable, - "hash_iterations", + "password_hash_iterations", string); weechat_hashtable_set ( hashtable, @@ -226,7 +226,7 @@ relay_weechat_protocol_handshake_reply (struct t_relay_client *client, RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake) { char **options, **auths, *pos; - int i, j, index_auth, auth_found, auth_allowed, compression; + int i, j, index_hash_algo, hash_algo_found, auth_allowed, compression; int password_received, plain_text_password; RELAY_WEECHAT_PROTOCOL_MIN_ARGS(0); @@ -234,7 +234,7 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake) if (client->status != RELAY_STATUS_WAITING_AUTH) return WEECHAT_RC_OK; - auth_found = -1; + hash_algo_found = -1; password_received = 0; options = (argc > 0) ? @@ -248,7 +248,7 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake) { pos[0] = '\0'; pos++; - if (strcmp (options[i], "password") == 0) + if (strcmp (options[i], "password_hash_algo") == 0) { password_received = 1; auths = weechat_string_split ( @@ -264,16 +264,16 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake) { for (j = 0; auths[j]; j++) { - index_auth = relay_auth_password_search ( + index_hash_algo = relay_auth_password_hash_algo_search ( auths[j]); - if ((index_auth >= 0) && (index_auth > auth_found)) + if ((index_hash_algo >= 0) && (index_hash_algo > hash_algo_found)) { auth_allowed = weechat_string_match_list ( - relay_auth_password_name[index_auth], - (const char **)relay_config_network_auth_password_list, + relay_auth_password_hash_algo_name[index_hash_algo], + (const char **)relay_config_network_password_hash_algo_list, 1); if (auth_allowed) - auth_found = index_auth; + hash_algo_found = index_hash_algo; } } weechat_string_free_split (auths); @@ -293,14 +293,14 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake) if (!password_received) { plain_text_password = weechat_string_match_list ( - relay_auth_password_name[0], - (const char **)relay_config_network_auth_password_list, + relay_auth_password_hash_algo_name[0], + (const char **)relay_config_network_password_hash_algo_list, 1); if (plain_text_password) - auth_found = 0; + hash_algo_found = 0; } - client->auth_password = auth_found; + client->password_hash_algo = hash_algo_found; relay_weechat_protocol_handshake_reply (client, id);