blackbeard420/weechat
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

relay: rename configuration options and keywords in handshake command (weechat protocol)

Browse Source 
Configuration options renamed:

* relay.network.auth_password -> relay.network.password_hash_algo
* relay.network.hash_iterations -> relay.network.password_hash_iterations

Handshake command options renamed:

* password -> password_hash_algo

Handshake reply keys renamed:

* auth_password -> password_hash_algo
* hash_iterations -> password_hash_iterations
This commit is contained in:
Sébastien Helleu 2020-04-17 23:27:26 +02:00
parent 86a941e28e
commit 95c908e83c
11 changed files with 150 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog.adoc
View File

@ -21,7 +21,7 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]
New features::
* buflist: evaluate option buflist.look.sort so that sort can be customized for each of the three buflist bar items (issue #1465)
* relay: add command "handshake" in weechat relay protocol and nonce to prevent replay attacks, add options relay.network.auth_password, relay.network.hash_iterations, relay.network.nonce_size (issue #1474)
* relay: add command "handshake" in weechat relay protocol and nonce to prevent replay attacks, add options relay.network.password_hash_algo, relay.network.password_hash_iterations, relay.network.nonce_size (issue #1474)
* relay: add option relay.network.auth_timeout
* relay: update default colors for client status
* relay: add status "waiting_auth" in irc and weechat protocols (issue #1358)

23
doc/en/weechat_relay_protocol.en.adoc
View File

@ -120,8 +120,8 @@ Syntax:
Arguments:
* _option_: one of following options:
** _password_: list of hash algorithms supported by the client (separated by colons),
allowed values are:
** _password_hash_algo_: list of hash algorithms supported by the client
(separated by colons), allowed values are:
*** _plain_: plain text password (no hash)
*** _sha256_: password salted and hashed with SHA256 algorithm
*** _sha512_: password salted and hashed with SHA512 algorithm
@ -132,7 +132,7 @@ Arguments:
(enabled by default if _relay_ supports _zlib_ compression)
*** _off_: disable compression
Notes about option _password_:
Notes about option _password_hash_algo_:
* If the option is not given (of if the _handshake_ command is not sent by the
client), _relay_ uses automatically _plain_ authentication (if allowed on
@ -147,25 +147,26 @@ Notes about option _password_:
WeeChat replies with a hashtable containing the following keys and values:
* _auth_password_: the password authentication negotiated: supported by both
the client and _relay_:
* _password_hash_algo_: the password authentication negotiated: supported by
both the client and _relay_:
** (empty value): negotiation failed, password authentication is *NOT* possible
** _plain_
** _sha256_
** _sha512_
** _pbkdf2+sha256_
** _pbkdf2+sha512_
* _hash_iterations_: number of iterations for hash (for the PBKDF2 algorithm only)
* _password_hash_iterations_: number of iterations for hash
(for the PBKDF2 algorithm only)
* _totp_:
** _on_: Time-based One-Time Password (TOTP) is configured and expected
in the _init_ command
** _off_: Time-based One-Time Password (TOTP) is not enabled and not needed
in the _init_ command
* _nonce_: a buffer of unpredictable bytes, sent as hexadecimal, to prevent
replay attacks; if _auth_password_ is a hash algorithm, the client must compute
the hash of password on this nonce, concatenated with a client nonce and the
user password (the _relay_ nonce + the client nonce is the salt used in the
password hash algorithm)
replay attacks; if _password_hash_algo_ is a hash algorithm, the client must
compute the hash of password on this nonce, concatenated with a client nonce
and the user password (the _relay_ nonce + the client nonce is the salt used
in the password hash algorithm)
Examples:
@ -186,7 +187,7 @@ Example of response:
[source,python]
----
id: 'handshake'
htb: {'auth_password': 'pbkdf2+sha256', 'hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'}
htb: {'password_hash_algo': 'pbkdf2+sha256', 'password_hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'}
----
The client can authenticate with this command (see <<command_init,init command>>),

28
doc/fr/weechat_relay_protocol.fr.adoc
View File

@ -125,8 +125,8 @@ Syntaxe :
Paramètres :
* _option_ : une des options suivantes :
** _password_ : liste d'algorithmes de hachage supportés par le client (séparés par
des deux-points), les valeurs autorisées sont :
** _password_hash_algo_ : liste d'algorithmes de hachage supportés par le client
(séparés par des deux-points), les valeurs autorisées sont :
*** _plain_ : mot de passe en clair (pas de hachage)
*** _sha256_ : mot de passe salé et haché avec l'algorithme SHA256
*** _sha512_ : mot de passe salé et haché avec l'algorithme SHA512
@ -139,11 +139,11 @@ Paramètres :
(activée par défaut si _relay_ supporte la compression _zlib_)
*** _off_ : désactiver la compression
Notes à propos de l'option _password_ :
Notes à propos de l'option _password_hash_algo_ :
* Si l'option _password_ n'est pas donnée (ou si la commande _handshake_ n'est
pas envoyée par le client), _relay_ utilise automatiquement l'authentification
_plain_ (si elle est autorisée côté _relay_).
* Si l'option n'est pas donnée (ou si la commande _handshake_ n'est pas envoyée
par le client), _relay_ utilise automatiquement l'authentification _plain_
(si elle est autorisée côté _relay_).
* _Relay_ choisit l'algorithme le plus sûr disponible à la fois côté client et
_relay_, par ordre de priorité du premier (plus sûr) au dernier utilisé :
. _pbkdf2+sha512_
@ -152,15 +152,11 @@ Notes à propos de l'option _password_ :
. _sha256_
. _plain_
[NOTE]
Si l'option _password_ n'est pas donnée, WeeChat utilise automatiquement
l'authentification _plain_ (si autorisée par _relay_).
WeeChat répond avec une table de hachage qui contient les clés et valeurs
suivantes :
* _auth_password_ : l'authentification mot de passe négociée : supportée par le
client et _relay_ :
* _password_hash_algo_ : l'authentification mot de passe négociée : supportée
par le client et _relay_ :
** (valeur vide) : la négociation a échoué, l'authentification par mot de passe
n'est *PAS* possible
** _plain_
@ -168,15 +164,15 @@ suivantes :
** _sha512_
** _pbkdf2+sha256_
** _pbkdf2+sha512_
* _hash_iterations_ : nombre d'itérations pour le hachage (pour l'algorithme
PBKDF2 seulement)
* _password_hash_iterations_ : nombre d'itérations pour le hachage
(pour l'algorithme PBKDF2 seulement)
* _totp_:
** _on_ : le mot de passe à usage unique basé sur le temps (TOTP : Time-based
One-Time Password) est configuré et est attendu dans la commande _init_
** _off_ : le mot de passe à usage unique basé sur le temps (TOTP : Time-based
One-Time Password) n'est pas activé et pas nécessaire dans la commande _init_
* _nonce_ : un tampon d'octets non prédictibles, envoyé en hexadécimal, pour
empêcher les attaques par rejeu ; si _auth_password_ est un algorithme de
empêcher les attaques par rejeu ; si _password_hash_algo_ est un algorithme de
hachage, le client doit calculer le mot de passe haché avec ce nonce,
concaténé avec un nonce client et le mot de passe utilisateur (le nonce
_relay_ + le nonce client constituent le sel utilisé dans l'algorithme de
@ -201,7 +197,7 @@ Exemple de réponse :
[source,python]
----
id: 'handshake'
htb: {'auth_password': 'pbkdf2+sha256', 'hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'}
htb: {'password_hash_algo': 'pbkdf2+sha256', 'password_hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'}
----
Le client peut s'authentifier avec cette commande (voir la <<command_init,commande init>>),

23
doc/ja/weechat_relay_protocol.ja.adoc
View File

@ -129,8 +129,8 @@ Syntax:
Arguments:
* _option_: one of following options:
** _password_: list of hash algorithms supported by the client (separated by colons),
allowed values are:
** _password_hash_algo_: list of hash algorithms supported by the client
(separated by colons), allowed values are:
*** _plain_: plain text password (no hash)
*** _sha256_: password salted and hashed with SHA256 algorithm
*** _sha512_: password salted and hashed with SHA512 algorithm
@ -141,7 +141,7 @@ Arguments:
(enabled by default if _relay_ supports _zlib_ compression)
*** _off_: disable compression
Notes about option _password_:
Notes about option _password_hash_algo_:
* If the option is not given (of if the _handshake_ command is not sent by the
client), _relay_ uses automatically _plain_ authentication (if allowed on
@ -156,25 +156,26 @@ Notes about option _password_:
WeeChat replies with a hashtable containing the following keys and values:
* _auth_password_: the password authentication negotiated: supported by both
the client and _relay_:
* _password_hash_algo_: the password authentication negotiated: supported by
both the client and _relay_:
** (empty value): negotiation failed, password authentication is *NOT* possible
** _plain_
** _sha256_
** _sha512_
** _pbkdf2+sha256_
** _pbkdf2+sha512_
* _hash_iterations_: number of iterations for hash (for the PBKDF2 algorithm only)
* _password_hash_iterations_: number of iterations for hash
(for the PBKDF2 algorithm only)
* _totp_:
** _on_: Time-based One-Time Password (TOTP) is configured and expected
in the _init_ command
** _off_: Time-based One-Time Password (TOTP) is not enabled and not needed
in the _init_ command
* _nonce_: a buffer of unpredictable bytes, sent as hexadecimal, to prevent
replay attacks; if _auth_password_ is a hash algorithm, the client must compute
the hash of password on this nonce, concatenated with a client nonce and the
user password (the _relay_ nonce + the client nonce is the salt used in the
password hash algorithm)
replay attacks; if _password_hash_algo_ is a hash algorithm, the client must
compute the hash of password on this nonce, concatenated with a client nonce
and the user password (the _relay_ nonce + the client nonce is the salt used
in the password hash algorithm)
Examples:
@ -195,7 +196,7 @@ Example of response:
[source,python]
----
id: 'handshake'
htb: {'auth_password': 'pbkdf2+sha256', 'hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'}
htb: {'password_hash_algo': 'pbkdf2+sha256', 'password_hash_iterations': '100000', 'totp': 'on', 'nonce': '85B1EE00695A5B254E14F4885538DF0D'}
----
The client can authenticate with this command (see <<command_init,init command>>),

40
src/plugins/relay/relay-auth.c
View File

@ -37,29 +37,29 @@
* during negotiation with the client, the highest value in this list matching
* the client supported values is used
*/
char *relay_auth_password_name[] =
char *relay_auth_password_hash_algo_name[] =
{ "plain", "sha256", "sha512", "pbkdf2+sha256", "pbkdf2+sha512" };
/*
* Searches for a password authentication.
* Searches for a password hash algorithm.
*
* Returns index in enum t_relay_auth_password,
* -1 if password authentication is not found.
* Returns index in enum t_relay_auth_password_hash_algo,
* -1 if password hash algorithm is not found.
*/
int
relay_auth_password_search (const char *name)
relay_auth_password_hash_algo_search (const char *name)
{
int i;
for (i = 0; i < RELAY_NUM_PASSWORD_AUTHS; i++)
for (i = 0; i < RELAY_NUM_PASSWORD_HASH_ALGOS; i++)
{
if (strcmp (relay_auth_password_name[i], name) == 0)
if (strcmp (relay_auth_password_hash_algo_name[i], name) == 0)
return i;
}
/* authentication password type found */
/* password hash algorithm not found */
return -1;
}
@ -126,7 +126,7 @@ int
relay_auth_password (struct t_relay_client *client,
const char *password, const char *relay_password)
{
if (client->auth_password != RELAY_AUTH_PASSWORD_PLAIN)
if (client->password_hash_algo != RELAY_AUTH_PASSWORD_HASH_PLAIN)
return 0;
return relay_auth_check_password_plain (password, relay_password);
@ -376,14 +376,14 @@ relay_auth_password_hash (struct t_relay_client *client,
const char *pos_hash;
char *str_hash_algo;
char *hash_pbkdf2_algo, *salt_hexa, *salt, *hash_sha, *hash_pbkdf2;
int rc, auth_password, salt_size, iterations;
int rc, hash_algo, salt_size, iterations;
rc = 0;
str_hash_algo = NULL;
/* no authentication supported at all? */
if (client->auth_password < 0)
if (client->password_hash_algo < 0)
goto end;
if (!hashed_password || !relay_password)
@ -400,15 +400,15 @@ relay_auth_password_hash (struct t_relay_client *client,
pos_hash++;
auth_password = relay_auth_password_search (str_hash_algo);
hash_algo = relay_auth_password_hash_algo_search (str_hash_algo);
if (auth_password != client->auth_password)
if (hash_algo != client->password_hash_algo)
goto end;
switch (auth_password)
switch (hash_algo)
{
case RELAY_AUTH_PASSWORD_SHA256:
case RELAY_AUTH_PASSWORD_SHA512:
case RELAY_AUTH_PASSWORD_HASH_SHA256:
case RELAY_AUTH_PASSWORD_HASH_SHA512:
relay_auth_parse_sha (pos_hash, &salt_hexa, &salt, &salt_size,
&hash_sha);
if (relay_auth_check_salt (client, salt_hexa)
@ -424,12 +424,12 @@ relay_auth_password_hash (struct t_relay_client *client,
if (hash_sha)
free (hash_sha);
break;
case RELAY_AUTH_PASSWORD_PBKDF2_SHA256:
case RELAY_AUTH_PASSWORD_PBKDF2_SHA512:
case RELAY_AUTH_PASSWORD_HASH_PBKDF2_SHA256:
case RELAY_AUTH_PASSWORD_HASH_PBKDF2_SHA512:
hash_pbkdf2_algo = strdup (str_hash_algo + 7);
relay_auth_parse_pbkdf2 (pos_hash, &salt_hexa, &salt, &salt_size,
&iterations, &hash_pbkdf2);
if ((iterations == client->hash_iterations)
if ((iterations == client->password_hash_iterations)
&& relay_auth_check_salt (client, salt_hexa)
&& relay_auth_check_hash_pbkdf2 (hash_pbkdf2_algo, salt,
salt_size, iterations,
@ -446,7 +446,7 @@ relay_auth_password_hash (struct t_relay_client *client,
if (hash_pbkdf2)
free (hash_pbkdf2);
break;
case RELAY_NUM_PASSWORD_AUTHS:
case RELAY_NUM_PASSWORD_HASH_ALGOS:
break;
}

20
src/plugins/relay/relay-auth.h
View File

@ -22,20 +22,20 @@
struct t_relay_client;
enum t_relay_auth_password
enum t_relay_auth_password_hash_algo
{
RELAY_AUTH_PASSWORD_PLAIN = 0,
RELAY_AUTH_PASSWORD_SHA256,
RELAY_AUTH_PASSWORD_SHA512,
RELAY_AUTH_PASSWORD_PBKDF2_SHA256,
RELAY_AUTH_PASSWORD_PBKDF2_SHA512,
/* number of password auths */
RELAY_NUM_PASSWORD_AUTHS,
RELAY_AUTH_PASSWORD_HASH_PLAIN = 0,
RELAY_AUTH_PASSWORD_HASH_SHA256,
RELAY_AUTH_PASSWORD_HASH_SHA512,
RELAY_AUTH_PASSWORD_HASH_PBKDF2_SHA256,
RELAY_AUTH_PASSWORD_HASH_PBKDF2_SHA512,
/* number of password hash algos */
RELAY_NUM_PASSWORD_HASH_ALGOS,
};
extern char *relay_auth_password_name[];
extern char *relay_auth_password_hash_algo_name[];
extern int relay_auth_password_search (const char *name);
extern int relay_auth_password_hash_algo_search (const char *name);
extern char *relay_auth_generate_nonce ();
extern int relay_auth_check_password_plain (const char *password,
const char *relay_password);

42
src/plugins/relay/relay-client.c
View File

@ -1298,12 +1298,12 @@ relay_client_new (int sock, const char *address, struct t_relay_server *server)
new_client->protocol_string = (server->protocol_string) ? strdup (server->protocol_string) : NULL;
new_client->protocol_args = (server->protocol_args) ? strdup (server->protocol_args) : NULL;
plain_text_password = weechat_string_match_list (
relay_auth_password_name[0],
(const char **)relay_config_network_auth_password_list,
relay_auth_password_hash_algo_name[0],
(const char **)relay_config_network_password_hash_algo_list,
1);
new_client->auth_password = (plain_text_password) ? 0 : -1;
new_client->hash_iterations = weechat_config_integer (
relay_config_network_hash_iterations);
new_client->password_hash_algo = (plain_text_password) ? 0 : -1;
new_client->password_hash_iterations = weechat_config_integer (
relay_config_network_password_hash_iterations);
new_client->nonce = relay_auth_generate_nonce ();
new_client->listen_start_time = server->start_time;
new_client->start_time = time (NULL);
@ -1506,17 +1506,17 @@ relay_client_new_with_infolist (struct t_infolist *infolist)
new_client->protocol_string = (str) ? strdup (str) : NULL;
str = weechat_infolist_string (infolist, "protocol_args");
new_client->protocol_args = (str) ? strdup (str) : NULL;
/* "auth_password" is new in WeeChat 2.9 */
if (weechat_infolist_search_var (infolist, "auth_password"))
new_client->auth_password = weechat_infolist_integer (infolist, "auth_password");
/* "password_hash_algo" is new in WeeChat 2.9 */
if (weechat_infolist_search_var (infolist, "password_hash_algo"))
new_client->password_hash_algo = weechat_infolist_integer (infolist, "password_hash_algo");
else
new_client->auth_password = RELAY_AUTH_PASSWORD_PLAIN;
/* "hash_iterations" is new in WeeChat 2.9 */
if (weechat_infolist_search_var (infolist, "hash_iterations"))
new_client->hash_iterations = weechat_infolist_integer (infolist, "hash_iterations");
new_client->password_hash_algo = RELAY_AUTH_PASSWORD_HASH_PLAIN;
/* "password_hash_iterations" is new in WeeChat 2.9 */
if (weechat_infolist_search_var (infolist, "password_hash_iterations"))
new_client->password_hash_iterations = weechat_infolist_integer (infolist, "password_hash_iterations");
else
new_client->hash_iterations = weechat_config_integer (
relay_config_network_hash_iterations);
new_client->password_hash_iterations = weechat_config_integer (
relay_config_network_password_hash_iterations);
/* "nonce" is new in WeeChat 2.9 */
if (weechat_infolist_search_var (infolist, "nonce"))
new_client->nonce = strdup (weechat_infolist_string (infolist, "nonce"));
@ -1857,9 +1857,9 @@ relay_client_add_to_infolist (struct t_infolist *infolist,
return 0;
if (!weechat_infolist_new_var_string (ptr_item, "protocol_args", client->protocol_args))
return 0;
if (!weechat_infolist_new_var_integer (ptr_item, "auth_password", client->auth_password))
if (!weechat_infolist_new_var_integer (ptr_item, "password_hash_algo", client->password_hash_algo))
return 0;
if (!weechat_infolist_new_var_integer (ptr_item, "hash_iterations", client->hash_iterations))
if (!weechat_infolist_new_var_integer (ptr_item, "password_hash_iterations", client->password_hash_iterations))
return 0;
if (!weechat_infolist_new_var_string (ptr_item, "nonce", client->nonce))
return 0;
@ -1939,11 +1939,11 @@ relay_client_print_log ()
relay_protocol_string[ptr_client->protocol]);
weechat_log_printf (" protocol_string . . . : '%s'", ptr_client->protocol_string);
weechat_log_printf (" protocol_args . . . . : '%s'", ptr_client->protocol_args);
weechat_log_printf (" auth_password . . . . : %d (%s)",
ptr_client->auth_password,
(ptr_client->auth_password >= 0) ?
relay_auth_password_name[ptr_client->auth_password] : "");
weechat_log_printf (" hash_iterations . . . : %d", ptr_client->hash_iterations);
weechat_log_printf (" password_hash_algo. . : %d (%s)",
ptr_client->password_hash_algo,
(ptr_client->password_hash_algo >= 0) ?
relay_auth_password_hash_algo_name[ptr_client->password_hash_algo] : "");
weechat_log_printf (" password_hash_iterations: %d", ptr_client->password_hash_iterations);
weechat_log_printf (" nonce . . . . . . . . : '%s'", ptr_client->nonce);
weechat_log_printf (" listen_start_time . . : %lld", (long long)ptr_client->listen_start_time);
weechat_log_printf (" start_time. . . . . . : %lld", (long long)ptr_client->start_time);

4
src/plugins/relay/relay-client.h
View File

@ -106,8 +106,8 @@ struct t_relay_client
char *protocol_string; /* example: "ipv6.ssl.irc.freenode" */
char *protocol_args; /* arguments used for protocol */
/* example: server for irc protocol */
int auth_password; /* password auth (negotiated/client) */
int hash_iterations; /* hash iterations */
int password_hash_algo; /* password hash algo (negotiated) */
int password_hash_iterations; /* password hash iterations */
char *nonce; /* nonce used in salt of hashed pwd */
time_t listen_start_time; /* when listening started */
time_t start_time; /* time of client connection */

79
src/plugins/relay/relay-config.c
View File

@ -60,16 +60,16 @@ struct t_config_option *relay_config_color_text_selected;
struct t_config_option *relay_config_network_allow_empty_password;
struct t_config_option *relay_config_network_allowed_ips;
struct t_config_option *relay_config_network_auth_password;
struct t_config_option *relay_config_network_auth_timeout;
struct t_config_option *relay_config_network_bind_address;
struct t_config_option *relay_config_network_clients_purge_delay;
struct t_config_option *relay_config_network_compression_level;
struct t_config_option *relay_config_network_hash_iterations;
struct t_config_option *relay_config_network_ipv6;
struct t_config_option *relay_config_network_max_clients;
struct t_config_option *relay_config_network_nonce_size;
struct t_config_option *relay_config_network_password;
struct t_config_option *relay_config_network_password_hash_algo;
struct t_config_option *relay_config_network_password_hash_iterations;
struct t_config_option *relay_config_network_ssl_cert_key;
struct t_config_option *relay_config_network_ssl_priorities;
struct t_config_option *relay_config_network_totp_secret;
@ -94,7 +94,7 @@ struct t_config_option *relay_config_weechat_commands;
regex_t *relay_config_regex_allowed_ips = NULL;
regex_t *relay_config_regex_websocket_allowed_origins = NULL;
struct t_hashtable *relay_config_hashtable_irc_backlog_tags = NULL;
char **relay_config_network_auth_password_list = NULL;
char **relay_config_network_password_hash_algo_list = NULL;
/*
@ -154,26 +154,27 @@ relay_config_change_network_allowed_ips (const void *pointer, void *data,
}
/*
* Callback for changes on option "relay.network.auth_password".
* Callback for changes on option "relay.network.password_hash_algo".
*/
void
relay_config_change_network_auth_password (const void *pointer, void *data,
struct t_config_option *option)
relay_config_change_network_password_hash_algo (const void *pointer,
void *data,
struct t_config_option *option)
{
/* make C compiler happy */
(void) pointer;
(void) data;
(void) option;
if (relay_config_network_auth_password_list)
if (relay_config_network_password_hash_algo_list)
{
weechat_string_free_split (relay_config_network_auth_password_list);
relay_config_network_auth_password_list = NULL;
weechat_string_free_split (relay_config_network_password_hash_algo_list);
relay_config_network_password_hash_algo_list = NULL;
}
relay_config_network_auth_password_list = weechat_string_split (
weechat_config_string (relay_config_network_auth_password),
relay_config_network_password_hash_algo_list = weechat_string_split (
weechat_config_string (relay_config_network_password_hash_algo),
",",
NULL,
WEECHAT_STRING_SPLIT_STRIP_LEFT
@ -1066,20 +1067,6 @@ relay_config_init ()
NULL, NULL, NULL,
&relay_config_change_network_allowed_ips, NULL, NULL,
NULL, NULL, NULL);
relay_config_network_auth_password = weechat_config_new_option (
relay_config_file, ptr_section,
"auth_password", "string",
N_("comma separated list of hash algorithms used for password "
"authentication in weechat protocol, among these values: \"plain\" "
"(password in plain text, not hashed), \"sha256\", \"sha512\", "
"\"pbkdf2+sha256\", \"pbkdf2+sha512\"), \"*\" means all algorithms, "
"a name beginning with \"!\" is a negative value to prevent an "
"algorithm from being used, wildcard \"*\" is allowed in names "
"(examples: \"*\", \"pbkdf2*\", \"*,!plain\")"),
NULL, 0, 0, "*", NULL, 0,
NULL, NULL, NULL,
&relay_config_change_network_auth_password, NULL, NULL,
NULL, NULL, NULL);
relay_config_network_auth_timeout = weechat_config_new_option (
relay_config_file, ptr_section,
"auth_timeout", "integer",
@ -1114,16 +1101,6 @@ relay_config_init ()
"compression)"),
NULL, 0, 9, "6", NULL, 0,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
relay_config_network_hash_iterations = weechat_config_new_option (
relay_config_file, ptr_section,
"hash_iterations", "integer",
N_("number of iterations asked to the client in weechat protocol "
"when a hashed password with algorithm PBKDF2 is used for "
"authentication; more iterations is better in term of security but "
"is slower to compute; this number should not be too high if your "
"CPU is slow"),
NULL, 1, 1000000, "100000", NULL, 0,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
relay_config_network_ipv6 = weechat_config_new_option (
relay_config_file, ptr_section,
"ipv6", "boolean",
@ -1158,6 +1135,30 @@ relay_config_init ()
"see /help eval)"),
NULL, 0, 0, "", NULL, 0,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
relay_config_network_password_hash_algo = weechat_config_new_option (
relay_config_file, ptr_section,
"password_hash_algo", "string",
N_("comma separated list of hash algorithms used for password "
"authentication in weechat protocol, among these values: \"plain\" "
"(password in plain text, not hashed), \"sha256\", \"sha512\", "
"\"pbkdf2+sha256\", \"pbkdf2+sha512\"), \"*\" means all algorithms, "
"a name beginning with \"!\" is a negative value to prevent an "
"algorithm from being used, wildcard \"*\" is allowed in names "
"(examples: \"*\", \"pbkdf2*\", \"*,!plain\")"),
NULL, 0, 0, "*", NULL, 0,
NULL, NULL, NULL,
&relay_config_change_network_password_hash_algo, NULL, NULL,
NULL, NULL, NULL);
relay_config_network_password_hash_iterations = weechat_config_new_option (
relay_config_file, ptr_section,
"password_hash_iterations", "integer",
N_("number of iterations asked to the client in weechat protocol "
"when a hashed password with algorithm PBKDF2 is used for "
"authentication; more iterations is better in term of security but "
"is slower to compute; this number should not be too high if your "
"CPU is slow"),
NULL, 1, 1000000, "100000", NULL, 0,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
relay_config_network_ssl_cert_key = weechat_config_new_option (
relay_config_file, ptr_section,
"ssl_cert_key", "string",
@ -1361,7 +1362,7 @@ relay_config_read ()
if (rc == WEECHAT_CONFIG_READ_OK)
{
relay_config_change_network_allowed_ips (NULL, NULL, NULL);
relay_config_change_network_auth_password (NULL, NULL, NULL);
relay_config_change_network_password_hash_algo (NULL, NULL, NULL);
relay_config_change_irc_backlog_tags (NULL, NULL, NULL);
}
return rc;
@ -1406,9 +1407,9 @@ relay_config_free ()
relay_config_hashtable_irc_backlog_tags = NULL;
}
if (relay_config_network_auth_password_list)
if (relay_config_network_password_hash_algo_list)
{
weechat_string_free_split (relay_config_network_auth_password_list);
relay_config_network_auth_password_list = NULL;
weechat_string_free_split (relay_config_network_password_hash_algo_list);
relay_config_network_password_hash_algo_list = NULL;
}
}

6
src/plugins/relay/relay-config.h
View File

@ -39,16 +39,16 @@ extern struct t_config_option *relay_config_color_text_selected;
extern struct t_config_option *relay_config_network_allow_empty_password;
extern struct t_config_option *relay_config_network_allowed_ips;
extern struct t_config_option *relay_config_network_auth_password;
extern struct t_config_option *relay_config_network_auth_timeout;
extern struct t_config_option *relay_config_network_bind_address;
extern struct t_config_option *relay_config_network_clients_purge_delay;
extern struct t_config_option *relay_config_network_compression_level;
extern struct t_config_option *relay_config_network_hash_iterations;
extern struct t_config_option *relay_config_network_ipv6;
extern struct t_config_option *relay_config_network_max_clients;
extern struct t_config_option *relay_config_network_nonce_size;
extern struct t_config_option *relay_config_network_password;
extern struct t_config_option *relay_config_network_password_hash_algo;
extern struct t_config_option *relay_config_network_password_hash_iterations;
extern struct t_config_option *relay_config_network_ssl_cert_key;
extern struct t_config_option *relay_config_network_ssl_priorities;
extern struct t_config_option *relay_config_network_totp_secret;
@ -67,7 +67,7 @@ extern struct t_config_option *relay_config_weechat_commands;
extern regex_t *relay_config_regex_allowed_ips;
extern regex_t *relay_config_regex_websocket_allowed_origins;
extern struct t_hashtable *relay_config_hashtable_irc_backlog_tags;
extern char **relay_config_network_auth_password_list;
extern char **relay_config_network_password_hash_algo_list;
extern int relay_config_check_network_totp_secret (const void *pointer,
void *data,

34
src/plugins/relay/weechat/relay-weechat-protocol.c
View File

@ -183,13 +183,13 @@ relay_weechat_protocol_handshake_reply (struct t_relay_client *client,
{
weechat_hashtable_set (
hashtable,
"auth_password",
(client->auth_password >= 0) ?
relay_auth_password_name[client->auth_password] : "");
snprintf (string, sizeof (string), "%d", client->hash_iterations);
"password_hash_algo",
(client->password_hash_algo >= 0) ?
relay_auth_password_hash_algo_name[client->password_hash_algo] : "");
snprintf (string, sizeof (string), "%d", client->password_hash_iterations);
weechat_hashtable_set (
hashtable,
"hash_iterations",
"password_hash_iterations",
string);
weechat_hashtable_set (
hashtable,
@ -226,7 +226,7 @@ relay_weechat_protocol_handshake_reply (struct t_relay_client *client,
RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake)
{
char **options, **auths, *pos;
int i, j, index_auth, auth_found, auth_allowed, compression;
int i, j, index_hash_algo, hash_algo_found, auth_allowed, compression;
int password_received, plain_text_password;
RELAY_WEECHAT_PROTOCOL_MIN_ARGS(0);
@ -234,7 +234,7 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake)
if (client->status != RELAY_STATUS_WAITING_AUTH)
return WEECHAT_RC_OK;
auth_found = -1;
hash_algo_found = -1;
password_received = 0;
options = (argc > 0) ?
@ -248,7 +248,7 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake)
{
pos[0] = '\0';
pos++;
if (strcmp (options[i], "password") == 0)
if (strcmp (options[i], "password_hash_algo") == 0)
{
password_received = 1;
auths = weechat_string_split (
@ -264,16 +264,16 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake)
{
for (j = 0; auths[j]; j++)
{
index_auth = relay_auth_password_search (
index_hash_algo = relay_auth_password_hash_algo_search (
auths[j]);
if ((index_auth >= 0) && (index_auth > auth_found))
if ((index_hash_algo >= 0) && (index_hash_algo > hash_algo_found))
{
auth_allowed = weechat_string_match_list (
relay_auth_password_name[index_auth],
(const char **)relay_config_network_auth_password_list,
relay_auth_password_hash_algo_name[index_hash_algo],
(const char **)relay_config_network_password_hash_algo_list,
1);
if (auth_allowed)
auth_found = index_auth;
hash_algo_found = index_hash_algo;
}
}
weechat_string_free_split (auths);
@ -293,14 +293,14 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(handshake)
if (!password_received)
{
plain_text_password = weechat_string_match_list (
relay_auth_password_name[0],
(const char **)relay_config_network_auth_password_list,
relay_auth_password_hash_algo_name[0],
(const char **)relay_config_network_password_hash_algo_list,
1);
if (plain_text_password)
auth_found = 0;
hash_algo_found = 0;
}
client->auth_password = auth_found;
client->password_hash_algo = hash_algo_found;
relay_weechat_protocol_handshake_reply (client, id);