Changeset 8e6ecfe

Timestamp:

2016-03-25T18:07:53Z (8 years ago)

Author:

Dennis Kaarsemaker <dennis@…>

Branches:

master

Children:

a6005da

Parents:

446a23e

git-author:

Dennis Kaarsemaker <dennis@…> (23-02-16 18:41:34)

git-committer:

Dennis Kaarsemaker <dennis@…> (25-03-16 18:07:53)

Message:

Authentication: scaffolding for multiple authentication backends

Instead of always putting users passwords in XML files, allow site
admins to configure a different authentication method to integrate
authentication with other systems.

This doesn't add any authentication backends yet, merely the
scaffolding. Notably:

• Password checking and loading/removing from storage has been decoupled. A new auth_check_pass function is used to check passwords. It does check against the configured storage first, but will handle the authentication backends as well. The XML storage merely signals that a user's password should be checked using an authentication backend.
• If unknown-to-bitlbee users identify using an authentication backend, they are automatically registered.
• If an authentication backend is used, that fact is stored in the XML file, the password is not. Passwords are also stored unencrypted in this case, as the password used to encrypt them can change underneath us.
• configure and Makefile changes for the backend objects

Files:

• Makefile (modified) (1 diff)
• auth.c (added)
• auth.h (added)
• bitlbee.conf (modified) (1 diff)
• bitlbee.h (modified) (2 diffs)
• conf.c (modified) (2 diffs)
• conf.h (modified) (1 diff)
• configure (modified) (1 diff)
• irc.h (modified) (1 diff)
• irc_commands.c (modified) (1 diff)
• root_commands.c (modified) (3 diffs)
• storage.c (modified) (4 diffs)
• storage.h (modified) (3 diffs)
• storage_xml.c (modified) (8 diffs)
• tests/Makefile (modified) (1 diff)
• unix.c (modified) (1 diff)

Makefile

@@ -10 +10 @@
 
 # Program variables
-objects = bitlbee.o dcc.o help.o ipc.o irc.o irc_im.o irc_cap.o irc_channel.o irc_commands.o irc_send.o irc_user.o irc_util.o nick.o $(OTR_BI) query.o root_commands.o set.o storage.o $(STORAGE_OBJS) unix.o conf.o log.o
+objects = bitlbee.o dcc.o help.o ipc.o irc.o irc_im.o irc_cap.o irc_channel.o irc_commands.o irc_send.o irc_user.o irc_util.o nick.o $(OTR_BI) query.o root_commands.o set.o storage.o $(STORAGE_OBJS) auth.o $(AUTH_OBJS) unix.o conf.o log.o
 headers = $(wildcard $(_SRCDIR_)*.h $(_SRCDIR_)lib/*.h $(_SRCDIR_)protocols/*.h)
 subdirs = lib protocols

bitlbee.conf

@@ -51 +51 @@
 ##
 # AuthMode = Open
+
+## AuthBackend
+##
+## By default, the authentication data for a user is stored in the storage
+## backend. If you want to authenticate against another authentication system
+## (e.g. ldap), you can specify that here.
+##
+## Beware that this disables password changes and causes passwords for the
+## accounts people create to be stored in plain text instead of encrypted with
+## their bitlbee password.
+#
+# AuthBackend = storage
+#
 
 ## AuthPassword

bitlbee.h

@@ -133 +133 @@
 #include "irc.h"
 #include "storage.h"
+#include "auth.h"
 #include "set.h"
 #include "nogaim.h"
@@ -154 +155 @@
         conf_t *conf;
         GList *storage; /* The first backend in the list will be used for saving */
+        GList *auth;    /* Authentication backends */
         char *helpfile;
         int restart;

conf.c

@@ -55 +55 @@
         conf->runmode = RUNMODE_INETD;
         conf->authmode = AUTHMODE_OPEN;
+        conf->auth_backend = NULL;
         conf->auth_pass = NULL;
         conf->oper_pass = NULL;
@@ -241 +242 @@
                                         conf->authmode = AUTHMODE_OPEN;
                                 }
+                        } else if (g_strcasecmp(ini->key, "authbackend") == 0) {
+                                if (g_strcasecmp(ini->value, "storage") == 0) {
+                                        conf->auth_backend = NULL;
+                                } else {
+                                        fprintf(stderr, "Invalid %s value: %s\n", ini->key, ini->value);
+                                        return 0;
+                                }
                         } else if (g_strcasecmp(ini->key, "authpassword") == 0) {
                                 g_free(conf->auth_pass);

conf.h

@@ -37 +37 @@
         runmode_t runmode;
         authmode_t authmode;
+        char *auth_backend;
         char *auth_pass;
         char *oper_pass;

configure

@@ -628 +628 @@
 done
 echo "STORAGE_OBJS="$STORAGE_OBJS >> Makefile.settings
+
+authobjs=
+authlibs=
+echo AUTH_OBJS=$authobjs >> Makefile.settings
+echo EFLAGS+=$authlibs >> Makefile.settings
 
 if [ "$strip" = 0 ]; then

irc.h

@@ -92 +92 @@
                            logging in, this may contain a password we should
                            send to identify after USER/NICK are received. */
+        char *auth_backend;
 
         char umode[8];

irc_commands.c

@@ -97 +97 @@
         /* just check the password here to be able to reply with useful numerics
          * the actual identification will be handled later */
-        status = storage_check_pass(user, pass);
+        status = auth_check_pass(irc, user, pass);
 
         if (status == STORAGE_OK) {

root_commands.c

@@ -143 +143 @@
         }
 
-        if (load) {
+        status = auth_check_pass(irc, irc->user->nick, password);
+        if (load && (status == STORAGE_OK)) {
                 status = storage_load(irc, password);
-        } else {
-                status = storage_check_pass(irc->user->nick, password);
         }
 
@@ -159 +158 @@
                 irc_rootmsg(irc, "Password accepted%s",
                             load ? ", settings and accounts loaded" : "");
-                irc_setpass(irc, password);
                 irc->status |= USTATUS_IDENTIFIED;
                 irc_umode_set(irc, "+R", 1);
@@ -268 +266 @@
         storage_status_t status;
 
-        status = storage_remove(irc->user->nick, cmd[1]);
+        status = auth_check_pass(irc, irc->user->nick, cmd[1]);
+        if (status == STORAGE_OK) {
+                status = storage_remove(irc->user->nick);
+        }
+
         switch (status) {
         case STORAGE_NO_SUCH_USER:

storage.c

@@ -87 +87 @@
 }
 
-storage_status_t storage_check_pass(const char *nick, const char *password)
+storage_status_t storage_check_pass(irc_t *irc, const char *nick, const char *password)
 {
         GList *gl;
@@ -97 +97 @@
                 storage_status_t status;
 
-                status = st->check_pass(nick, password);
+                status = st->check_pass(irc, nick, password);
                 if (status != STORAGE_NO_SUCH_USER) {
                         return status;
@@ -171 +171 @@
 }
 
-storage_status_t storage_remove(const char *nick, const char *password)
+storage_status_t storage_remove(const char *nick)
 {
         GList *gl;
@@ -185 +185 @@
                 storage_status_t status;
 
-                status = st->remove(nick, password);
+                status = st->remove(nick);
                 ok |= status == STORAGE_OK;
                 if (status != STORAGE_NO_SUCH_USER && status != STORAGE_OK) {

storage.h

@@ -31 +31 @@
         STORAGE_NO_SUCH_USER,
         STORAGE_INVALID_PASSWORD,
+        STORAGE_CHECK_BACKEND,
         STORAGE_ALREADY_EXISTS,
         STORAGE_OTHER_ERROR /* Error that isn't caused by user input, such as
@@ -43 +44 @@
         void (*init)(void);
 
-        storage_status_t (*check_pass)(const char *nick, const char *password);
+        storage_status_t (*check_pass)(irc_t *irc, const char *nick, const char *password);
 
         storage_status_t (*load)(irc_t *irc, const char *password);
         storage_status_t (*save)(irc_t *irc, int overwrite);
-        storage_status_t (*remove)(const char *nick, const char *password);
+        storage_status_t (*remove)(const char *nick);
 
         /* May be NULL if not supported by backend */
@@ -53 +54 @@
 } storage_t;
 
-storage_status_t storage_check_pass(const char *nick, const char *password);
+storage_status_t storage_check_pass(irc_t *irc, const char *nick, const char *password);
 
 storage_status_t storage_load(irc_t * irc, const char *password);
 storage_status_t storage_save(irc_t *irc, char *password, int overwrite);
-storage_status_t storage_remove(const char *nick, const char *password);
+storage_status_t storage_remove(const char *nick);
 
 void register_storage_backend(storage_t *);

storage_xml.c

@@ -34 +34 @@
 
 typedef enum {
-        XML_PASS_CHECK_ONLY = -1,
-        XML_PASS_UNKNOWN = 0,
-        XML_PASS_WRONG,
-        XML_PASS_OK
-} xml_pass_st;
+        XML_PASS_CHECK = 0,
+        XML_LOAD
+} xml_action;
 
 /* To make it easier later when extending the format: */
@@ -121 +119 @@
         if (!handle || !pass_b64 || !protocol || !prpl) {
                 return XT_ABORT;
-        } else if ((pass_len = base64_decode(pass_b64, (unsigned char **) &pass_cr)) &&
-                   arc_decode(pass_cr, pass_len, &password, xd->given_pass) >= 0) {
-                acc = account_add(xd->irc->b, prpl, handle, password);
-                if (server) {
-                        set_setstr(&acc->set, "server", server);
-                }
-                if (autoconnect) {
-                        set_setstr(&acc->set, "auto_connect", autoconnect);
-                }
-                if (tag) {
-                        set_setstr(&acc->set, "tag", tag);
-                }
-                if (local) {
-                        acc->flags |= ACC_FLAG_LOCAL;
-                }
-                if (locked && !g_strcasecmp(locked, "true")) {
-                        acc->flags |= ACC_FLAG_LOCKED;
-                }
+        }
+
+        base64_decode(pass_b64, (unsigned char **) &pass_cr);
+        if (xd->irc->auth_backend) {
+                password = g_strdup((char *)pass_cr);
         } else {
-                g_free(pass_cr);
-                g_free(password);
-                return XT_ABORT;
+                pass_len = arc_decode(pass_cr, pass_len, &password, xd->given_pass);
+                if (pass_len < 0) {
+                        g_free(pass_cr);
+                        g_free(password);
+                        return XT_ABORT;
+                }
+        }
+
+        acc = account_add(xd->irc->b, prpl, handle, password);
+        if (server) {
+                set_setstr(&acc->set, "server", server);
+        }
+        if (autoconnect) {
+                set_setstr(&acc->set, "auto_connect", autoconnect);
+        }
+        if (tag) {
+                set_setstr(&acc->set, "tag", tag);
+        }
+        if (local) {
+                acc->flags |= ACC_FLAG_LOCAL;
+        }
+        if (locked && !g_strcasecmp(locked, "true")) {
+                acc->flags |= ACC_FLAG_LOCKED;
         }
 
@@ -198 +203 @@
 };
 
-static storage_status_t xml_load_real(irc_t *irc, const char *my_nick, const char *password, xml_pass_st action)
+static storage_status_t xml_load_real(irc_t *irc, const char *my_nick, const char *password, xml_action action)
 {
         struct xml_parsedata xd[1];
@@ -240 +245 @@
         }
 
-        {
+        if (action == XML_PASS_CHECK) {
                 char *nick = xt_find_attr(node, "nick");
                 char *pass = xt_find_attr(node, "password");
-
-                if (!nick || !pass) {
+                char *backend = xt_find_attr(node, "auth_backend");
+
+                if (!nick || !(pass || backend)) {
                         goto error;
+                }
+
+                if (backend) {
+                        g_free(xd->irc->auth_backend);
+                        xd->irc->auth_backend = g_strdup(backend);
+                        ret = STORAGE_CHECK_BACKEND;
                 } else if ((st = md5_verify_password(xd->given_pass, pass)) != 0) {
                         ret = STORAGE_INVALID_PASSWORD;
-                        goto error;
-                }
-        }
-
-        if (action == XML_PASS_CHECK_ONLY) {
-                ret = STORAGE_OK;
-                goto error;
-        }
-
-        /* DO NOT call xt_handle() before verifying the password! */
+                } else {
+                        ret = STORAGE_OK;
+                }
+                goto error;
+        }
+
         if (xt_handle(xp, NULL, 1) == XT_HANDLED) {
                 ret = STORAGE_OK;
@@ -272 +280 @@
 static storage_status_t xml_load(irc_t *irc, const char *password)
 {
-        return xml_load_real(irc, irc->user->nick, password, XML_PASS_UNKNOWN);
-}
-
-static storage_status_t xml_check_pass(const char *my_nick, const char *password)
-{
-        return xml_load_real(NULL, my_nick, password, XML_PASS_CHECK_ONLY);
+        return xml_load_real(irc, irc->user->nick, password, XML_LOAD);
+}
+
+static storage_status_t xml_check_pass(irc_t *irc, const char *my_nick, const char *password)
+{
+        return xml_load_real(irc, my_nick, password, XML_PASS_CHECK);
 }
 
@@ -292 +300 @@
         struct xt_node *root, *cur;
 
-        /* Generate a salted md5sum of the password. Use 5 bytes for the salt
-           (to prevent dictionary lookups of passwords) to end up with a 21-
-           byte password hash, more convenient for base64 encoding. */
-        random_bytes(pass_md5 + 16, 5);
-        md5_init(&md5_state);
-        md5_append(&md5_state, (md5_byte_t *) irc->password, strlen(irc->password));
-        md5_append(&md5_state, pass_md5 + 16, 5);   /* Add the salt. */
-        md5_finish(&md5_state, pass_md5);
-        /* Save the hash in base64-encoded form. */
-        pass_buf = base64_encode(pass_md5, 21);
-
         root = cur = xt_new_node("user", NULL, NULL);
+        if (irc->auth_backend) {
+                xt_add_attr(cur, "auth_backend", irc->auth_backend);
+        } else {
+                /* Generate a salted md5sum of the password. Use 5 bytes for the salt
+                   (to prevent dictionary lookups of passwords) to end up with a 21-
+                   byte password hash, more convenient for base64 encoding. */
+                random_bytes(pass_md5 + 16, 5);
+                md5_init(&md5_state);
+                md5_append(&md5_state, (md5_byte_t *) irc->password, strlen(irc->password));
+                md5_append(&md5_state, pass_md5 + 16, 5);   /* Add the salt. */
+                md5_finish(&md5_state, pass_md5);
+                /* Save the hash in base64-encoded form. */
+                pass_buf = base64_encode(pass_md5, 21);
+                xt_add_attr(cur, "password", pass_buf);
+                g_free(pass_buf);
+        }
+
         xt_add_attr(cur, "nick", irc->user->nick);
-        xt_add_attr(cur, "password", pass_buf);
         xt_add_attr(cur, "version", XML_FORMAT_VERSION);
-
-        g_free(pass_buf);
 
         xml_generate_settings(cur, &irc->b->set);
@@ -319 +330 @@
                 int pass_len;
 
-                pass_len = arc_encode(acc->pass, strlen(acc->pass), (unsigned char **) &pass_cr, irc->password, 12);
-                pass_b64 = base64_encode(pass_cr, pass_len);
-                g_free(pass_cr);
+                if(irc->auth_backend) {
+                        /* If we don't "own" the password, it may change without us
+                         * knowing, so we cannot encrypt the data, as we then may not be
+                         * able to decrypt it */
+                        pass_b64 = base64_encode((unsigned char *)acc->pass, strlen(acc->pass));
+                } else {
+                        pass_len = arc_encode(acc->pass, strlen(acc->pass), (unsigned char **) &pass_cr, irc->password, 12);
+                        pass_b64 = base64_encode(pass_cr, pass_len);
+                        g_free(pass_cr);
+                }
 
                 cur = xt_new_node("account", NULL, NULL);
@@ -440 +458 @@
 
 
-static storage_status_t xml_remove(const char *nick, const char *password)
+static storage_status_t xml_remove(const char *nick)
 {
         char s[512], *lc;
-        storage_status_t status;
-
-        status = xml_check_pass(nick, password);
-        if (status != STORAGE_OK) {
-                return status;
-        }
 
         lc = g_strdup(nick);

tests/Makefile

@@ -15 +15 @@
 distclean: clean
 
-main_objs = bitlbee.o conf.o dcc.o help.o ipc.o irc.o irc_cap.o irc_channel.o irc_commands.o irc_im.o irc_send.o irc_user.o irc_util.o irc_commands.o log.o nick.o query.o root_commands.o set.o storage.o storage_xml.o
+main_objs = bitlbee.o conf.o dcc.o help.o ipc.o irc.o irc_cap.o irc_channel.o irc_commands.o irc_im.o irc_send.o irc_user.o irc_util.o irc_commands.o log.o nick.o query.o root_commands.o set.o storage.o storage_xml.o auth.o
 
 test_objs = check.o check_util.o check_nick.o check_md5.o check_arc.o check_irc.o check_help.o check_user.o check_set.o check_jabber_sasl.o check_jabber_util.o

unix.c

@@ -104 +104 @@
         }
 
+        global.auth = auth_init(global.conf->auth_backend);
+        if (global.conf->auth_backend && global.auth == NULL) {
+                log_message(LOGLVL_ERROR, "Unable to load authentication backend '%s'", global.conf->auth_backend);
+                return(1);
+        }
+
         if (global.conf->runmode == RUNMODE_INETD) {
                 log_link(LOGLVL_ERROR, LOGOUTPUT_IRC);