mirror of https://github.com/weechat/weechat.git synced 2026-07-04 16:53:14 +02:00

relay: add command "handshake" in weechat relay protocol and nonce to prevent replay attacks (closes #1474)

This introduces a new command called "handshake" in the weechat relay protocol.
It should be sent by the client before the "init" command, to negotiate the way
to authenticate with a password.

3 new options are added:

* relay.network.auth_password
* relay.network.hash_iterations
* relay.network.nonce_size

This commit is contained in:
Sébastien Helleu
2020-04-14 21:34:46 +02:00
parent ccd45e4921
commit 9fa3609c85
43 changed files with 2390 additions and 471 deletions
@@ -20,6 +20,36 @@ https://weechat.org/files/changelog/ChangeLog-devel.html[ChangeLog]
[[v2.9]]
== Version 2.9 (under dev)
[[v2.9_relay_weechat_protocol_handshake_nonce]]
=== Add of handshake and nonce in weechat relay protocol
==== Handshake
A _handshake_ command has been added in weechat relay protocol. +
The client should send this command before the _init_ to negotiate the way to
authenticate with the relay server.
See the link:weechat_relay_protocol.en.html#command_handshake[handshake command]
in Relay protocol doc for more information.
==== Server "nonce"
Furthermore, a "nonce" is now generated for each client connecting and must be
used by the client in case of hashed password in the _init_ command. +
The goal is to prevent replay attacks in case someone manages to read exchanges
between the client and relay.
When hashing the password, the client must use salt composed by this nonce
as binary (it is hexadecimal and must be base16-decoded), concatenated with
a client nonce after this one. +
So the hash is computed on: (`server nonce` + `client nonce` + `password`).
This salt is now mandatory even for algorithms `SHA256` and `SHA512`; this is
a breaking change in protocol, needed for security reasons.
See the link:weechat_relay_protocol.en.html#command_init[init command]
in Relay protocol doc for more information.
[[v2.9_trigger_command_eval]]
=== Evaluation of trigger command arguments
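Review bot: the three new options the commit message introduces (relay.network.auth_password, relay.network.hash_iterations, relay.network.nonce_size) are not mentioned anywhere in this changelog section, so an admin reading "Version 2.9" has no pointer to the settings that control nonce size and hash iterations; a short line under "Server nonce" naming them would close that gap. The replay-protection argument also only holds if both nonces are fresh: the text says the server nonce is "generated for each client connecting", but says nothing about the client nonce, so consider stating that the client must generate a new random nonce per connection rather than reuse a fixed value. Minor wording in the hunk: "=== Add of handshake and nonce" reads better as "=== Addition of handshake and nonce", "before the _init_ to negotiate" should be "before the _init_ command to negotiate", and "salt composed by this nonce" should be "salt composed of this nonce".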