1
0
mirror of https://github.com/weechat/weechat.git synced 2026-07-05 17:23:15 +02:00
Commit Graph

9 Commits

Author SHA1 Message Date
Sébastien Helleu 30230498b2 relay: fix timing attack on password authentication (GHSA-vhv8-g2r9-cwcc)
The relay authentication used non-constant-time comparisons (strcasecmp,
strcmp) to verify password hashes and plaintext passwords, allowing an
attacker to derive the expected hash byte-by-byte from response timing
and then authenticate without knowing the password.

- SHA/PBKDF2 hex hash comparisons: normalize the client-supplied hash to
  uppercase and compare in constant time over the fixed expected length.
- Plaintext password comparison: HMAC-SHA256 both passwords with a fresh
  per-call random key and compare the fixed-size MACs in constant time,
  hiding both per-byte timing and the password length.

Add string_memcmp_constant_time helper in core, exposed via the plugin
API. Bump WEECHAT_PLUGIN_API_VERSION accordingly.
2026-05-31 09:11:53 +02:00
Sébastien Helleu 106fe6ca7c core: update copyright dates 2026-03-08 10:37:15 +01:00
Sébastien Helleu 3a6ac9ee76 all: add SPDX license tag 2025-03-31 07:49:26 +02:00
Sébastien Helleu d8987a1678 all: replace Copyright lines by SPDX copyright tag 2025-03-30 14:47:12 +02:00
Aaron Jones f5038bccbc Fix function prototypes for list of arguments
At the moment, building WeeChat triggers several thousand -Wstrict-prototypes
diagnostics.  This is due to its source code using an empty argument list for
functions and function pointers that take no arguments, instead of explicitly
declaring that they take no arguments by using a void list.

This commit replaces all empty argument lists with a void list.

Note that Ruby's headers also suffer the same problem, which WeeChat can't
do anything to fix.  Thus, building WeeChat with the Ruby plugin enabled
will still issue approximately 30 such diagnostics.
2025-03-10 08:16:52 +01:00
Sébastien Helleu 547e2b934e core: update copyright dates 2025-02-01 23:13:18 +01:00
Josh Soref d97467ff67 spelling: escape
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2024-09-28 18:22:41 +02:00
Sébastien Helleu 2cf66de423 api: add function "asprintf" 2024-04-07 13:18:13 +02:00
Sébastien Helleu 24c4029c96 core: remove "wee-" prefix from source files in src/core and src/core/hook 2024-03-12 21:27:37 +01:00