The IRC relay protocol's PASS handler compared the server password with
the client-supplied value using strcmp, leaking the password byte-by-byte
via response timing. This is the same class of bug fixed for the api and
weechat protocols, on a separate code path that did not go through
relay_auth_check_password_plain.

Extract the HMAC-then-constant-time-compare logic from
relay_auth_check_password_plain into relay_auth_password_equals, then
use it in both the plain-auth wrapper and the IRC PASS handler.
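
The leak described in the commit message above, and the shape of the comparison that replaces it, as an added example that is not WeeChat's code. The HMAC step is left out: the fixed-length buffers stand in for the two digests, and the function names, step counters and sample values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison with the same stopping rule as strcmp().
 * *steps receives the number of byte positions examined; this counter is
 * instrumentation for the example, not something strcmp() exposes. */
int naive_equals(const char *secret, const char *guess, size_t *steps)
{
    size_t i = 0;

    while (secret[i] != '\0' && secret[i] == guess[i])
        i++;
    *steps = i + 1;
    return secret[i] == guess[i];
}

/* Comparison over two fixed-length buffers (stand-ins for two digests).
 * Every byte is visited and differences are OR-ed together, so the loop
 * count depends only on len, never on where the buffers differ. */
int fixed_equals(const unsigned char *a, const unsigned char *b, size_t len,
                 size_t *steps)
{
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    *steps = len;
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from WeeChat. */
    const char *secret = "hunter2";
    const char *guesses[] = { "XXXXXXX", "hunXXXX", "hunter2" };
    const unsigned char want[4] = { 0xde, 0xad, 0xbe, 0xef };
    const unsigned char got[3][4] = { { 0x00, 0xad, 0xbe, 0xef },
                                      { 0xde, 0xad, 0xbe, 0x00 },
                                      { 0xde, 0xad, 0xbe, 0xef } };
    size_t i, n, f;

    for (i = 0; i < 3; i++)
    {
        int eq_n = naive_equals(secret, guesses[i], &n);
        int eq_f = fixed_equals(want, got[i], sizeof(want), &f);
        printf("naive: equal=%d steps=%zu | fixed: equal=%d steps=%zu\n",
               eq_n, n, eq_f, f);
    }
    return 0;
}
```

The naive step count grows with the length of the matching prefix, which is the signal response timing exposes; the fixed-length loop always runs `len` iterations.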

At the moment, building WeeChat triggers several thousand -Wstrict-prototypes
diagnostics. This is due to its source code using an empty argument list for
functions and function pointers that take no arguments, instead of explicitly
declaring that they take no arguments by using a void list.

This commit replaces all empty argument lists with a void list.

Note that Ruby's headers also suffer from the same problem, which WeeChat can't
do anything to fix. Thus, building WeeChat with the Ruby plugin enabled
will still issue approximately 30 such diagnostics.

Connection to remote:

- handshake: offer support for all supported hash algorithms
- network connect with a socket
- upgrade to websocket and authenticate with remote (password/TOTP)
- check websocket response
- get list of buffers (not used yet)

Note: connection to remote with TLS or a proxy is not yet supported.

The bug was fixed in version 2.0 (issue #1040) but a regression in version 3.7
happened while using the new IRC parser for message arguments (issue #1796,
commit 96ed471261).

Now the status "waiting_auth" is used and displayed in the relay buffer.

When a client connects, there are now 2 messages (except for irc protocol if
there's no password required):

  relay: new client on port 9000: 1/weechat/1.2.3.4 (waiting auth)
  relay: client 1/weechat/1.2.3.4 authenticated

If the authentication fails, the messages are:

  relay: new client on port 9000: 1/weechat/1.2.3.4 (waiting auth)
  =!= relay: authentication failed with client 1/weechat/1.2.3.4