The relay authentication used non-constant-time comparisons (strcasecmp,
strcmp) to verify password hashes and plaintext passwords, allowing an
attacker to derive the expected hash byte-by-byte from response timing
and then authenticate without knowing the password.
- SHA/PBKDF2 hex hash comparisons: normalize the client-supplied hash to
uppercase and compare in constant time over the fixed expected length.
- Plaintext password comparison: HMAC-SHA256 both passwords with a fresh
per-call random key and compare the fixed-size MACs in constant time,
hiding both per-byte timing and the password length.
Add string_memcmp_constant_time helper in core, exposed via the plugin
API. Bump WEECHAT_PLUGIN_API_VERSION accordingly.
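The two comparison strategies described in this commit message, as an added illustration in Python (not WeeChat's own C code): a constant-time byte comparison, the uppercase-normalized hex-hash check over the fixed expected length, and the HMAC-under-a-fresh-key trick that also hides the password length. Function names and the length-mismatch handling are assumptions.

```python
import hashlib
import hmac
import secrets


def memcmp_constant_time(a: bytes, b: bytes) -> bool:
    """Compare equal-length byte strings without an early exit.

    Every byte is XORed and OR-accumulated, so the run time does not
    depend on the position of the first mismatch (unlike strcmp/strcasecmp,
    which return as soon as a byte differs). Caller guarantees equal length.
    """
    assert len(a) == len(b), "caller must pass equal-length inputs"
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def check_hash(client_hex: str, expected_hex: str) -> bool:
    """SHA/PBKDF2 hex-hash case: case-insensitive, constant-time comparison.

    Normalizing the client value to uppercase replaces strcasecmp. The expected
    length is fixed by the hash algorithm, so rejecting a wrong-length input
    early leaks nothing secret (assumption: WeeChat's exact handling may differ).
    """
    expected = expected_hex.upper().encode("ascii")
    supplied = client_hex.upper().encode("ascii")
    if len(supplied) != len(expected):
        return False
    return memcmp_constant_time(supplied, expected)


def check_password(client_password: str, expected_password: str) -> bool:
    """Plaintext password case: compare HMAC-SHA256 tags, not the strings.

    Both passwords are MACed under a key generated for this call only, so the
    values actually compared are always 32 bytes. Timing therefore reveals
    neither a per-byte mismatch position nor the real password's length.
    """
    key = secrets.token_bytes(32)  # fresh per call, never stored or reused
    mac_client = hmac.new(key, client_password.encode("utf-8"), hashlib.sha256).digest()
    mac_expected = hmac.new(key, expected_password.encode("utf-8"), hashlib.sha256).digest()
    return memcmp_constant_time(mac_client, mac_expected)
```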
Bump the requirement to v1.8.0, which means we can remove ~70% of the
ifdef guard.
It was released over 8 years ago, with 3 new feature releases since
then and dozens of bugfix releases in the 1.8 branch.
The oldest distributions we target, Ubuntu 20.04 and Debian Bullseye,
have 1.8.5 and 1.8.7 respectively.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
This reverts commit e64ab3c675.
This was causing incorrect conversion of strings "0x..." to pointers on systems
like Solaris/illumos.
And as a side effect, buffers were sometimes empty in weechat relay clients
like glowing-bear.
Now the function utf8_next_char with an empty string returns NULL instead of
the next char, which is most of the time after an allocated buffer.
And the function utf8_char_size with an empty string now returns 0 instead of 1.
This indirectly fixes a buffer overflow in function eval_string_range_chars
when the input string is empty (for example when doing `/eval -n ${chars:}`).
For now the only supported flag is:
- "stop_on_error": stop execution of callbacks immediately after an
error (i.e. the return code of the callback is WEECHAT_RC_ERROR) and return this code
(by default, execute all callbacks and return the last return code, or return
WEECHAT_RC_EAT immediately if a callback returns this)
Example:
hook_signal_send("[flags:stop_on_error]my_signal", WEECHAT_HOOK_SIGNAL_STRING, "test");