1
0
mirror of https://github.com/weechat/weechat.git synced 2026-07-07 18:23:13 +02:00
Commit Graph

10 Commits

Author SHA1 Message Date
Sébastien Helleu 34cbe56a6f relay/irc: fix timing attack on PASS command (GHSA-vhv8-g2r9-cwcc)
The IRC relay protocol's PASS handler compared the server password with
the client-supplied value using strcmp, leaking the password byte-by-byte
via response timing. This is the same class of bug fixed for the api and
weechat protocols, on a separate code path that did not go through
relay_auth_check_password_plain.

Extract the HMAC-then-constant-time-compare logic from
relay_auth_check_password_plain into relay_auth_password_equals, then
use it in both the plain-auth wrapper and the IRC PASS handler.
2026-06-06 14:08:23 +02:00
Sébastien Helleu 547e2b934e core: update copyright dates 2025-02-01 23:13:18 +01:00
Sébastien Helleu 83567fd871 relay: allow password hash authentication in api relay, add option relay.network.time_window (issue #2066) 2024-02-01 21:39:23 +01:00
Sébastien Helleu eecb2a997e core: update copyright dates 2024-01-01 22:29:58 +01:00
Sébastien Helleu 33bba784c3 core: update copyright dates 2023-01-01 14:54:35 +01:00
Sébastien Helleu c44b79dce7 core: update copyright dates 2022-01-17 18:41:06 +01:00
Sébastien Helleu efc7a588d6 core: update copyright dates 2021-01-02 21:34:16 +01:00
Sébastien Helleu 60b75f4677 tests: add tests on functions relay_auth_password_hash_algo_search and relay_auth_generate_nonce 2020-04-20 07:16:08 +02:00
Sébastien Helleu 95c908e83c relay: rename configuration options and keywords in handshake command (weechat protocol)
Configuration options renamed:

* relay.network.auth_password -> relay.network.password_hash_algo
* relay.network.hash_iterations -> relay.network.password_hash_iterations

Handshake command options renamed:

* password -> password_hash_algo

Handshake reply keys renamed:

* auth_password -> password_hash_algo
* hash_iterations -> password_hash_iterations
2020-04-17 23:34:27 +02:00
Sébastien Helleu 9fa3609c85 relay: add command "handshake" in weechat relay protocol and nonce to prevent replay attacks (closes #1474)
This introduces a new command called "handshake" in the weechat relay protocol.
It should be sent by the client before the "init" command, to negotiate the way
to authenticate with a password.

3 new options are added:

* relay.network.auth_password
* relay.network.hash_iterations
* relay.network.nonce_size
2020-04-14 21:38:12 +02:00