From e8cdda318fe2a09ff7302c54cdd7900040a8ba5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= Date: Tue, 15 Jun 2021 21:49:45 +0200 Subject: [PATCH] irc: drop support of DH-BLOWFISH and DH-AES SASL mechanisms (closes #175) --- ChangeLog.adoc | 7 +- ReleaseNotes.adoc | 17 + doc/de/includes/autogen_user_options.de.adoc | 4 +- doc/de/weechat_user.de.adoc | 4 - doc/en/includes/autogen_user_options.en.adoc | 4 +- doc/en/weechat_user.en.adoc | 2 - doc/fr/includes/autogen_user_options.fr.adoc | 4 +- doc/fr/weechat_user.fr.adoc | 2 - doc/it/includes/autogen_user_options.it.adoc | 4 +- doc/it/weechat_user.it.adoc | 4 - doc/ja/includes/autogen_user_options.ja.adoc | 4 +- doc/ja/weechat_user.ja.adoc | 2 - doc/pl/includes/autogen_user_options.pl.adoc | 4 +- doc/pl/weechat_user.pl.adoc | 4 - doc/sr/includes/autogen_user_options.sr.adoc | 4 +- doc/sr/weechat_user.sr.adoc | 2 - po/cs.po | 6 +- po/de.po | 16 +- po/es.po | 6 +- po/fr.po | 23 +- po/hu.po | 6 +- po/it.po | 6 +- po/ja.po | 6 +- po/pl.po | 16 +- po/pt.po | 6 +- po/pt_BR.po | 6 +- po/ru.po | 6 +- po/sr.po | 16 +- po/tr.po | 6 +- po/weechat.pot | 6 +- src/plugins/irc/irc-config.c | 8 +- src/plugins/irc/irc-protocol.c | 8 - src/plugins/irc/irc-sasl.c | 384 +------------------ src/plugins/irc/irc-sasl.h | 10 - 34 files changed, 106 insertions(+), 507 deletions(-) diff --git a/ChangeLog.adoc b/ChangeLog.adoc index 6f3df7837..c2b7cc3b6 100644 --- a/ChangeLog.adoc +++ b/ChangeLog.adoc @@ -23,6 +23,7 @@ New features:: * irc: add command /setname, add support of message and capability "setname" (issue #1653) * irc: always set realname in nicks even when extended-join capability is not enabled (issue #1653) * irc: add support of FAIL/WARN/NOTE messages (issue #1653) + * irc: drop support of DH-BLOWFISH and DH-AES SASL mechanisms (issue #175) Documentation:: @@ -766,7 +767,7 @@ Bug fixes:: * core: fix command /cursor stop (do not toggle cursor mode) (issue #964) * core: fix delayed refresh when the signal SIGWINCH is received (terminal resized), send signal "signal_sigwinch" after refreshes (issue #902) * irc: fix update of server addresses on reconnection when the evaluated content has changed (issue #925) - * irc: fix crash in case of invalid server reply during SASL authentication with dh-blowfish or dh-aes mechanism + * irc: fix crash in case of invalid server reply during SASL authentication with DH-BLOWFISH or DH-AES mechanism * irc: fix double decoding of IRC colors in messages sent/displayed by commands /msg and /query (issue #943) * irc: fix parsing of message 324 (modes) when there is a colon before the modes (issue #913) * relay: check buffer pointer received in "sync" and "desync" commands (weechat protocol) (issue #936) @@ -1553,7 +1554,7 @@ New features:: * aspell: add completion "aspell_dicts" (list of aspell installed dictionaries) * aspell: add info "aspell_dict" (dictionaries used on a buffer) * aspell: optimization on spellers to improve speed (save state by buffer) - * irc: add support of "dh-aes" SASL mechanism (patch #8020) + * irc: add support of DH-AES SASL mechanism (patch #8020) * irc: add support of UHNAMES (capability "userhost-in-names") (task #9353) * irc: add tag "irc_nick_back" for messages displayed in private buffer when a nick is back on server (task #12576) * irc: add option irc.look.display_join_message (task #10895) @@ -1933,7 +1934,7 @@ Bug fixes:: * core: fix help on plugin option when config_set_desc_plugin is called to set help on newly created option * core: enable background process under Cygwin to connect to servers, fix reconnection problem (bug #34626) * aspell: fix URL detection (do not check spelling of URLs) (bug #34040) - * irc: fix memory leak in SASL/blowfish authentication + * irc: fix memory leak in SASL DH-BLOWFISH authentication * irc: fix memory leak when a server is deleted * irc: fix self-highlight when using /me with an IRC bouncer like znc (bug #35123) * irc: use low priority for MODE sent automatically by WeeChat (when joining channel) diff --git a/ReleaseNotes.adoc b/ReleaseNotes.adoc index dac9144ca..6bae415f7 100644 --- a/ReleaseNotes.adoc +++ b/ReleaseNotes.adoc @@ -17,6 +17,23 @@ https://weechat.org/files/changelog/ChangeLog-devel.html[ChangeLog] (file _ChangeLog.adoc_ in sources). +[[v3.3]] +== Version 3.3 (under dev) + +[[v3.2_irc_sasl_blowfish_aes]] +=== Drop support of SASL DH-BLOWFISH and DH-AES mechanisms + +The SASL mechanisms DH-BLOWFISH and DH-AES have been removed, because they +are insecure and already removed from most IRC servers. + +If you were using one of these mechanisms, it is highly recommended to switch +to any other supported SASL mechanism. + +For example: + +---- +/set irc.server.example.sasl_mechanism scram-sha-256 +---- + [[v3.2]] == Version 3.2 (2021-06-13) diff --git a/doc/de/includes/autogen_user_options.de.adoc b/doc/de/includes/autogen_user_options.de.adoc index 669249e77..bbf4fbbfc 100644 --- a/doc/de/includes/autogen_user_options.de.adoc +++ b/doc/de/includes/autogen_user_options.de.adoc @@ -2779,9 +2779,9 @@ ** Standardwert: `+""+` * [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism* -** Beschreibung: pass:none[Verfahren welches bei einer SASL Authentifizierung angewandt werden soll: "plain" Passwort wird im Klartext gesendet, "scram-sha-1" für SCRAM-Authentifizierung mit SHA-1-Digest-Algorithmus, "scram-sha-256" für SCRAM-Authenrifizierung mit SHA-256 Digest-Algorithmus, "scram-sha-512" für SCRAM-Authentifizierung mit SHA-512 Digest-Algorithmus, "ecdsa-nist256p-challenge" für öffentlich/private Schlüsselmethode, "external" SSL Zertifikat welches auf Client Seite vorliegt wird verwendet, "dh-blowfish" Passwort wird mittels blowfish verschlüsselt (unsicher, wird nicht empfohlen), "dh-aes" Passwort wird mittels AES verschlüsselt (unsicher, wird nicht empfohlen)] +** Beschreibung: pass:none[mechanism for SASL authentication: "plain" for plain text password, "scram-sha-1" for SCRAM authentication with SHA-1 digest algorithm, "scram-sha-256" for SCRAM authentication with SHA-256 digest algorithm, "scram-sha-512" for SCRAM authentication with SHA-512 digest algorithm, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL certificate] ** Typ: integer -** Werte: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes +** Werte: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external ** Standardwert: `+plain+` * [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password* diff --git a/doc/de/weechat_user.de.adoc b/doc/de/weechat_user.de.adoc index a1a73e7f8..27f62703f 100644 --- a/doc/de/weechat_user.de.adoc +++ b/doc/de/weechat_user.de.adoc @@ -3003,10 +3003,6 @@ WeeChat unterstützt eine SASL Authentifikation, mittels verschiedener Mechanism * _scram-sha-512_: SCRAM mit SHA-512 Digest-Algorithmus * _ecdsa-nist256p-challenge_: Abgleich von öffentlichem/privatem Schlüssel * _external_: SSL Zertifikat welches auf Client Seite vorliegt -* _dh-blowfish_: Passwort wird mittels blowfish verschlüsselt - (*unsicher*, wird nicht empfohlen) -* _dh-aes_: Passwort wird mittels AES verschlüsselt - (*unsicher*, wird nicht empfohlen) Optionen für Server sind: diff --git a/doc/en/includes/autogen_user_options.en.adoc b/doc/en/includes/autogen_user_options.en.adoc index 193c623a0..059e57c30 100644 --- a/doc/en/includes/autogen_user_options.en.adoc +++ b/doc/en/includes/autogen_user_options.en.adoc @@ -2779,9 +2779,9 @@ ** default value: `+""+` * [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism* -** description: pass:none[mechanism for SASL authentication: "plain" for plain text password, "scram-sha-1" for SCRAM authentication with SHA-1 digest algorithm, "scram-sha-256" for SCRAM authentication with SHA-256 digest algorithm, "scram-sha-512" for SCRAM authentication with SHA-512 digest algorithm, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL cert, "dh-blowfish" for blowfish crypted password (insecure, not recommended), "dh-aes" for AES crypted password (insecure, not recommended)] +** description: pass:none[mechanism for SASL authentication: "plain" for plain text password, "scram-sha-1" for SCRAM authentication with SHA-1 digest algorithm, "scram-sha-256" for SCRAM authentication with SHA-256 digest algorithm, "scram-sha-512" for SCRAM authentication with SHA-512 digest algorithm, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL certificate] ** type: integer -** values: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes +** values: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external ** default value: `+plain+` * [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password* diff --git a/doc/en/weechat_user.en.adoc b/doc/en/weechat_user.en.adoc index edb7879db..bc5ac9498 100644 --- a/doc/en/weechat_user.en.adoc +++ b/doc/en/weechat_user.en.adoc @@ -2947,8 +2947,6 @@ WeeChat supports SASL authentication, using different mechanisms: * _scram-sha-512_: SCRAM with SHA-512 digest algorithm * _ecdsa-nist256p-challenge_: challenge with public/private key * _external_: client side SSL cert -* _dh-blowfish_: blowfish encrypted password (*insecure*, not recommended) -* _dh-aes_: AES encrypted password (*insecure*, not recommended) Options in servers are: diff --git a/doc/fr/includes/autogen_user_options.fr.adoc b/doc/fr/includes/autogen_user_options.fr.adoc index 7fa3d6dd0..37714f5d4 100644 --- a/doc/fr/includes/autogen_user_options.fr.adoc +++ b/doc/fr/includes/autogen_user_options.fr.adoc @@ -2779,9 +2779,9 @@ ** valeur par défaut: `+""+` * [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism* -** description: pass:none[mécanisme pour l'authentification SASL : "plain" pour un mot de passe en clair, "scram-sha-1" pour une authentification SCRAM avec algorithme de hachage SHA-1, "scram-sha-256" pour une authentification SCRAM avec algorithme de hachage SHA-256, "scram-sha-512" pour une authentification SCRAM avec algorithme de hachage SHA-512, "ecdsa-nist256p-challenge" pour une authentification par challenge avec clé, "external" pour une authentification en utilisant un certificat SSL côté client, "dh-blowfish" pour un mot de passe chiffré avec blowfish (non sûr, non recommandé), "dh-aes" pour un mot de passe chiffré avec AES (non sûr, non recommandé)] +** description: pass:none[mécanisme pour l'authentification SASL : "plain" pour un mot de passe en clair, "scram-sha-1" pour une authentification SCRAM avec algorithme de hachage SHA-1, "scram-sha-256" pour une authentification SCRAM avec algorithme de hachage SHA-256, "scram-sha-512" pour une authentification SCRAM avec algorithme de hachage SHA-512, "ecdsa-nist256p-challenge" pour une authentification par challenge avec clé, "external" pour une authentification en utilisant un certificat SSL côté client] ** type: entier -** valeurs: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes +** valeurs: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external ** valeur par défaut: `+plain+` * [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password* diff --git a/doc/fr/weechat_user.fr.adoc b/doc/fr/weechat_user.fr.adoc index a08d7d79c..72a572c15 100644 --- a/doc/fr/weechat_user.fr.adoc +++ b/doc/fr/weechat_user.fr.adoc @@ -3051,8 +3051,6 @@ mécanismes : * _scram-sha-512_ : SCRAM avec algorithme de hachage SHA-512 * _ecdsa-nist256p-challenge_ : challenge avec clé publique/privée * _external_ : certificat SSL côté client -* _dh-blowfish_ : mot de passe chiffré avec blowfish (*non sûr*, non recommandé) -* _dh-aes_ : mot de passe chiffré avec AES (*non sûr*, non recommandé) Les options dans le serveur sont : diff --git a/doc/it/includes/autogen_user_options.it.adoc b/doc/it/includes/autogen_user_options.it.adoc index 768f1abab..1657db6ee 100644 --- a/doc/it/includes/autogen_user_options.it.adoc +++ b/doc/it/includes/autogen_user_options.it.adoc @@ -2779,9 +2779,9 @@ ** valore predefinito: `+""+` * [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism* -** descrizione: pass:none[mechanism for SASL authentication: "plain" for plain text password, "scram-sha-1" for SCRAM authentication with SHA-1 digest algorithm, "scram-sha-256" for SCRAM authentication with SHA-256 digest algorithm, "scram-sha-512" for SCRAM authentication with SHA-512 digest algorithm, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL cert, "dh-blowfish" for blowfish crypted password (insecure, not recommended), "dh-aes" for AES crypted password (insecure, not recommended)] +** descrizione: pass:none[mechanism for SASL authentication: "plain" for plain text password, "scram-sha-1" for SCRAM authentication with SHA-1 digest algorithm, "scram-sha-256" for SCRAM authentication with SHA-256 digest algorithm, "scram-sha-512" for SCRAM authentication with SHA-512 digest algorithm, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL certificate] ** tipo: intero -** valori: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes +** valori: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external ** valore predefinito: `+plain+` * [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password* diff --git a/doc/it/weechat_user.it.adoc b/doc/it/weechat_user.it.adoc index 9326f509f..a21ea9f3b 100644 --- a/doc/it/weechat_user.it.adoc +++ b/doc/it/weechat_user.it.adoc @@ -3183,10 +3183,6 @@ WeeChat supports SASL authentication, using different mechanisms: // TRANSLATION MISSING * _ecdsa-nist256p-challenge_: challenge with public/private key * _external_: certificato SSL da lato client -// TRANSLATION MISSING -* _dh-blowfish_: blowfish encrypted password (*insecure*, not recommended) -// TRANSLATION MISSING -* _dh-aes_: AES encrypted password (*insecure*, not recommended) Le opzioni nel server sono: diff --git a/doc/ja/includes/autogen_user_options.ja.adoc b/doc/ja/includes/autogen_user_options.ja.adoc index fbb821681..cc03ac29e 100644 --- a/doc/ja/includes/autogen_user_options.ja.adoc +++ b/doc/ja/includes/autogen_user_options.ja.adoc @@ -2779,9 +2779,9 @@ ** デフォルト値: `+""+` * [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism* -** 説明: pass:none[mechanism for SASL authentication: "plain" for plain text password, "scram-sha-1" for SCRAM authentication with SHA-1 digest algorithm, "scram-sha-256" for SCRAM authentication with SHA-256 digest algorithm, "scram-sha-512" for SCRAM authentication with SHA-512 digest algorithm, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL cert, "dh-blowfish" for blowfish crypted password (insecure, not recommended), "dh-aes" for AES crypted password (insecure, not recommended)] +** 説明: pass:none[mechanism for SASL authentication: "plain" for plain text password, "scram-sha-1" for SCRAM authentication with SHA-1 digest algorithm, "scram-sha-256" for SCRAM authentication with SHA-256 digest algorithm, "scram-sha-512" for SCRAM authentication with SHA-512 digest algorithm, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL certificate] ** タイプ: 整数 -** 値: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes +** 値: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external ** デフォルト値: `+plain+` * [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password* diff --git a/doc/ja/weechat_user.ja.adoc b/doc/ja/weechat_user.ja.adoc index 79cd3b39a..a3a7769cd 100644 --- a/doc/ja/weechat_user.ja.adoc +++ b/doc/ja/weechat_user.ja.adoc @@ -3036,8 +3036,6 @@ WeeChat は SASL 認証をサポートします、以下の認証メカニズム * _scram-sha-512_: SCRAM with SHA-512 digest algorithm * _ecdsa-nist256p-challenge_: 公開鍵/秘密鍵を使うチャレンジ認証 * _external_: クライアント側 SSL 証明書 -* _dh-blowfish_: blowfish 暗号パスワード (*危険*、非推奨) -* _dh-aes_: AES 暗号パスワード (*危険*、非推奨) サーバオプション: diff --git a/doc/pl/includes/autogen_user_options.pl.adoc b/doc/pl/includes/autogen_user_options.pl.adoc index 5c0536d0b..cbcb65102 100644 --- a/doc/pl/includes/autogen_user_options.pl.adoc +++ b/doc/pl/includes/autogen_user_options.pl.adoc @@ -2779,9 +2779,9 @@ ** domyślna wartość: `+""+` * [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism* -** opis: pass:none[mechanizm autentykacji SASL: "plain" dla hasła w czystym tekście, "scram-sha-1" dla uwierzytelnienia SCRAM za pomocą algorytmu SHA-1, "scram-sha-256" dla uwierzytelnienia SCRAM za pomocą algorytmu SHA-256, "scram-sha-512" dla uwierzytelnienia SCRAM za pomocą algorytmu SHA-512, "ecdsa-nist256p-challenge" uwierzytelnianie na podstawie pary kluczy, "external" dla uwierzytelnienia za pomocą certyfikatu SSL po stronie klienta, "dh-blowfish" dla hasła szyfrowanego za pomocą blowfish (mało bezpieczne, niepolecane), "dh-aes" dla hasła szyfrowanego za pomocą AES (mało bezpieczne, niepolecane)] +** opis: pass:none[mechanism for SASL authentication: "plain" for plain text password, "scram-sha-1" for SCRAM authentication with SHA-1 digest algorithm, "scram-sha-256" for SCRAM authentication with SHA-256 digest algorithm, "scram-sha-512" for SCRAM authentication with SHA-512 digest algorithm, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL certificate] ** typ: liczba -** wartości: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes +** wartości: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external ** domyślna wartość: `+plain+` * [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password* diff --git a/doc/pl/weechat_user.pl.adoc b/doc/pl/weechat_user.pl.adoc index 5180ed43c..9a7a43b9e 100644 --- a/doc/pl/weechat_user.pl.adoc +++ b/doc/pl/weechat_user.pl.adoc @@ -2971,10 +2971,6 @@ WeeChat wspiera uwierzytelnianie SASL, używając różnych mechanizmów: * _scram-sha-512_: SCRAM z użyciem algorytmu SHA-512 * _ecdsa-nist256p-challenge_: klucz prywatny/publiczny * _external_: certyfikat SSL po stronie klienta -* _dh-blowfish_: hasło zaszyfrowane algorytmem blowfish - (*niebezpieczne*, nie zalecane) -* _dh-aes_: hasło zaszyfrowane algorytmem AES - (*niebezpieczne*, nie zalecane) Opcje dla serwerów to: diff --git a/doc/sr/includes/autogen_user_options.sr.adoc b/doc/sr/includes/autogen_user_options.sr.adoc index ff1d11e7b..4b2c561bc 100644 --- a/doc/sr/includes/autogen_user_options.sr.adoc +++ b/doc/sr/includes/autogen_user_options.sr.adoc @@ -2779,9 +2779,9 @@ ** подразумевана вредност: `+""+` * [[option_irc.server_default.sasl_mechanism]] *irc.server_default.sasl_mechanism* -** опис: pass:none[механизам SASL аутентификације: „plain” за просту текст лозинку, „scram-sha-1” за SCRAM аутентификацију са SHA-1 digest алгоритмом, „scram-sha-256” за SCRAM аутентификацију са SHA-256 digest алгоритмом, „scram-sha-512” за SCRAM аутентификацију са SHA-512 digest алгоритмом, „ecdsa-nist256p-challenge” за аутентификацију са изазовом базираним на кључу, „external” за аутентификацију употребом SSL сертификата са клијентске стране, „dh-blowfish” за blowfish шифровану лозинку (није безбедно, не препоручује се), „dh-aes” за AES шифровану лозинку (није безбедно, не препоручује се)] +** опис: pass:none[mechanism for SASL authentication: "plain" for plain text password, "scram-sha-1" for SCRAM authentication with SHA-1 digest algorithm, "scram-sha-256" for SCRAM authentication with SHA-256 digest algorithm, "scram-sha-512" for SCRAM authentication with SHA-512 digest algorithm, "ecdsa-nist256p-challenge" for key-based challenge authentication, "external" for authentication using client side SSL certificate] ** тип: целобројна -** вредности: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external, dh-blowfish, dh-aes +** вредности: plain, scram-sha-1, scram-sha-256, scram-sha-512, ecdsa-nist256p-challenge, external ** подразумевана вредност: `+plain+` * [[option_irc.server_default.sasl_password]] *irc.server_default.sasl_password* diff --git a/doc/sr/weechat_user.sr.adoc b/doc/sr/weechat_user.sr.adoc index d6a406621..ec566d8bb 100644 --- a/doc/sr/weechat_user.sr.adoc +++ b/doc/sr/weechat_user.sr.adoc @@ -2722,8 +2722,6 @@ $ openssl req -nodes -newkey rsa:2048 -keyout nick.pem -x509 -days 365 -out nick * _scram-sha-512_: SCRAM са SHA-512 digest алгоритмом * _ecdsa-nist256p-challenge_: изазов са јавним/приватним кључем * _external_: SSL сертификат са клијентске стране -* _dh-blowfish_: blowfish шифрована лозинка (*небезбедно*, не препоручује се) -* _dh-aes_: AES шифрована лозинка (*небезбедно*, не препоручује се) Опције за сервере су следеће: diff --git a/po/cs.po b/po/cs.po index 9b63af153..4b2a76ae6 100644 --- a/po/cs.po +++ b/po/cs.po @@ -21,7 +21,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-05-25 18:28+0200\n" "Last-Translator: Ondřej Súkup \n" "Language-Team: weechat-dev \n" @@ -8035,9 +8035,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" #, fuzzy diff --git a/po/de.po b/po/de.po index d8341e2a3..4c1c3eb24 100644 --- a/po/de.po +++ b/po/de.po @@ -24,7 +24,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-06-05 23:02+0200\n" "Last-Translator: Nils Görs \n" "Language-Team: German \n" @@ -9886,15 +9886,23 @@ msgstr "" "(siehe /help cap um eine Liste von Fähigkeiten zu erhalten die von WeeChat " "unterstützt werden) (Beispiel: \"away-notify,multi-prefix\")" +#, fuzzy +#| msgid "" +#| "mechanism for SASL authentication: \"plain\" for plain text password, " +#| "\"scram-sha-1\" for SCRAM authentication with SHA-1 digest algorithm, " +#| "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " +#| "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " +#| "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " +#| "\"external\" for authentication using client side SSL cert, \"dh-blowfish" +#| "\" for blowfish crypted password (insecure, not recommended), \"dh-aes\" " +#| "for AES crypted password (insecure, not recommended)" msgid "" "mechanism for SASL authentication: \"plain\" for plain text password, " "\"scram-sha-1\" for SCRAM authentication with SHA-1 digest algorithm, " "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" "Verfahren welches bei einer SASL Authentifizierung angewandt werden soll: " "\"plain\" Passwort wird im Klartext gesendet, \"scram-sha-1\" für SCRAM-" diff --git a/po/es.po b/po/es.po index 1a7ef7494..42480d584 100644 --- a/po/es.po +++ b/po/es.po @@ -22,7 +22,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-05-25 18:28+0200\n" "Last-Translator: Elián Hanisch \n" "Language-Team: weechat-dev \n" @@ -8274,9 +8274,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" "mecanismo de autenticación SASL: \"plain\" para contraseñas en texto plano, " "\"dh-blowfish\" para contraseña encriptada, \"external\" para autentificar " diff --git a/po/fr.po b/po/fr.po index 36b7f74cb..3052e65a2 100644 --- a/po/fr.po +++ b/po/fr.po @@ -21,8 +21,8 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" -"PO-Revision-Date: 2021-06-15 18:52+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" +"PO-Revision-Date: 2021-06-15 20:43+0200\n" "Last-Translator: Sébastien Helleu \n" "Language-Team: weechat-dev \n" "Language: fr\n" @@ -8247,14 +8247,19 @@ msgstr "" " ls : lister les capacités supportées par le serveur\n" " list : lister les capacités actuellement activées\n" " req : demander une capacité\n" -" ack : accuser réception de capacités qui nécessitent un accusé de réception du client\n" +" ack : accuser réception de capacités qui nécessitent un accusé de " +"réception du client\n" " end : terminer la négociation de capacité\n" "\n" "Sans paramètre, \"ls\" et \"list\" sont envoyés.\n" "\n" -"Les capacités supportées par WeeChat sont : account-notify, away-notify, cap-notify, chghost, extended-join, invite-notify, multi-prefix, server-time, setname, userhost-in-names.\n" +"Les capacités supportées par WeeChat sont : account-notify, away-notify, cap-" +"notify, chghost, extended-join, invite-notify, multi-prefix, server-time, " +"setname, userhost-in-names.\n" "\n" -"Les capacités à activer automatiquement sur les serveurs peuvent être définies dans l'option irc.server_default.capabilities (ou par serveur dans l'option irc.server.xxx.capabilities).\n" +"Les capacités à activer automatiquement sur les serveurs peuvent être " +"définies dans l'option irc.server_default.capabilities (ou par serveur dans " +"l'option irc.server.xxx.capabilities).\n" "\n" "Exemples :\n" " /cap\n" @@ -9705,9 +9710,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" "mécanisme pour l'authentification SASL : \"plain\" pour un mot de passe en " "clair, \"scram-sha-1\" pour une authentification SCRAM avec algorithme de " @@ -9715,9 +9718,7 @@ msgstr "" "algorithme de hachage SHA-256, \"scram-sha-512\" pour une authentification " "SCRAM avec algorithme de hachage SHA-512, \"ecdsa-nist256p-challenge\" pour " "une authentification par challenge avec clé, \"external\" pour une " -"authentification en utilisant un certificat SSL côté client, \"dh-blowfish\" " -"pour un mot de passe chiffré avec blowfish (non sûr, non recommandé), \"dh-" -"aes\" pour un mot de passe chiffré avec AES (non sûr, non recommandé)" +"authentification en utilisant un certificat SSL côté client" msgid "" "username for SASL authentication; this option is not used for mechanism " diff --git a/po/hu.po b/po/hu.po index 714089ee1..d2715dc3d 100644 --- a/po/hu.po +++ b/po/hu.po @@ -20,7 +20,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-05-25 18:28+0200\n" "Last-Translator: Andras Voroskoi \n" "Language-Team: weechat-dev \n" @@ -7639,9 +7639,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" #, fuzzy diff --git a/po/it.po b/po/it.po index 6c491c26a..7bb8c636f 100644 --- a/po/it.po +++ b/po/it.po @@ -20,7 +20,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-05-25 18:28+0200\n" "Last-Translator: Esteban I. Ruiz Moreno \n" "Language-Team: weechat-dev \n" @@ -8416,9 +8416,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" "meccanismo per l'autenticazione SASL: \"plain\" per le password in chiaro, " "\"dh-blowfish\" per le password cifrate in blowfish, \"dh-aes\" per le " diff --git a/po/ja.po b/po/ja.po index 1469d6d6b..e91f4c7fc 100644 --- a/po/ja.po +++ b/po/ja.po @@ -20,7 +20,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-05-25 18:28+0200\n" "Last-Translator: AYANOKOUZI, Ryuunosuke \n" "Language-Team: Japanese \n" "Language-Team: Polish \n" @@ -9487,15 +9487,23 @@ msgstr "" "są dostępne (zobacz /help cap żeby poznać listę opcji wspieranych przez " "WeeChat) (przykład: \"away-notify,multi-prefix\")" +#, fuzzy +#| msgid "" +#| "mechanism for SASL authentication: \"plain\" for plain text password, " +#| "\"scram-sha-1\" for SCRAM authentication with SHA-1 digest algorithm, " +#| "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " +#| "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " +#| "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " +#| "\"external\" for authentication using client side SSL cert, \"dh-blowfish" +#| "\" for blowfish crypted password (insecure, not recommended), \"dh-aes\" " +#| "for AES crypted password (insecure, not recommended)" msgid "" "mechanism for SASL authentication: \"plain\" for plain text password, " "\"scram-sha-1\" for SCRAM authentication with SHA-1 digest algorithm, " "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" "mechanizm autentykacji SASL: \"plain\" dla hasła w czystym tekście, \"scram-" "sha-1\" dla uwierzytelnienia SCRAM za pomocą algorytmu SHA-1, \"scram-" diff --git a/po/pt.po b/po/pt.po index 363797dec..71eb3c83f 100644 --- a/po/pt.po +++ b/po/pt.po @@ -20,7 +20,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-05-25 18:28+0200\n" "Last-Translator: Vasco Almeida \n" "Language-Team: Portuguese <>\n" @@ -9038,9 +9038,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" "mecanismo de autenticação SASL: \"plain\" para palavra-passe em texto " "simples, \"ecdsa-nist256p-challenge\" para autenticação por desafio com " diff --git a/po/pt_BR.po b/po/pt_BR.po index 2b24ea8aa..bdf3ebc87 100644 --- a/po/pt_BR.po +++ b/po/pt_BR.po @@ -21,7 +21,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-05-25 18:28+0200\n" "Last-Translator: Érico Nogueira \n" "Language-Team: weechat-dev \n" @@ -8081,9 +8081,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" #, fuzzy diff --git a/po/ru.po b/po/ru.po index b56efd0de..a52030b5c 100644 --- a/po/ru.po +++ b/po/ru.po @@ -21,7 +21,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-05-25 18:28+0200\n" "Last-Translator: Aleksey V Zapparov AKA ixti \n" "Language-Team: weechat-dev \n" @@ -7669,9 +7669,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" #, fuzzy diff --git a/po/sr.po b/po/sr.po index e851c7dd0..6ca23c41a 100644 --- a/po/sr.po +++ b/po/sr.po @@ -20,7 +20,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-06-03 15:15+0400\n" "Last-Translator: Ivan Pešić \n" "Language-Team: weechat-dev \n" @@ -9469,15 +9469,23 @@ msgstr "" "за листу могућности које подржава програм WeeChat) (пример: „away-notify," "multi-prefix”)" +#, fuzzy +#| msgid "" +#| "mechanism for SASL authentication: \"plain\" for plain text password, " +#| "\"scram-sha-1\" for SCRAM authentication with SHA-1 digest algorithm, " +#| "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " +#| "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " +#| "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " +#| "\"external\" for authentication using client side SSL cert, \"dh-blowfish" +#| "\" for blowfish crypted password (insecure, not recommended), \"dh-aes\" " +#| "for AES crypted password (insecure, not recommended)" msgid "" "mechanism for SASL authentication: \"plain\" for plain text password, " "\"scram-sha-1\" for SCRAM authentication with SHA-1 digest algorithm, " "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" "механизам SASL аутентификације: „plain” за просту текст лозинку, „scram-" "sha-1” за SCRAM аутентификацију са SHA-1 digest алгоритмом, „scram-sha-256” " diff --git a/po/tr.po b/po/tr.po index 71703d509..872dc546f 100644 --- a/po/tr.po +++ b/po/tr.po @@ -20,7 +20,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2021-05-25 18:28+0200\n" "Last-Translator: Emir SARI \n" "Language-Team: weechat-dev \n" @@ -7348,9 +7348,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" msgid "" diff --git a/po/weechat.pot b/po/weechat.pot index 9f3382781..e7d3b9a8d 100644 --- a/po/weechat.pot +++ b/po/weechat.pot @@ -21,7 +21,7 @@ msgid "" msgstr "" "Project-Id-Version: WeeChat\n" "Report-Msgid-Bugs-To: flashcode@flashtux.org\n" -"POT-Creation-Date: 2021-06-15 18:50+0200\n" +"POT-Creation-Date: 2021-06-15 20:40+0200\n" "PO-Revision-Date: 2014-08-16 10:27+0200\n" "Last-Translator: Sébastien Helleu \n" "Language-Team: weechat-dev \n" @@ -6822,9 +6822,7 @@ msgid "" "\"scram-sha-256\" for SCRAM authentication with SHA-256 digest algorithm, " "\"scram-sha-512\" for SCRAM authentication with SHA-512 digest algorithm, " "\"ecdsa-nist256p-challenge\" for key-based challenge authentication, " -"\"external\" for authentication using client side SSL cert, \"dh-blowfish\" " -"for blowfish crypted password (insecure, not recommended), \"dh-aes\" for " -"AES crypted password (insecure, not recommended)" +"\"external\" for authentication using client side SSL certificate" msgstr "" msgid "" diff --git a/src/plugins/irc/irc-config.c b/src/plugins/irc/irc-config.c index 3ad0ed8a6..2eb0b8635 100644 --- a/src/plugins/irc/irc-config.c +++ b/src/plugins/irc/irc-config.c @@ -1868,13 +1868,9 @@ irc_config_server_new_option (struct t_config_file *config_file, "\"ecdsa-nist256p-challenge\" for key-based " "challenge authentication, " "\"external\" for authentication using client side SSL " - "cert, " - "\"dh-blowfish\" for blowfish crypted password " - "(insecure, not recommended), " - "\"dh-aes\" for AES crypted password " - "(insecure, not recommended)"), + "certificate"), "plain|scram-sha-1|scram-sha-256|scram-sha-512|" - "ecdsa-nist256p-challenge|external|dh-blowfish|dh-aes", + "ecdsa-nist256p-challenge|external", 0, 0, default_value, value, null_value_allowed, diff --git a/src/plugins/irc/irc-protocol.c b/src/plugins/irc/irc-protocol.c index 642f7a8e2..e75ed9224 100644 --- a/src/plugins/irc/irc-protocol.c +++ b/src/plugins/irc/irc-protocol.c @@ -502,14 +502,6 @@ IRC_PROTOCOL_CALLBACK(authenticate) case IRC_SASL_MECHANISM_EXTERNAL: answer = strdup ("+"); break; - case IRC_SASL_MECHANISM_DH_BLOWFISH: - answer = irc_sasl_mechanism_dh_blowfish ( - argv[1], sasl_username, sasl_password, &sasl_error); - break; - case IRC_SASL_MECHANISM_DH_AES: - answer = irc_sasl_mechanism_dh_aes ( - argv[1], sasl_username, sasl_password, &sasl_error); - break; } if (answer) { diff --git a/src/plugins/irc/irc-sasl.c b/src/plugins/irc/irc-sasl.c index bfd7824ef..512b315c6 100644 --- a/src/plugins/irc/irc-sasl.c +++ b/src/plugins/irc/irc-sasl.c @@ -43,7 +43,7 @@ */ char *irc_sasl_mechanism_string[IRC_NUM_SASL_MECHANISMS] = { "plain", "scram-sha-1", "scram-sha-256", "scram-sha-512", - "ecdsa-nist256p-challenge", "external", "dh-blowfish", "dh-aes" }; + "ecdsa-nist256p-challenge", "external" }; /* @@ -711,385 +711,3 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server, return NULL; #endif /* LIBGNUTLS_VERSION_NUMBER >= 0x030015 */ } - -/* - * Reads key sent by server (Diffie-Hellman key exchange). - * - * If an error occurs and if sasl_error is not NULL, *sasl_error is set to the - * error and must be freed after use. - * - * Returns: - * 1: OK - * 0: error - */ - -int -irc_sasl_dh (const char *data_base64, - unsigned char **public_bin, unsigned char **secret_bin, - int *length_key, char **sasl_error) -{ - char *data; - unsigned char *ptr_data; - int length_data, size, num_bits_prime_number, rc; - size_t num_written; - gcry_mpi_t data_prime_number, data_generator_number, data_server_pub_key; - gcry_mpi_t pub_key, priv_key, secret_mpi; - - rc = 0; - - data = NULL; - data_prime_number = NULL; - data_generator_number = NULL; - data_server_pub_key = NULL; - pub_key = NULL; - priv_key = NULL; - secret_mpi = NULL; - - /* decode data */ - data = malloc (strlen (data_base64) + 1); - if (!data) - goto memory_error; - length_data = weechat_string_base_decode (64, data_base64, data); - ptr_data = (unsigned char *)data; - - /* extract prime number */ - size = ntohs ((((unsigned int)ptr_data[1]) << 8) | ptr_data[0]); - ptr_data += 2; - length_data -= 2; - if (size > length_data) - goto crypto_error; - data_prime_number = gcry_mpi_new (size * 8); - gcry_mpi_scan (&data_prime_number, GCRYMPI_FMT_USG, ptr_data, size, NULL); - num_bits_prime_number = gcry_mpi_get_nbits (data_prime_number); - if (num_bits_prime_number == 0 || INT_MAX - 7 < num_bits_prime_number) - goto crypto_error; - ptr_data += size; - length_data -= size; - - /* extract generator number */ - size = ntohs ((((unsigned int)ptr_data[1]) << 8) | ptr_data[0]); - ptr_data += 2; - length_data -= 2; - if (size > length_data) - goto crypto_error; - data_generator_number = gcry_mpi_new (size * 8); - gcry_mpi_scan (&data_generator_number, GCRYMPI_FMT_USG, ptr_data, size, NULL); - ptr_data += size; - length_data -= size; - - /* extract server-generated public key */ - size = ntohs ((((unsigned int)ptr_data[1]) << 8) | ptr_data[0]); - ptr_data += 2; - length_data -= 2; - if (size > length_data) - goto crypto_error; - data_server_pub_key = gcry_mpi_new (size * 8); - gcry_mpi_scan (&data_server_pub_key, GCRYMPI_FMT_USG, ptr_data, size, NULL); - - /* generate keys */ - pub_key = gcry_mpi_new (num_bits_prime_number); - priv_key = gcry_mpi_new (num_bits_prime_number); - gcry_mpi_randomize (priv_key, num_bits_prime_number, GCRY_STRONG_RANDOM); - /* pub_key = (g ^ priv_key) % p */ - gcry_mpi_powm (pub_key, data_generator_number, priv_key, data_prime_number); - - /* compute secret_bin */ - *length_key = (num_bits_prime_number + 7) / 8; - *secret_bin = malloc (*length_key); - secret_mpi = gcry_mpi_new (num_bits_prime_number); - /* secret_mpi = (y ^ priv_key) % p */ - gcry_mpi_powm (secret_mpi, data_server_pub_key, priv_key, data_prime_number); - gcry_mpi_print (GCRYMPI_FMT_USG, *secret_bin, *length_key, - &num_written, secret_mpi); - - /* create public_bin */ - *public_bin = malloc (*length_key); - gcry_mpi_print (GCRYMPI_FMT_USG, *public_bin, *length_key, - &num_written, pub_key); - rc = 1; - - goto end; - -memory_error: - if (sasl_error) - *sasl_error = strdup (_("memory error")); - goto end; - -crypto_error: - if (sasl_error) - *sasl_error = strdup (_("cryptography error")); - goto end; - -end: - if (data) - free (data); - if (data_prime_number) - gcry_mpi_release (data_prime_number); - if (data_generator_number) - gcry_mpi_release (data_generator_number); - if (data_server_pub_key) - gcry_mpi_release (data_server_pub_key); - if (pub_key) - gcry_mpi_release (pub_key); - if (priv_key) - gcry_mpi_release (priv_key); - if (secret_mpi) - gcry_mpi_release (secret_mpi); - - return rc; -} - -/* - * Builds answer for SASL authentication, using mechanism "DH-BLOWFISH". - * - * Argument data_base64 is a concatenation of 3 strings, each string is composed - * of 2 bytes (length of string), followed by content of string: - * 1. a prime number - * 2. a generator number - * 3. server-generated public key - * - * If an error occurs and if sasl_error is not NULL, *sasl_error is set to the - * error and must be freed after use. - * - * Note: result must be freed after use. - */ - -char * -irc_sasl_mechanism_dh_blowfish (const char *data_base64, - const char *sasl_username, - const char *sasl_password, - char **sasl_error) -{ - char *answer, *ptr_answer, *answer_base64; - unsigned char *password_clear, *password_crypted; - int length_key, length_username, length_password, length_answer; - unsigned char *public_bin, *secret_bin; - gcry_cipher_hd_t gcrypt_handle; - - password_clear = NULL; - password_crypted = NULL; - answer = NULL; - answer_base64 = NULL; - secret_bin = NULL; - public_bin = NULL; - - if (!irc_sasl_dh (data_base64, &public_bin, &secret_bin, &length_key, - sasl_error)) - { - goto end; - } - - /* create password buffers (clear and crypted) */ - length_password = strlen (sasl_password) + - ((8 - (strlen (sasl_password) % 8)) % 8); - password_clear = calloc (1, length_password); - password_crypted = calloc (1, length_password); - memcpy (password_clear, sasl_password, strlen (sasl_password)); - - /* crypt password using blowfish */ - if (gcry_cipher_open (&gcrypt_handle, GCRY_CIPHER_BLOWFISH, - GCRY_CIPHER_MODE_ECB, 0) != 0) - goto crypto_error; - if (gcry_cipher_setkey (gcrypt_handle, secret_bin, length_key) != 0) - goto crypto_error; - if (gcry_cipher_encrypt (gcrypt_handle, - password_crypted, length_password, - password_clear, length_password) != 0) - goto crypto_error; - - gcry_cipher_close (gcrypt_handle); - - /* - * build answer for server, it is concatenation of: - * 1. key length (2 bytes) - * 2. public key ('length_key' bytes) - * 3. sasl_username ('length_username'+1 bytes) - * 4. encrypted password ('length_password' bytes) - */ - length_username = strlen (sasl_username) + 1; - length_answer = 2 + length_key + length_username + length_password; - answer = malloc (length_answer); - ptr_answer = answer; - *((unsigned int *)ptr_answer) = htons (length_key); - ptr_answer += 2; - memcpy (ptr_answer, public_bin, length_key); - ptr_answer += length_key; - memcpy (ptr_answer, sasl_username, length_username); - ptr_answer += length_username; - memcpy (ptr_answer, password_crypted, length_password); - - /* encode answer to base64 */ - answer_base64 = malloc ((length_answer + 1) * 4); - if (answer_base64) - { - if (weechat_string_base_encode (64, answer, length_answer, - answer_base64) < 0) - { - free (answer_base64); - answer_base64 = NULL; - } - } - - goto end; - -crypto_error: - if (sasl_error) - *sasl_error = strdup (_("cryptography error")); - goto end; - -end: - if (secret_bin) - free (secret_bin); - if (public_bin) - free (public_bin); - if (password_clear) - free (password_clear); - if (password_crypted) - free (password_crypted); - if (answer) - free (answer); - - return answer_base64; -} - -/* - * Builds answer for SASL authentication, using mechanism "DH-AES". - * - * Argument data_base64 is a concatenation of 3 strings, each string is composed - * of 2 bytes (length of string), followed by content of string: - * 1. a prime number - * 2. a generator number - * 3. server-generated public key - * - * If an error occurs and if sasl_error is not NULL, *sasl_error is set to the - * error and must be freed after use. - * - * Note: result must be freed after use. - */ - -char * -irc_sasl_mechanism_dh_aes (const char *data_base64, - const char *sasl_username, - const char *sasl_password, - char **sasl_error) -{ - char *answer, *ptr_answer, *answer_base64; - unsigned char *ptr_userpass, *userpass_clear, *userpass_crypted; - int length_key, length_answer; - int length_username, length_password, length_userpass; - unsigned char *public_bin, *secret_bin; - char iv[16]; - int cipher_algo; - gcry_cipher_hd_t gcrypt_handle; - - userpass_clear = NULL; - userpass_crypted = NULL; - answer = NULL; - answer_base64 = NULL; - secret_bin = NULL; - public_bin = NULL; - - if (!irc_sasl_dh (data_base64, &public_bin, &secret_bin, &length_key, - sasl_error)) - { - goto end; - } - - /* Select cipher algorithm: key length * 8 = cipher bit size */ - switch (length_key) - { - case 32: - cipher_algo = GCRY_CIPHER_AES256; - break; - case 24: - cipher_algo = GCRY_CIPHER_AES192; - break; - case 16: - cipher_algo = GCRY_CIPHER_AES128; - break; - default: - /* Invalid bit length */ - goto end; - } - - /* Generate the IV */ - gcry_randomize (iv, sizeof (iv), GCRY_STRONG_RANDOM); - - /* create user/pass buffers (clear and crypted) */ - length_username = strlen (sasl_username) + 1; - length_password = strlen (sasl_password) + 1; - length_userpass = length_username + length_password + - ((16 - ((length_username + length_password) % 16)) % 16); - userpass_clear = calloc (1, length_userpass); - ptr_userpass = userpass_clear; - userpass_crypted = calloc (1, length_userpass); - memcpy (ptr_userpass, sasl_username, length_username); - ptr_userpass += length_username; - memcpy (ptr_userpass, sasl_password, length_password); - - /* crypt password using AES in CBC mode */ - if (gcry_cipher_open (&gcrypt_handle, cipher_algo, - GCRY_CIPHER_MODE_CBC, 0) != 0) - goto crypto_error; - if (gcry_cipher_setkey (gcrypt_handle, secret_bin, length_key) != 0) - goto crypto_error; - if (gcry_cipher_setiv (gcrypt_handle, iv, sizeof (iv)) != 0) - goto crypto_error; - if (gcry_cipher_encrypt (gcrypt_handle, - userpass_crypted, length_userpass, - userpass_clear, length_userpass) != 0) - goto crypto_error; - - gcry_cipher_close (gcrypt_handle); - - /* - * build answer for server, it is concatenation of: - * 1. key length (2 bytes) - * 2. public key ('length_key' bytes) - * 3. IV (sizeof (iv) bytes) - * 4. encrypted password ('length_userpass' bytes) - */ - length_answer = 2 + length_key + sizeof (iv) + length_userpass; - answer = malloc (length_answer); - ptr_answer = answer; - *((unsigned int *)ptr_answer) = htons (length_key); - ptr_answer += 2; - memcpy (ptr_answer, public_bin, length_key); - ptr_answer += length_key; - memcpy (ptr_answer, iv, sizeof (iv)); - ptr_answer += sizeof (iv); - memcpy (ptr_answer, userpass_crypted, length_userpass); - - /* encode answer to base64 */ - answer_base64 = malloc ((length_answer + 1) * 4); - if (answer_base64) - { - if (weechat_string_base_encode (64, answer, length_answer, - answer_base64) < 0) - { - free (answer_base64); - answer_base64 = NULL; - } - } - - goto end; - -crypto_error: - if (sasl_error) - *sasl_error = strdup (_("cryptography error")); - goto end; - -end: - if (secret_bin) - free (secret_bin); - if (public_bin) - free (public_bin); - if (userpass_clear) - free (userpass_clear); - if (userpass_crypted) - free (userpass_crypted); - if (answer) - free (answer); - - return answer_base64; -} diff --git a/src/plugins/irc/irc-sasl.h b/src/plugins/irc/irc-sasl.h index 841d0dbdf..3e4163b9b 100644 --- a/src/plugins/irc/irc-sasl.h +++ b/src/plugins/irc/irc-sasl.h @@ -35,8 +35,6 @@ enum t_irc_sasl_mechanism IRC_SASL_MECHANISM_SCRAM_SHA_512, IRC_SASL_MECHANISM_ECDSA_NIST256P_CHALLENGE, IRC_SASL_MECHANISM_EXTERNAL, - IRC_SASL_MECHANISM_DH_BLOWFISH, - IRC_SASL_MECHANISM_DH_AES, /* number of SASL mechanisms */ IRC_NUM_SASL_MECHANISMS, }; @@ -56,13 +54,5 @@ extern char *irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *s const char *sasl_username, const char *sasl_key, char **sasl_error); -extern char *irc_sasl_mechanism_dh_blowfish (const char *data_base64, - const char *sasl_username, - const char *sasl_password, - char **sasl_error); -extern char *irc_sasl_mechanism_dh_aes (const char *data_base64, - const char *sasl_username, - const char *sasl_password, - char **sasl_error); #endif /* WEECHAT_PLUGIN_IRC_SASL_H */