masq/glowing-bear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bug 1157 - Authentication in Non-Secure Context

Browse Source
This commit is contained in:
tbabik 2022-03-29 19:58:37 +02:00
parent d4b79f5fb9
commit 7dbbcd74da
5 changed files with 76 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
package-lock.json generated
View File

@ -6083,9 +6083,9 @@
}
},
"node_modules/jshint": {
"version": "2.13.3",
"resolved": "https://registry.npmjs.org/jshint/-/jshint-2.13.3.tgz",
"integrity": "sha512-zlVQz8XAl1ODXEOVMPkDNuntPebPIE39Xn7ex/JAI9+TmBIf/fcUuj58FaLCC88rOHy8leq0N5ChBB+V5fmpzA==",
"version": "2.13.4",
"resolved": "https://registry.npmjs.org/jshint/-/jshint-2.13.4.tgz",
"integrity": "sha512-HO3bosL84b2qWqI0q+kpT/OpRJwo0R4ivgmxaO848+bo10rc50SkPnrtwSFXttW0ym4np8jbJvLwk5NziB7jIw==",
"dev": true,
"dependencies": {
"cli": "~1.0.0",
@ -6094,7 +6094,6 @@
"htmlparser2": "3.8.x",
"lodash": "~4.17.21",
"minimatch": "~3.0.2",
"shelljs": "0.3.x",
"strip-json-comments": "1.0.x"
},
"bin": {
@ -6713,9 +6712,9 @@
}
},
"node_modules/minimist": {
"version": "1.2.5",
"resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
"integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
"version": "1.2.6",
"resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
"integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
"dev": true
},
"node_modules/mkdirp": {
@ -7270,9 +7269,9 @@
}
},
"node_modules/plist": {
"version": "3.0.4",
"resolved": "https://registry.npmjs.org/plist/-/plist-3.0.4.tgz",
"integrity": "sha512-ksrr8y9+nXOxQB2osVNqrgvX/XQPOXaU4BQMKjYq8PvaY1U18mo+fKgBSwzK+luSyinOuPae956lSVcBwxlAMg==",
"version": "3.0.5",
"resolved": "https://registry.npmjs.org/plist/-/plist-3.0.5.tgz",
"integrity": "sha512-83vX4eYdQp3vP9SxuYgEM/G/pJQqLUz/V/xzPrzruLs7fz7jxGQ1msZ/mg1nwZxUSuOp4sb+/bEIbRrbzZRxDA==",
"dev": true,
"dependencies": {
"base64-js": "^1.5.1",
@ -8626,18 +8625,6 @@
"node": ">=8"
}
},
"node_modules/shelljs": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/shelljs/-/shelljs-0.3.0.tgz",
"integrity": "sha1-NZbmMHp4FUT1kfN9phg2DzHbV7E=",
"dev": true,
"bin": {
"shjs": "bin/shjs"
},
"engines": {
"node": ">=0.8.0"
}
},
"node_modules/signal-exit": {
"version": "3.0.6",
"resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.6.tgz",
@ -14904,9 +14891,9 @@
"dev": true
},
"jshint": {
"version": "2.13.3",
"resolved": "https://registry.npmjs.org/jshint/-/jshint-2.13.3.tgz",
"integrity": "sha512-zlVQz8XAl1ODXEOVMPkDNuntPebPIE39Xn7ex/JAI9+TmBIf/fcUuj58FaLCC88rOHy8leq0N5ChBB+V5fmpzA==",
"version": "2.13.4",
"resolved": "https://registry.npmjs.org/jshint/-/jshint-2.13.4.tgz",
"integrity": "sha512-HO3bosL84b2qWqI0q+kpT/OpRJwo0R4ivgmxaO848+bo10rc50SkPnrtwSFXttW0ym4np8jbJvLwk5NziB7jIw==",
"dev": true,
"requires": {
"cli": "~1.0.0",
@ -14915,7 +14902,6 @@
"htmlparser2": "3.8.x",
"lodash": "~4.17.21",
"minimatch": "~3.0.2",
"shelljs": "0.3.x",
"strip-json-comments": "1.0.x"
}
},
@ -15405,9 +15391,9 @@
}
},
"minimist": {
"version": "1.2.5",
"resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
"integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
"version": "1.2.6",
"resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
"integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
"dev": true
},
"mkdirp": {
@ -15831,9 +15817,9 @@
}
},
"plist": {
"version": "3.0.4",
"resolved": "https://registry.npmjs.org/plist/-/plist-3.0.4.tgz",
"integrity": "sha512-ksrr8y9+nXOxQB2osVNqrgvX/XQPOXaU4BQMKjYq8PvaY1U18mo+fKgBSwzK+luSyinOuPae956lSVcBwxlAMg==",
"version": "3.0.5",
"resolved": "https://registry.npmjs.org/plist/-/plist-3.0.5.tgz",
"integrity": "sha512-83vX4eYdQp3vP9SxuYgEM/G/pJQqLUz/V/xzPrzruLs7fz7jxGQ1msZ/mg1nwZxUSuOp4sb+/bEIbRrbzZRxDA==",
"dev": true,
"requires": {
"base64-js": "^1.5.1",
@ -16902,12 +16888,6 @@
"integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
"dev": true
},
"shelljs": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/shelljs/-/shelljs-0.3.0.tgz",
"integrity": "sha1-NZbmMHp4FUT1kfN9phg2DzHbV7E=",
"dev": true
},
"signal-exit": {
"version": "3.0.6",
"resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.6.tgz",

5
src/index.html
View File

@ -36,6 +36,7 @@
<small>WeeChat web frontend</small>
</h2>
<div class="alert alert-warning" ng-show="show_tls_warning" ng-cloak><strong>You're using Glowing Bear over an unencrypted connection (http://). This is not recommended!</strong> We recommend using our secure hosted version at <a href="https://www.glowing-bear.org/">https://www.glowing-bear.org/</a>, or <a href="https://latest.glowing-bear.org/">https://latest.glowing-bear.org</a> for the latest development version. If your relay is on your local network, that is unfortunately impossible, but be aware of the implications.</div>
<div class="alert alert-danger" ng-show="!isSecureContext" ng-cloak><strong>You're using Glowing Bear over an unencrypted connection.</strong> Password will be transmitted in plain text!</div>
<div class="alert alert-danger" ng-show="errorMessage" ng-cloak>
<strong>Connection error</strong> The client was unable to connect to the WeeChat relay
</div>
@ -49,7 +50,7 @@
<strong>Weechat version error</strong> Weechat connected but did not respond to a handshake. This could mean weechat &lt; version 2.9. Verify your weechat is 2.8 or older and check "Compatibility with Weechat 2.8 and older" or consider updating weechat.
</div>
<div class="alert alert-danger" ng-show="hashAlgorithmDisagree" ng-cloak>
<strong>Hash algorithm error</strong> Weechat and glowing bear did not agree on a hashing algorithm, please do /set relay.network.password_hash_algo "pbkdf2+sha512" in weechat.
<strong>Hash algorithm error</strong> Weechat and glowing bear did not agree on a hashing algorithm, please do /set relay.network.password_hash_algo "pbkdf2+sha512" or "plain" (when using http-only) in weechat.
</div>
<div class="alert alert-warning alert-dismissible" role="alert" ng-hide="settings.freenodeWarningRead">
<button type="button" class="close" data-dismiss="alert" aria-label="Close" ng-click="settings.freenodeWarningRead=1"><span aria-hidden="true">&times;</span></button>
@ -117,7 +118,7 @@
<div class="checkbox">
<label class="control-label" for="compatibilityWeechat28">
<input type="checkbox" id="compatibilityWeechat28" ng-model="settings.compatibilityWeechat28">
Compatibility with Weechat 2.8 and older <a href="#plaintext" ng-click="toggleAccordionByName('gettingStartedAccordion')"><i class="glyphicon glyphicon-info-sign"></i></a>
Compatibility with Weechat 2.8 and older (Password in Plaintext) <a href="#plaintext" ng-click="toggleAccordionByName('gettingStartedAccordion')"><i class="glyphicon glyphicon-info-sign"></i></a>
<span style="color: #888;display:block">WeeChat 2.9 was released in July 2020, so you can disable this if you&apos;re up to date.</span>
</label>
</div>

93
src/js/connection.js
View File

@ -29,7 +29,12 @@ export const connectionFactory = ['$rootScope', '$log', 'handlers', 'models', 's
$rootScope.oldWeechatError = false;
$rootScope.hashAlgorithmDisagree = false;
connectionData = [host, port, path, passwd, ssl, noCompression];
var proto = ssl ? 'wss' : 'ws';
// https://github.com/glowing-bear/glowing-bear/issues/1157
var isSecureContext = window.isSecureContext;
var weechatPre2_9 = settings.compatibilityWeechat28;
var proto = ssl ? 'wss' : 'ws';
// If host is an IPv6 literal wrap it in brackets
if (host.indexOf(":") !== -1 && host[0] !== "[" && host[host.length-1] !== "]") {
host = "[" + host + "]";
@ -37,38 +42,45 @@ export const connectionFactory = ['$rootScope', '$log', 'handlers', 'models', 's
var url = proto + "://" + host + ":" + port + "/" + path;
$log.debug('Connecting to URL: ', url);
var weechatAssumedPre2_9 = false;
var onopen = function () {
var _performHandshake = function() {
return new Promise(function(resolve) {
// First a handshake is sent to determine authentication method
// This is only supported for weechat >= 2.9
// If after 'a while' weechat does not respond
// stop waiting for the handshake and assume it's an old version
// This time is debatable, high latency connections may wrongfully
// think weechat is an older version. This time is purposfully set
// too high, this time should be reduced if determined the weechat
// is lower than 2.9
// This time also includes the time it takes to generate the hash
var WAIT_TIME_OLD_WEECHAT = 2000; //ms
// 1. Compatability for Weechat 2.8 was activated by the user - skip handshake
// 2. If SecureContext use pbkdf2+sha512 hash
// 3. If !SecureContext use plain text
// If handshake times out we do no longer make the assumption it is Pre 2.9 but just inform the user
// Wait long enough to assume we are on a version < 2.9
var handShakeTimeout = setTimeout(function () {
weechatAssumedPre2_9 = true;
console.log('Weechat\'s version is assumed to be < 2.9');
if (weechatPre2_9) {
resolve();
}, WAIT_TIME_OLD_WEECHAT);
} else {
var WAIT_TIME_OLD_WEECHAT = 2000; //ms
var handShakeTimeout = setTimeout(function () {
$rootScope.oldWeechatError = true;
$rootScope.$emit('relayDisconnect');
$rootScope.$digest(); // Have to do this otherwise change detection doesn't see the error.
throw new Error('Handshake timed out. Verify Weechat Version.');
}, WAIT_TIME_OLD_WEECHAT);
// Or wait for a response from the handshake
ngWebsockets.send(
weeChat.Protocol.formatHandshake({
password_hash_algo: "pbkdf2+sha512", compression: noCompression ? 'off' : 'zlib'
})
).then(function (message){
clearTimeout(handShakeTimeout);
resolve(message);
});
if (isSecureContext) {
ngWebsockets.send(
weeChat.Protocol.formatHandshake({
password_hash_algo: "pbkdf2+sha512", compression: noCompression ? 'off' : 'zlib'
})
).then(function (message){
clearTimeout(handShakeTimeout);
resolve(message);
});
} else {
ngWebsockets.send(
weeChat.Protocol.formatHandshake({
password_hash_algo: "plain", compression: noCompression ? 'off' : 'zlib'
})
).then(function (message){
clearTimeout(handShakeTimeout);
resolve(message);
});
}
}
});
};
@ -88,18 +100,8 @@ export const connectionFactory = ['$rootScope', '$log', 'handlers', 'models', 's
};
// Helper methods for initialization commands
// This method is used to initialize weechat < 2.9
// This method is used to initialize weechat < 2.9 but only if the User has picked compatibility mode explicitly
var _initializeConnectionPre29 = function(passwd, totp) {
// This is not secure, this has to be specifically allowed with a setting
// Otherwise an attacker could persuade the client to send it's password
// Or due to latency the client could think weechat was an older version
if (!settings.compatibilityWeechat28) {
$rootScope.oldWeechatError = true;
$rootScope.$emit('relayDisconnect');
$rootScope.$digest(); // Have to do this otherwise change detection doesn't see the error.
throw new Error('Plaintext authentication not allowed.');
}
// Escape comma in password (#937)
passwd = passwd.replace(',', '\\,');
@ -290,7 +292,7 @@ export const connectionFactory = ['$rootScope', '$log', 'handlers', 'models', 's
// Do nothing if the handshake was received
// after concluding weechat was an old version
// TODO maybe warn the user here
if (weechatAssumedPre2_9) {
if (weechatPre2_9) {
return;
}
@ -300,15 +302,16 @@ export const connectionFactory = ['$rootScope', '$log', 'handlers', 'models', 's
nonce = utils.hexStringToByte(content.nonce);
iterations = content.password_hash_iterations;
if (passwordMethod != "pbkdf2+sha512") {
if (isSecureContext && passwordMethod != "pbkdf2+sha512" ||
!isSecureContext && passwordMethod != "plain") {
$rootScope.hashAlgorithmDisagree = true;
$rootScope.$emit('relayDisconnect');
$rootScope.$digest(); // Have to do this otherwise change detection doesn't see the error.
throw new Error('No supported password hash algorithm returned.');
throw new Error('No supported password hash algorithm returned (secure context only pbkdf2+sha512 / insecure only plain).');
}
}
).then(function() {
if (weechatAssumedPre2_9) {
if (weechatPre2_9) {
// Ask the user for the TOTP token if this is enabled
return _askTotp(useTotp)
.then(function (totp) {
@ -318,7 +321,11 @@ export const connectionFactory = ['$rootScope', '$log', 'handlers', 'models', 's
// Weechat version >= 2.9
return _askTotp(totpRequested)
.then(function(totp) {
return _initializeConnection29(passwd, nonce, iterations, totp);
if (passwordMethod == "pbkdf2+sha512") {
return _initializeConnection29(passwd, nonce, iterations, totp);
} else if (passwordMethod == "plain") {
return _initializeConnectionPre29(passwd, totp);
}
});
}
}).then(function(){

2
src/js/glowingbear.js
View File

@ -122,6 +122,8 @@ weechat.controller('WeechatCtrl', ['$rootScope', '$scope', '$store', '$timeout',
$scope.show_tls_warning = (["https:", "file:"].indexOf(window.location.protocol) === -1) &&
(["localhost", "127.0.0.1", "::1"].indexOf(window.location.hostname) === -1) &&
!window.is_electron && !utils.isCordova();
// Perhaps to be combined with show_tls_warning - the above conditions should reflect the same as isSecureContext
$scope.isSecureContext = window.isSecureContext;
$rootScope.isWindowFocused = function() {
if (typeof $scope.documentHidden === "undefined") {

3
webpack.config.js
View File

@ -62,5 +62,8 @@ module.exports = {
]
},
]
},
performance: {
hints: false
}
};