From f03e011d1a270a063a37b6f87b61c3e78362a188 Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Fri, 17 Apr 2020 22:33:21 +0200 Subject: [PATCH 01/19] Use new authentication methods in weechat 2.9 --- css/glowingbear.css | 4 + index.html | 41 +++--- js/connection.js | 297 ++++++++++++++++++++++++++++++++++---------- js/glowingbear.js | 12 ++ js/utils.js | 38 ++++++ js/weechat.js | 66 +++++++++- 6 files changed, 374 insertions(+), 84 deletions(-) diff --git a/css/glowingbear.css b/css/glowingbear.css index 62a10fb..1952962 100644 --- a/css/glowingbear.css +++ b/css/glowingbear.css @@ -960,3 +960,7 @@ code { color: #444; border: 1pt solid #444; } + +.checkbox.indent { + margin-left: 20px; +} \ No newline at end of file diff --git a/index.html b/index.html index 1928512..27098ec 100644 --- a/index.html +++ b/index.html @@ -68,6 +68,9 @@
Secure connection error Unable to connect to unencrypted relay when you are connecting to Glowing Bear over HTTPS. Please use an encrypted relay or load the page without using HTTPS.
+
+ Weechat version error Weechat connected but did not respond to a handshake. This could mean weechat < version 2.9. Verify your weechat version and check "Allow Plaintext Authentication" if it's < 2.9. +
@@ -113,39 +116,41 @@
-
+
-
- - -
Error: wrong password or token
-
+ +
+
-
-
+
@@ -155,7 +160,7 @@
-
+

@@ -188,6 +193,12 @@ chown -R username:username ~username/secure set relay_totp_secret xxxxx /set relay.network.totp_secret "${sec.data.relay_totp_secret}"

Open an authenticator app and create an entry with the same secret. In Glowing Bear check the checkbox for "use Time-based One-Time Password" and fill in the one time password as you see it in the authenticator app.

+ +

Allow plaintext authentication

+

Required for Weechat < 2.9

+

Since weechat version 2.9 the authentication was made more secure and resistant to brute forcing. Glowing bear uses the most secure authentication method by default. However to supports older version of weechat this options allows glowing bear to still send your password in plaintext (wrapped in https if enabled). Only enable this if you are using Weechat < 2.9

+

By default weechat 2.9 support all authentication methods, if you are only using glowing bear you can do the following command to improve security:

+
/relay.network.auth_password "pbkdf2+sha512"

diff --git a/js/connection.js b/js/connection.js index a8f813d..cedba21 100644 --- a/js/connection.js +++ b/js/connection.js @@ -4,12 +4,13 @@ var weechat = angular.module('weechat'); weechat.factory('connection', - ['$rootScope', '$log', 'handlers', 'models', 'settings', 'ngWebsockets', function($rootScope, + ['$rootScope', '$log', 'handlers', 'models', 'settings', 'ngWebsockets', 'utils', function($rootScope, $log, handlers, models, settings, - ngWebsockets) { + ngWebsockets, + utils) { var protocol = new weeChat.Protocol(); @@ -22,6 +23,7 @@ weechat.factory('connection', // Takes care of the connection and websocket hooks var connect = function (host, port, path, passwd, ssl, useTotp, totp, noCompression, successCallback, failCallback) { $rootScope.passwordError = false; + $rootScope.oldWeechatError = false; connectionData = [host, port, path, passwd, ssl, noCompression]; var proto = ssl ? 'wss' : 'ws'; // If host is an IPv6 literal wrap it in brackets 
@@ -31,31 +33,143 @@ weechat.factory('connection', var url = proto + "://" + host + ":" + port + "/" + path; $log.debug('Connecting to URL: ', url); + + var weechatIsPre2_9 = false; var onopen = function () { + var _performHandshake = function() { + return new Promise(function(resolve) { + + // First a handshake is sent to determine authentication method + // This is only supported for weechat >= 2.9 + // If after 'a while' weechat does not respond + // stop waiting for the handshake and assume it's an old version + // This time is debatable, high latency connections may wrongfully + // think weechat is an older version. This time is purposfully set + // too high, this time should be reduced if determined the weechat + // is lower than 2.9 + // This time also includes the time it takes to generate the hash + const WAIT_TIME_OLD_WEECHAT = 2000; //ms + + // Wait long enough to assume we are on a version < 2.9 + var handShakeTimeout = setTimeout(function () { + weechatIsPre2_9 = true; + console.log('Weechat\'s version is assumed to be < 2.9'); + resolve(); + }, WAIT_TIME_OLD_WEECHAT); + + // Or wait for a response from the handshake + ngWebsockets.send( + weeChat.Protocol.formatHandshake({ + password: "pbkdf2+sha512", compression: noCompression ? 
'off' : 'zlib' + }) + ).then(function (message){ + clearTimeout(handShakeTimeout); + resolve(message); + }); + + + + }); + + } + + var _askTotp = function (useTotp) { + return new Promise(function(resolve) { + + // If weechat is < 2.9 the totp will be a setting (checkbox) + // Otherwise the handshake will specify it + if ( useTotp ) { + // Ask the user to input his TOTP + var totp = prompt("Please enter your TOTP Token"); + resolve (totp); + } else { + // User does not use TOTP, don't ask + resolve(null); + } + + }) + } // Helper methods for initialization commands - var _initializeConnection = function(passwd) { + // This method is used to initialize weechat < 2.9 + var _initializeConnectionPre29 = function(passwd, totp) { + + // This is not secure, this has to be specifically allowed with a setting + // Otherwise an attacker could persuade the client to send it's password + // Or due to latency the client could think weechat was an older version + if (!settings.allowPlaintextAuthentication) + { + $rootScope.oldWeechatError = true; + $rootScope.$emit('relayDisconnect'); + $rootScope.$digest() // Have to do this otherwise change detection doesn't see the error. + throw new Error('Plainttext authentication not allowed.'); + } + // Escape comma in password (#937) passwd = passwd.replace(',', '\\,'); - // This is not the proper way to do this. - // WeeChat does not send a confirmation for the init. - // Until it does, We need to "assume" that formatInit - // will be received before formatInfo + ngWebsockets.send( - weeChat.Protocol.formatInit({ + weeChat.Protocol.formatInitPre29({ password: passwd, compression: noCompression ? 
'off' : 'zlib', - useTotp: useTotp, totp: totp }) ); - return ngWebsockets.send( - weeChat.Protocol.formatInfo({ - name: 'version' + // Wait a little bit until the init is sent + return new Promise(function(resolve) { + setTimeout(() => resolve(), 5); + }) + + }; + + // Helper methods for initialization commands + // This method is used to initialize weechat >= 2.9 + var salt; + var _initializeConnection29 = function(passwd, nonce, iterations, totp) { + + return window.crypto.subtle.importKey( + + 'raw', + utils.stringToUTF8Array(passwd), + {name: 'PBKDF2'},//{name: 'HMAC', hash: 'SHA-512'}, + false, + ['deriveBits'] + + ).then( function (key) { + + salt = utils.concatenateTypedArray(utils.concatenateTypedArray(nonce, new Uint8Array([0x3A])), window.crypto.getRandomValues(new Uint8Array(16))); //nonce:cnonce, 3A is a ':' in ASCII + return window.crypto.subtle.deriveBits( + { + name: 'PBKDF2', + hash: 'SHA-512', + salt: salt, + iterations: iterations, + }, + key, //your key from generateKey or importKey + 512 + ); + + }).then( function (hash) { + + + ngWebsockets.send( + weeChat.Protocol.formatInit29( + 'pbkdf2+sha512:' + utils.bytetoHexString(salt) + ':100000:' + utils.bytetoHexString(hash), + totp + ) + ); + + // Wait a little bit until the init is sent + return new Promise(function(resolve) { + + setTimeout(() => resolve(), 5); + }) - ); + + }); + }; var _requestHotlist = function() { 
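Review bot: `_initializeConnection29` calls `window.crypto.subtle.importKey` with no check that `window.crypto.subtle` exists, and browsers expose SubtleCrypto only in secure contexts; the page's own error text tells users of an unencrypted relay to load Glowing Bear without HTTPS, and in that case the call throws a TypeError that the chain's rejection handler reports as a wrong password. A guard at the top of the function with its own error flag would make that diagnosable, e.g. `if (!(window.crypto && window.crypto.subtle)) { return Promise.reject(new Error('WebCrypto unavailable in an insecure context')); }`. `var salt;` is hoisted into the enclosing scope only so the second `.then` can read it; resolving the first step with both the salt and the derived bits keeps it local. `onopen` starts in this hunk but its body continues past it.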
@@ -180,71 +294,124 @@ weechat.factory('connection', $rootScope.angularTimeFormat = angularFormat; }; + var passwordMethod + var totpRequested; + var nonce; + var iterations; + + _performHandshake().then( + + //Wait for weechat to respond or handshake times out + function (message) + { + // Do nothing if the handshake was received + // after concluding weechat was an old version + // TODO maybe warn the user here + if(weechatIsPre2_9) { + return; + } - // First command asks for the password and issues - // a version command. If it fails, it means the we - // did not provide the proper password. - _initializeConnection(passwd).then( - function(version) { - handlers.handleVersionInfo(version); - // Connection is successful - // Send all the other commands required for initialization - _requestBufferInfos().then(function(bufinfo) { - handlers.handleBufferInfo(bufinfo); - }); + passwordMethod = message.objects[0].content.auth_password; + totpRequested = message.objects[0].content.totp === 'on' ? true : false; + nonce = utils.hexStringToByte(message.objects[0].content.nonce); + iterations = message.objects[0].content.hash_iterations; + + } - _requestHotlist().then(function(hotlist) { - handlers.handleHotlistInfo(hotlist); + ).then( function() { - }); - if (settings.hotlistsync) { - // Schedule hotlist syncing every so often so that this - // client will have unread counts (mostly) in sync with - // other clients or terminal usage directly. 
- setInterval(function() { - if ($rootScope.connected) { - _requestHotlist().then(function(hotlist) { - handlers.handleHotlistInfo(hotlist); - - }); - } - }, 60000); // Sync hotlist every 60 second - } + if(weechatIsPre2_9) + { + // Ask the user for the TOTP token if this is enabled + return _askTotp(useTotp) + .then( function (totp) { + return _initializeConnectionPre29(passwd, totp) + }) - // Fetch weechat time format for displaying timestamps - fetchConfValue('weechat.look.buffer_time_format', - function() { - // Will set models.wconfig['weechat.look.buffer_time_format'] - _parseWeechatTimeFormat(); - }); + } else { + + // Weechat version >= 2.9 + return _askTotp(totpRequested) + .then( function(totp) { + return _initializeConnection29(passwd, nonce, iterations, totp) + }) - // Fetch nick completion config - fetchConfValue('weechat.completion.nick_completer'); - fetchConfValue('weechat.completion.nick_add_space'); + } - _requestSync(); - $log.info("Connected to relay"); - $rootScope.connected = true; - if (successCallback) { - successCallback(); - } - }, - function() { - handleWrongPassword(); + }).then( function(){ + + // The Init was sent, weechat will not respond + // Wait until either the connection closes + // Or try to send version and see if weechat responds + return ngWebsockets.send( + weeChat.Protocol.formatInfo({ + name: 'version' + }) + ); + + }).then( function(version) { + + // From now on we are assumed initialized + // We don't know for sure because weechat does not respond + // All we know is the socket wasn't closed afer waiting a little bit + console.log('Succesfully connected'); + $rootScope.waseverconnected = true; + handlers.handleVersionInfo(version); + + // Send all the other commands required for initialization + _requestBufferInfos().then(function(bufinfo) { + handlers.handleBufferInfo(bufinfo); + }); + + _requestHotlist().then(function(hotlist) { + handlers.handleHotlistInfo(hotlist); + + }); + if (settings.hotlistsync) { + // Schedule 
hotlist syncing every so often so that this + // client will have unread counts (mostly) in sync with + // other clients or terminal usage directly. + setInterval(function() { + if ($rootScope.connected) { + _requestHotlist().then(function(hotlist) { + handlers.handleHotlistInfo(hotlist); + + }); + } + }, 60000); // Sync hotlist every 60 second } - ); + // Fetch weechat time format for displaying timestamps + fetchConfValue('weechat.look.buffer_time_format', + function() { + // Will set models.wconfig['weechat.look.buffer_time_format'] + _parseWeechatTimeFormat(); + }); + + // Fetch nick completion config + fetchConfValue('weechat.completion.nick_completer'); + fetchConfValue('weechat.completion.nick_add_space'); + + _requestSync(); + $log.info("Connected to relay"); + $rootScope.connected = true; + if (successCallback) { + successCallback(); + } + + }, + + //Sending version failed + function() { + handleWrongPassword(); + }); }; var onmessage = function() { - // If we recieve a message from WeeChat it means that - // password was OK. Store that result and check for it - // in the failure handler. - $rootScope.waseverconnected = true; + }; - var onclose = function (evt) { /* * Handles websocket disconnection @@ -274,7 +441,7 @@ weechat.factory('connection', var handleWrongPassword = function() { // Connection got closed, lets check if we ever was connected successfully - if (!$rootScope.waseverconnected && !$rootScope.errorMessage) { + if (!$rootScope.waseverconnected && !$rootScope.errorMessage && !$rootScope.oldWeechatError) { $rootScope.passwordError = true; $rootScope.$apply(); } diff --git a/js/glowingbear.js b/js/glowingbear.js index 04519bb..1e8c177 100644 --- a/js/glowingbear.js +++ b/js/glowingbear.js 
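Review bot: The pre-2.9 branch ignores the `totp` argument that `connect` still takes: `_askTotp(useTotp)` unconditionally opens a `prompt()` and its result shadows the parameter in `.then(function (totp) {...})`, so a caller that already supplied the token is asked again and the parameter is dead. Either remove `totp` from the signature and its callers, or use it first: `return (totp ? Promise.resolve(totp) : _askTotp(useTotp))`. Exceptions thrown inside the last fulfilled callback (`handlers.handleVersionInfo`, `successCallback`) are not seen by the sibling rejection handler passed to the same `.then`, so they surface as unhandled rejections with the connection half-initialized; a trailing `.catch` that logs via `$log.error` would at least make them visible. `onopen` closes at the end of this hunk but starts in the previous one.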
@@ -45,6 +45,7 @@ weechat.controller('WeechatCtrl', ['$rootScope', '$scope', '$store', '$timeout', 'port': 9001, 'path': 'weechat', 'ssl': (window.location.protocol === "https:"), + 'allowPlaintextAuthentication': true, 'useTotp': false, 'savepassword': false, 'autoconnect': false, @@ -773,6 +774,17 @@ weechat.controller('WeechatCtrl', ['$rootScope', '$scope', '$store', '$timeout', event.preventDefault(); var target = event.target.parentNode.parentNode.parentNode; + toggleAccordionByTarget(target); + }; + + $scope.toggleAccordionByName = function(name) { + + var target = document.getElementById(name);; + toggleAccordionByTarget(target); + }; + + var toggleAccordionByTarget = function(target) { + target.setAttribute('data-state', target.getAttribute('data-state') === 'active' ? 'collapsed' : 'active'); // Hide all other siblings diff --git a/js/utils.js b/js/utils.js index 854372b..4c1ef15 100644 --- a/js/utils.js +++ b/js/utils.js @@ -45,6 +45,40 @@ weechat.factory('utils', function() { head.appendChild(elem); }; + // Convert string to ByteArray + function hexStringToByte(str) { + if (!str) { + return new Uint8Array(); + } + + var a = []; + for (var i = 0, len = str.length; i < len; i+=2) { + a.push(parseInt(str.substr(i,2),16)); + } + + return new Uint8Array(a); + } + + function bytetoHexString(buffer) { + return Array + .from (new Uint8Array (buffer)) + .map (b => b.toString (16).padStart (2, "0")) + .join (""); + } + + function stringToUTF8Array(string) { + const encoder = new TextEncoder() + const view = encoder.encode(string) + return view; + } + + function concatenateTypedArray(a, b) { // a, b TypedArray of same type + var c = new (a.constructor)(a.length + b.length); + c.set(a, 0); + c.set(b, a.length); + return c; + } + return { changeClassStyle: changeClassStyle, 
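Review bot: `'allowPlaintextAuthentication': true` as the default undoes the guard in connection.js in front of `_initializeConnectionPre29`, whose own comment says plaintext must be "specifically allowed": old-relay detection is only a timeout on the handshake reply (`WAIT_TIME_OLD_WEECHAT`, 2000 ms in this patch and 200 ms after patch 10), so with a default install a relay that answers slowly, or anything on the path of a `ws://` connection that delays the reply, causes the password to be sent in the clear. Make compatibility an explicit opt-in, `'allowPlaintextAuthentication': false,`, so that a timed-out handshake surfaces `oldWeechatError` and the help text instead of falling back. Minor: `document.getElementById(name);;` in `toggleAccordionByName` has a doubled semicolon.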
@@ -53,5 +87,9 @@ weechat.factory('utils', function() { isCordova: isCordova, inject_script: inject_script, inject_css: inject_css, + hexStringToByte: hexStringToByte, + bytetoHexString: bytetoHexString, + stringToUTF8Array: stringToUTF8Array, + concatenateTypedArray: concatenateTypedArray }; }); diff --git a/js/weechat.js b/js/weechat.js index f46e3ef..79e70de 100644 --- a/js/weechat.js +++ b/js/weechat.js @@ -628,17 +628,51 @@ }; /** - * Formats an init command. + * Formats a handshake command. + * + * @param params Parameters: + * password: list of supported hash algorithems, colon separated (optional) + * compression: compression ('off' or 'zlib') (optional) + * @return Formatted handshake command string + */ + //https://weechat.org/files/doc/stable/weechat_relay_protocol.en.html#command_handshake + WeeChatProtocol.formatHandshake = function(params) { + var defaultParams = { + password: 'pbkdf2+sha512', + compression: 'zlib' + }; + var keys = []; + var parts = []; + + params = WeeChatProtocol._mergeParams(defaultParams, params); + + if (params.password !== null) { + keys.push('compression=' + params.compression); + } + + if (params.password !== null) { + keys.push('password=' + params.password); + } + + parts.push(keys.join(',')); + + return WeeChatProtocol._formatCmd(null, 'handshake', parts); + }; + + /** + * Formats an init command for weechat versions < 2.9 * * @param params Parameters: * password: password (optional) * compression: compression ('off' or 'zlib') (optional) + * totp: One Time Password (optional) * @return Formatted init command string */ - WeeChatProtocol.formatInit = function(params) { + WeeChatProtocol.formatInitPre29 = function(params) { var defaultParams = { password: null, - compression: 'zlib' + compression: 'zlib', + totp: null }; var keys = []; var parts = []; 
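Review bot: `hexStringToByte` accepts whatever the relay sends as `nonce` without validation: an odd-length or non-hex string makes `parseInt` return NaN, which `Uint8Array` stores as 0, so a malformed nonce silently becomes zero bytes inside the salt instead of an error. Validate before parsing, e.g. `if (!/^([0-9a-fA-F]{2})*$/.test(str)) { throw new Error('invalid hex string'); }`, and prefer `str.slice(i, i + 2)` over the deprecated `substr`; the throw lands in the connection promise chain, where the existing rejection handler already deals with failures. `stringToUTF8Array` can be the one-liner `return new TextEncoder().encode(string);`, and the file's other helpers end statements with semicolons, which the two `const` lines there do not.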
@@ -648,7 +682,7 @@ if (params.password !== null) { keys.push('password=' + params.password); } - if (params.useTotp) { + if (params.totp !== null) { keys.push('totp=' + params.totp); } parts.push(keys.join(',')); @@ -656,6 +690,30 @@ return WeeChatProtocol._formatCmd(null, 'init', parts); }; + /** + * Formats an init command for weechat versions >= 2.9 + * + * @param params Parameters: + * password_hash: hash of password with method and salt + * totp: One Time Password (can be null) + * @return Formatted init command string + */ + WeeChatProtocol.formatInit29 = function(password_hash, totp) { + + var keys = []; + var parts = []; + + if (totp != null) { + keys.push('totp=' + totp); + } + if (password_hash !== null) { + keys.push('password_hash=' + password_hash); + } + parts.push(keys.join(',')); + + return WeeChatProtocol._formatCmd(null, 'init', parts); + }; + /** * Formats an hdata command. * From 0d1f8ac1672d3b9c15f71d2121e4065d5a03936a Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Sat, 18 Apr 2020 11:37:55 +0200 Subject: [PATCH 02/19] Add error for hash disagree, change handshake names --- js/connection.js | 17 +++++++++++++---- js/weechat.js | 4 ++-- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/js/connection.js b/js/connection.js index cedba21..814f3e0 100644 --- a/js/connection.js +++ b/js/connection.js @@ -24,6 +24,7 @@ weechat.factory('connection', var connect = function (host, port, path, passwd, ssl, useTotp, totp, noCompression, successCallback, failCallback) { $rootScope.passwordError = false; $rootScope.oldWeechatError = false; + $rootScope.hashAlgorithemDisagree = false; connectionData = [host, port, path, passwd, ssl, noCompression]; var proto = ssl ? 'wss' : 'ws'; // If host is an IPv6 literal wrap it in brackets 
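Review bot: `formatInit29` breaks the convention of the other formatters: its JSDoc says `@param params` with `password_hash` and `totp` keys, but the function takes two positional arguments `(password_hash, totp)` and has no `defaultParams`/`_mergeParams` step like `formatHandshake` and `formatInitPre29` above it. Make it `WeeChatProtocol.formatInit29 = function(params)` with `params = WeeChatProtocol._mergeParams({ password_hash: null, totp: null }, params);` and adjust the single call site in connection.js, or rewrite the docblock to describe the positional parameters. The null checks are also inconsistent within the function, `totp != null` versus `password_hash !== null`; pick one form.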
@@ -61,7 +62,7 @@ weechat.factory('connection', // Or wait for a response from the handshake ngWebsockets.send( weeChat.Protocol.formatHandshake({ - password: "pbkdf2+sha512", compression: noCompression ? 'off' : 'zlib' + password_hash_algo: "pbkdf2+sha512", compression: noCompression ? 'off' : 'zlib' }) ).then(function (message){ clearTimeout(handShakeTimeout); @@ -311,10 +312,18 @@ weechat.factory('connection', return; } - passwordMethod = message.objects[0].content.auth_password; + passwordMethod = message.objects[0].content.password_hash_algo; totpRequested = message.objects[0].content.totp === 'on' ? true : false; nonce = utils.hexStringToByte(message.objects[0].content.nonce); - iterations = message.objects[0].content.hash_iterations; + iterations = message.objects[0].content.password_hash_iterations; + + if(passwordMethod != "pbkdf2+sha512") + { + $rootScope.hashAlgorithemDisagree = true; + $rootScope.$emit('relayDisconnect'); + $rootScope.$digest() // Have to do this otherwise change detection doesn't see the error. + throw new Error('No password hash algorithem returned.'); + } } @@ -441,7 +450,7 @@ weechat.factory('connection', var handleWrongPassword = function() { // Connection got closed, lets check if we ever was connected successfully - if (!$rootScope.waseverconnected && !$rootScope.errorMessage && !$rootScope.oldWeechatError) { + if (!$rootScope.waseverconnected && !$rootScope.errorMessage && !$rootScope.oldWeechatError && !$rootScope.hashAlgorithemDisagree) { $rootScope.passwordError = true; $rootScope.$apply(); } diff --git a/js/weechat.js b/js/weechat.js index 79e70de..904fc0a 100644 --- a/js/weechat.js +++ b/js/weechat.js @@ -638,7 +638,7 @@ //https://weechat.org/files/doc/stable/weechat_relay_protocol.en.html#command_handshake WeeChatProtocol.formatHandshake = function(params) { var defaultParams = { - password: 'pbkdf2+sha512', + password_hash_algo: 'pbkdf2+sha512', compression: 'zlib' }; var keys = []; 
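Review bot: `iterations = message.objects[0].content.password_hash_iterations` is taken from the relay before any authentication and fed straight into `deriveBits` (earlier hunk) and the init string, so nothing here rejects a bogus value: a non-numeric or zero value makes `deriveBits` throw and show up as a wrong-password error, and an enormous value pins the browser in PBKDF2. Parse and bound it next to the new algorithm check — it may well arrive as a string, depending on how the hashtable is decoded — e.g. `iterations = Number.parseInt(message.objects[0].content.password_hash_iterations, 10); if (!(iterations > 0) || iterations > MAX_ITERATIONS) { /* same error path as the algorithm mismatch */ }` with `MAX_ITERATIONS` a constant you choose. The thrown message `'No password hash algorithm returned.'` does not match its condition, which also fires when a different algorithm is returned; `'Unsupported password hash algorithm: ' + passwordMethod` describes both cases. `$rootScope.$digest()` is missing its semicolon, and `onopen` continues outside the hunk.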
@@ -651,7 +651,7 @@ } if (params.password !== null) { - keys.push('password=' + params.password); + keys.push('password_hash_algo=' + params.password_hash_algo); } parts.push(keys.join(',')); From fcd93cee5f7ddc11710d5af26b251aae6f59dafb Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Sat, 18 Apr 2020 11:44:26 +0200 Subject: [PATCH 03/19] Correct sommand to change hash algorithem --- index.html | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/index.html b/index.html index 27098ec..96aa7c5 100644 --- a/index.html +++ b/index.html @@ -71,6 +71,11 @@
Weechat version error Weechat connected but did not respond to a handshake. This could mean weechat < version 2.9. Verify your weechat version and check "Allow Plaintext Authentication" if it's < 2.9.
+
+ Hash algorithem error Weechat and glowing bear did not agree on a hashing algorithem, please do /set relay.network.password_hash_algo "pbkdf2+sha512" in weechat. +
+ + hashAlgorithemDisagree
@@ -198,7 +203,7 @@ chown -R username:username ~usernameRequired for Weechat < 2.9

Since weechat version 2.9 the authentication was made more secure and resistant to brute forcing. Glowing bear uses the most secure authentication method by default. However to supports older version of weechat this options allows glowing bear to still send your password in plaintext (wrapped in https if enabled). Only enable this if you are using Weechat < 2.9

By default weechat 2.9 support all authentication methods, if you are only using glowing bear you can do the following command to improve security:

-
/relay.network.auth_password "pbkdf2+sha512"
+
/set relay.network.password_hash_algo "pbkdf2+sha512"
From d70b8faf8bc2d0fdeba090a953d3514554974c0a Mon Sep 17 00:00:00 2001
From: Jeremy Mahieu
Date: Sat, 18 Apr 2020 13:51:04 +0200
Subject: [PATCH 04/19] Remove accidentally pasted text from html
---
 index.html | 2 --
 1 file changed, 2 deletions(-)
diff --git a/index.html b/index.html
index 96aa7c5..67c9828 100644
--- a/index.html
+++ b/index.html
@@ -74,8 +74,6 @@
Hash algorithem error Weechat and glowing bear did not agree on a hashing algorithem, please do /set relay.network.password_hash_algo "pbkdf2+sha512" in weechat.
- - hashAlgorithemDisagree
From 9626155da4d72231dfd618c70957dcc7f24f8d71 Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Wed, 22 Apr 2020 11:58:49 +0200 Subject: [PATCH 05/19] Correctly add itteration instead of hardcoding --- js/connection.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/js/connection.js b/js/connection.js index 814f3e0..05a9e63 100644 --- a/js/connection.js +++ b/js/connection.js @@ -157,7 +157,7 @@ weechat.factory('connection', ngWebsockets.send( weeChat.Protocol.formatInit29( - 'pbkdf2+sha512:' + utils.bytetoHexString(salt) + ':100000:' + utils.bytetoHexString(hash), + 'pbkdf2+sha512:' + utils.bytetoHexString(salt) + ':' + iterations + ':' + utils.bytetoHexString(hash), totp ) ); From 43036f5c3139a3acd02fa299e1cbcb46c500b78b Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Wed, 22 Apr 2020 12:07:21 +0200 Subject: [PATCH 06/19] Correct handshake parameter compare --- js/weechat.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/js/weechat.js b/js/weechat.js index 904fc0a..478d252 100644 --- a/js/weechat.js +++ b/js/weechat.js @@ -646,11 +646,11 @@ params = WeeChatProtocol._mergeParams(defaultParams, params); - if (params.password !== null) { + if (params.compression !== null) { keys.push('compression=' + params.compression); } - if (params.password !== null) { + if (params.password_hash_algo !== null) { keys.push('password_hash_algo=' + params.password_hash_algo); } From 3fe48d9e4e30593c98817f39981248cf5276bfd6 Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Wed, 22 Apr 2020 12:14:53 +0200 Subject: [PATCH 07/19] Correct spelling of algorithm --- index.html | 4 ++-- js/connection.js | 8 ++++---- js/weechat.js | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/index.html b/index.html index 67c9828..33dc0d6 100644 --- a/index.html +++ b/index.html @@ -71,8 +71,8 @@
Weechat version error Weechat connected but did not respond to a handshake. This could mean weechat < version 2.9. Verify your weechat version and check "Allow Plaintext Authentication" if it's < 2.9.
-
- Hash algorithem error Weechat and glowing bear did not agree on a hashing algorithem, please do /set relay.network.password_hash_algo "pbkdf2+sha512" in weechat. +
+ Hash algorithm error Weechat and glowing bear did not agree on a hashing algorithm, please do /set relay.network.password_hash_algo "pbkdf2+sha512" in weechat.
diff --git a/js/connection.js b/js/connection.js index 05a9e63..84292f1 100644 --- a/js/connection.js +++ b/js/connection.js @@ -24,7 +24,7 @@ weechat.factory('connection', var connect = function (host, port, path, passwd, ssl, useTotp, totp, noCompression, successCallback, failCallback) { $rootScope.passwordError = false; $rootScope.oldWeechatError = false; - $rootScope.hashAlgorithemDisagree = false; + $rootScope.hashAlgorithmDisagree = false; connectionData = [host, port, path, passwd, ssl, noCompression]; var proto = ssl ? 'wss' : 'ws'; // If host is an IPv6 literal wrap it in brackets @@ -319,10 +319,10 @@ weechat.factory('connection', if(passwordMethod != "pbkdf2+sha512") { - $rootScope.hashAlgorithemDisagree = true; + $rootScope.hashAlgorithmDisagree = true; $rootScope.$emit('relayDisconnect'); $rootScope.$digest() // Have to do this otherwise change detection doesn't see the error. - throw new Error('No password hash algorithem returned.'); + throw new Error('No password hash algorithm returned.'); } } @@ -450,7 +450,7 @@ weechat.factory('connection', var handleWrongPassword = function() { // Connection got closed, lets check if we ever was connected successfully - if (!$rootScope.waseverconnected && !$rootScope.errorMessage && !$rootScope.oldWeechatError && !$rootScope.hashAlgorithemDisagree) { + if (!$rootScope.waseverconnected && !$rootScope.errorMessage && !$rootScope.oldWeechatError && !$rootScope.hashAlgorithmDisagree) { $rootScope.passwordError = true; $rootScope.$apply(); } diff --git a/js/weechat.js b/js/weechat.js index 478d252..f21d739 100644 --- a/js/weechat.js +++ b/js/weechat.js @@ -631,7 +631,7 @@ * Formats a handshake command. * * @param params Parameters: - * password: list of supported hash algorithems, colon separated (optional) + * password: list of supported hash algorithms, colon separated (optional) * compression: compression ('off' or 'zlib') (optional) * @return Formatted handshake command string */ 
From 620afd6f7d0d8148f8d64121c46ae8f1e5d45965 Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Wed, 22 Apr 2020 12:26:20 +0200 Subject: [PATCH 08/19] Rename the allow plaintext setting --- index.html | 14 +++++++------- js/connection.js | 2 +- js/glowingbear.js | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/index.html b/index.html index 9503907..c3d445c 100644 --- a/index.html +++ b/index.html @@ -134,12 +134,12 @@
-
-
+
@@ -197,8 +197,8 @@ chown -R username:username ~username

Open an authenticator app and create an entry with the same secret. In Glowing Bear check the checkbox for "use Time-based One-Time Password" and fill in the one time password as you see it in the authenticator app.

-

Allow plaintext authentication

-

Required for Weechat < 2.9

+

Compatibility with Weechat 2.8 and older

+

Required for Weechat <= 2.8

Since weechat version 2.9 the authentication was made more secure and resistant to brute forcing. Glowing bear uses the most secure authentication method by default. However to supports older version of weechat this options allows glowing bear to still send your password in plaintext (wrapped in https if enabled). Only enable this if you are using Weechat < 2.9

By default weechat 2.9 support all authentication methods, if you are only using glowing bear you can do the following command to improve security:

/set relay.network.password_hash_algo "pbkdf2+sha512"
diff --git a/js/connection.js b/js/connection.js index 84292f1..bef2018 100644 --- a/js/connection.js +++ b/js/connection.js @@ -99,7 +99,7 @@ weechat.factory('connection', // This is not secure, this has to be specifically allowed with a setting // Otherwise an attacker could persuade the client to send it's password // Or due to latency the client could think weechat was an older version - if (!settings.allowPlaintextAuthentication) + if (!settings.compatibilityWeechat28) { $rootScope.oldWeechatError = true; $rootScope.$emit('relayDisconnect'); diff --git a/js/glowingbear.js b/js/glowingbear.js index 1e8c177..fab7280 100644 --- a/js/glowingbear.js +++ b/js/glowingbear.js @@ -45,7 +45,7 @@ weechat.controller('WeechatCtrl', ['$rootScope', '$scope', '$store', '$timeout', 'port': 9001, 'path': 'weechat', 'ssl': (window.location.protocol === "https:"), - 'allowPlaintextAuthentication': true, + 'compatibilityWeechat28': true, 'useTotp': false, 'savepassword': false, 'autoconnect': false, From 479cda738962005ef9dba1dafc42bf5aa6caaf89 Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Fri, 24 Apr 2020 16:00:56 +0200 Subject: [PATCH 09/19] Change name of checkbox in 'gettings started' --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index c3d445c..b3b334c 100644 --- a/index.html +++ b/index.html @@ -69,7 +69,7 @@ Secure connection error Unable to connect to unencrypted relay when you are connecting to Glowing Bear over HTTPS. Please use an encrypted relay or load the page without using HTTPS.
- Weechat version error Weechat connected but did not respond to a handshake. This could mean weechat < version 2.9. Verify your weechat version and check "Allow Plaintext Authentication" if it's < 2.9. + Weechat version error Weechat connected but did not respond to a handshake. This could mean weechat < version 2.9. Verify your weechat version and check "Compatibility with Weechat 2.8 and older" if it's <= 2.8.
Hash algorithm error Weechat and glowing bear did not agree on a hashing algorithm, please do /set relay.network.password_hash_algo "pbkdf2+sha512" in weechat. From 5fb51c07e6a5bd2777c2cf4a7ae300419878c5b5 Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Tue, 28 Apr 2020 10:59:46 +0200 Subject: [PATCH 10/19] Change handshake timout to 200ms --- js/connection.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/js/connection.js b/js/connection.js index bef2018..5b7bd5c 100644 --- a/js/connection.js +++ b/js/connection.js @@ -50,7 +50,7 @@ weechat.factory('connection', // too high, this time should be reduced if determined the weechat // is lower than 2.9 // This time also includes the time it takes to generate the hash - const WAIT_TIME_OLD_WEECHAT = 2000; //ms + const WAIT_TIME_OLD_WEECHAT = 200; //ms // Wait long enough to assume we are on a version < 2.9 var handShakeTimeout = setTimeout(function () { From 7c568f8193b5d02ccff9336acfe70f8956259bd8 Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Tue, 28 Apr 2020 11:29:24 +0200 Subject: [PATCH 11/19] Improve error message old weechat version --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index b3b334c..69a9872 100644 --- a/index.html +++ b/index.html @@ -69,7 +69,7 @@ Secure connection error Unable to connect to unencrypted relay when you are connecting to Glowing Bear over HTTPS. Please use an encrypted relay or load the page without using HTTPS.
- Weechat version error Weechat connected but did not respond to a handshake. This could mean weechat < version 2.9. Verify your weechat version and check "Compatibility with Weechat 2.8 and older" if it's <= 2.8. + Weechat version error Weechat connected but did not respond to a handshake. This could mean weechat < version 2.9. Verify your weechat is 2.8 or older and check "Compatibility with Weechat 2.8 and older" or consider updating weechat.
Hash algorithm error Weechat and glowing bear did not agree on a hashing algorithm, please do /set relay.network.password_hash_algo "pbkdf2+sha512" in weechat. From d5695b8c310f920ec9ea5aa480682df2c8e0f528 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20H=C3=BCbschle-Schneider?= Date: Thu, 30 Apr 2020 11:32:00 +0200 Subject: [PATCH 12/19] Improve help text --- index.html | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/index.html b/index.html index 69a9872..296a72c 100644 --- a/index.html +++ b/index.html @@ -119,7 +119,7 @@
-
+
@@ -197,11 +197,11 @@ chown -R username:username ~username

Open an authenticator app and create an entry with the same secret. In Glowing Bear check the checkbox for "use Time-based One-Time Password" and fill in the one time password as you see it in the authenticator app.

-

Compatibility with Weechat 2.8 and older

-

Required for Weechat <= 2.8

-

Since weechat version 2.9 the authentication was made more secure and resistant to brute forcing. Glowing bear uses the most secure authentication method by default. However to supports older version of weechat this options allows glowing bear to still send your password in plaintext (wrapped in https if enabled). Only enable this if you are using Weechat < 2.9

-

By default weechat 2.9 support all authentication methods, if you are only using glowing bear you can do the following command to improve security:

-
/set relay.network.password_hash_algo "pbkdf2+sha512"
+

Compatibility with WeeChat 2.8 and older

+

Required for WeeChat <= 2.8

+

With WeeChat 2.9, relay client authentication was made more secure and resistant to brute forcing. Glowing Bear uses the most secure authentication method by default. However, to support older versions of WeeChat, this option allows Glowing Bear to still use the old authentication method, sending your password to WeeChat (in plain text if you are not using encryption!). Only enable this if you are using a WeeChat version before 2.9!

+

By default, WeeChat 2.9 support several authentication methdos. Of these, Glowing Bear only uses the most secure one,

pbkdf2+sha512
. You can check the list of enabled methods to ensure it is in there:

+
/set relay.network.password_hash_algo
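Review bot: The rewritten help text drops the hardening recommendation the old paragraph carried — restricting relay.network.password_hash_algo to "pbkdf2+sha512" when Glowing Bear is the only client — and replaces it with a read-only check that the method is merely present in the list, which leaves any weaker methods enabled on the relay side. Consider keeping one sentence after the check, e.g. `If Glowing Bear is your only relay client, you can restrict WeeChat to this method with /set relay.network.password_hash_algo "pbkdf2+sha512".` The same paragraph also reads "WeeChat 2.9 support several" where "supports" is meant, and that wording survives into the later patches of this series.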
From 1cc706da63f1bf09ae0e676ad532834905f7727f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20H=C3=BCbschle-Schneider?= Date: Thu, 30 Apr 2020 11:50:48 +0200 Subject: [PATCH 13/19] Don't indent autoconnect checkbox --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 296a72c..47b3d4f 100644 --- a/index.html +++ b/index.html @@ -151,7 +151,7 @@ Save password in your browser
-
+
From b146c07623dfb3dc590e61128c3e4ef56b8763fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20H=C3=BCbschle-Schneider?= Date: Thu, 30 Apr 2020 12:44:39 +0200 Subject: [PATCH 17/19] Fix order of headings in Getting Started guide --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 901a935..57451c7 100644 --- a/index.html +++ b/index.html @@ -173,8 +173,8 @@
-

Use TLS encryption

WeeChat version 0.4.2 or higher is required, but WeeChat 2.9 or later is recommended for the best experience.

+

Use TLS encryption

To start using Glowing Bear, follow the instructions below to set up an encrypted relay. All communication goes directly between your browser and your WeeChat relay! This means that your server must be accessible. We never see any of your data or your password, and you don't need to trust a "cloud". All settings, including your password, are saved locally in your own browser between sessions.

You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest and greatest development version. You can still follow the instructions below to set up an encrypted relay, though.

When using encryption, all communication between your browser and WeeChat will be securely encrypted with TLS. This means that you have to set up a certificate. While it's possible to use a self-signed cert, we recommend against it, because it's handled poorly in browsers, and may not work at all on mobile devices. If you don't already have a certificate for your domain (or you don't have a domain), we strongly encourage you to get a certificate from Let's Encrypt—it's free and easy. We'll walk you through it.

From edee76813989fa5daa4740233d0618faa6619967 Mon Sep 17 00:00:00 2001 From: Jeremy Mahieu Date: Thu, 30 Apr 2020 12:57:02 +0200 Subject: [PATCH 18/19] Typo in getting started --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 57451c7..b790cb3 100644 --- a/index.html +++ b/index.html @@ -200,7 +200,7 @@ chown -R username:username ~usernameCompatibility with WeeChat 2.8 and older

Required for WeeChat <= 2.8

With WeeChat 2.9, relay client authentication was made more secure and resistant to brute forcing. Glowing Bear uses the most secure authentication method by default. However, to support older versions of WeeChat, this option allows Glowing Bear to still use the old authentication method, sending your password to WeeChat (in plain text if you are not using encryption!). Only enable this if you are using a WeeChat version before 2.9!

-

By default, WeeChat 2.9 support several authentication methdos. Of these, Glowing Bear only uses the most secure one, pbkdf2+sha512. You can check the list of enabled methods to ensure it is in there: +

By default, WeeChat 2.9 support several authentication methods. Of these, Glowing Bear only uses the most secure one, pbkdf2+sha512. You can check the list of enabled methods to ensure it is in there: /set relay.network.password_hash_algo

From 06adb2adef12d5e4a89eddf0b9e4fe2802d2fb00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20H=C3=BCbschle-Schneider?= Date: Thu, 30 Apr 2020 14:38:52 +0200 Subject: [PATCH 19/19] Add note on WeeChat 2.9 release date --- index.html | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/index.html b/index.html index b790cb3..e247912 100644 --- a/index.html +++ b/index.html @@ -137,6 +137,7 @@
@@ -199,7 +200,7 @@ chown -R username:username ~usernameCompatibility with WeeChat 2.8 and older

Required for WeeChat <= 2.8

-

With WeeChat 2.9, relay client authentication was made more secure and resistant to brute forcing. Glowing Bear uses the most secure authentication method by default. However, to support older versions of WeeChat, this option allows Glowing Bear to still use the old authentication method, sending your password to WeeChat (in plain text if you are not using encryption!). Only enable this if you are using a WeeChat version before 2.9!

+

With WeeChat 2.9—scheduled for release in July 2020—relay client authentication was made more secure and resistant to brute forcing. Glowing Bear uses the most secure authentication method by default. However, to support older versions of WeeChat, this option allows Glowing Bear to still use the old authentication method, sending your password to WeeChat (in plain text if you are not using encryption!). Only enable this if you are using a WeeChat version before 2.9!

By default, WeeChat 2.9 support several authentication methods. Of these, Glowing Bear only uses the most secure one, pbkdf2+sha512. You can check the list of enabled methods to ensure it is in there: /set relay.network.password_hash_algo