<feed xmlns='http://www.w3.org/2005/Atom'>
<title>xavi/slcl/jwt.c, branch libweb-configure</title>
<subtitle>Small and lightweight cloud storage written in C99 and POSIX.1-2008.
</subtitle>
<id>https://gitea.privatedns.org/xavi/slcl/atom?h=libweb-configure</id>
<link rel='self' href='https://gitea.privatedns.org/xavi/slcl/atom?h=libweb-configure'/>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/slcl/'/>
<updated>2025-10-09T07:42:26+00:00</updated>
<entry>
<title>jwt.c: Use original base64 variant</title>
<updated>2025-10-09T07:42:26+00:00</updated>
<author>
<name>Xavier Del Campo Romero</name>
<email>xavi92@disroot.org</email>
</author>
<published>2025-10-09T07:42:26+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/slcl/commit/?id=197b8c52b74322cd2289fd365e4cb65074682870'/>
<id>urn:sha1:197b8c52b74322cd2289fd365e4cb65074682870</id>
<content type='text'>
Otherwise, cookies set by previous, OpenSSL-based versions of slcl would
now be invalidated because URL-safe base64 transforms some characters,
thus breaking backwards compatibility.

For example, '/' is transformed into '_' on the example cookies below:

- Original base64 encoding:

a=eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJuYW1lIjogImEifQ==.jgp/SsraDR/3zlAnDLyj05VHulUNbDNHaPowvUkLto4=

- URL-safe base64 encoding:

a=eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJuYW1lIjogImEifQ==.jgp_SsraDR_3zlAnDLyj05VHulUNbDNHaPowvUkLto4=
</content>
</entry>
<entry>
<title>Replace OpenSSL with libsodium and argon2id</title>
<updated>2025-10-08T20:55:44+00:00</updated>
<author>
<name>Xavier Del Campo Romero</name>
<email>xavi92@disroot.org</email>
</author>
<published>2025-10-08T11:50:52+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/slcl/commit/?id=10e42591ac72285736d5cc4ee5e7c2f68dbf1e4b'/>
<id>urn:sha1:10e42591ac72285736d5cc4ee5e7c2f68dbf1e4b</id>
<content type='text'>
The SHA256-based password hashing algorithm used by slcl(1) and
usergen(1) is considered insecure against several kinds of attacks,
including brute force attacks. [1]

Therefore, a stronger password hashing algorithm based on the Argon2id
key derivation function is now used by default. While OpenSSL does
support Argon2id, it is only supported by very recent versions [2],
which are still not packaged by most distributions as of the time of
this writing. [3]

As an alternative to OpenSSL, libsodium [4] had several benefits:

- It provides easy-to-use functions for password hashing, base64
encoding/decoding and other cryptographic primitives used by slcl(1)
and usergen(1).

- It is packaged by most distributions [5], and most often only the patch
version differs, which ensures good compatibility across distributions.

Unfortunately, and as opposed to OpenSSL, libsodium does not come with
command-line tools. Therefore, usergen(1) had to be rewritten in C.

In order to maintain backwards compatibility with existing databases,
slcl(1) and usergen(1) shall support the insecure, SHA256-based password
hashing algorithm. However, Argon2id shall now be the default choice for
usergen(1).

[1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
[2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/
[3]: https://repology.org/project/openssl/versions
[4]: https://www.libsodium.org/
[5]: https://repology.org/project/libsodium/versions
</content>
</entry>
<entry>
<title>jwt.c: Do not consider decoding errors as fatals</title>
<updated>2025-10-06T14:28:59+00:00</updated>
<author>
<name>Xavier Del Campo Romero</name>
<email>xavi92@disroot.org</email>
</author>
<published>2025-10-06T14:18:07+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/slcl/commit/?id=cf10ad5c11764ae83b00ac8c57fa4985045daadb'/>
<id>urn:sha1:cf10ad5c11764ae83b00ac8c57fa4985045daadb</id>
<content type='text'>
The base64 string is considered untrusted input and, therefore, it might
cause a decoding error. Therefore, this should not cause the server to
close.
</content>
</entry>
<entry>
<title>Initial commit</title>
<updated>2023-02-28T00:43:56+00:00</updated>
<author>
<name>Xavier Del Campo Romero</name>
<email>xavi.dcr@tutanota.com</email>
</author>
<published>2023-01-09T00:22:54+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/slcl/commit/?id=d26f046fc9149693a6ebc28301ccc3581c0f144e'/>
<id>urn:sha1:d26f046fc9149693a6ebc28301ccc3581c0f144e</id>
<content type='text'>
</content>
</entry>
</feed>
