xavi/slcl - Small and lightweight cloud storage written in C99 and POSIX.1-2008.

	Commit message (Collapse)	Author	Age	Files	Lines
*	jwt.c: Use original base64 variant	Xavier Del Campo Romero	2025-10-09	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Otherwise, cookies set by previous, OpenSSL-based versions of slcl would be now invalidated because URL-safe base64 transforms some characters, thus breaking backwards compatiblity. For example, '/' is transformed into '_' on the example cookies below: - Original base64 encoding: a=eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJuYW1lIjogImEifQ==.jgp/SsraDR/3zlAnDLyj05VHulUNbDNHaPowvUkLto4= - URL-safe base64 encoding: a=eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJuYW1lIjogImEifQ==.jgp_SsraDR_3zlAnDLyj05VHulUNbDNHaPowvUkLto4=
*	Replace OpenSSL with libsodium and argon2id	Xavier Del Campo Romero	2025-10-08	1	-45/+69
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The SHA256-based password hashing algorithm used by slcl(1) and usergen(1) is considered insecure against several kinds of attacks, including brute force attacks. [1] Therefore, a stronger password hashing algorithm based on the Argon2id key derivation function is now used by default. While OpenSSL does support Argon2id, it is only supported by very recent versions [2], which are still not packaged by most distributions as of the time of this writing. [3] As an alternative to OpenSSL, libsodium [4] had several benefits: - It provides easy-to-use functions for password hashing, base64 encoding/decoding and other cryptographic primitives used by slcl(1) and usergen(1). - It is packaged by most distributions [5], and most often only the patch version differs, which ensures good compatibility across distributions. Unfortunately, and as opposed to OpenSSL, libsodium does not come with command-line tools. Therefore, usergen(1) had to be rewritten in C. In order to maintain backwards compatiblity with existing databases, slcl(1) and usergen(1) shall support the insecure, SHA256-based password hashing algorithm. However, Argon2id shall now be the default choice for usergen(1). [1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords [2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/ [3]: https://repology.org/project/openssl/versions [4]: https://www.libsodium.org/ [5]: https://repology.org/project/libsodium/versions
*	jwt.c: Do not consider decoding errors as fatals	Xavier Del Campo Romero	2025-10-06	1	-1/+1
\| \| \| \| \| \|	The base64 string is considered untrusted input and, therefore, it might cause a decoding error. Therefore, this should not cause the server to close.
*	Initial commit	Xavier Del Campo Romero	2023-02-28	1	-0/+147