security: SSL/TLS option #7

@mrtowers

I just realized that Zentropy authorization works in plaintext. This is a major security risk because anyone listening on the same network could just read the password sent to the server without any issue.

Proposal: all of the communication should be encrypted. Zentropy communication should start with a handshake like Diffie-Hellman, and from then on everything should be encrypted with symmetric encryption.

Problematic code:

```zig
if (std.mem.startsWith(u8, msg, "AUTH ")) { // msg is plaintext
    const pass = trimCrlf(msg[5..]);
    if (app_config.password != null and std.mem.eql(u8, pass, app_config.password.?)) {
        try auth_map.put(fd, true);
        _ = try posix.write(fd, "OK\r\n");
        const authLen = pass.len + 7;
        const msgData = trimCrlf(msg[authLen..]);
        return commands.parseCmd(fd, store, msgData);
    } else {
        _ = try posix.write(fd, "ERR invalid password\r\n");
        return "";
    }
}
```
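
The proposal above (a key agreement first, then symmetric encryption of every line after it), worked through in Go as an added example; it is not part of the issue and not Zentropy's code, which is written in Zig. The names `session`, `handshake`, `seal` and `open`, the frame layout and the sample password are assumptions made for illustration, with Go's standard library standing in for whatever primitives the project would choose.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// session derives AES-256-GCM from SHA-256(X25519 secret || both public keys).
func session(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, pubs []byte) cipher.AEAD {
	secret := must(priv.ECDH(peer)) // errors if the result is all-zero
	key := sha256.Sum256(append(secret, pubs...))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

func handshake() (client, server cipher.AEAD) {
	ck := must(ecdh.X25519().GenerateKey(rand.Reader)) // client's ephemeral key
	sk := must(ecdh.X25519().GenerateKey(rand.Reader)) // server's ephemeral key
	pubs := append(ck.PublicKey().Bytes(), sk.PublicKey().Bytes()...) // public halves cross the wire
	return session(ck, sk.PublicKey(), pubs), session(sk, ck.PublicKey(), pubs)
}

// seal and open frame one protocol line as nonce || AES-GCM ciphertext and tag.
func seal(a cipher.AEAD, line string) []byte {
	nonce := make([]byte, a.NonceSize())
	must(rand.Read(nonce))
	return a.Seal(nonce, nonce, []byte(line), nil)
}
func open(a cipher.AEAD, frame []byte) (string, error) {
	if len(frame) < a.NonceSize() {
		return "", fmt.Errorf("short frame: %d bytes", len(frame))
	}
	line, err := a.Open(nil, frame[:a.NonceSize()], frame[a.NonceSize():], nil)
	return string(line), err
}

func main() {
	c, s := handshake()
	fmt.Println(open(s, seal(c, "AUTH example-password\r\n"))) // constructed line
}
```

The key agreement here is unauthenticated, so it protects the `AUTH` line only from a passive listener; someone who can intercept and alter traffic can run the exchange with each side separately. TLS with a server certificate that the client verifies, the option named in the issue title, covers that case as well.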
