add ubuntu 24 and gcc14/g++14

.github/workflows/build-ubuntu.yml

@@ -36,11 +36,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04]
+        os: [ubuntu-22.04, ubuntu-24.04]
         buildtype: [linux-release, linux-debug]
         include:
           - os: ubuntu-22.04
             triplet: x64-linux
+          - os: ubuntu-24.04
+            triplet: x64-linux
 
     steps:
       - name: Checkout repository
@@ -50,12 +52,21 @@ jobs:
         run: >
           sudo apt-get update && sudo apt-get install ccache linux-headers-$(uname -r)
 
-      - name: Switch to gcc-11
-        if: matrix.os == 'ubuntu-20.04'
+      - name: Switch to gcc-12 on Ubuntu 20.04
+        if: matrix.os == 'ubuntu-22.04'
+        run: |
+          sudo apt install gcc-12 g++-12
+          sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 100 --slave /usr/bin/g++ g++ /usr/bin/g++-12 --slave /usr/bin/gcov gcov /usr/bin/gcov-12
+          sudo update-alternatives --set gcc /usr/bin/gcc-12
+
+      - name: Switch to gcc-14 on Ubuntu 24.04
+        if: matrix.os == 'ubuntu-24.04'
         run: |
-          sudo apt install gcc-11 g++-11
-          sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-11 100 --slave /usr/bin/g++ g++ /usr/bin/g++-11 --slave /usr/bin/gcov gcov /usr/bin/gcov-11
-          sudo update-alternatives --set gcc /usr/bin/gcc-11
+          sudo add-apt-repository ppa:ubuntu-toolchain-r/test -y
+          sudo apt-get update
+          sudo apt-get install gcc-14 g++-14 -y
+          sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-14 100 --slave /usr/bin/g++ g++ /usr/bin/g++-14 --slave /usr/bin/gcov gcov /usr/bin/gcov-14
+          sudo update-alternatives --set gcc /usr/bin/gcc-14
 
       - name: CCache
         uses: hendrikmuhs/ccache-action@main

cmake/modules/CanaryLib.cmake

@@ -47,23 +47,31 @@ target_compile_definitions(${PROJECT_NAME}_lib PUBLIC
 )
 
 # === IPO ===
-if(MSVC)
-    target_compile_options(${PROJECT_NAME}_lib PRIVATE "/GL")
-    set_target_properties(${PROJECT_NAME}_lib PROPERTIES
-            STATIC_LINKER_FLAGS "/LTCG"
-            SHARED_LINKER_FLAGS "/LTCG"
-            MODULE_LINKER_FLAGS "/LTCG"
-            EXE_LINKER_FLAGS "/LTCG")
-else()
-    include(CheckIPOSupported)
-    check_ipo_supported(RESULT result)
-    if(result)
-        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -flto=auto")
-        message(STATUS "IPO/LTO enabled with -flto=auto for non-MSVC compiler.")
-        set_property(TARGET ${PROJECT_NAME}_lib PROPERTY INTERPROCEDURAL_OPTIMIZATION TRUE)
+if(OPTIONS_ENABLE_IPO)
+    if(MSVC)
+        target_compile_options(${PROJECT_NAME}_lib PRIVATE "/GL")
+        set_target_properties(${PROJECT_NAME}_lib PROPERTIES
+                STATIC_LINKER_FLAGS "/LTCG"
+                SHARED_LINKER_FLAGS "/LTCG"
+                MODULE_LINKER_FLAGS "/LTCG"
+                EXE_LINKER_FLAGS "/LTCG")
     else()
-        message(WARNING "IPO/LTO is not supported: ${output}")
+        if (CMAKE_CXX_COMPILER_ID MATCHES "GNU" AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL "14.0" AND CMAKE_BUILD_TYPE STREQUAL "Debug")
+            message(STATUS "GCC 14 detected and Debug build. Disabling IPO/LTO.")
+        else()
+            include(CheckIPOSupported)
+            check_ipo_supported(RESULT result)
+            if(result)
+                set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -flto=auto")
+                message(STATUS "IPO/LTO enabled with -flto=auto for non-MSVC compiler.")
+                set_property(TARGET ${PROJECT_NAME}_lib PROPERTY INTERPROCEDURAL_OPTIMIZATION TRUE)
+            else()
+                message(WARNING "IPO/LTO is not supported: ${output}")
+            endif()
+        endif()
     endif()
+else()
+    log_option_disabled("IPO/LTO")
 endif()
 
 # === UNITY BUILD (compile time reducer) ===

src/account/account.cpp

@@ -280,7 +280,8 @@ bool Account::authenticateSession() {
 }
 
 bool Account::authenticatePassword(const std::string &password) {
-	if (Argon2 {}.argon(password.c_str(), getPassword())) {
+	Argon2 argon2;
+	if (argon2.argon(password, getPassword())) {
 		return true;
 	}
 

src/account/account_repository_db.hpp

@@ -10,6 +10,7 @@
 #pragma once
 
 #include "account/account_repository.hpp"
+#include "map"
 
 class AccountRepositoryDB final : public AccountRepository {
 public:

src/security/argon.cpp

@@ -15,7 +15,6 @@
 
 #include <argon2.h>
 
-const std::regex Argon2::re("\\$([A-Za-z0-9+/]+)\\$([A-Za-z0-9+/]+)");
 const std::string Argon2::base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 
 Argon2::Argon2() {
@@ -29,7 +28,7 @@ void Argon2::updateConstants() {
 	parallelism = g_configManager().getNumber(PARALLELISM, __FUNCTION__);
 }
 
-uint32_t Argon2::parseBitShift(const std::string &bitShiftStr) const {
+uint32_t Argon2::parseBitShift(const std::string &bitShiftStr) {
 	std::stringstream ss(bitShiftStr);
 	int base;
 	int shift;
@@ -43,28 +42,39 @@ uint32_t Argon2::parseBitShift(const std::string &bitShiftStr) const {
 	return base << shift;
 }
 
+const std::regex &Argon2::getRegex() {
+	static const std::regex re(R"(\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+))");
+	return re;
+}
+
 bool Argon2::verifyPassword(const std::string &password, const std::string &phash) const {
 	std::smatch match;
+	const std::regex &re = getRegex();
 	if (!std::regex_search(phash, match, re)) {
 		g_logger().debug("No argon2 hash found in string");
 		return false;
 	}
 
-	std::vector<uint8_t> salt = base64_decode(match[1]);
-	std::vector<uint8_t> hash = base64_decode(match[2]);
+	try {
+		std::vector<uint8_t> salt = base64_decode(match[1]);
+		std::vector<uint8_t> hash = base64_decode(match[2]);
 
-	// Hash the password
-	std::vector<uint8_t> computed_hash(hash.size());
-	if (argon2id_hash_raw(t_cost, m_cost, parallelism, password.c_str(), password.length(), salt.data(), salt.size(), computed_hash.data(), computed_hash.size()) != ARGON2_OK) {
-		g_logger().warn("Error hashing password");
+		// Hash the password
+		std::vector<uint8_t> computed_hash(hash.size());
+		if (argon2id_hash_raw(t_cost, m_cost, parallelism, password.c_str(), password.length(), salt.data(), salt.size(), computed_hash.data(), computed_hash.size()) != ARGON2_OK) {
+			g_logger().warn("Error hashing password");
+			return false;
+		}
+
+		// Use constant-time comparison to avoid timing attacks
+		return std::equal(computed_hash.begin(), computed_hash.end(), hash.begin());
+	} catch (const std::exception &e) {
+		g_logger().warn("Exception during password verification: {}", e.what());
 		return false;
 	}
-
-	// Compare
-	return computed_hash == hash;
 }
 
-std::vector<uint8_t> Argon2::base64_decode(const std::string &input) const {
+std::vector<uint8_t> Argon2::base64_decode(const std::string &input) {
 	std::vector<uint8_t> ret;
 	int i = 0;
 	uint32_t val = 0;

src/security/argon.hpp

@@ -14,23 +14,22 @@ class Argon2 {
 	Argon2();
 	~Argon2() = default;
 
-	void updateConstants();
-
 	// Singleton - ensures we don't accidentally copy it
 	Argon2(const Argon2 &) = delete;
 	void operator=(const Argon2 &) = delete;
 
 	bool argon(const std::string &password_attempt, const std::string &hashed_password) const;
 
 private:
-	uint32_t parseBitShift(const std::string &bitShiftStr) const;
+	void updateConstants();
+	static uint32_t parseBitShift(const std::string &bitShiftStr);
 	bool verifyPassword(const std::string &password, const std::string &phash) const;
-	std::vector<uint8_t> base64_decode(const std::string &input) const;
+	static std::vector<uint8_t> base64_decode(const std::string &input);
 
-	static const std::regex re;
+	static const std::regex &getRegex();
 	static const std::string base64_chars;
 	std::string m_const_str;
-	uint32_t m_cost;
-	uint32_t t_cost;
-	uint32_t parallelism;
+	uint32_t m_cost {};
+	uint32_t t_cost {};
+	uint32_t parallelism {};
 };

vcpkg.json

@@ -32,5 +32,5 @@
       "platform": "windows"
     }
   ],
-  "builtin-baseline": "095ee06e7f60dceef7d713e3f8b1c2eb10d650d7"
+  "builtin-baseline": "7eb700c9688daed6d8bdcdc571ebe3eedea6a774"
 }