authorAttila Molnar <attilamolnar@hush.com>2014-06-28 18:27:51 +0200
committerAttila Molnar <attilamolnar@hush.com>2014-06-28 18:27:51 +0200
commitc1cc5cf147babcd834ba0dbbdd4b1c1d4ae010b6 (patch)
tree3abb61ec559f392aef92c134e02bca950e68184d /src/modules/m_password_hash.cpp
parent098602163498b06ec865ab02625cc0ba19f43786 (diff)
Use TimingSafeCompare() to compare passwords and password hashes (non-hmac only)
Issue #882
Diffstat (limited to 'src/modules/m_password_hash.cpp')
-rw-r--r--src/modules/m_password_hash.cpp6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/modules/m_password_hash.cpp b/src/modules/m_password_hash.cpp
index 89b6605b9..926ba5632 100644
--- a/src/modules/m_password_hash.cpp
+++ b/src/modules/m_password_hash.cpp
@@ -106,15 +106,15 @@ class ModuleOperHash : public Module
/* Is this a valid hash name? */
if (hp)
{
- /* Compare the hash in the config to the generated hash */
- if (data == hp->hexsum(input))
+ // Use the timing-safe compare function to compare the hashes
+ if (InspIRCd::TimingSafeCompare(data, hp->hexsum(input)))
return MOD_RES_ALLOW;
else
/* No match, and must be hashed, forbid */
return MOD_RES_DENY;
}
- /* Not a hash, fall through to strcmp in core */
+ // We don't handle this type, let other mods or the core decide
return MOD_RES_PASSTHRU;
}
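Review bot: The new comment above the `InspIRCd::TimingSafeCompare(data, hp->hexsum(input))` call says which function is used but not why, so a later cleanup could swap `==` back in without noticing the regression; I would write `// Constant-time compare: a plain == stops at the first differing byte, so response time would leak how much of the hash matched`. `data` is the hash taken from the config and can be any length, while `hp->hexsum(input)` has a fixed length, so it is worth confirming that TimingSafeCompare (defined outside this hunk) handles unequal lengths safely and without a byte-wise early exit. The commit title limits the change to the non-hmac path; if the hmac branch of this function, which is not visible here, still compares with `==`, a `// TODO` there referencing Issue #882 would keep the gap visible. The enclosing function starts outside the hunk.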