Use TimingSafeCompare() to compare passwords and password hashes (non-hmac only)

Issue #882
author: Attila Molnar <attilamolnar@hush.com> 2014-06-28 18:27:51 +0200
committer: Attila Molnar <attilamolnar@hush.com> 2014-06-28 18:27:51 +0200
commit: c1cc5cf147babcd834ba0dbbdd4b1c1d4ae010b6 (patch)
tree: 3abb61ec559f392aef92c134e02bca950e68184d /src/modules/m_spanningtree
parent: 098602163498b06ec865ab02625cc0ba19f43786 (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp
index 9b368d60b..520719c5a 100644
--- a/src/modules/m_spanningtree/hmac.cpp
+++ b/src/modules/m_spanningtree/hmac.cpp
@@ -86,14 +86,14 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
 	{
 		std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
 
-		/* Straight string compare of hashes */
-		if (our_hmac != theirs)
+		// Use the timing-safe compare function to compare the hashes
+		if (!InspIRCd::TimingSafeCompare(our_hmac, theirs))
 			return false;
 	}
 	else
 	{
-		/* Straight string compare of plaintext */
-		if (link.RecvPass != theirs)
+		// Use the timing-safe compare function to compare the passwords
+		if (!InspIRCd::TimingSafeCompare(link.RecvPass, theirs))
 			return false;
 	}
author	Attila Molnar <attilamolnar@hush.com>	2014-06-28 18:27:51 +0200
committer	Attila Molnar <attilamolnar@hush.com>	2014-06-28 18:27:51 +0200
commit	c1cc5cf147babcd834ba0dbbdd4b1c1d4ae010b6 (patch)
tree	3abb61ec559f392aef92c134e02bca950e68184d /src/modules/m_spanningtree
parent	098602163498b06ec865ab02625cc0ba19f43786 (diff)