From c1cc5cf147babcd834ba0dbbdd4b1c1d4ae010b6 Mon Sep 17 00:00:00 2001 From: Attila Molnar Date: Sat, 28 Jun 2014 18:27:51 +0200 Subject: Use TimingSafeCompare() to compare passwords and password hashes (non-hmac only) Issue #882 --- src/command_parse.cpp | 2 +- src/modules/m_password_hash.cpp | 6 +++--- src/modules/m_spanningtree/hmac.cpp | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/command_parse.cpp b/src/command_parse.cpp index eed549deb..ed996e83c 100644 --- a/src/command_parse.cpp +++ b/src/command_parse.cpp @@ -40,7 +40,7 @@ bool InspIRCd::PassCompare(Extensible* ex, const std::string& data, const std::s if (!hashtype.empty() && hashtype != "plaintext") return false; - return (data == input); + return TimingSafeCompare(data, input); } bool CommandParser::LoopCall(User* user, Command* handler, const std::vector& parameters, unsigned int splithere, int extra, bool usemax) diff --git a/src/modules/m_password_hash.cpp b/src/modules/m_password_hash.cpp index 89b6605b9..926ba5632 100644 --- a/src/modules/m_password_hash.cpp +++ b/src/modules/m_password_hash.cpp @@ -106,15 +106,15 @@ class ModuleOperHash : public Module /* Is this a valid hash name? */ if (hp) { - /* Compare the hash in the config to the generated hash */ - if (data == hp->hexsum(input)) + // Use the timing-safe compare function to compare the hashes + if (InspIRCd::TimingSafeCompare(data, hp->hexsum(input))) return MOD_RES_ALLOW; else /* No match, and must be hashed, forbid */ return MOD_RES_DENY; } - /* Not a hash, fall through to strcmp in core */ + // We don't handle this type, let other mods or the core decide return MOD_RES_PASSTHRU; } diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp index 9b368d60b..520719c5a 100644 --- a/src/modules/m_spanningtree/hmac.cpp +++ b/src/modules/m_spanningtree/hmac.cpp @@ -86,14 +86,14 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs) { std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge); - /* Straight string compare of hashes */ - if (our_hmac != theirs) + // Use the timing-safe compare function to compare the hashes + if (!InspIRCd::TimingSafeCompare(our_hmac, theirs)) return false; } else { - /* Straight string compare of plaintext */ - if (link.RecvPass != theirs) + // Use the timing-safe compare function to compare the passwords + if (!InspIRCd::TimingSafeCompare(link.RecvPass, theirs)) return false; } -- cgit v1.2.3