Use TimingSafeCompare() to compare passwords and password hashes (non-hmac only)

Issue #882

2 files changed, 7 insertions, 7 deletions

diff --git a/src/modules/m_password_hash.cpp b/src/modules/m_password_hash.cpp
index 89b6605b9..926ba5632 100644
--- a/src/modules/m_password_hash.cpp
+++ b/src/modules/m_password_hash.cpp
@@ -106,15 +106,15 @@ class ModuleOperHash : public Module
 		/* Is this a valid hash name? */
 		if (hp)
 		{
-			/* Compare the hash in the config to the generated hash */
-			if (data == hp->hexsum(input))
+			// Use the timing-safe compare function to compare the hashes
+			if (InspIRCd::TimingSafeCompare(data, hp->hexsum(input)))
 				return MOD_RES_ALLOW;
 			else
 				/* No match, and must be hashed, forbid */
 				return MOD_RES_DENY;
 		}
 
-		/* Not a hash, fall through to strcmp in core */
+		// We don't handle this type, let other mods or the core decide
 		return MOD_RES_PASSTHRU;
 	}
 
diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp
index 9b368d60b..520719c5a 100644
--- a/src/modules/m_spanningtree/hmac.cpp
+++ b/src/modules/m_spanningtree/hmac.cpp
@@ -86,14 +86,14 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
 	{
 		std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
 
-		/* Straight string compare of hashes */
-		if (our_hmac != theirs)
+		// Use the timing-safe compare function to compare the hashes
+		if (!InspIRCd::TimingSafeCompare(our_hmac, theirs))
 			return false;
 	}
 	else
 	{
-		/* Straight string compare of plaintext */
-		if (link.RecvPass != theirs)
+		// Use the timing-safe compare function to compare the passwords
+		if (!InspIRCd::TimingSafeCompare(link.RecvPass, theirs))
 			return false;
 	}