diff options
| -rw-r--r-- | src/command_parse.cpp | 2 | ||||
| -rw-r--r-- | src/modules/m_password_hash.cpp | 6 | ||||
| -rw-r--r-- | src/modules/m_spanningtree/hmac.cpp | 8 |
3 files changed, 8 insertions, 8 deletions
diff --git a/src/command_parse.cpp b/src/command_parse.cpp index eed549deb..ed996e83c 100644 --- a/src/command_parse.cpp +++ b/src/command_parse.cpp @@ -40,7 +40,7 @@ bool InspIRCd::PassCompare(Extensible* ex, const std::string& data, const std::s if (!hashtype.empty() && hashtype != "plaintext") return false; - return (data == input); + return TimingSafeCompare(data, input); } bool CommandParser::LoopCall(User* user, Command* handler, const std::vector<std::string>& parameters, unsigned int splithere, int extra, bool usemax) diff --git a/src/modules/m_password_hash.cpp b/src/modules/m_password_hash.cpp index 89b6605b9..926ba5632 100644 --- a/src/modules/m_password_hash.cpp +++ b/src/modules/m_password_hash.cpp @@ -106,15 +106,15 @@ class ModuleOperHash : public Module /* Is this a valid hash name? */ if (hp) { - /* Compare the hash in the config to the generated hash */ - if (data == hp->hexsum(input)) + // Use the timing-safe compare function to compare the hashes + if (InspIRCd::TimingSafeCompare(data, hp->hexsum(input))) return MOD_RES_ALLOW; else /* No match, and must be hashed, forbid */ return MOD_RES_DENY; } - /* Not a hash, fall through to strcmp in core */ + // We don't handle this type, let other mods or the core decide return MOD_RES_PASSTHRU; } diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp index 9b368d60b..520719c5a 100644 --- a/src/modules/m_spanningtree/hmac.cpp +++ b/src/modules/m_spanningtree/hmac.cpp @@ -86,14 +86,14 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs) { std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge); - /* Straight string compare of hashes */ - if (our_hmac != theirs) + // Use the timing-safe compare function to compare the hashes + if (!InspIRCd::TimingSafeCompare(our_hmac, theirs)) return false; } else { - /* Straight string compare of plaintext */ - if (link.RecvPass != theirs) + // Use the timing-safe compare function to compare the passwords + if (!InspIRCd::TimingSafeCompare(link.RecvPass, theirs)) return false; } |