From: Attila Molnar <attilamolnar@hush.com>
Date: Sat, 28 Jun 2014 16:27:51 +0000 (+0200)
Subject: Use TimingSafeCompare() to compare passwords and password hashes (non-hmac only)
X-Git-Url: https://git.netwichtig.de/gitweb/?a=commitdiff_plain;h=c1cc5cf147babcd834ba0dbbdd4b1c1d4ae010b6;hp=098602163498b06ec865ab02625cc0ba19f43786;p=user%2Fhenk%2Fcode%2Finspircd.git

Use TimingSafeCompare() to compare passwords and password hashes (non-hmac only)

Issue #882
---

diff --git a/src/command_parse.cpp b/src/command_parse.cpp
index eed549deb..ed996e83c 100644
--- a/src/command_parse.cpp
+++ b/src/command_parse.cpp
@@ -40,7 +40,7 @@ bool InspIRCd::PassCompare(Extensible* ex, const std::string& data, const std::s
 	if (!hashtype.empty() && hashtype != "plaintext")
 		return false;
 
-	return (data == input);
+	return TimingSafeCompare(data, input);
 }
 
 bool CommandParser::LoopCall(User* user, Command* handler, const std::vector<std::string>& parameters, unsigned int splithere, int extra, bool usemax)
diff --git a/src/modules/m_password_hash.cpp b/src/modules/m_password_hash.cpp
index 89b6605b9..926ba5632 100644
--- a/src/modules/m_password_hash.cpp
+++ b/src/modules/m_password_hash.cpp
@@ -106,15 +106,15 @@ class ModuleOperHash : public Module
 		/* Is this a valid hash name? */
 		if (hp)
 		{
-			/* Compare the hash in the config to the generated hash */
-			if (data == hp->hexsum(input))
+			// Use the timing-safe compare function to compare the hashes
+			if (InspIRCd::TimingSafeCompare(data, hp->hexsum(input)))
 				return MOD_RES_ALLOW;
 			else
 				/* No match, and must be hashed, forbid */
 				return MOD_RES_DENY;
 		}
 
-		/* Not a hash, fall through to strcmp in core */
+		// We don't handle this type, let other mods or the core decide
 		return MOD_RES_PASSTHRU;
 	}
 
diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp
index 9b368d60b..520719c5a 100644
--- a/src/modules/m_spanningtree/hmac.cpp
+++ b/src/modules/m_spanningtree/hmac.cpp
@@ -86,14 +86,14 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
 	{
 		std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
 
-		/* Straight string compare of hashes */
-		if (our_hmac != theirs)
+		// Use the timing-safe compare function to compare the hashes
+		if (!InspIRCd::TimingSafeCompare(our_hmac, theirs))
 			return false;
 	}
 	else
 	{
-		/* Straight string compare of plaintext */
-		if (link.RecvPass != theirs)
+		// Use the timing-safe compare function to compare the passwords
+		if (!InspIRCd::TimingSafeCompare(link.RecvPass, theirs))
 			return false;
 	}