pegasus/weechat
1
0
Fork 0
mirror of https://github.com/weechat/weechat.git synced 2026-06-12 14:14:48 +02:00
Code Activity

core: fix timing attack on TOTP validation (GHSA-vhv8-g2r9-cwcc)

Browse Source 
weecrypto_totp_validate compared the generated and client-supplied OTPs
with strcmp and broke out of the time-window loop on the first match.
Both choices leaked information via response timing: strcmp leaked the
expected OTP digit-by-digit (shrinking the brute-force search from
~10^digits to a handful of guesses within the 30-second window), and
the early break leaked which window offset matched.

Compare in constant time with string_memcmp_constant_time and always
iterate the full window, OR-ing the result into otp_ok without an
early exit.

This affects both relay protocols (which call totp_validate via the
public info hook) and any other caller of the info hook.
This commit is contained in:
Sébastien Helleu
2026-05-30 20:49:55 +02:00
parent c737373d17
commit 1ca2a00255
2 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+1
View File
@@ -14,6 +14,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
- irc: fix tag in message with list of names when joining a channel
- relay: limit size of decompressed websocket frame with permessage-deflate to prevent memory exhaustion ([GHSA-v2v4-45wm-5cr3](https://github.com/weechat/weechat/security/advisories/GHSA-v2v4-45wm-5cr3))
- relay: fix timing attack on password authentication ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
- api, relay: fix timing attack on TOTP validation ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc))
## Version 4.9.0 (2026-03-29)
src/core/core-crypto.c
+7 -4
View File
@@ -660,15 +660,18 @@ weecrypto_totp_validate (const char *secret_base32, time_t totp_time,
otp_ok = 0;
/*
* Compare in constant time and never break early: a non-constant
* compare and an early exit on match would let an observer measure
* how many digits of the expected OTP they got right and which
* time-window offset matched.
*/
for (i = moving_factor - window; i <= moving_factor + window; i++)
{
rc = weecrypto_totp_generate_internal (secret, length_secret,
i, digits, str_otp);
if (rc && (strcmp (str_otp, otp) == 0))
{
if (rc && (string_memcmp_constant_time (str_otp, otp, digits) == 0))
otp_ok = 1;
break;
}
}
free (secret);