mirror of
https://github.com/weechat/weechat.git
synced 2026-07-04 00:33:13 +02:00
relay/irc: fix timing attack on PASS command (GHSA-vhv8-g2r9-cwcc)
The IRC relay protocol's PASS handler compared the server password with the client-supplied value using strcmp, leaking the password byte-by-byte via response timing. This is the same class of bug fixed for the api and weechat protocols, on a separate code path that did not go through relay_auth_check_password_plain. Extract the HMAC-then-constant-time-compare logic from relay_auth_check_password_plain into relay_auth_password_equals, then use it in both the plain-auth wrapper and the IRC PASS handler.
This commit is contained in:
@@ -33,6 +33,7 @@
|
||||
#include "../../weechat-plugin.h"
|
||||
#include "../relay.h"
|
||||
#include "relay-irc.h"
|
||||
#include "../relay-auth.h"
|
||||
#include "../relay-buffer.h"
|
||||
#include "../relay-client.h"
|
||||
#include "../relay-config.h"
|
||||
@@ -1701,7 +1702,7 @@ relay_irc_recv (struct t_relay_client *client, const char *data)
|
||||
NULL, NULL, NULL);
|
||||
if (password)
|
||||
{
|
||||
if (strcmp (password, pos_password) == 0)
|
||||
if (relay_auth_password_equals (password, pos_password))
|
||||
{
|
||||
RELAY_IRC_DATA(client, password_ok) = 1;
|
||||
weechat_hook_signal_send ("relay_client_auth_ok",
|
||||
|
||||
Reference in New Issue
Block a user