1
0
mirror of https://github.com/weechat/weechat.git synced 2026-07-04 00:33:13 +02:00

relay/irc: fix timing attack on PASS command (GHSA-vhv8-g2r9-cwcc)

The IRC relay protocol's PASS handler compared the server password with
the client-supplied value using strcmp, leaking the password byte-by-byte
via response timing. This is the same class of bug fixed for the api and
weechat protocols, on a separate code path that did not go through
relay_auth_check_password_plain.

Extract the HMAC-then-constant-time-compare logic from
relay_auth_check_password_plain into relay_auth_password_equals, then
use it in both the plain-auth wrapper and the IRC PASS handler.
This commit is contained in:
Sébastien Helleu
2026-05-30 20:46:52 +02:00
parent 6948aea626
commit e540d7a2cf
4 changed files with 90 additions and 48 deletions
+2 -1
View File
@@ -33,6 +33,7 @@
#include "../../weechat-plugin.h"
#include "../relay.h"
#include "relay-irc.h"
#include "../relay-auth.h"
#include "../relay-buffer.h"
#include "../relay-client.h"
#include "../relay-config.h"
@@ -1701,7 +1702,7 @@ relay_irc_recv (struct t_relay_client *client, const char *data)
NULL, NULL, NULL);
if (password)
{
if (strcmp (password, pos_password) == 0)
if (relay_auth_password_equals (password, pos_password))
{
RELAY_IRC_DATA(client, password_ok) = 1;
weechat_hook_signal_send ("relay_client_auth_ok",