pegasus/weechat
1
0
Fork 0
mirror of https://github.com/weechat/weechat.git synced 2026-06-29 14:26:39 +02:00
Code Activity

relay/irc: fix timing attack on PASS command (GHSA-vhv8-g2r9-cwcc)

Browse Source 
The IRC relay protocol's PASS handler compared the server password with
the client-supplied value using strcmp, leaking the password byte-by-byte
via response timing. This is the same class of bug fixed for the api and
weechat protocols, on a separate code path that did not go through
relay_auth_check_password_plain.

Extract the HMAC-then-constant-time-compare logic from
relay_auth_check_password_plain into relay_auth_password_equals, then
use it in both the plain-auth wrapper and the IRC PASS handler.
This commit is contained in:
Sébastien Helleu
2026-05-30 20:46:52 +02:00
parent 6948aea626
commit e540d7a2cf
4 changed files with 90 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/unit/plugins/relay/test-relay-auth.cpp
+25
View File
@@ -109,6 +109,31 @@ TEST(RelayAuth, GenerateNonce)
free (nonce);
}
/*
* Test functions:
* relay_auth_password_equals
*/
TEST(RelayAuth, PasswordEquals)
{
/* invalid arguments */
LONGS_EQUAL(0, relay_auth_password_equals (NULL, NULL));
LONGS_EQUAL(0, relay_auth_password_equals ("abcd", NULL));
LONGS_EQUAL(0, relay_auth_password_equals (NULL, "abcd"));
/* different passwords */
LONGS_EQUAL(0, relay_auth_password_equals ("test", "password"));
LONGS_EQUAL(0, relay_auth_password_equals ("Password", "password"));
LONGS_EQUAL(0, relay_auth_password_equals ("", "password"));
LONGS_EQUAL(0, relay_auth_password_equals ("password", ""));
/* equal passwords */
LONGS_EQUAL(1, relay_auth_password_equals ("", ""));
LONGS_EQUAL(1, relay_auth_password_equals ("password", "password"));
LONGS_EQUAL(1, relay_auth_password_equals ("a really long password with spaces",
"a really long password with spaces"));
}
/*
* Test functions:
* relay_auth_check_password_plain