mirror of
https://github.com/weechat/weechat.git
synced 2026-06-12 14:14:48 +02:00
Sébastien Helleu
e540d7a2cf
The IRC relay protocol's PASS handler compared the server password with the client-supplied value using strcmp, leaking the password byte-by-byte via response timing. This is the same class of bug fixed for the api and weechat protocols, on a separate code path that did not go through relay_auth_check_password_plain. Extract the HMAC-then-constant-time-compare logic from relay_auth_check_password_plain into relay_auth_password_equals, then use it in both the plain-auth wrapper and the IRC PASS handler.