sneak/chat
1
0
Fork 0
Code Issues 6 Pull Requests 4 Actions Packages Projects Releases Wiki Activity

fix: use timing-safe comparison for OPER credentials
All checks were successful
check / check (push) Successful in 1m7s
Details

Browse Source 
Replace plain != string comparison with crypto/subtle.ConstantTimeCompare
for both operator name and password checks in handleOper to prevent
timing-based side-channel attacks.

Closes review feedback on PR #82.
This commit is contained in:
user
2026-03-17 11:57:29 -07:00
parent d7bab0bbf8
commit 427ee1e820
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/handlers/api.go
View File

@@ -2,6 +2,7 @@ package handlers
import ( import (
"context" "context"
"crypto/subtle"
"encoding/json" "encoding/json"
"fmt" "fmt"
"net" "net"
@@ -2822,7 +2823,8 @@ func (hdlr *Handlers) handleOper(
cfgPass := hdlr.params.Config.OperPassword cfgPass := hdlr.params.Config.OperPassword
if cfgName == "" || cfgPass == "" || if cfgName == "" || cfgPass == "" ||
operName != cfgName || operPass != cfgPass { subtle.ConstantTimeCompare([]byte(operName), []byte(cfgName)) != 1 ||
subtle.ConstantTimeCompare([]byte(operPass), []byte(cfgPass)) != 1 {
hdlr.enqueueNumeric( hdlr.enqueueNumeric(
ctx, clientID, irc.ErrNoOperHost, nick, ctx, clientID, irc.ErrNoOperHost, nick,
nil, "No O-lines for your host", nil, "No O-lines for your host",