

changeset 6f56170ea986 0.11

mod_dialback: Use constant-time comparison with hmac

author
Matthew Wild
date
parents
children
files

1 files changed, 2 insertions(+), 1 deletions(-)


--- a/plugins/mod_dialback.lua	Wed May 12 13:59:49 2021 +0100
+++ b/plugins/mod_dialback.lua	Wed May 12 14:00:53 2021 +0100
@@ -13,6 +13,7 @@
 local st = require "util.stanza";
 local sha256_hash = require "util.hashes".sha256;
 local sha256_hmac = require "util.hashes".hmac_sha256;
+local secure_equals = require "util.hashes".equals;
 local nameprep = require "util.encodings".stringprep.nameprep;
 local uuid_gen = require"util.uuid".generate;
 
@@ -56,7 +57,7 @@
 end
 
 function verify_dialback(id, to, from, key)
-	return key == generate_dialback(id, to, from);
+	return secure_equals(key, generate_dialback(id, to, from));
 end
 
 module:hook("stanza/jabber:server:dialback:verify", function(event)
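Review bot: The new return in verify_dialback hands the peer-supplied `key` straight to secure_equals, and the hunk does not show how util.hashes.equals behaves when that argument is nil or not a string; the old `==` quietly returned false in that case, whereas a comparison routine that expects two strings may raise instead, turning a malformed verify stanza into a handler error rather than a clean rejection. If the implementation does not already tolerate this, a guard `if type(key) ~= "string" then return false; end` before the comparison keeps the previous failure mode — confirm against util.hashes.equals. The line would also benefit from a why-comment, since nothing in the file explains why `==` was dropped: `-- Constant-time comparison: a byte-wise == would leak timing information about the expected key to the remote peer`. The callers of verify_dialback, and therefore where `key` originates, are outside this hunk.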