aboutsummaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2021-05-12 14:00:53 +0100
committerMatthew Wild <mwild1@gmail.com>2021-05-12 14:00:53 +0100
commit0a3d7966232970cb9c8076d693db0a7fef69116d (patch)
tree206807a71191b80558c8dbdcad6a71ff40cf1146 /plugins
parent0d3dc2e5223f7f63449a2c5c92b97e310377dca9 (diff)
downloadprosody-0a3d7966232970cb9c8076d693db0a7fef69116d.tar.gz
prosody-0a3d7966232970cb9c8076d693db0a7fef69116d.zip
mod_dialback: Use constant-time comparison with hmac
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_dialback.lua3
1 files changed, 2 insertions, 1 deletions
diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua
index eddc3209..38d16b60 100644
--- a/plugins/mod_dialback.lua
+++ b/plugins/mod_dialback.lua
@@ -13,6 +13,7 @@ local log = module._log;
local st = require "util.stanza";
local sha256_hash = require "util.hashes".sha256;
local sha256_hmac = require "util.hashes".hmac_sha256;
+local secure_equals = require "util.hashes".equals;
local nameprep = require "util.encodings".stringprep.nameprep;
local uuid_gen = require"util.uuid".generate;
@@ -56,7 +57,7 @@ function initiate_dialback(session)
end
function verify_dialback(id, to, from, key)
- return key == generate_dialback(id, to, from);
+ return secure_equals(key, generate_dialback(id, to, from));
end
module:hook("stanza/jabber:server:dialback:verify", function(event)