diff options
author | Matthew Wild <mwild1@gmail.com> | 2021-05-12 14:00:53 +0100 |
---|---|---|
committer | Matthew Wild <mwild1@gmail.com> | 2021-05-12 14:00:53 +0100 |
commit | 0a3d7966232970cb9c8076d693db0a7fef69116d (patch) | |
tree | 206807a71191b80558c8dbdcad6a71ff40cf1146 /plugins | |
parent | 0d3dc2e5223f7f63449a2c5c92b97e310377dca9 (diff) | |
download | prosody-0a3d7966232970cb9c8076d693db0a7fef69116d.tar.gz prosody-0a3d7966232970cb9c8076d693db0a7fef69116d.zip |
mod_dialback: Use constant-time comparison with hmac
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/mod_dialback.lua | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua index eddc3209..38d16b60 100644 --- a/plugins/mod_dialback.lua +++ b/plugins/mod_dialback.lua @@ -13,6 +13,7 @@ local log = module._log; local st = require "util.stanza"; local sha256_hash = require "util.hashes".sha256; local sha256_hmac = require "util.hashes".hmac_sha256; +local secure_equals = require "util.hashes".equals; local nameprep = require "util.encodings".stringprep.nameprep; local uuid_gen = require"util.uuid".generate; @@ -56,7 +57,7 @@ function initiate_dialback(session) end function verify_dialback(id, to, from, key) - return key == generate_dialback(id, to, from); + return secure_equals(key, generate_dialback(id, to, from)); end module:hook("stanza/jabber:server:dialback:verify", function(event) |