authorMatthew Wild <mwild1@gmail.com>2021-05-12 14:00:53 +0100
committerMatthew Wild <mwild1@gmail.com>2021-05-12 14:00:53 +0100
commit0a3d7966232970cb9c8076d693db0a7fef69116d (patch)
tree206807a71191b80558c8dbdcad6a71ff40cf1146
parentmod_proxy65: Restrict access to local c2s connections by default (diff)
downloadprosody-0a3d7966232970cb9c8076d693db0a7fef69116d.tar.xz
prosody-0a3d7966232970cb9c8076d693db0a7fef69116d.zip
mod_dialback: Use constant-time comparison with hmac
-rw-r--r--plugins/mod_dialback.lua3
1 files changed, 2 insertions, 1 deletions
diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua
index eddc32096..38d16b609 100644
--- a/plugins/mod_dialback.lua
+++ b/plugins/mod_dialback.lua
@@ -13,6 +13,7 @@ local log = module._log;
local st = require "util.stanza";
local sha256_hash = require "util.hashes".sha256;
local sha256_hmac = require "util.hashes".hmac_sha256;
+local secure_equals = require "util.hashes".equals;
local nameprep = require "util.encodings".stringprep.nameprep;
local uuid_gen = require"util.uuid".generate;
@@ -56,7 +57,7 @@ function initiate_dialback(session)
end
function verify_dialback(id, to, from, key)
- return key == generate_dialback(id, to, from);
+ return secure_equals(key, generate_dialback(id, to, from));
end
module:hook("stanza/jabber:server:dialback:verify", function(event)
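Review bot: `verify_dialback` now hands `key` straight to `secure_equals`, and nothing in this hunk guarantees that `key` is a string; the old `==` treated a nil or non-string key as a plain mismatch, whereas a comparison helper that validates its arguments would presumably raise instead, turning a malformed `<verify/>` from a peer into an error in the hook rather than a clean "invalid" result. The caller is the hook that begins on the last line of the hunk, with its body outside the hunk, so I cannot confirm from here what it passes; if the key can come from an empty element, a one-line guard keeps the previous failure mode: `if type(key) ~= "string" then return false; end` before the return. A short comment above the return, such as `-- constant-time compare so the check does not leak timing about how much of the key matched`, would also document why the plain `==` was replaced.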