mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_dialback: Use constant-time comparison with hmac

Browse source
This commit is contained in:
Matthew Wild 2021-05-12 14:00:53 +01:00
parent 0d3dc2e522
commit 0a3d796623
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
plugins/mod_dialback.lua
View file

@ -13,6 +13,7 @@ local log = module._log;
local st = require "util.stanza";
local sha256_hash = require "util.hashes".sha256;
local sha256_hmac = require "util.hashes".hmac_sha256;
local secure_equals = require "util.hashes".equals;
local nameprep = require "util.encodings".stringprep.nameprep;
local uuid_gen = require"util.uuid".generate;
@ -56,7 +57,7 @@ function initiate_dialback(session)
end
function verify_dialback(id, to, from, key)
return key == generate_dialback(id, to, from);
return secure_equals(key, generate_dialback(id, to, from));
end
module:hook("stanza/jabber:server:dialback:verify", function(event)