mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-04 13:47:41 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

util.jwt: Use constant-time comparison with expected signature

Browse source
This commit is contained in:
Matthew Wild 2021-05-13 14:13:07 +01:00
parent 5bc8b2a379
commit 8048b53d18
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
util/jwt.lua
View file

@ -3,6 +3,7 @@ local json = require "util.json";
local hashes = require "util.hashes"; local hashes = require "util.hashes";
local base64_encode = require "util.encodings".base64.encode; local base64_encode = require "util.encodings".base64.encode;
local base64_decode = require "util.encodings".base64.decode; local base64_decode = require "util.encodings".base64.decode;
local secure_equals = require "util.hashes".equals;
local b64url_rep = { ["+"] = "-", ["/"] = "_", ["="] = "", ["-"] = "+", ["_"] = "/" }; local b64url_rep = { ["+"] = "-", ["/"] = "_", ["="] = "", ["-"] = "+", ["_"] = "/" };
local function b64url(data) local function b64url(data)
@ -33,7 +34,7 @@ local function verify(key, blob)
elseif header.alg ~= "HS256" then elseif header.alg ~= "HS256" then
return nil, "unsupported-algorithm"; return nil, "unsupported-algorithm";
end end
if b64url(hashes.hmac_sha256(key, signed)) ~= signature then if not secure_equals(b64url(hashes.hmac_sha256(key, signed)), signature) then
return false, "signature-mismatch"; return false, "signature-mismatch";
end end
local payload, err = json.decode(unb64url(bpayload)); local payload, err = json.decode(unb64url(bpayload));