Comparison

plugins/mod_dialback.lua @ 11556:6f56170ea986 0.11

mod_dialback: Use constant-time comparison with hmac
author Matthew Wild <mwild1@gmail.com>
date Wed, 12 May 2021 14:00:53 +0100 (2021-05-12)
parent 8518:0de0018bdf91
child 11557:6be890ca492e
comparison
equal deleted inserted replaced
11555:65dcc175ef5b 11556:6f56170ea986
11 local log = module._log; 11 local log = module._log;
12 12
13 local st = require "util.stanza"; 13 local st = require "util.stanza";
14 local sha256_hash = require "util.hashes".sha256; 14 local sha256_hash = require "util.hashes".sha256;
15 local sha256_hmac = require "util.hashes".hmac_sha256; 15 local sha256_hmac = require "util.hashes".hmac_sha256;
16 local secure_equals = require "util.hashes".equals;
16 local nameprep = require "util.encodings".stringprep.nameprep; 17 local nameprep = require "util.encodings".stringprep.nameprep;
17 local uuid_gen = require"util.uuid".generate; 18 local uuid_gen = require"util.uuid".generate;
18 19
19 local xmlns_stream = "http://etherx.jabber.org/streams"; 20 local xmlns_stream = "http://etherx.jabber.org/streams";
20 21
54 session.sends2s(st.stanza("db:result", { from = session.from_host, to = session.to_host }):text(session.dialback_key)); 55 session.sends2s(st.stanza("db:result", { from = session.from_host, to = session.to_host }):text(session.dialback_key));
55 session.log("debug", "sent dialback key on outgoing s2s stream"); 56 session.log("debug", "sent dialback key on outgoing s2s stream");
56 end 57 end
57 58
58 function verify_dialback(id, to, from, key) 59 function verify_dialback(id, to, from, key)
59 return key == generate_dialback(id, to, from); 60 return secure_equals(key, generate_dialback(id, to, from));
60 end 61 end
61 62
62 module:hook("stanza/jabber:server:dialback:verify", function(event) 63 module:hook("stanza/jabber:server:dialback:verify", function(event)
63 local origin, stanza = event.origin, event.stanza; 64 local origin, stanza = event.origin, event.stanza;
64 65