mod_dialback: Use constant-time comparison with hmac

author: Matthew Wild <mwild1@gmail.com>
date: Wed, 12 May 2021 14:00:53 +0100
parent: 8518:0de0018bdf91
child: 11557:6be890ca492e
--- a/plugins/mod_dialback.lua	Wed May 12 13:59:49 2021 +0100
+++ b/plugins/mod_dialback.lua	Wed May 12 14:00:53 2021 +0100
@@ -13,6 +13,7 @@
 local st = require "util.stanza";
 local sha256_hash = require "util.hashes".sha256;
 local sha256_hmac = require "util.hashes".hmac_sha256;
+local secure_equals = require "util.hashes".equals;
 local nameprep = require "util.encodings".stringprep.nameprep;
 local uuid_gen = require"util.uuid".generate;
 
@@ -56,7 +57,7 @@
 end
 
 function verify_dialback(id, to, from, key)
-	return key == generate_dialback(id, to, from);
+	return secure_equals(key, generate_dialback(id, to, from));
 end
 
 module:hook("stanza/jabber:server:dialback:verify", function(event)