# HG changeset patch
# User Matthew Wild
# Date 1620824453 -3600
# Node ID 6f56170ea986a424706a2cc7806d17e1caf264cf
# Parent 65dcc175ef5b2473c0b4049957e3842248a8cea1
mod_dialback: Use constant-time comparison with hmac

diff -r 65dcc175ef5b -r 6f56170ea986 plugins/mod_dialback.lua
--- a/plugins/mod_dialback.lua Wed May 12 13:59:49 2021 +0100
+++ b/plugins/mod_dialback.lua Wed May 12 14:00:53 2021 +0100
@@ -13,6 +13,7 @@
 local st = require "util.stanza";
 local sha256_hash = require "util.hashes".sha256;
 local sha256_hmac = require "util.hashes".hmac_sha256;
+local secure_equals = require "util.hashes".equals;
 local nameprep = require "util.encodings".stringprep.nameprep;
 local uuid_gen = require"util.uuid".generate;
 
@@ -56,7 +57,7 @@
 end
 
 function verify_dialback(id, to, from, key)
- return key == generate_dialback(id, to, from);
+ return secure_equals(key, generate_dialback(id, to, from));
 end
 
 module:hook("stanza/jabber:server:dialback:verify", function(event)
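Review bot: The new `secure_equals(key, ...)` in verify_dialback changes what happens when `key` is not a string, a case the old `key == ...` tolerated by simply evaluating to false. The key is the text of a `<db:verify>` element received from a remote server, so if `util.hashes.equals` is the usual C binding that validates its arguments with `luaL_checklstring`, an element with no text (or with a child element where text was expected) would now raise an error inside the hook instead of being answered as invalid; the implementation is not visible here, so this needs confirming. A cheap guard preserves the old semantics for non-strings: `return type(key) == "string" and secure_equals(key, generate_dialback(id, to, from));`. It would also help to record why constant time matters at this call site, e.g. `-- constant-time: the remote peer chooses the key and can time our reply, so an early-exit compare would leak how many leading bytes match`. The `module:hook` handler on the last hunk line, the caller of verify_dialback, continues beyond the hunk.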