aboutsummaryrefslogtreecommitdiff
path: root/src/modules/m_spanningtree/hmac.cpp
diff options
context:
space:
mode:
authorGravatar Matthew Martin2014-06-26 12:36:51 -0500
committerGravatar Attila Molnar2014-06-28 18:15:12 +0200
commit2cffabe0c7375a15c702aeaea5d553d90a549860 (patch)
tree4538d0f8b78ae73d6f9fd3f26dba9d1c4c3fd34d /src/modules/m_spanningtree/hmac.cpp
parentAdd man pages. (diff)
Check fingerprint before checking password (server linking)
Checking the password before the fingerprint means that even without the correct cert it's possible to brute force the password or leak information about it. Checking the fingerprint means attackers must forge the cert before they can learn any information about the password.
Diffstat (limited to 'src/modules/m_spanningtree/hmac.cpp')
-rw-r--r--src/modules/m_spanningtree/hmac.cpp30
1 files changed, 15 insertions, 15 deletions
diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp
index 895323a02..15cfbc37a 100644
--- a/src/modules/m_spanningtree/hmac.cpp
+++ b/src/modules/m_spanningtree/hmac.cpp
@@ -69,21 +69,6 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
capab->auth_fingerprint = !link.Fingerprint.empty();
capab->auth_challenge = !capab->ourchallenge.empty() && !capab->theirchallenge.empty();
- if (capab->auth_challenge)
- {
- std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
-
- /* Straight string compare of hashes */
- if (our_hmac != theirs)
- return false;
- }
- else
- {
- /* Straight string compare of plaintext */
- if (link.RecvPass != theirs)
- return false;
- }
-
std::string fp = SSLClientCert::GetFingerprint(this);
if (capab->auth_fingerprint)
{
@@ -101,5 +86,20 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
ServerInstance->SNO->WriteToSnoMask('l', "SSL fingerprint for link %s is \"%s\". "
"You can improve security by specifying this in <link:fingerprint>.", link.Name.c_str(), fp.c_str());
}
+
+ if (capab->auth_challenge)
+ {
+ std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
+
+ /* Straight string compare of hashes */
+ if (our_hmac != theirs)
+ return false;
+ }
+ else
+ {
+ /* Straight string compare of plaintext */
+ if (link.RecvPass != theirs)
+ return false;
+ }
return true;
}