authorMatthew Martin <phy1729@gmail.com>2014-06-26 12:36:51 -0500
committerAttila Molnar <attilamolnar@hush.com>2014-06-28 18:15:12 +0200
commit2cffabe0c7375a15c702aeaea5d553d90a549860 (patch)
tree4538d0f8b78ae73d6f9fd3f26dba9d1c4c3fd34d /src
parentf78c1c277a80403d53c911893e6ae0a0d57f1cdc (diff)
Check fingerprint before checking password (server linking)
Checking the password before the fingerprint means that even without the correct cert it's possible to brute force the password or leak information about it. Checking the fingerprint means attackers must forge the cert before they can learn any information about the password.
Diffstat (limited to 'src')
-rw-r--r--src/modules/m_spanningtree/hmac.cpp30
1 files changed, 15 insertions, 15 deletions
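--- a/src/modules/m_spanningtree/hmac.cpp
+++ b/src/modules/m_spanningtree/hmac.cpp
@@ -69,21 +69,6 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
 capab->auth_fingerprint = !link.Fingerprint.empty();
 capab->auth_challenge = !capab->ourchallenge.empty() && !capab->theirchallenge.empty();
-if (capab->auth_challenge)
-{
-std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
-
-/* Straight string compare of hashes */
-if (our_hmac != theirs)
-return false;
-}
-else
-{
-/* Straight string compare of plaintext */
-if (link.RecvPass != theirs)
-return false;
-}
-
 std::string fp = SSLClientCert::GetFingerprint(this);
 if (capab->auth_fingerprint)
 {
@@ -101,5 +86,20 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
 ServerInstance->SNO->WriteToSnoMask('l', "SSL fingerprint for link %s is \"%s\". "
 "You can improve security by specifying this in <link:fingerprint>.", link.Name.c_str(), fp.c_str());
 }
+
+if (capab->auth_challenge)
+{
+std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
+
+/* Straight string compare of hashes */
+if (our_hmac != theirs)
+return false;
+}
+else
+{
+/* Straight string compare of plaintext */
+if (link.RecvPass != theirs)
+return false;
+}
 return true;
 }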