From 2cffabe0c7375a15c702aeaea5d553d90a549860 Mon Sep 17 00:00:00 2001
From: Matthew Martin 
Date: Thu, 26 Jun 2014 12:36:51 -0500
Subject: Check fingerprint before checking password (server linking)

Checking the password before the fingerprint means that even without the correct cert it's possible to brute force the password or leak information about it. Checking the fingerprint means attackers must forge the cert before they can learn any information about the password.
---
 src/modules/m_spanningtree/hmac.cpp | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/modules/m_spanningtree/hmac.cpp b/src/modules/m_spanningtree/hmac.cpp
index 895323a02..15cfbc37a 100644
--- a/src/modules/m_spanningtree/hmac.cpp
+++ b/src/modules/m_spanningtree/hmac.cpp
@@ -69,21 +69,6 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
 capab->auth_fingerprint = !link.Fingerprint.empty();
 capab->auth_challenge = !capab->ourchallenge.empty() && !capab->theirchallenge.empty();
 
- if (capab->auth_challenge)
- {
- std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
-
- /* Straight string compare of hashes */
- if (our_hmac != theirs)
- return false;
- }
- else
- {
- /* Straight string compare of plaintext */
- if (link.RecvPass != theirs)
- return false;
- }
-
 std::string fp = SSLClientCert::GetFingerprint(this);
 if (capab->auth_fingerprint)
 {
@@ -101,5 +86,20 @@ bool TreeSocket::ComparePass(const Link& link, const std::string &theirs)
 ServerInstance->SNO->WriteToSnoMask('l', "SSL fingerprint for link %s is \"%s\". "
 "You can improve security by specifying this in .", link.Name.c_str(), fp.c_str());
 }
+
+ if (capab->auth_challenge)
+ {
+ std::string our_hmac = MakePass(link.RecvPass, capab->ourchallenge);
+
+ /* Straight string compare of hashes */
+ if (our_hmac != theirs)
+ return false;
+ }
+ else
+ {
+ /* Straight string compare of plaintext */
+ if (link.RecvPass != theirs)
+ return false;
+ }
 return true;
 }
-- 
cgit v1.2.3