Software / code / prosody
Diff
plugins/mod_auth_internal_hashed.lua @ 11544:c98aebe601f9 0.11
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 10 May 2021 16:50:24 +0100 |
| parent | 10914:0d7d71dee0a0 |
| child | 11560:3bbb1af92514 |
line wrap: on
line diff
--- a/plugins/mod_auth_internal_hashed.lua Mon May 10 16:44:55 2021 +0100 +++ b/plugins/mod_auth_internal_hashed.lua Mon May 10 16:50:24 2021 +0100 @@ -16,6 +16,7 @@ local hex = require"util.hex"; local to_hex, from_hex = hex.to, hex.from; local saslprep = require "util.encodings".stringprep.saslprep; +local secure_equals = require "util.hashes".equals; local log = module._log; local host = module.host; @@ -39,7 +40,7 @@ end if credentials.password ~= nil and string.len(credentials.password) ~= 0 then - if saslprep(credentials.password) ~= password then + if not secure_equals(saslprep(credentials.password), password) then return nil, "Auth failed. Provided password is incorrect."; end @@ -59,7 +60,7 @@ local stored_key_hex = to_hex(stored_key); local server_key_hex = to_hex(server_key); - if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then + if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then return true; else return nil, "Auth failed. Invalid username, password, or password hash information.";
