aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2021-05-10 16:50:24 +0100
committerMatthew Wild <mwild1@gmail.com>2021-05-10 16:50:24 +0100
commit6a54d2d2c483de3824f57fffc3ab3375fde4e21e (patch)
treef311f972f9cc1cc5929e78a189442723bcb8171a
parentd126ee88bc666524339830b71141c92bb06cd283 (diff)
downloadprosody-6a54d2d2c483de3824f57fffc3ab3375fde4e21e.tar.gz
prosody-6a54d2d2c483de3824f57fffc3ab3375fde4e21e.zip
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
-rw-r--r--plugins/mod_auth_internal_hashed.lua5
-rw-r--r--plugins/mod_auth_internal_plain.lua3
2 files changed, 5 insertions, 3 deletions
diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua
index 15058098..b29a9ee8 100644
--- a/plugins/mod_auth_internal_hashed.lua
+++ b/plugins/mod_auth_internal_hashed.lua
@@ -16,6 +16,7 @@ local new_sasl = require "util.sasl".new;
local hex = require"util.hex";
local to_hex, from_hex = hex.to, hex.from;
local saslprep = require "util.encodings".stringprep.saslprep;
+local secure_equals = require "util.hashes".equals;
local log = module._log;
local host = module.host;
@@ -39,7 +40,7 @@ function provider.test_password(username, password)
end
if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
- if saslprep(credentials.password) ~= password then
+ if not secure_equals(saslprep(credentials.password), password) then
return nil, "Auth failed. Provided password is incorrect.";
end
@@ -59,7 +60,7 @@ function provider.test_password(username, password)
local stored_key_hex = to_hex(stored_key);
local server_key_hex = to_hex(server_key);
- if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then
+ if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then
return true;
else
return nil, "Auth failed. Invalid username, password, or password hash information.";
diff --git a/plugins/mod_auth_internal_plain.lua b/plugins/mod_auth_internal_plain.lua
index 56ef52d5..8a50e820 100644
--- a/plugins/mod_auth_internal_plain.lua
+++ b/plugins/mod_auth_internal_plain.lua
@@ -9,6 +9,7 @@
local usermanager = require "core.usermanager";
local new_sasl = require "util.sasl".new;
local saslprep = require "util.encodings".stringprep.saslprep;
+local secure_equals = require "util.hashes".equals;
local log = module._log;
local host = module.host;
@@ -26,7 +27,7 @@ function provider.test_password(username, password)
return nil, "Password fails SASLprep.";
end
- if password == saslprep(credentials.password) then
+ if secure_equals(password, saslprep(credentials.password)) then
return true;
else
return nil, "Auth failed. Invalid username or password.";