From 6a54d2d2c483de3824f57fffc3ab3375fde4e21e Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Mon, 10 May 2021 16:50:24 +0100
Subject: mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
---
 plugins/mod_auth_internal_plain.lua | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'plugins/mod_auth_internal_plain.lua')
diff --git a/plugins/mod_auth_internal_plain.lua b/plugins/mod_auth_internal_plain.lua
index 56ef52d5..8a50e820 100644
--- a/plugins/mod_auth_internal_plain.lua
+++ b/plugins/mod_auth_internal_plain.lua
@@ -9,6 +9,7 @@ local usermanager = require "core.usermanager";
 local new_sasl = require "util.sasl".new;
 local saslprep = require "util.encodings".stringprep.saslprep;
+local secure_equals = require "util.hashes".equals;
 local log = module._log;
 local host = module.host;
@@ -26,7 +27,7 @@ function provider.test_password(username, password)
 return nil, "Password fails SASLprep.";
 end
-if password == saslprep(credentials.password) then
+if secure_equals(password, saslprep(credentials.password)) then
 return true;
 else
 return nil, "Auth failed. Invalid username or password.";
-- cgit v1.2.3
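Review bot: The result of `saslprep(credentials.password)` is now passed straight into `secure_equals`, and if that helper rejects a non-string argument — the `Password fails SASLprep.` guard just above suggests `saslprep` can return a non-string for invalid input — a stored credential that fails SASLprep would now raise an error in the auth path instead of simply failing the comparison as `==` did. I would bind the result first and reject it explicitly: `local stored = saslprep(credentials.password);` / `if not stored then return nil, "Auth failed. Invalid username or password."; end` / `if secure_equals(password, stored) then`. Whether `util.hashes.equals` errors on nil, and whether it still returns early on a length mismatch (which would reveal only the stored secret's length), is not visible in this hunk and should be confirmed against util.hashes. `provider.test_password` begins and ends outside the hunk, so how `credentials` is loaded before the SASLprep check is not visible here; the first hunk only adds the import and needs no change.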