diff options
| author |   Matthew Wild <mwild1@gmail.com> | 2021-05-10 16:50:24 +0100 |
|---|---|---|
| committer | Matthew Wild <mwild1@gmail.com> | 2021-05-10 16:50:24 +0100 |
| commit | 6a54d2d2c483de3824f57fffc3ab3375fde4e21e (patch) | |
| tree | f311f972f9cc1cc5929e78a189442723bcb8171a | |
| parent | util.xmppstream: Reduce default xmppstream limit to 1MB (diff) | |
| download | prosody-6a54d2d2c483de3824f57fffc3ab3375fde4e21e.tar.xz prosody-6a54d2d2c483de3824f57fffc3ab3375fde4e21e.zip | |
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
| -rw-r--r-- | plugins/mod_auth_internal_hashed.lua | 5 | ||||
| -rw-r--r-- | plugins/mod_auth_internal_plain.lua | 3 |
2 files changed, 5 insertions, 3 deletions
diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua index 15058098b..b29a9ee82 100644 --- a/plugins/mod_auth_internal_hashed.lua +++ b/plugins/mod_auth_internal_hashed.lua @@ -16,6 +16,7 @@ local new_sasl = require "util.sasl".new; local hex = require"util.hex"; local to_hex, from_hex = hex.to, hex.from; local saslprep = require "util.encodings".stringprep.saslprep; +local secure_equals = require "util.hashes".equals; local log = module._log; local host = module.host; @@ -39,7 +40,7 @@ function provider.test_password(username, password) end if credentials.password ~= nil and string.len(credentials.password) ~= 0 then - if saslprep(credentials.password) ~= password then + if not secure_equals(saslprep(credentials.password), password) then return nil, "Auth failed. Provided password is incorrect."; end @@ -59,7 +60,7 @@ function provider.test_password(username, password) local stored_key_hex = to_hex(stored_key); local server_key_hex = to_hex(server_key); - if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then + if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then return true; else return nil, "Auth failed. Invalid username, password, or password hash information."; diff --git a/plugins/mod_auth_internal_plain.lua b/plugins/mod_auth_internal_plain.lua index 56ef52d50..8a50e8202 100644 --- a/plugins/mod_auth_internal_plain.lua +++ b/plugins/mod_auth_internal_plain.lua @@ -9,6 +9,7 @@ local usermanager = require "core.usermanager"; local new_sasl = require "util.sasl".new; local saslprep = require "util.encodings".stringprep.saslprep; +local secure_equals = require "util.hashes".equals; local log = module._log; local host = module.host; @@ -26,7 +27,7 @@ function provider.test_password(username, password) return nil, "Password fails SASLprep."; end - if password == saslprep(credentials.password) then + if secure_equals(password, saslprep(credentials.password)) then return true; else return nil, "Auth failed. Invalid username or password."; |