Mercurial > prosody-hg
comparison plugins/mod_auth_internal_hashed.lua @ 11544:c98aebe601f9 0.11
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 10 May 2021 16:50:24 +0100 |
| parents | 0d7d71dee0a0 |
| children | 3bbb1af92514 |
comparison
equal
deleted
inserted
replaced
| 11543:63fd4c8465fb | 11544:c98aebe601f9 |
|---|---|
| 14 local generate_uuid = require "util.uuid".generate; | 14 local generate_uuid = require "util.uuid".generate; |
| 15 local new_sasl = require "util.sasl".new; | 15 local new_sasl = require "util.sasl".new; |
| 16 local hex = require"util.hex"; | 16 local hex = require"util.hex"; |
| 17 local to_hex, from_hex = hex.to, hex.from; | 17 local to_hex, from_hex = hex.to, hex.from; |
| 18 local saslprep = require "util.encodings".stringprep.saslprep; | 18 local saslprep = require "util.encodings".stringprep.saslprep; |
| 19 local secure_equals = require "util.hashes".equals; | |
| 19 | 20 |
| 20 local log = module._log; | 21 local log = module._log; |
| 21 local host = module.host; | 22 local host = module.host; |
| 22 | 23 |
| 23 local accounts = module:open_store("accounts"); | 24 local accounts = module:open_store("accounts"); |
| 37 if not password then | 38 if not password then |
| 38 return nil, "Password fails SASLprep."; | 39 return nil, "Password fails SASLprep."; |
| 39 end | 40 end |
| 40 | 41 |
| 41 if credentials.password ~= nil and string.len(credentials.password) ~= 0 then | 42 if credentials.password ~= nil and string.len(credentials.password) ~= 0 then |
| 42 if saslprep(credentials.password) ~= password then | 43 if not secure_equals(saslprep(credentials.password), password) then |
| 43 return nil, "Auth failed. Provided password is incorrect."; | 44 return nil, "Auth failed. Provided password is incorrect."; |
| 44 end | 45 end |
| 45 | 46 |
| 46 if provider.set_password(username, credentials.password) == nil then | 47 if provider.set_password(username, credentials.password) == nil then |
| 47 return nil, "Auth failed. Could not set hashed password from plaintext."; | 48 return nil, "Auth failed. Could not set hashed password from plaintext."; |
| 57 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count); | 58 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count); |
| 58 | 59 |
| 59 local stored_key_hex = to_hex(stored_key); | 60 local stored_key_hex = to_hex(stored_key); |
| 60 local server_key_hex = to_hex(server_key); | 61 local server_key_hex = to_hex(server_key); |
| 61 | 62 |
| 62 if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then | 63 if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then |
| 63 return true; | 64 return true; |
| 64 else | 65 else |
| 65 return nil, "Auth failed. Invalid username, password, or password hash information."; | 66 return nil, "Auth failed. Invalid username, password, or password hash information."; |
| 66 end | 67 end |
| 67 end | 68 end |
