diff plugins/mod_auth_internal_plain.lua @ 11544:c98aebe601f9 0.11

mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
author Matthew Wild <mwild1@gmail.com>
date Mon, 10 May 2021 16:50:24 +0100
parents 0d7d71dee0a0
children 3f38f4735c7a
line wrap: on
line diff
--- a/plugins/mod_auth_internal_plain.lua	Mon May 10 16:44:55 2021 +0100
+++ b/plugins/mod_auth_internal_plain.lua	Mon May 10 16:50:24 2021 +0100
@@ -9,6 +9,7 @@
 local usermanager = require "core.usermanager";
 local new_sasl = require "util.sasl".new;
 local saslprep = require "util.encodings".stringprep.saslprep;
+local secure_equals = require "util.hashes".equals;
 
 local log = module._log;
 local host = module.host;
@@ -26,7 +27,7 @@
 		return nil, "Password fails SASLprep.";
 	end
 
-	if password == saslprep(credentials.password) then
+	if secure_equals(password, saslprep(credentials.password)) then
 		return true;
 	else
 		return nil, "Auth failed. Invalid username or password.";