Mercurial Mercurial > prosody > prosody / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
plugins/mod_auth_internal_hashed.lua
changeset 11564 3bbb1af92514
parent 10920 c7ed8f754033
parent 11548 c98aebe601f9
child 12131 baa7cdde69a6 
--- a/plugins/mod_auth_internal_hashed.lua	Fri May 07 16:47:58 2021 +0200
+++ b/plugins/mod_auth_internal_hashed.lua	Thu May 13 11:17:13 2021 +0100
@@ -16,6 +16,7 @@
 local hex = require"util.hex";
 local to_hex, from_hex = hex.to, hex.from;
 local saslprep = require "util.encodings".stringprep.saslprep;
+local secure_equals = require "util.hashes".equals;
 
 local log = module._log;
 local host = module.host;
@@ -41,7 +42,7 @@
 	end
 
 	if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
-		if saslprep(credentials.password) ~= password then
+		if not secure_equals(saslprep(credentials.password), password) then
 			return nil, "Auth failed. Provided password is incorrect.";
 		end
 
@@ -61,7 +62,7 @@
 	local stored_key_hex = to_hex(stored_key);
 	local server_key_hex = to_hex(server_key);
 
-	if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then
+	if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then
 		return true;
 	else
 		return nil, "Auth failed. Invalid username, password, or password hash information.";
prosody