use constant-time hash comparison

Yorick van Pelt 2023-04-30 21:08:36 +02:00
parent 0643176ed1
commit 11975d7911
No known key found for this signature in database
GPG Key ID: A36E70F9DC014A15
1 changed files with 2 additions and 3 deletions


@ -1,8 +1,8 @@
package db
import (
"bytes"
"crypto/rand"
"crypto/subtle"
"encoding/base64"
"errors"
"fmt"
@ -111,8 +111,7 @@ func comparePassword(hashedPassword string, password string) (bool, error) {
computedHash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize)
// Compare the computed hash with the stored hash
// todo constant time?
return bytes.Equal(hash, computedHash), nil
return subtle.ConstantTimeCompare(hash, computedHash) == 1, nil
}
// DeleteUser deletes a user with the specified username from the database.
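Review bot: `subtle.ConstantTimeCompare` returns 0 immediately, without constant-time behaviour, whenever the two slices differ in length, so the new return line is only as strong as the guarantee that the decoded `hash` is `pwdHashSize` bytes like `computedHash`; a stored hash of another length (a malformed or truncated record) is now silently reported as a wrong password instead of surfacing as an error. A guard before the argon2 call would make that failure mode explicit, `if len(hash) != pwdHashSize { return false, errors.New("stored password hash has unexpected length") }`, and `errors` is already imported by this file. The surviving comment above the return should also say why the compare is constant-time, e.g. `// Constant-time compare so response timing does not reveal how many bytes of the hash match`. comparePassword begins before this hunk, so where `hash` and `salt` are decoded is not visible here and the length guarantee may already exist there.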