use constant-time hash comparison

This commit is contained in:
Yorick van Pelt 2023-04-30 21:08:36 +02:00
parent 0643176ed1
commit 11975d7911
GPG Key ID: A36E70F9DC014A15


@ -1,8 +1,8 @@
package db package db
import ( import (
"bytes"
"crypto/rand" "crypto/rand"
"crypto/subtle"
"encoding/base64" "encoding/base64"
"errors" "errors"
"fmt" "fmt"
@ -111,8 +111,7 @@ func comparePassword(hashedPassword string, password string) (bool, error) {
computedHash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize) computedHash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize)
// Compare the computed hash with the stored hash // Compare the computed hash with the stored hash
// todo constant time? return subtle.ConstantTimeCompare(hash, computedHash) == 1, nil
return bytes.Equal(hash, computedHash), nil
} }
// DeleteUser deletes a user with the specified username from the database. // DeleteUser deletes a user with the specified username from the database.
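Review bot: The comment above the new return line still says only "Compare the computed hash with the stored hash" and does not record why the comparison must be constant-time, so a later edit could swap it back to `bytes.Equal` without noticing the regression; I would reword it to `// Compare in constant time so the result does not leak how many leading bytes matched (timing side channel).` Note that `subtle.ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so the comparison is only constant-time when `len(hash) == len(computedHash)`; if the decoding of the stored hash earlier in comparePassword does not already verify that its length equals `pwdHashSize`, it is worth a short comment stating that a wrong-length stored value is rejected as a mismatch rather than an error. The body of comparePassword starts before this hunk, so the decode step is not visible here. Removing the `"bytes"` import in the first hunk is correct provided nothing else in the file still uses the package.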