use constant-time hash comparison
This commit is contained in:
parent
0643176ed1
commit
11975d7911
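--- a/<db package file, path not shown on page>
+++ b/<db package file, path not shown on page>
@@ -1,8 +1,8 @@
 package db
 
 import (
-"bytes"
 "crypto/rand"
+"crypto/subtle"
 "encoding/base64"
 "errors"
 "fmt"
@@ -111,8 +111,7 @@ func comparePassword(hashedPassword string, password string) (bool, error) {
 computedHash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize)
 
 // Compare the computed hash with the stored hash
-// todo constant time?
-return bytes.Equal(hash, computedHash), nil
+return subtle.ConstantTimeCompare(hash, computedHash) == 1, nil
 }
 
 // DeleteUser deletes a user with the specified username from the database.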
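Review bot: The comment directly above the new return in the second hunk still describes a plain comparison; now that the code depends on constant-time behaviour it should say why, e.g. `// Compare in constant time so a mismatch cannot be inferred from response latency.` Note that subtle.ConstantTimeCompare returns 0 immediately when the two slices differ in length, so the constant-time guarantee only holds if hash is already known to be pwdHashSize bytes; that decoding presumably happens earlier in comparePassword, outside this hunk, and is worth confirming with an explicit length check there. The first hunk's import swap (bytes dropped, crypto/subtle added) is consistent with this change. comparePassword's body begins before the hunk.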
|