From a177c2ec2d897ff75ac2c6bcc4d248cd2db20d5c Mon Sep 17 00:00:00 2001
From: Guillaume Horel
Date: Thu, 17 Oct 2019 22:33:34 -0400
Subject: proof of concept

---
 store.go | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

(limited to 'store.go')

diff --git a/store.go b/store.go
index 1744ada..3bfff1b 100644
--- a/store.go
+++ b/store.go
@@ -1,8 +1,6 @@
 package main
 
 import (
-	"bytes"
-	"crypto/subtle"
 	"database/sql"
 	"errors"
 	"log"
@@ -20,7 +18,7 @@ type Session struct {
 type User struct {
 	Id       int64
 	Name     string
-	Password []byte
+	Password string
 }
 
 type Store interface {
@@ -96,24 +94,28 @@ func (store *PgStore) GetUser(name string) (*User, bool) {
 func (store *PgStore) ValidateUser(name string, password string) (*User, error) {
 	u := &User{Name: name}
 	row := store.QueryRow(
-		"SELECT id, password FROM users WHERE name = $1",
+		"SELECT id, password, hash_type FROM users WHERE name = $1",
 		name,
 	)
-	if err := row.Scan(&u.Id, &u.Password); err != nil {
+	var hash_scheme string
+	if err := row.Scan(&u.Id, &u.Password, &hash_scheme); err != nil {
 		return nil, errors.New("Utilisateur non enregistré")
 	}
-	z := bytes.SplitN(u.Password, []byte("}"), 2)
-	scheme := string(z[0][:len(z[0])])
-	true_hash := z[1]
-	var hash []byte
-	switch scheme {
+	var concrete_hash PasswordHash
+	switch hash_scheme {
 	case "PLAIN-MD5":
-		hash = md5hex([]byte(password))
+		concrete_hash = Md5{}
+	case "ARGON2ID":
+		concrete_hash = Argon2{}
 	default:
 		return nil, errors.New("Unknown password hashing scheme.")
 	}
-	if subtle.ConstantTimeCompare(true_hash, hash) != 1 {
-		return nil, errors.New("Mot de passe incorrect.")
+	if ok, err := concrete_hash.verify(password, u.Password); !ok {
+		if err != nil {
+			return nil, err
+		} else {
+			return nil, errors.New("Mot de passe incorrect.")
+		}
 	} else {
 		return u, nil
 	}
-- 
cgit v1.2.3-70-g09d2
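Review bot: The new `if ok, err := concrete_hash.verify(...)` block in the third hunk returns `u, nil` whenever `ok` is true, so an `err` returned together with `ok == true` is silently discarded, while an `err` with `ok == false` is handed straight back to the caller and can surface hash-format or internal detail in the login response, where every other branch uses a fixed message. Treat any error as a failed verification and keep the detail in the server log (`log` is still imported in the first hunk): `ok, err := concrete_hash.verify(password, u.Password)` / `if err != nil || !ok { return nil, errors.New("Mot de passe incorrect.") }` / `return u, nil`, which also drops the `else` after a returning branch. The first hunk removes `crypto/subtle`, so the constant-time comparison this function used to perform is now the responsibility of the `Md5` and `Argon2` implementations, which are not in this diff; it is worth confirming they compare with `subtle.ConstantTimeCompare` rather than `==`. `hash_scheme` and `concrete_hash` would be `hashScheme` and `concreteHash` under Go naming. ValidateUser's closing brace lies outside the hunk.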