Passwords: check in constant time

[?]
Apr 15, 2021, 2:40 PM
ASPD4MDNLVUI77M2JH2KHQUMIU5B2NRIKI7BXJVSQ3C7OGYEB3YQC

Dependencies

  • [2] YBT5G74Q LDAP: add the required packages to the perlPackage via the overlay
  • [3] 2JJP7673 tests: move to t, allow `yath test` from root
  • [4] NNJZNDVU Plugin::Authentication config: modernize
  • [5] HOI5XQHS * Don't use a config file by default. This frees up $HYDRA_CONFIG so
  • [*] RWNXH3H2 lastModified -> lastModifiedDate
  • [*] S66BOMVU * Added authentication.
  • [*] SYLVCTT6 Start api cleanup with the User model
  • [*] J5UVLXOK * Start of a basic Catalyst web interface.

Change contents

  • edit in flake.nix at line 230
    [2.2737]
    [2.2737]
    };
    };
    StringCompareConstantTime = final.buildPerlPackage {
    pname = "String-Compare-ConstantTime";
    version = "0.321";
    src = final.fetchurl {
    url = "mirror://cpan/authors/id/F/FR/FRACTAL/String-Compare-ConstantTime-0.321.tar.gz";
    sha256 = "0b26ba2b121d8004425d4485d1d46f59001c83763aa26624dff6220d7735d7f7";
  • edit in flake.nix at line 240
    [2.2752]
    [2.2752]
    meta = {
    description = "Timing side-channel protected string compare";
    license = with final.lib.licenses; [ artistic1 gpl1Plus ];
    };
  • edit in flake.nix at line 295
    [7.2623]
    [7.2623]
    StringCompareConstantTime
  • edit in src/lib/Hydra/Schema/Users.pm at line 198
    [9.1839]
    [9.1839]
    use Digest::SHA1 qw(sha1_hex);
    use String::Compare::ConstantTime;
  • edit in src/lib/Hydra/Schema/Users.pm at line 216
    [9.2034]
    [8.4016]
    sub check_password {
    my ($self, $password) = @_;
    return String::Compare::ConstantTime::equals($self->password, sha1_hex($password));
    }
  • replacement in src/lib/Hydra.pm at line 37
    [4.165][4.165:255]()
    password_type => "hashed",
    password_hash_type => "SHA-1",
    [4.165]
    [4.255]
    password_type => "self_check",
  • file addition: Schema (d--r------)
    [3.697]
  • file addition: Users.t (----------)
    [0.895]
    use strict;
    use Setup;
    my %ctx = test_init();
    require Hydra::Schema;
    require Hydra::Model::DB;
    use Test2::V0;
    my $db = Hydra::Model::DB->new;
    hydra_setup($db);
    # Catalyst's default password checking is not constant time. To improve
    # the security of the system, we replaced the check password routine.
    # Verify comparing correct and incorrect passwords work.
    # Starting the user with a sha1 password
    my $user = $db->resultset('Users')->create({
    "username" => "alice",
    "emailaddress" => 'alice@nixos.org',
    "password" => "8843d7f92416211de9ebb963ff4ce28125932878" # SHA1 of "foobar"
    });
    isnt($user, undef, "My user was created.");
    ok(!$user->check_password("barbaz"), "Checking the password, barbaz, is not right");
    ok($user->check_password("foobar"), "Checking the password, foobar, is right");
    done_testing;