Passwords: check in constant time
[?]
Apr 15, 2021, 2:40 PM
ASPD4MDNLVUI77M2JH2KHQUMIU5B2NRIKI7BXJVSQ3C7OGYEB3YQCDependencies
- [2]
YBT5G74QLDAP: add the required packages to the perlPackage via the overlay - [3]
2JJP7673tests: move to t, allow `yath test` from root - [4]
NNJZNDVUPlugin::Authentication config: modernize - [5]
HOI5XQHS* Don't use a config file by default. This frees up $HYDRA_CONFIG so - [*]
RWNXH3H2lastModified -> lastModifiedDate - [*]
S66BOMVU* Added authentication. - [*]
SYLVCTT6Start api cleanup with the User model - [*]
J5UVLXOK* Start of a basic Catalyst web interface.
Change contents
- edit in flake.nix at line 230
};};StringCompareConstantTime = final.buildPerlPackage {pname = "String-Compare-ConstantTime";version = "0.321";src = final.fetchurl {url = "mirror://cpan/authors/id/F/FR/FRACTAL/String-Compare-ConstantTime-0.321.tar.gz";sha256 = "0b26ba2b121d8004425d4485d1d46f59001c83763aa26624dff6220d7735d7f7"; - edit in flake.nix at line 240
meta = {description = "Timing side-channel protected string compare";license = with final.lib.licenses; [ artistic1 gpl1Plus ];}; - edit in flake.nix at line 295
StringCompareConstantTime - edit in src/lib/Hydra/Schema/Users.pm at line 198
use Digest::SHA1 qw(sha1_hex);use String::Compare::ConstantTime; - edit in src/lib/Hydra/Schema/Users.pm at line 216
sub check_password {my ($self, $password) = @_;return String::Compare::ConstantTime::equals($self->password, sha1_hex($password));} - replacement in src/lib/Hydra.pm at line 37
password_type => "hashed",password_hash_type => "SHA-1",password_type => "self_check", - file addition: Schema[3.697]
- file addition: Users.t[0.895]
use strict;use Setup;my %ctx = test_init();require Hydra::Schema;require Hydra::Model::DB;use Test2::V0;my $db = Hydra::Model::DB->new;hydra_setup($db);# Catalyst's default password checking is not constant time. To improve# the security of the system, we replaced the check password routine.# Verify comparing correct and incorrect passwords work.# Starting the user with a sha1 passwordmy $user = $db->resultset('Users')->create({"username" => "alice","emailaddress" => 'alice@nixos.org',"password" => "8843d7f92416211de9ebb963ff4ce28125932878" # SHA1 of "foobar"});isnt($user, undef, "My user was created.");ok(!$user->check_password("barbaz"), "Checking the password, barbaz, is not right");ok($user->check_password("foobar"), "Checking the password, foobar, is right");done_testing;