The default password comparison logic does not use constant time validation. Switching to constant time offers a meager improvement by removing a timing oracle.
A prepatory step in moving to Argon2id password storage, since we'll need this change anyway after for validating existing passwords.
Co-authored-by: Graham Christensen <graham@grahamc.com>
ASPD4MDNLVUI77M2JH2KHQUMIU5B2NRIKI7BXJVSQ3C7OGYEB3YQC
YBT5G74QZQ4F7RIUOSX2HO5SWJPRDINOMPGOTY6H2HHUTCCNLT5AC
2JJP76737U2JWJWQ6UDFEAQCGWRAQH46HC6OCIKWMB5QYRXF6DQQC
NNJZNDVU6ZP5P54KHXHG4O7ZHIAA3F3IVGE5OP6PQ4F4JKXGMBFAC
RWNXH3H26EQHKJNMP4DUJCJKUYQBMV347234ZLE26SIFTVLSUWXQC
SYLVCTT64DMSUBWROO5USFBSK2OCNB2NB72SSGM4MOEHMUQONEPQC
S66BOMVUACAUDSGSDWP7ZIXVMZSQHWXOZYVTB7ILUCWZ7DDFAKVAC
J5UVLXOK6EDIL5I7VKWH4V2QDS4DPD7FHRK6XBWSXFRQS4JKXFZQC
};
};
StringCompareConstantTime = final.buildPerlPackage {
pname = "String-Compare-ConstantTime";
version = "0.321";
src = final.fetchurl {
url = "mirror://cpan/authors/id/F/FR/FRACTAL/String-Compare-ConstantTime-0.321.tar.gz";
sha256 = "0b26ba2b121d8004425d4485d1d46f59001c83763aa26624dff6220d7735d7f7";
use strict;
use Setup;
my %ctx = test_init();
require Hydra::Schema;
require Hydra::Model::DB;
use Test2::V0;
my $db = Hydra::Model::DB->new;
hydra_setup($db);
# Catalyst's default password checking is not constant time. To improve
# the security of the system, we replaced the check password routine.
# Verify comparing correct and incorrect passwords work.
# Starting the user with a sha1 password
my $user = $db->resultset('Users')->create({
"username" => "alice",
"emailaddress" => 'alice@nixos.org',
"password" => "8843d7f92416211de9ebb963ff4ce28125932878" # SHA1 of "foobar"
});
isnt($user, undef, "My user was created.");
ok(!$user->check_password("barbaz"), "Checking the password, barbaz, is not right");
ok($user->check_password("foobar"), "Checking the password, foobar, is right");
done_testing;