From 4bf0f0dee3853501d17fcb34680db04e4aa5bab1 Mon Sep 17 00:00:00 2001 From: Aine Date: Fri, 23 Sep 2022 11:17:34 +0300 Subject: [PATCH] switch to password hashes --- bot/access.go | 7 ++++++- bot/command_owner.go | 17 +++++++++++++++-- go.mod | 3 ++- go.sum | 2 ++ utils/utils.go | 22 ---------------------- 5 files changed, 25 insertions(+), 26 deletions(-) diff --git a/bot/access.go b/bot/access.go index 5fc04a1..0e05c7f 100644 --- a/bot/access.go +++ b/bot/access.go @@ -5,6 +5,7 @@ import ( "regexp" "strings" + "github.com/raja/argon2pw" "gitlab.com/etke.cc/go/mxidwc" "maunium.net/go/mautrix/id" @@ -85,5 +86,9 @@ func (b *Bot) AllowAuth(email, password string) bool { return false } - return utils.Compare(password, cfg.Password()) + allow, err := argon2pw.CompareHashWithPassword(cfg.Password(), password) + if err != nil { + b.log.Warn("Password for %s is not valid: %v", email, err) + } + return allow } diff --git a/bot/command_owner.go b/bot/command_owner.go index 3d1490a..709bcce 100644 --- a/bot/command_owner.go +++ b/bot/command_owner.go @@ -3,6 +3,8 @@ package bot import ( "context" "fmt" + + "github.com/raja/argon2pw" ) func (b *Bot) runStop(ctx context.Context) { @@ -63,8 +65,11 @@ func (b *Bot) getOption(ctx context.Context, name string) { "To set it to a new value, send a `%s %s VALUE` command.", name, value, b.prefix, name) if name == roomOptionPassword { - msg = msg + "\n\n---\n\n" + - "**Please, remove that message after reading.**" + msg = fmt.Sprintf("Password hash of this room is `%s`\n"+ + "To set it to a new value, send a `%s %s VALUE` command.\n\n"+ + "---\n\n"+ + "**Please, remove that message after reading.**", + value, b.prefix, name) } b.SendNotice(ctx, evt.RoomID, msg) } 
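Review bot: AllowAuth returns `allow` unchanged after logging the error, so the deny decision depends on what argon2pw.CompareHashWithPassword happens to return alongside a non-nil error rather than on this function; make the failure branch explicit with `return false` after the Warn. The hunk also replaces utils.Compare without any migration step, so a room whose stored password is still the plaintext written before this commit will presumably fail CompareHashWithPassword on every attempt (and emit this warning each time) until the owner re-sets it; a comment such as `// cfg.Password() must hold an argon2pw hash; values stored before the hash switch never match` would make that expectation visible. If the library also returns an error on a plain mismatch, which its API shape suggests but the hunk does not show, the Warn fires on every wrong password and carries the email — useful for auth-failure detection, but worth confirming the level and where that log ends up.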
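Review bot: The roomOptionPassword branch of getOption still echoes the stored value — now the argon2 hash — into the room notice, so anyone who can read the room, its history or a backup of it obtains material for offline guessing, and the only mitigation is the request to delete the message. Since the value can no longer reveal the plaintext for display anyway, consider not printing it at all: replace the hash with a fixed text such as "Password for this room is set (hash not shown)" and keep only the `%s %s VALUE` prefix/name arguments. The generic msg built just above is then discarded for this option, which the hunk already does; getOption starts outside the hunk.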
@@ -91,6 +96,14 @@ func (b *Bot) setOption(ctx context.Context, name, value string) { return } + if name == roomOptionPassword { + value, err = argon2pw.GenerateSaltedHash(value) + if err != nil { + b.Error(ctx, evt.RoomID, "failed to hash password: %v", err) + return + } + } + old := cfg.Get(name) cfg.Set(name, value) diff --git a/go.mod b/go.mod index 143822a..ff8d7a0 100644 --- a/go.mod +++ b/go.mod @@ -5,12 +5,14 @@ go 1.18 require ( git.sr.ht/~xn/cache/v2 v2.0.0 github.com/emersion/go-msgauth v0.6.6 + github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 github.com/emersion/go-smtp v0.15.0 github.com/gabriel-vasile/mimetype v1.4.1 github.com/getsentry/sentry-go v0.13.0 github.com/jhillyerd/enmime v0.10.0 github.com/lib/pq v1.10.6 github.com/mattn/go-sqlite3 v1.14.15 + github.com/raja/argon2pw v1.0.2-0.20210910183755-a391af63bd39 gitlab.com/etke.cc/go/env v1.0.0 gitlab.com/etke.cc/go/logger v1.1.0 gitlab.com/etke.cc/go/mxidwc v1.0.0 @@ -22,7 +24,6 @@ require ( require ( github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect - github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 // indirect github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28 // indirect github.com/google/go-cmp v0.5.8 // indirect github.com/gorilla/mux v1.8.0 // indirect diff --git a/go.sum b/go.sum index 4db88fe..e5efcb0 100644 --- a/go.sum +++ b/go.sum 
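Review bot: The new branch in setOption hashes whatever `value` arrives with no handling for an empty value, so the owner no longer has a way to clear a room password: previously an empty stored password made utils.Compare deny every login, whereas now an empty value is either rejected by GenerateSaltedHash (turning the clear into a "failed to hash password" error) or stored as the hash of the empty string, depending on library behaviour the hunk does not show. Consider `if name == roomOptionPassword && value != "" {` so that an empty value keeps the existing clear-and-deny semantics, with `cfg.Set` below storing it as-is. The hunk assigns to an `err` declared earlier in setOption, which begins outside the hunk; a comment `// persist only the argon2 hash; AllowAuth compares against it` on the branch would explain why the raw value is never stored.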
@@ -61,6 +61,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/raja/argon2pw v1.0.2-0.20210910183755-a391af63bd39 h1:2by0+lF6NfaNWhlpsv1DfBQzwbAyYUPIsMWYapek/Sk= +github.com/raja/argon2pw v1.0.2-0.20210910183755-a391af63bd39/go.mod h1:idX/fPqwjX31YMTF2iIpEpNApV2YbQhSFr4iIhJaqp4= github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= diff --git a/utils/utils.go b/utils/utils.go index a002cd4..93271da 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -1,7 +1,6 @@ package utils import ( - "crypto/subtle" "strconv" "strings" ) @@ -34,24 +33,3 @@ func Bool(str string) bool { func SanitizeBoolString(str string) string { return strconv.FormatBool(Bool(str)) } - -// Compare strings with constant time to prevent timing attacks -func Compare(actual, expected string) bool { - actualb := []byte(actual) - expectedb := []byte(expected) - - if expected == "" { - // Just to keep constant time - _ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1 - return false - } - - // actual comparison - if subtle.ConstantTimeEq(int32(len(actual)), int32(len(expected))) == 1 { - return subtle.ConstantTimeCompare(actualb, expectedb) == 1 - } - - // Just to keep constant time - _ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1 - return false -}