switch to password hashes
This commit is contained in:
Aine
@@ -5,6 +5,7 @@ import (
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
"github.com/raja/argon2pw"
|
||||
"gitlab.com/etke.cc/go/mxidwc"
|
||||
"maunium.net/go/mautrix/id"
|
||||
|
||||
@@ -85,5 +86,9 @@ func (b *Bot) AllowAuth(email, password string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
return utils.Compare(password, cfg.Password())
|
||||
allow, err := argon2pw.CompareHashWithPassword(cfg.Password(), password)
|
||||
if err != nil {
|
||||
b.log.Warn("Password for %s is not valid: %v", email, err)
|
||||
}
|
||||
return allow
|
||||
}
|
||||
|
||||
@@ -3,6 +3,8 @@ package bot
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/raja/argon2pw"
|
||||
)
|
||||
|
||||
func (b *Bot) runStop(ctx context.Context) {
|
||||
@@ -63,8 +65,11 @@ func (b *Bot) getOption(ctx context.Context, name string) {
|
||||
"To set it to a new value, send a `%s %s VALUE` command.",
|
||||
name, value, b.prefix, name)
|
||||
if name == roomOptionPassword {
|
||||
msg = msg + "\n\n---\n\n" +
|
||||
"**Please, remove that message after reading.**"
|
||||
msg = fmt.Sprintf("Password hash of this room is `%s`\n"+
|
||||
"To set it to a new value, send a `%s %s VALUE` command.\n\n"+
|
||||
"---\n\n"+
|
||||
"**Please, remove that message after reading.**",
|
||||
value, b.prefix, name)
|
||||
}
|
||||
b.SendNotice(ctx, evt.RoomID, msg)
|
||||
}
|
||||
@@ -91,6 +96,14 @@ func (b *Bot) setOption(ctx context.Context, name, value string) {
|
||||
return
|
||||
}
|
||||
|
||||
if name == roomOptionPassword {
|
||||
value, err = argon2pw.GenerateSaltedHash(value)
|
||||
if err != nil {
|
||||
b.Error(ctx, evt.RoomID, "failed to hash password: %v", err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
old := cfg.Get(name)
|
||||
cfg.Set(name, value)
|
||||
|
||||
|
||||
3
go.mod
3
go.mod
@@ -5,12 +5,14 @@ go 1.18
|
||||
require (
|
||||
git.sr.ht/~xn/cache/v2 v2.0.0
|
||||
github.com/emersion/go-msgauth v0.6.6
|
||||
github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
|
||||
github.com/emersion/go-smtp v0.15.0
|
||||
github.com/gabriel-vasile/mimetype v1.4.1
|
||||
github.com/getsentry/sentry-go v0.13.0
|
||||
github.com/jhillyerd/enmime v0.10.0
|
||||
github.com/lib/pq v1.10.6
|
||||
github.com/mattn/go-sqlite3 v1.14.15
|
||||
github.com/raja/argon2pw v1.0.2-0.20210910183755-a391af63bd39
|
||||
gitlab.com/etke.cc/go/env v1.0.0
|
||||
gitlab.com/etke.cc/go/logger v1.1.0
|
||||
gitlab.com/etke.cc/go/mxidwc v1.0.0
|
||||
@@ -22,7 +24,6 @@ require (
|
||||
|
||||
require (
|
||||
github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
|
||||
github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 // indirect
|
||||
github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28 // indirect
|
||||
github.com/google/go-cmp v0.5.8 // indirect
|
||||
github.com/gorilla/mux v1.8.0 // indirect
|
||||
|
||||
2
go.sum
2
go.sum
@@ -61,6 +61,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
|
||||
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/raja/argon2pw v1.0.2-0.20210910183755-a391af63bd39 h1:2by0+lF6NfaNWhlpsv1DfBQzwbAyYUPIsMWYapek/Sk=
|
||||
github.com/raja/argon2pw v1.0.2-0.20210910183755-a391af63bd39/go.mod h1:idX/fPqwjX31YMTF2iIpEpNApV2YbQhSFr4iIhJaqp4=
|
||||
github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
|
||||
github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
|
||||
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
package utils
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"strconv"
|
||||
"strings"
|
||||
)
|
||||
@@ -34,24 +33,3 @@ func Bool(str string) bool {
|
||||
func SanitizeBoolString(str string) string {
|
||||
return strconv.FormatBool(Bool(str))
|
||||
}
|
||||
|
||||
// Compare strings with constant time to prevent timing attacks
|
||||
func Compare(actual, expected string) bool {
|
||||
actualb := []byte(actual)
|
||||
expectedb := []byte(expected)
|
||||
|
||||
if expected == "" {
|
||||
// Just to keep constant time
|
||||
_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
|
||||
return false
|
||||
}
|
||||
|
||||
// actual comparison
|
||||
if subtle.ConstantTimeEq(int32(len(actual)), int32(len(expected))) == 1 {
|
||||
return subtle.ConstantTimeCompare(actualb, expectedb) == 1
|
||||
}
|
||||
|
||||
// Just to keep constant time
|
||||
_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
|
||||
return false
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user