mirror of https://gogs.blitter.com/RLabs/xs
-hkexauth now always tries bcrypt even for nonexistent users (user enum timing attack resist)
This commit is contained in:
parent
140523dabb
commit
350f3f375e
11
hkexauth.go
11
hkexauth.go
|
@ -34,7 +34,14 @@ func AuthUser(username string, auth string, fname string) (valid bool, allowedCm
|
||||||
for {
|
for {
|
||||||
record, err := r.Read()
|
record, err := r.Read()
|
||||||
if err == io.EOF {
|
if err == io.EOF {
|
||||||
break
|
// Use dummy entry if user not found
|
||||||
|
// (prevent user enumeration attack via obvious timing diff;
|
||||||
|
// ie., not attempting any auth at all)
|
||||||
|
record = []string{"$nosuchuser$",
|
||||||
|
"$2a$12$l0coBlRDNEJeQVl6GdEPbU",
|
||||||
|
"$2a$12$l0coBlRDNEJeQVl6GdEPbUC/xmuOANvqgmrMVum6S4i.EXPgnTXy6"}
|
||||||
|
username = "$nosuchuser$"
|
||||||
|
err = nil
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatal(err)
|
log.Fatal(err)
|
||||||
|
@ -42,7 +49,7 @@ func AuthUser(username string, auth string, fname string) (valid bool, allowedCm
|
||||||
|
|
||||||
if username == record[0] {
|
if username == record[0] {
|
||||||
tmp, _ := bcrypt.Hash(auth, record[1])
|
tmp, _ := bcrypt.Hash(auth, record[1])
|
||||||
if tmp == record[2] {
|
if tmp == record[2] && username != "$nosuchuser$" {
|
||||||
valid = true
|
valid = true
|
||||||
}
|
}
|
||||||
break
|
break
|
||||||
|
|
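Review bot: The dummy entry's timing equalization depends on the bcrypt cost embedded in its hard-coded salt (`$2a$12$…`), so it only masks nonexistent users when every real entry in the credential file was also hashed at cost 12; entries stored at a different cost would still let the response time distinguish existing from nonexistent usernames, and nothing in the hunk checks or documents that. A comment on the `record = []string{"$nosuchuser$", …}` assignment such as `// dummy salt/hash are cost 12; real entries must use the same cost or the timing difference returns` would record that invariant. In the second hunk, `tmp == record[2]` is still an ordinary string comparison, so `subtle.ConstantTimeCompare([]byte(tmp), []byte(record[2])) == 1` (from `crypto/subtle`) would keep the hash check itself from short-circuiting on the first mismatching byte; `tmp, _ := bcrypt.Hash(auth, record[1])` also discards the hashing error, which pre-dates this commit. The new `username = "$nosuchuser$"` overwrites the function parameter, so if AuthUser reads `username` after the loop (its body starts before the first hunk and continues past the second), callers or log lines would see the sentinel instead of the name supplied.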