-hkexauth now always tries bcrypt even for nonexistent users (user enum timing attack resist)

This commit is contained in:
Russ Magee 2018-09-11 22:36:20 -07:00
parent 140523dabb
commit 350f3f375e
1 changed files with 9 additions and 2 deletions

View File

@ -34,7 +34,14 @@ func AuthUser(username string, auth string, fname string) (valid bool, allowedCm
for {
record, err := r.Read()
if err == io.EOF {
break
// Use dummy entry if user not found
// (prevent user enumeration attack via obvious timing diff;
// ie., not attempting any auth at all)
record = []string{"$nosuchuser$",
"$2a$12$l0coBlRDNEJeQVl6GdEPbU",
"$2a$12$l0coBlRDNEJeQVl6GdEPbUC/xmuOANvqgmrMVum6S4i.EXPgnTXy6"}
username = "$nosuchuser$"
err = nil
}
if err != nil {
log.Fatal(err)
@ -42,7 +49,7 @@ func AuthUser(username string, auth string, fname string) (valid bool, allowedCm
if username == record[0] {
tmp, _ := bcrypt.Hash(auth, record[1])
if tmp == record[2] {
if tmp == record[2] && username != "$nosuchuser$" {
valid = true
}
break