Passwords: check in constant time
The default password comparison logic does not use constant-time validation. Switching to constant time offers a modest improvement by removing a timing oracle. A preparatory step in moving to Argon2id password storage, since we'll need this change anyway for validating existing passwords. Co-authored-by: Graham Christensen <graham@grahamc.com>
					committed by
					
						 Graham Christensen
						Graham Christensen
					
				
			
			
				
	
			
			
			
						parent
						
							d4d8f1ba1b
						
					
				
				
					commit
					29620df85e
				
			| @@ -195,6 +195,9 @@ __PACKAGE__->many_to_many("projects", "projectmembers", "project"); | ||||
| # Created by DBIx::Class::Schema::Loader v0.07049 @ 2020-02-06 12:22:36 | ||||
| # DO NOT MODIFY THIS OR ANYTHING ABOVE! md5sum:4/WZ95asbnGmK+nEHb4sLQ | ||||
|  | ||||
| use Digest::SHA1 qw(sha1_hex); | ||||
| use String::Compare::ConstantTime; | ||||
|  | ||||
| my %hint = ( | ||||
|     columns => [ | ||||
|         "fullname", | ||||
| @@ -210,4 +213,10 @@ sub json_hint { | ||||
|     return \%hint; | ||||
| } | ||||
|  | ||||
| sub check_password { | ||||
|     my ($self, $password) = @_; | ||||
|  | ||||
|     return String::Compare::ConstantTime::equals($self->password, sha1_hex($password)); | ||||
| } | ||||
|  | ||||
| 1; | ||||
|   | ||||
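Review bot: `check_password` passes `$self->password` straight into `String::Compare::ConstantTime::equals`, so if that column can be NULL (for example, accounts that only authenticate through an external provider) the compare receives undef; a guard such as `return 0 unless defined $self->password;` ahead of the compare would make that path explicit — worth confirming against the schema. The constant-time compare equalises only differences in content, not in length, which is fine here because both operands are expected to be 40-character `sha1_hex` output, and a comment saying so (`# Both sides are 40-char SHA1 hex digests, so the compare reveals only match/mismatch, not length.`) would stop a future change from feeding it variable-length values when the Argon2id format lands. Separately, the `use Digest::SHA1` added in the first hunk pulls in a non-core distribution while core `Digest::SHA` exports the same `sha1_hex`; `use Digest::SHA qw(sha1_hex);` drops a dependency with no behaviour change.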