mirror of
https://gogs.blitter.com/RLabs/xs
synced 2024-08-14 10:26:42 +00:00
-hkexauth now always tries bcrypt even for nonexistent users (user enum timing attack resist)
This commit is contained in:
parent
140523dabb
commit
350f3f375e
1 changed files with 9 additions and 2 deletions
11
hkexauth.go
11
hkexauth.go
|
@ -34,7 +34,14 @@ func AuthUser(username string, auth string, fname string) (valid bool, allowedCm
|
|||
for {
|
||||
record, err := r.Read()
|
||||
if err == io.EOF {
|
||||
break
|
||||
// Use dummy entry if user not found
|
||||
// (prevent user enumeration attack via obvious timing diff;
|
||||
// ie., not attempting any auth at all)
|
||||
record = []string{"$nosuchuser$",
|
||||
"$2a$12$l0coBlRDNEJeQVl6GdEPbU",
|
||||
"$2a$12$l0coBlRDNEJeQVl6GdEPbUC/xmuOANvqgmrMVum6S4i.EXPgnTXy6"}
|
||||
username = "$nosuchuser$"
|
||||
err = nil
|
||||
}
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
|
@ -42,7 +49,7 @@ func AuthUser(username string, auth string, fname string) (valid bool, allowedCm
|
|||
|
||||
if username == record[0] {
|
||||
tmp, _ := bcrypt.Hash(auth, record[1])
|
||||
if tmp == record[2] {
|
||||
if tmp == record[2] && username != "$nosuchuser$" {
|
||||
valid = true
|
||||
}
|
||||
break
|
||||
|
|
Loading…
Reference in a new issue