
Paddy 2014-12-14 Parent:267483f168b5 Child:bc77a315f823

103:0b45e6b9cb94 Browse Files

Store salts and passphrases as hex-encoded strings. Update our passphraseScheme.create function signature to return strings. Hex encode our passphrases and salts when encrypting them so they're easier to store safely. Decode our salt before using it to check candidate passphrases.

oauth2_test.go session.go

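--- a/oauth2_test.go
+++ b/oauth2_test.go
@@ -690,9 +690,9 @@
 	profile := Profile{
 		ID:                     uuid.NewID(),
 		Name:                   "Test User",
-		Passphrase:             "55d87acb9adff90a0d8e4c9b77f239c2d6e3a1945dbd09b0270467411198db25",
-		Iterations:             4096,
-		Salt:                   "this is a super secure random salt",
+		Passphrase:             "febcbe74b9555ab3dd0135bdc3aa86d2ee5c38dd7fd44f7b6e2ea908e93b1362",
+		Iterations:             1048576,
+		Salt:                   "c0feab6ae682e7f7d14343b669b8afaa3b17ed72e9bb18a73f002be4c6b21686",
 		PassphraseScheme:       1,
 		Compromised:            false,
 		LockedUntil:            time.Time{},
@@ -716,7 +716,7 @@
 	if err != nil {
 		t.Error("Error adding login:", err)
 	}
-	response, err := authenticate("test@example.com", "a really secure password", context)
+	response, err := authenticate("test@example.com", "mysecurepassphrase", context)
 	if err != nil {
 		t.Error("Unexpected error:", err)
 	}
@@ -724,7 +724,7 @@
 	if !success {
 		t.Errorf(`Expected field %s to be "%v", got "%v"`, field, expectation, result)
 	}
-	response, err = authenticate("test2@example.com", "a really secure password", context)
+	response, err = authenticate("test2@example.com", "mysecurepassphrase", context)
 	if err != ErrIncorrectAuth {
 		t.Error("Expected ErrIncorrectAuth, got", err)
 	}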
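Review bot: The fixture in the first hunk pairs hand-pasted hex digests with `Iterations: 1048576`, so if pass.Check honours profile.Iterations each of the two `authenticate` calls in this test runs PBKDF2-SHA256 for 2^20 rounds, which is slow for a unit test and will get slower as the real iteration count grows. It also means the test never goes through pbkdf2sha256create, so the hex encode/decode round trip the commit introduces is not actually covered. Consider keeping a small fixture count such as the previous 4096 with a digest regenerated for it, or deriving Passphrase and Salt in the test via the scheme's create function and asserting on the decoded result. The enclosing test function starts before the first hunk and continues past the last one.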
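--- a/session.go
+++ b/session.go
@@ -40,7 +40,7 @@
 
 type passphraseScheme struct {
 	check               func(profile Profile, passphrase string) (bool, error)
-	create              func(passphrase string, iterations int) (result, salt []byte, err error)
+	create              func(passphrase string, iterations int) (result, salt string, err error)
 	calculateIterations func() (int, error)
 }
 
@@ -169,15 +169,25 @@
 	if err != nil {
 		return false, err
 	}
-	candidate := pass.Check(sha256.New, profile.Iterations, []byte(passphrase), []byte(profile.Salt))
+	realSalt, err := hex.DecodeString(profile.Salt)
+	if err != nil {
+		return false, err
+	}
+	candidate := pass.Check(sha256.New, profile.Iterations, []byte(passphrase), []byte(realSalt))
 	if !pass.Compare(candidate, realPass) {
 		return false, ErrIncorrectAuth
 	}
 	return true, nil
 }
 
-func pbkdf2sha256create(passphrase string, iters int) (result, salt []byte, err error) {
-	return pass.Create(sha256.New, iters, []byte(passphrase))
+func pbkdf2sha256create(passphrase string, iters int) (result, salt string, err error) {
+	passBytes, saltBytes, err := pass.Create(sha256.New, iters, []byte(passphrase))
+	if err != nil {
+		return "", "", err
+	}
+	result = hex.EncodeToString(passBytes)
+	salt = hex.EncodeToString(saltBytes)
+	return result, salt, err
 }
 
 func pbkdf2sha256calc() (int, error) {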
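Review bot: In the second hunk `realSalt` is already the `[]byte` returned by `hex.DecodeString`, so the `[]byte(realSalt)` conversion on the pass.Check call is redundant; `candidate := pass.Check(sha256.New, profile.Iterations, []byte(passphrase), realSalt)` is the intended line. The decode failure path just above it returns the raw hex error, which signals a corrupt stored record rather than a bad credential, so a comment on that branch such as `// profile.Salt is stored hex-encoded by pbkdf2sha256create; a decode failure means the record is corrupt, not that the credential is wrong.` would keep a future reader from folding it into ErrIncorrectAuth. In pbkdf2sha256create the closing `return result, salt, err` returns an err that is known to be nil after the guard, so `return result, salt, nil` reads more honestly. The check function enclosing the first part of this hunk starts outside it.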