mitigation for timing attacks

This commit is contained in:
Jörn-Michael Miehe 2018-12-16 02:37:00 +01:00
parent e4fe00a91a
commit d0f7de6208

View file

@ -2,6 +2,9 @@
bcrypt = (require 'bcrypt') bcrypt = (require 'bcrypt')
sqlite3 = (require 'sqlite3').verbose() sqlite3 = (require 'sqlite3').verbose()
# bruteforce countermeasure
saltRounds = 13
FFTCGDB = (filename) -> FFTCGDB = (filename) ->
@filename = filename @filename = filename
@ -30,8 +33,6 @@ FFTCGDB::close = ->
FFTCGDB::register = (login, password) -> FFTCGDB::register = (login, password) ->
that = @ that = @
# bruteforce countermeasure
saltRounds = 13
new Promise (resolve, reject) -> new Promise (resolve, reject) ->
# validate username # validate username
@ -49,7 +50,7 @@ FFTCGDB::register = (login, password) ->
else else
# registration successful # registration successful
resolve login resolve @lastID
FFTCGDB::login = (login, password) -> FFTCGDB::login = (login, password) ->
that = @ that = @
@ -63,6 +64,8 @@ FFTCGDB::login = (login, password) ->
reject 'db' reject 'db'
else if rows.length == 0 else if rows.length == 0
# hashing the password for timing attack reasons
bcrypt.hash password, saltRounds, (err, hash) ->
reject 'existence' reject 'existence'
else else