mitigation for timing attacks
This commit is contained in:
parent
e4fe00a91a
commit
d0f7de6208
1 changed files with 7 additions and 4 deletions
|
|
@ -2,6 +2,9 @@
|
||||||
bcrypt = (require 'bcrypt')
|
bcrypt = (require 'bcrypt')
|
||||||
sqlite3 = (require 'sqlite3').verbose()
|
sqlite3 = (require 'sqlite3').verbose()
|
||||||
|
|
||||||
|
# bruteforce countermeasure
|
||||||
|
saltRounds = 13
|
||||||
|
|
||||||
FFTCGDB = (filename) ->
|
FFTCGDB = (filename) ->
|
||||||
@filename = filename
|
@filename = filename
|
||||||
|
|
||||||
|
|
@ -30,8 +33,6 @@ FFTCGDB::close = ->
|
||||||
|
|
||||||
FFTCGDB::register = (login, password) ->
|
FFTCGDB::register = (login, password) ->
|
||||||
that = @
|
that = @
|
||||||
# bruteforce countermeasure
|
|
||||||
saltRounds = 13
|
|
||||||
|
|
||||||
new Promise (resolve, reject) ->
|
new Promise (resolve, reject) ->
|
||||||
# validate username
|
# validate username
|
||||||
|
|
@ -49,7 +50,7 @@ FFTCGDB::register = (login, password) ->
|
||||||
|
|
||||||
else
|
else
|
||||||
# registration successful
|
# registration successful
|
||||||
resolve login
|
resolve @lastID
|
||||||
|
|
||||||
FFTCGDB::login = (login, password) ->
|
FFTCGDB::login = (login, password) ->
|
||||||
that = @
|
that = @
|
||||||
|
|
@ -63,7 +64,9 @@ FFTCGDB::login = (login, password) ->
|
||||||
reject 'db'
|
reject 'db'
|
||||||
|
|
||||||
else if rows.length == 0
|
else if rows.length == 0
|
||||||
reject 'existence'
|
# hashing the password for timing attack reasons
|
||||||
|
bcrypt.hash password, saltRounds, (err, hash) ->
|
||||||
|
reject 'existence'
|
||||||
|
|
||||||
else
|
else
|
||||||
row = rows[0]
|
row = rows[0]
|
||||||
|
|
|
||||||
Reference in a new issue