mitigation for timing attacks

This commit is contained in:
Jörn-Michael Miehe 2018-12-16 02:37:00 +01:00
parent e4fe00a91a
commit d0f7de6208

View file

@ -2,6 +2,9 @@
bcrypt = (require 'bcrypt')
sqlite3 = (require 'sqlite3').verbose()
# bruteforce countermeasure
saltRounds = 13
FFTCGDB = (filename) ->
@filename = filename
@ -30,8 +33,6 @@ FFTCGDB::close = ->
FFTCGDB::register = (login, password) ->
that = @
# bruteforce countermeasure
saltRounds = 13
new Promise (resolve, reject) ->
# validate username
@ -49,7 +50,7 @@ FFTCGDB::register = (login, password) ->
else
# registration successful
resolve login
resolve @lastID
FFTCGDB::login = (login, password) ->
that = @
@ -63,6 +64,8 @@ FFTCGDB::login = (login, password) ->
reject 'db'
else if rows.length == 0
# hashing the password for timing attack reasons
bcrypt.hash password, saltRounds, (err, hash) ->
reject 'existence'
else