From e1b5980f27ef60f0e655930d810138b6e2cd2752 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Sat, 15 Feb 2020 10:29:46 +0100
Subject: [PATCH] Use Argon2 hash function
---
 go.mod | 1 +
 go.sum | 7 +++++++
 guichet.hcl.example | 2 +-
 invite.go | 6 +++---
 templates/invite_send_code.html | 7 ++-----
 5 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index f0d83c8..4930fb2 100644
--- a/go.mod
+++ b/go.mod
@@ -10,4 +10,5 @@ require (
 github.com/gorilla/mux v1.7.3
 github.com/gorilla/sessions v1.2.0
 github.com/sirupsen/logrus v1.4.2
+ golang.org/x/crypto v0.0.0-20200214034016-1d94cc7ab1c6
 )
diff --git a/go.sum b/go.sum
index b2312a3..49da79d 100644
--- a/go.sum
+++ b/go.sum
@@ -23,5 +23,12 @@ github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20200214034016-1d94cc7ab1c6 h1:Sy5bstxEqwwbYs6n0/pBuxKENqOeZUgD45Gp3Q3pqLg= +golang.org/x/crypto v0.0.0-20200214034016-1d94cc7ab1c6/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/guichet.hcl.example b/guichet.hcl.example
index 358421a..b2f2c0b 100644
--- a/guichet.hcl.example
+++ b/guichet.hcl.example
@@ -12,7 +12,7 @@ job "guichet" {
 task "server" {
 driver = "docker"
 config {
- image = "lxpz/guichet_amd64:9"
+ image = "lxpz/guichet_amd64:10"
 readonly_rootfs = true
 port_map {
 web_port = 9991
diff --git a/invite.go b/invite.go
index 83e35a3..2ec6243 100644
--- a/invite.go
+++ b/invite.go
@@ -3,7 +3,6 @@ package main
 import (
 "bytes"
 "crypto/rand"
- "crypto/sha256"
 "encoding/binary"
 "encoding/hex"
 "fmt"
@@ -17,6 +16,7 @@ import (
 "github.com/emersion/go-smtp"
 "github.com/go-ldap/ldap/v3"
 "github.com/gorilla/mux"
+ "golang.org/x/crypto/argon2"
 )
 var EMAIL_REGEXP = regexp.MustCompile("^[a-zA-Z0-9.!#$%&'*+\\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$")
@@ -332,8 +332,8 @@ func readCode(code string) (code_id string, code_pw string) {
 }
 }
- id_hash := sha256.Sum256([]byte("Guichet ID " + code_digits))
- pw_hash := sha256.Sum256([]byte("Guichet PW " + code_digits))
+ id_hash := argon2.IDKey([]byte(code_digits), []byte("Guichet ID"), 2, 64*1024, 4, 32)
+ pw_hash := argon2.IDKey([]byte(code_digits), []byte("Guichet PW"), 2, 64*1024, 4, 32)
 code_id = hex.EncodeToString(id_hash[:8])
 code_pw = hex.EncodeToString(pw_hash[:16])
diff --git a/templates/invite_send_code.html b/templates/invite_send_code.html
index 6894142..5c823d8 100644
--- a/templates/invite_send_code.html
+++ b/templates/invite_send_code.html
@@ -17,12 +17,9 @@ Un code d'invitation a bien été envoyé à {{ .CodeSentTo }}. {{end}} {{if .CodeDisplay}} - Le code généré est le suivant: + Lien d'invitation : -
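Review bot: In the `readCode` hunk of invite.go, both `argon2.IDKey` calls use a constant salt (`"Guichet ID"` / `"Guichet PW"`), so the derivation stays deterministic and the work factor only slows guessing. How hard the values are to recover still depends on the entropy of `code_digits`, which is produced outside this hunk. Every call now runs two 64 MiB Argon2id computations, so if `readCode` is reachable from an unauthenticated handler (its callers are not visible here) that path should sit behind rate limiting or a concurrency bound. Deriving once and slicing would halve the cost and drop the duplicated magic parameters: `key := argon2.IDKey([]byte(code_digits), []byte("Guichet"), 2, 64*1024, 4, 32)`, then `code_id` from `key[:8]` and `code_pw` from `key[8:24]`. Identifiers and passwords stored under the old SHA-256 derivation will presumably stop matching, so outstanding invitations likely need to be reissued or handled by a transition path.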

- {{ .CodeDisplay }} -

-

+

{{.WebBaseAddress}}/invitation/{{.CodeDisplay}}

{{end}}