MCPcopy Index your code
hub / github.com/coder/coder / Compare

Function Compare

coderd/userpassword/userpassword.go:75–110  ·  view source on GitHub ↗

Compare checks the equality of passwords from a hashed pbkdf2 string. This uses pbkdf2 to ensure FIPS 140-2 compliance. See: https://csrc.nist.gov/csrc/media/templates/cryptographic-module-validation-program/documents/security-policies/140sp2261.pdf

(hashed string, password string)

Source from the content-addressed store, hash-verified

73// uses pbkdf2 to ensure FIPS 140-2 compliance. See:
74// https://csrc.nist.gov/csrc/media/templates/cryptographic-module-validation-program/documents/security-policies/140sp2261.pdf
75func Compare(hashed string, password string) (bool, error) {
76 // If the hashed password provided is empty, simulate comparing a real hash
77 // to preserve timing. The simulated hash is derived from a random value, so
78 // the comparison below can never succeed.
79 if hashed == "" {
80 hashed = simulatedHash.Load()
81 }
82
83 if len(hashed) < hashLength {
84 return false, xerrors.Errorf("hash too short: %d", len(hashed))
85 }
86 parts := strings.SplitN(hashed, "$", 5)
87 if len(parts) != 5 {
88 return false, xerrors.Errorf("hash has too many parts: %d", len(parts))
89 }
90 if len(parts[0]) != 0 {
91 return false, xerrors.Errorf("hash prefix is invalid")
92 }
93 if parts[1] != hashScheme {
94 return false, xerrors.Errorf("hash isn't %q scheme: %q", hashScheme, parts[1])
95 }
96 iter, err := strconv.Atoi(parts[2])
97 if err != nil {
98 return false, xerrors.Errorf("parse iter from hash: %w", err)
99 }
100 salt, err := base64Encoding.DecodeString(parts[3])
101 if err != nil {
102 return false, xerrors.Errorf("decode salt: %w", err)
103 }
104
105 if subtle.ConstantTimeCompare([]byte(hashWithSaltAndIter(password, salt, iter)), []byte(hashed)) != 1 {
106 return false, nil
107 }
108
109 return true, nil
110}
111
112// Hash generates a hash using pbkdf2.
113// See the Compare() comment for rationale.

Callers 5

putUserPasswordMethod · 0.92
loginRequestMethod · 0.92
TestUserPasswordCompareFunction · 0.92

Calls 4

hashWithSaltAndIterFunction · 0.85
DecodeStringMethod · 0.80
LoadMethod · 0.45
ErrorfMethod · 0.45

Tested by 2

TestUserPasswordCompareFunction · 0.74