This repository has been archived by the owner on Oct 2, 2024. It is now read-only.

Commit

DONT MERGE! Use the Argon2 KDF for derivation of the password hash.
TODO: Evaluate ideal options and length.
danielrutz committed Feb 3, 2018
1 parent 3d7e59c commit 6d2931b
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions app/Util.hs
Expand Up @@ -9,9 +9,9 @@ module Util where
import Control.Arrow
import Control.Monad.IO.Class
import Control.Monad.Logger (LoggingT, runStdoutLoggingT)
import qualified Crypto.Hash as Hash
import qualified Crypto.KDF.Argon2 as Ar2
import Crypto.Error (throwCryptoError)
import Data.Aeson hiding (json)
import qualified Data.ByteArray as BA
import qualified Data.ByteString as BS
import qualified Data.ByteString.Base16 as B16
import qualified Data.Text as T
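
Review bot: The new `import Crypto.Error (throwCryptoError)` brings in only the throwing accessor, so every KDF failure in this module becomes a runtime exception. If failures are meant to be handled gracefully, import `eitherCryptoError` or `CryptoFailable(..)` instead so callers must deal with the failure case explicitly. Also check that the `Crypto.Hash` and `Data.ByteArray` imports are gone once `hashPassword` no longer references `Hash.` or `BA.`, so no unused imports remain in this block.
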
Expand Down Expand Up @@ -43,7 +43,7 @@ decodeHex = fst . B16.decode . E.encodeUtf8

hashPassword :: T.Text -> BS.ByteString -> T.Text
hashPassword password salt =
makeHex $ BA.convert . Hash.hashFinalize $ Hash.hashUpdates (Hash.hashInitWith Hash.SHA512) [salt, E.encodeUtf8 password]
makeHex . throwCryptoError $ Ar2.hash Ar2.defaultOptions (E.encodeUtf8 password) salt 1024


JohnAZoidberg Feb 3, 2018

Contributor

It looks like the error can only occur if either the salt is too small or the output_length is too big/small.
See here.

Therefore if the code is properly written no error should ever be thrown. Am I correct?
I recommend that we add a comment that explains this.
If the error can be thrown under any circumstances we should handle it gracefully.


danielrutz Feb 3, 2018

Author Contributor

I agree. I added a comment to clarify that.


runSQL
:: (HasSpock m, SpockConn m ~ SqlBackend)
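
Review bot: The Argon2 call in `hashPassword` hard-codes its cost and output settings as `Ar2.defaultOptions` and a bare `1024`, with nothing recording which parameters produced a stored hash. Pin the options explicitly (iterations, memory, parallelism, variant) in a named value and give the output length a named constant, so that a library upgrade or later tuning cannot silently invalidate existing hashes; the commit's own TODO already flags both as undecided. Note that `makeHex` doubles the stored size of whatever length is chosen. Because the function keeps the signature `T.Text -> BS.ByteString -> T.Text`, hashes written by the previous SHA512 line will no longer match, so the change needs a migration path or a scheme marker stored with each hash. Finally, `throwCryptoError` is applied to a `salt` whose length is not checked here; either validate it in this function or return the failure to the caller.
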

0 comments on commit 6d2931b
