feat: use bcrypt to resist timing attack

Signed-off-by: QuentinN42 <[email protected]>
Escape-Technologies · Aug 16, 2023 · b34d1b2 · b34d1b2
1 parent 353e151
commit b34d1b2
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/go.mod b/go.mod
@@ -5,4 +5,5 @@ go 1.21
 require (
 	github.com/elazarl/goproxy v0.0.0-20190711103511-473e67f1d7d2
 	github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2
+	golang.org/x/crypto v0.12.0
 )
diff --git a/go.sum b/go.sum
@@ -3,3 +3,5 @@ github.com/elazarl/goproxy v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:/Zj4wYkg
 github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2 h1:dWB6v3RcOy03t/bUadywsbyrQwCqZeNIEX6M1OtSZOM=
 github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
 github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
diff --git a/main.go b/main.go
@@ -7,18 +7,39 @@ import (
 
 	"github.com/elazarl/goproxy"
 	"github.com/elazarl/goproxy/ext/auth"
+	"golang.org/x/crypto/bcrypt"
 )
 
 func main() {
-	start("0.0.0.0", "8080", "user", "test")
+	username := "admin"
+	password := "admin"
+
+	start("0.0.0.0", "8080", hash(fmt.Sprintf("%s:%s", username, password)))
+}
+
+func hash(data string) []byte {
+	bytes := []byte(data)
+	hash, err := bcrypt.GenerateFromPassword(bytes, bcrypt.DefaultCost)
+	if err != nil {
+		panic(err)
+	}
+	return hash
+}
+
+func compare(hash []byte, data string) bool {
+	err := bcrypt.CompareHashAndPassword(hash, []byte(data))
+	if err != nil {
+		return false
+	}
+	return true
 }
 
-func start(addr string, port string, user string, password string) {
+func start(addr string, port string, expected_hash []byte) {
 	total := fmt.Sprintf("%s:%s", addr, port)
 	proxy := goproxy.NewProxyHttpServer()
 
-	auth.ProxyBasic(proxy, "realm", func(user, pwd string) bool {
-		return user == "user" && password == pwd
+	auth.ProxyBasic(proxy, "realm", func(user, pass string) bool {
+		return compare(expected_hash, fmt.Sprintf("%s:%s", user, pass))
 	})
 
 	log.Printf("Listening on %s", total)