From a3368d0228abdc511022e234613d06e7a208a822 Mon Sep 17 00:00:00 2001
From: Philippe PITTOLI
Date: Thu, 2 May 2024 01:16:01 +0200
Subject: [PATCH] Use libsodium. Cryptographic configuration is WIP.
---
 shard.yml | 3 +++
 src/requests/login.cr | 9 ++++++++-
 src/service.cr | 12 +++++++++++-
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/shard.yml b/shard.yml
index 526ddee..e1b8ada 100644
--- a/shard.yml
+++ b/shard.yml
@@ -16,6 +16,9 @@ targets:
 crystal: 1.7.1
 dependencies:
+ sodium:
+ branch: master
+ github: didactic-drunk/sodium.cr
 grok:
 github: spinscale/grok.cr
 passwd:
diff --git a/src/requests/login.cr b/src/requests/login.cr
index e068286..a95c1c6 100644
--- a/src/requests/login.cr
+++ b/src/requests/login.cr
@@ -1,3 +1,5 @@
+require "sodium"
+
 class AuthD::Request
 def self.perform_login(authd : AuthD::Service, fd : Int32, user : AuthD::User)
 user.date_last_connection = Time.local
@@ -38,7 +40,12 @@ class AuthD::Request
 return Response::ErrorInvalidCredentials.new
 end
- if user.password_hash != authd.hash_password @password
+ pwhash = Sodium::Password::Hash.new
+ hash = Base64.decode user.password_hash
+
+ begin
+ pwhash.verify hash, @password
+ rescue
 return Response::ErrorInvalidCredentials.new
 end
diff --git a/src/service.cr b/src/service.cr
index 31c2fdb..8a67d39 100644
--- a/src/service.cr
+++ b/src/service.cr
@@ -1,4 +1,5 @@
 require "./authd.cr"
+require "sodium"
 extend AuthD
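Review bot: The new `sodium` entry in shard.yml follows `branch: master`, so the library that now verifies every password is whatever the upstream branch holds at install time. For a cryptographic dependency I would pin a reviewed revision instead, for example `commit: <reviewed-commit-sha>` or a release `version:` constraint, and move it forward deliberately. A committed `shard.lock` would narrow the window, but whether the project keeps one is not visible in this patch.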
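Review bot: In the second login.cr hunk, `hash = Base64.decode user.password_hash` runs before the `begin`, so a stored value that is not valid Base64 raises outside the rescue instead of returning `ErrorInvalidCredentials`. Moving the decode inside the block closes that: `begin` / `hash = Base64.decode user.password_hash` / `pwhash.verify hash, @password`. Records written before this commit hold a SHA-256 hex digest, which will either fail to decode or decode to bytes that never verify. Those accounts lose access unless a fallback to `obsolete_hash_password` with a re-hash on success is added, and no such path appears in the visible hunks. The bare `rescue` also turns every exception, not only a verification failure, into "invalid credentials"; rescuing the library's specific verify error would keep operational faults visible. perform_login's body continues outside the hunk.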
@@ -59,12 +60,21 @@ class AuthD::Service < IPC
 self.service_init "auth"
 end
- def hash_password(password : String) : String
+ def obsolete_hash_password(password : String) : String
 digest = OpenSSL::Digest.new "sha256"
 digest << password
 digest.hexfinal
 end
+ def hash_password(password : String) : String
+ pwhash = Sodium::Password::Hash.new
+
+ hash = pwhash.create password
+ pwhash.verify hash, password
+
+ Base64.strict_encode hash
+ end
+
 # new_uid reads the last given UID and returns it incremented.
 # Splitting the retrieval and record of new user ids allows to
 # only increment when an user fully registers, thus avoiding a
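Review bot: The `pwhash.verify hash, password` line in the new `hash_password` re-runs the deliberately expensive password hash on a value `create` has just produced, so each call pays the cost twice without checking anything the caller supplied; it can be removed. `obsolete_hash_password` is kept without a comment although it is an unsalted, single-pass SHA-256. If it exists only to recognise old records, I would say so above it: `# Legacy unsalted SHA-256 digest; kept only to match pre-libsodium records, never for new hashes.` `Sodium::Password::Hash.new` is used with the library defaults, which the commit subject marks as WIP. A short comment on `hash_password` noting that the cost parameters are still to be chosen would keep that from being forgotten.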