From 3f6ef340af9a14dcaa61eb3b2e3ba731f727b414 Mon Sep 17 00:00:00 2001
From: Marvin Borner
Date: Mon, 28 Jan 2019 17:04:20 +0100
Subject: Added pin hashing to prevent brute forcing 4-digit pin
---
 public/scripts/chat.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'public/scripts')
diff --git a/public/scripts/chat.js b/public/scripts/chat.js
index 088cb72..580c818 100644
--- a/public/scripts/chat.js
+++ b/public/scripts/chat.js
@@ -1,5 +1,6 @@
 // general imports
 const $ = require('jquery');
+const crypto = require('crypto');
 const encryption = require('./encryption');
 const wordList = require('./wordlist');
 const pinInput = require('./input_pin');
@@ -40,8 +41,8 @@ async function evaluateKeyGeneration() {
 pinInput.init(async (pin, tryCount) => {
 try {
 if (await encryption.getId(await encryption.getPublic()) !== peerId) throw "Not verified!";
- passphrase = pin;
- await encryption.decryptPrivate(await encryption.getPrivate(), pin);
+ passphrase = new Buffer(crypto.createHmac('SHA256', pin).update(pin).digest('hex')).toString('base64');
+ await encryption.decryptPrivate(await encryption.getPrivate(), passphrase);
 chat()
 } catch (e) { // decrypting failed
 if (tryCount === 3) {
@@ -62,7 +63,7 @@ async function evaluateKeyGeneration() {
 pinInput.init(pin => {
 console.log('[LOG] No existing keys found! Generating...');
 pinInput.generate();
- passphrase = pin;
+ passphrase = new Buffer(crypto.createHmac('SHA256', pin).update(pin).digest('hex')).toString('base64');
 (async () => await encryption.generate(peerId, passphrase).then(() => chat()))()
 });
 }
-- cgit v1.2.3
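Review bot: The passphrase derivation added in the second hunk (and repeated verbatim in the third) is a single unsalted HMAC-SHA256 keyed with the pin itself, so it costs about as much to compute as using the raw pin did, and the 10,000 possible 4-digit pins stay cheap to enumerate offline for anyone holding the encrypted private key. Re-encoding the hex digest as base64 only changes the representation, and `new Buffer(...)` is deprecated in favour of `Buffer.from(...)`. I would move the derivation into one helper built on a salted, deliberately slow KDF (sketch below, using `peerId` as the salt on the assumption that it is stable per user), and document that even then a 4-digit space only becomes costlier to search, so a longer secret or an attempt limit enforced outside the client is the real control. Keys that were encrypted with the raw pin before this commit presumably no longer decrypt, so a migration path is worth checking; `evaluateKeyGeneration` starts and ends outside both hunks.

```javascript
// Constructed sketch: the iteration count is a placeholder, tune it for the slowest supported client.
const PIN_KDF_ITERATIONS = 200000;

/** Derives the key-encryption passphrase from the pin with a salted, slow KDF. */
function derivePassphrase(pin, salt) {
  return crypto
    .pbkdf2Sync(String(pin), String(salt), PIN_KDF_ITERATIONS, 32, 'sha256')
    .toString('base64');
}

// … unchanged: peer id verification …
passphrase = derivePassphrase(pin, peerId);
await encryption.decryptPrivate(await encryption.getPrivate(), passphrase);
// … unchanged: chat() and retry handling …

// … unchanged: key generation logging and pinInput.generate() …
passphrase = derivePassphrase(pin, peerId);
```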