0

I'm making simple perl script for sign up/login with Argon2 for encryption. (The credentials are taken from HTML Forms). The creation of users works fine , username and hashed password are stored in the database. The problem comes with the extraction/authentication. I'm not sure I'm using the verification properly.

#!/usr/bin/perl
use strict;
use warnings;
use Crypt::Argon2 qw/argon2id_pass argon2id_verify/;
use CGI::Simple;
use DBI;
sub get_data{
    my ( $user) = @_;
    my $statement = "SELECT USER_HASH FROM LOGIN_DATA WHERE USER_NAME = ?";
    my $driver = "mysql";
    my $database = "USERS";
    my $dsn = "DBI:$driver:database=$database";
    my $dataUsr = "user";
    my $dataPass = "user123";
    my $dbcon = DBI->connect($dsn,$dataUsr,$dataPass) or die  $!;
    my $preState = $dbcon->prepare($statement);
    $preState->execute($user);
    my @row ;
    my $hash_pass;
    while(@row=$preState->fetchrow_array()){
        $hash_pass = $row[0];
    }
    return $hash_pass;
}
sub check_pass{
    my ($user , $pass) = @_;
    my $encoded = get_data($user);
    return argon2id_verify($encoded , $pass);
}  
my $cgi = CGI::Simple->new;
my $username = $cgi->param("username");
my $password = $cgi->param ("password");
check_pass($username , $password)

This are the erors when i try to run in in the terminal Use of uninitialized value in subroutine entry at checkUser.cgi line 30. Could not verify argon2id tag: Decoding failed at checkUser.cgi line 30.

HoldOffHunger
  • 18,769
  • 10
  • 104
  • 133
Angel
  • 103
  • 4
  • 1
    `$my $password = cgi->param ("password");` typing errors? compare it with the other line with username.. i voted closed this question because it looks like a simple typographical error – Raymond Nijland Sep 29 '18 at 11:24
  • The is no error in the original code i just retyped the last 5 lines to format them . The error for typo would be different than the given – Angel Sep 29 '18 at 11:34
  • Have you checked that you actually get a result in `@row` ? The error that gets raised suggests that either `$encoded` or `$pass` are undefined. – Corion Sep 29 '18 at 11:44
  • Yes i`m getting the hashed password – Angel Sep 29 '18 at 11:48

1 Answers1

2

Removing all the CGI, all the database connectivity and replacing the input with dummy values shows the same error message, so my guess is that you are not getting a result from the database:

#!/usr/bin/perl
use strict;
use warnings;
use Crypt::Argon2 qw/argon2id_pass argon2id_verify/;
sub check_pass{
    my ($user , $pass) = @_;
    return argon2id_verify(undef, $pass);
}  
check_pass("mytest", "some-test-password-2018")

__END__
Use of uninitialized value in subroutine entry at tmp.pl line 7.
Could not verify argon2id tag: Decoding failed at tmp.pl line 7.

So the best step would be for you to isolate the problem by verifying that you actually get a result from the database.

Corion
  • 3,855
  • 1
  • 17
  • 27