+let add_user_no_checkout uid pw cp =
+ try
+ let _ = lookup_user uid in
+ raise (UsernameCollision uid)
+ with Not_found ->
+ (* use a 8 byte salt *)
+ let salt = Cryptokit.Random.string Cryptokit.Random.secure_rng 8 in
+ let sha256 = Cryptokit.Hash.sha256 () in
+ sha256#add_string (salt ^ pw);
+ let crypto_pw = sha256#result in
+ sha256#wipe;
+ (if cp then
+ user_tbl := (uid,(salt,crypto_pw,None))::!user_tbl
+ else
+ luser_tbl := (uid,(salt,crypto_pw,None))::!luser_tbl);
+ serialize ()
+;;
+
+let check_pw uid pw =
+ try
+ let (salt,crypto_pw,_),_ = lookup_user uid in
+ let sha256 = Cryptokit.Hash.sha256 () in
+ sha256#add_string (salt ^ pw);
+ let computed_pw = sha256#result in
+ sha256#wipe;
+ if crypto_pw <> computed_pw
+ then (prerr_endline ("password " ^ pw ^ " incorrect"); raise InvalidPassword)
+ with Not_found _ -> raise InvalidPassword
+;;
+