Kyle Isom
14083b82b4
* Rewrite .golangci.yaml to v2 schema: linters-settings -> linters.settings, issues.exclude-rules -> issues.exclusions.rules, issues.exclude-dirs -> issues.exclusions.paths * Drop deprecated revive exported/package-comments rules: personal project, not a public library; godoc completeness is not a CI req * Add //nolint:gosec G101 on PassphraseEnv default in config.go: environment variable name is not a credential value * Add //nolint:gosec G101 on EventPGCredUpdated in model.go: audit event type string, not a credential Security: no logic changes. gosec G101 suppressions are false positives confirmed by code inspection: neither constant holds a credential value.
251 lines
8.4 KiB
Go
251 lines
8.4 KiB
Go
// Package auth implements login, TOTP verification, and credential management.
|
|
//
|
|
// Security design:
|
|
// - All credential comparisons use constant-time operations to resist timing
|
|
// side-channels. crypto/subtle.ConstantTimeCompare is used wherever secrets
|
|
// are compared.
|
|
// - On any login failure the error returned to the caller is always generic
|
|
// ("invalid credentials"), regardless of which step failed, to prevent
|
|
// user enumeration.
|
|
// - TOTP uses a ±1 time-step window (±30s) per RFC 6238 recommendation.
|
|
// - PHC string format is used for password hashes, enabling transparent
|
|
// parameter upgrades without re-migration.
|
|
package auth
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/sha1" //nolint:gosec // SHA-1 is required by RFC 6238 for TOTP; not used for collision resistance.
|
|
"crypto/subtle"
|
|
"encoding/base32"
|
|
encodingbase64 "encoding/base64"
|
|
"encoding/binary"
|
|
"errors"
|
|
"fmt"
|
|
"math"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"golang.org/x/crypto/argon2"
|
|
|
|
"git.wntrmute.dev/kyle/mcias/internal/crypto"
|
|
)
|
|
|
|
// ErrInvalidCredentials is returned for any authentication failure.
|
|
// It intentionally does not distinguish between wrong password, wrong TOTP,
|
|
// or unknown user — to prevent information leakage to the caller.
|
|
var ErrInvalidCredentials = errors.New("auth: invalid credentials")
|
|
|
|
// ArgonParams holds Argon2id hashing parameters embedded in PHC strings.
|
|
type ArgonParams struct {
|
|
Time uint32
|
|
Memory uint32 // KiB
|
|
Threads uint8
|
|
}
|
|
|
|
// DefaultArgonParams returns OWASP-2023-compliant parameters.
|
|
// Security: These meet the OWASP minimum (time=2, memory=64MiB) and provide
|
|
// additional margin with time=3.
|
|
func DefaultArgonParams() ArgonParams {
|
|
return ArgonParams{
|
|
Time: 3,
|
|
Memory: 64 * 1024, // 64 MiB in KiB
|
|
Threads: 4,
|
|
}
|
|
}
|
|
|
|
// HashPassword hashes a password using Argon2id and returns a PHC-format string.
|
|
// A random 16-byte salt is generated via crypto/rand for each call.
|
|
//
|
|
// Security: Argon2id is selected per OWASP recommendation; it resists both
|
|
// side-channel and GPU brute-force attacks. The random salt ensures each hash
|
|
// is unique even for identical passwords.
|
|
func HashPassword(password string, params ArgonParams) (string, error) {
|
|
if password == "" {
|
|
return "", errors.New("auth: password must not be empty")
|
|
}
|
|
|
|
// Generate a cryptographically-random 16-byte salt.
|
|
salt, err := crypto.RandomBytes(16)
|
|
if err != nil {
|
|
return "", fmt.Errorf("auth: generate salt: %w", err)
|
|
}
|
|
|
|
hash := argon2.IDKey(
|
|
[]byte(password),
|
|
salt,
|
|
params.Time,
|
|
params.Memory,
|
|
params.Threads,
|
|
32, // 256-bit output
|
|
)
|
|
|
|
// PHC format: $argon2id$v=19$m=<M>,t=<T>,p=<P>$<salt-b64>$<hash-b64>
|
|
saltB64 := encodingbase64.RawStdEncoding.EncodeToString(salt)
|
|
hashB64 := encodingbase64.RawStdEncoding.EncodeToString(hash)
|
|
phc := fmt.Sprintf(
|
|
"$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s",
|
|
params.Memory, params.Time, params.Threads,
|
|
saltB64, hashB64,
|
|
)
|
|
return phc, nil
|
|
}
|
|
|
|
// VerifyPassword checks a plaintext password against a PHC-format Argon2id hash.
|
|
// Returns true if the password matches.
|
|
//
|
|
// Security: Comparison uses crypto/subtle.ConstantTimeCompare after computing
|
|
// the candidate hash with identical parameters and the stored salt. This
|
|
// prevents timing attacks that could reveal whether a password is "closer" to
|
|
// the correct value.
|
|
func VerifyPassword(password, phcHash string) (bool, error) {
|
|
params, salt, expectedHash, err := parsePHC(phcHash)
|
|
if err != nil {
|
|
return false, fmt.Errorf("auth: parse PHC hash: %w", err)
|
|
}
|
|
|
|
candidateHash := argon2.IDKey(
|
|
[]byte(password),
|
|
salt,
|
|
params.Time,
|
|
params.Memory,
|
|
params.Threads,
|
|
uint32(len(expectedHash)), //nolint:gosec // G115: hash buffer length is always small and fits uint32
|
|
)
|
|
|
|
// Security: constant-time comparison prevents timing side-channels.
|
|
if subtle.ConstantTimeCompare(candidateHash, expectedHash) != 1 {
|
|
return false, nil
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
// parsePHC parses a PHC-format Argon2id hash string.
|
|
// Expected format: $argon2id$v=19$m=<M>,t=<T>,p=<P>$<salt-b64>$<hash-b64>
|
|
func parsePHC(phc string) (ArgonParams, []byte, []byte, error) {
|
|
parts := strings.Split(phc, "$")
|
|
// Expected: ["", "argon2id", "v=19", "m=M,t=T,p=P", "salt", "hash"]
|
|
if len(parts) != 6 {
|
|
return ArgonParams{}, nil, nil, fmt.Errorf("auth: invalid PHC format: %d parts", len(parts))
|
|
}
|
|
if parts[1] != "argon2id" {
|
|
return ArgonParams{}, nil, nil, fmt.Errorf("auth: unsupported algorithm %q", parts[1])
|
|
}
|
|
|
|
var params ArgonParams
|
|
for _, kv := range strings.Split(parts[3], ",") {
|
|
eq := strings.IndexByte(kv, '=')
|
|
if eq < 0 {
|
|
return ArgonParams{}, nil, nil, fmt.Errorf("auth: invalid PHC param %q", kv)
|
|
}
|
|
k, v := kv[:eq], kv[eq+1:]
|
|
n, err := strconv.ParseUint(v, 10, 32)
|
|
if err != nil {
|
|
return ArgonParams{}, nil, nil, fmt.Errorf("auth: parse PHC param %q: %w", kv, err)
|
|
}
|
|
switch k {
|
|
case "m":
|
|
params.Memory = uint32(n)
|
|
case "t":
|
|
params.Time = uint32(n)
|
|
case "p":
|
|
params.Threads = uint8(n) //nolint:gosec // G115: thread count is validated to be <= 255 by config
|
|
}
|
|
}
|
|
|
|
salt, err := encodingbase64.RawStdEncoding.DecodeString(parts[4])
|
|
if err != nil {
|
|
return ArgonParams{}, nil, nil, fmt.Errorf("auth: decode salt: %w", err)
|
|
}
|
|
hash, err := encodingbase64.RawStdEncoding.DecodeString(parts[5])
|
|
if err != nil {
|
|
return ArgonParams{}, nil, nil, fmt.Errorf("auth: decode hash: %w", err)
|
|
}
|
|
return params, salt, hash, nil
|
|
}
|
|
|
|
// ValidateTOTP checks a 6-digit TOTP code against a raw TOTP secret (bytes).
|
|
// A ±1 time-step window (±30s) is allowed to accommodate clock skew.
|
|
//
|
|
// Security:
|
|
// - Comparison uses crypto/subtle.ConstantTimeCompare to resist timing attacks.
|
|
// - Only RFC 6238-compliant HOTP (HMAC-SHA1) is implemented; no custom crypto.
|
|
// - A ±1 window is the RFC 6238 recommendation; wider windows increase
|
|
// exposure to code interception between generation and submission.
|
|
func ValidateTOTP(secret []byte, code string) (bool, error) {
|
|
if len(code) != 6 {
|
|
return false, nil
|
|
}
|
|
|
|
now := time.Now().Unix()
|
|
step := int64(30) // RFC 6238 default time step in seconds
|
|
|
|
for _, counter := range []int64{
|
|
now/step - 1,
|
|
now / step,
|
|
now/step + 1,
|
|
} {
|
|
expected, err := hotp(secret, uint64(counter)) //nolint:gosec // G115: counter is Unix time / step, always non-negative
|
|
if err != nil {
|
|
return false, fmt.Errorf("auth: compute TOTP: %w", err)
|
|
}
|
|
// Security: constant-time comparison to prevent timing attack.
|
|
if subtle.ConstantTimeCompare([]byte(code), []byte(expected)) == 1 {
|
|
return true, nil
|
|
}
|
|
}
|
|
return false, nil
|
|
}
|
|
|
|
// hotp computes an HMAC-SHA1-based OTP for a given counter value.
|
|
// Implements RFC 4226 §5, which is the base algorithm for RFC 6238 TOTP.
|
|
//
|
|
// Security: SHA-1 is used as required by RFC 4226/6238. It is used here in
|
|
// an HMAC construction for OTP purposes — not for collision-resistant hashing.
|
|
// The HMAC-SHA1 construction is still cryptographically sound for this use case.
|
|
func hotp(key []byte, counter uint64) (string, error) {
|
|
counterBytes := make([]byte, 8)
|
|
binary.BigEndian.PutUint64(counterBytes, counter)
|
|
|
|
mac := hmac.New(sha1.New, key)
|
|
if _, err := mac.Write(counterBytes); err != nil {
|
|
return "", fmt.Errorf("auth: HMAC-SHA1 write: %w", err)
|
|
}
|
|
h := mac.Sum(nil)
|
|
|
|
// Dynamic truncation per RFC 4226 §5.3.
|
|
offset := h[len(h)-1] & 0x0F
|
|
binCode := (int(h[offset]&0x7F)<<24 |
|
|
int(h[offset+1])<<16 |
|
|
int(h[offset+2])<<8 |
|
|
int(h[offset+3])) % int(math.Pow10(6))
|
|
|
|
return fmt.Sprintf("%06d", binCode), nil
|
|
}
|
|
|
|
// DecodeTOTPSecret decodes a base32-encoded TOTP secret string to raw bytes.
|
|
// TOTP authenticator apps present secrets in base32 for display; this function
|
|
// converts them to the raw byte form stored (encrypted) in the database.
|
|
func DecodeTOTPSecret(base32Secret string) ([]byte, error) {
|
|
normalised := strings.ToUpper(strings.ReplaceAll(base32Secret, " ", ""))
|
|
decoded, err := base32.StdEncoding.DecodeString(normalised)
|
|
if err != nil {
|
|
decoded, err = base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(normalised)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("auth: decode base32 TOTP secret: %w", err)
|
|
}
|
|
}
|
|
return decoded, nil
|
|
}
|
|
|
|
// GenerateTOTPSecret generates a random 20-byte TOTP shared secret and returns
|
|
// both the raw bytes and their base32 representation for display to the user.
|
|
func GenerateTOTPSecret() (rawBytes []byte, base32Encoded string, err error) {
|
|
rawBytes, err = crypto.RandomBytes(20)
|
|
if err != nil {
|
|
return nil, "", fmt.Errorf("auth: generate TOTP secret: %w", err)
|
|
}
|
|
base32Encoded = base32.StdEncoding.EncodeToString(rawBytes)
|
|
return rawBytes, base32Encoded, nil
|
|
}
|