mstar/linstrom
1
0
Fork 0
Code Issues 3 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Move hashing and encryption to auth/helpers
Some checks are pending
/ test (push) Waiting to run
Details

Browse source
This commit is contained in:
Melody Becker 2025-03-31 23:06:27 +02:00
parent c269db5b02
commit c59b0c8340
No known key found for this signature in database
3 changed files with 110 additions and 95 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

110
auth-new/helpers.go Normal file
View file

@ -0,0 +1,110 @@
package auth
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"golang.org/x/crypto/argon2"
)
// Len of salt for passwords in bytes
const saltLen = 32
func generateSalt(length int) ([]byte, error) {
salt := make([]byte, length)
if _, err := rand.Read(salt); err != nil {
return nil, err
}
return salt, nil
}
func hashPassword(password string) ([]byte, error) {
salt, err := generateSalt(saltLen)
if err != nil {
return nil, err
}
hash := argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32)
hash = append(hash, salt...)
// return bcrypt.GenerateFromPassword([]byte(password), 14)
return hash, nil
}
// Compare a raw password against a hash + salt
func comparePassword(password string, hash []byte) bool {
// Hash is actually hash(password)+salt
salt := hash[len(hash)-saltLen:]
return bytes.Equal(argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32), hash)
}
// Copied and adjusted from: https://bruinsslot.jp/post/golang-crypto/
func Encrypt(key, data []byte) ([]byte, error) {
key, salt, err := deriveKey(key, nil)
if err != nil {
return nil, err
}
blockCipher, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
gcm, err := cipher.NewGCM(blockCipher)
if err != nil {
return nil, err
}
nonce := make([]byte, gcm.NonceSize())
if _, err = rand.Read(nonce); err != nil {
return nil, err
}
ciphertext := gcm.Seal(nonce, nonce, data, nil)
ciphertext = append(ciphertext, salt...)
return ciphertext, nil
}
func Decrypt(key, data []byte) ([]byte, error) {
salt, data := data[len(data)-32:], data[:len(data)-32]
key, _, err := deriveKey(key, salt)
if err != nil {
return nil, err
}
blockCipher, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
gcm, err := cipher.NewGCM(blockCipher)
if err != nil {
return nil, err
}
nonce, ciphertext := data[:gcm.NonceSize()], data[gcm.NonceSize():]
plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
if err != nil {
return nil, err
}
return plaintext, nil
}
func deriveKey(password, salt []byte) ([]byte, []byte, error) {
if salt == nil {
salt = make([]byte, 32)
if _, err := rand.Read(salt); err != nil {
return nil, nil, err
}
}
key := argon2.IDKey(password, salt, 1, 64*1024, 4, 32)
return key, salt, nil
}

30
auth-new/password.go
View file

@ -1,14 +1,11 @@
package auth package auth
import ( import (
"bytes"
"crypto/rand"
"time" "time"
"git.mstar.dev/mstar/goutils/other" "git.mstar.dev/mstar/goutils/other"
"git.mstar.dev/mstar/goutils/sliceutils" "git.mstar.dev/mstar/goutils/sliceutils"
"github.com/google/uuid" "github.com/google/uuid"
"golang.org/x/crypto/argon2"
"gorm.io/gorm" "gorm.io/gorm"
"gorm.io/gorm/clause" "gorm.io/gorm/clause"
@ -16,33 +13,6 @@ import (
"git.mstar.dev/mstar/linstrom/storage-new/models" "git.mstar.dev/mstar/linstrom/storage-new/models"
) )
const saltLen = 32
func generateSalt(length int) ([]byte, error) {
salt := make([]byte, length)
if _, err := rand.Read(salt); err != nil {
return nil, err
}
return salt, nil
}
func hashPassword(password string) ([]byte, error) {
salt, err := generateSalt(saltLen)
if err != nil {
return nil, err
}
hash := argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32)
hash = append(hash, salt...)
// return bcrypt.GenerateFromPassword([]byte(password), 14)
return hash, nil
}
func comparePassword(password string, hash []byte) bool {
salt := hash[len(hash)-saltLen:]
return bytes.Equal(argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32), hash)
}
// Start a login process with a username (NOT account ID) and password // Start a login process with a username (NOT account ID) and password
// Returns the next state, a token corresponding to that state and error // Returns the next state, a token corresponding to that state and error
// Token will be empty on failure, error describes the reason for the // Token will be empty on failure, error describes the reason for the

65
storage-new/helpers.go
View file

@ -1,65 +0,0 @@
package storage
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
)
// Copied and adjusted from: https://bruinsslot.jp/post/golang-crypto/
func Encrypt(key, data []byte) ([]byte, error) {
// key, salt, err := DeriveKey(key, nil)
// if err != nil {
// return nil, err
// }
//
blockCipher, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
gcm, err := cipher.NewGCM(blockCipher)
if err != nil {
return nil, err
}
nonce := make([]byte, gcm.NonceSize())
if _, err = rand.Read(nonce); err != nil {
return nil, err
}
ciphertext := gcm.Seal(nonce, nonce, data, nil)
// ciphertext = append(ciphertext, salt...)
return ciphertext, nil
}
func Decrypt(key, data []byte) ([]byte, error) {
// salt, data := data[len(data)-32:], data[:len(data)-32]
// key, _, err := DeriveKey(key, salt)
// if err != nil {
// return nil, err
// }
//
blockCipher, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
gcm, err := cipher.NewGCM(blockCipher)
if err != nil {
return nil, err
}
nonce, ciphertext := data[:gcm.NonceSize()], data[gcm.NonceSize():]
plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
if err != nil {
return nil, err
}
return plaintext, nil
}