authelia/internal/authentication/password_hash.go

package authentication

import (
	"errors"
	"fmt"
	"log"
	"math/rand"
	"strconv"
	"strings"

	"github.com/simia-tech/crypt"
)

// PasswordHash represents all characteristics of a password hash.
// Authelia only supports salted SHA512 method, i.e., $6$ mode.
type PasswordHash struct {
	// The number of rounds.
	Rounds int
	// The salt with a max size of 16 characters for SHA512.
	Salt string
	// The password hash.
	Hash string
}

// ParseHash extracts all characteristics of a hash given its string representation.
func ParseHash(hash string) (*PasswordHash, error) {
	parts := strings.Split(hash, "$")

	if len(parts) != 5 {
		return nil, fmt.Errorf("Cannot parse the hash %s", hash)
	}

	// Only supports salted sha 512.
	if parts[1] != "6" {
		return nil, fmt.Errorf("Authelia only supports salted SHA512 hashing ($6$), not $%s$", parts[1])
	}

	roundsKV := strings.Split(parts[2], "=")
	if len(roundsKV) != 2 {
		return nil, errors.New("Cannot match pattern 'rounds=<int>' to find the number of rounds")
	}

	rounds, err := strconv.ParseInt(roundsKV[1], 10, 0)
	if err != nil {
		return nil, fmt.Errorf("Cannot find the number of rounds from %s using pattern 'rounds=<int>'. Cause: %s", roundsKV[1], err.Error())
	}

	return &PasswordHash{
		Rounds: int(rounds),
		Salt:   parts[3],
		Hash:   parts[4],
	}, nil
}

// The set of letters RandomString can pick in.
var possibleLetters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")

// RandomString generate a random string of n characters.
func RandomString(n int) string {
	b := make([]rune, n)
	for i := range b {
		b[i] = possibleLetters[rand.Intn(len(possibleLetters))]
	}
	return string(b)
}

// HashPassword generate a salt and hash the password with the salt and a constant
// number of rounds.
func HashPassword(password string, salt string) string {
	if salt == "" {
		salt = fmt.Sprintf("$6$rounds=50000$%s", RandomString(16))
	}
	hash, err := crypt.Crypt(password, salt)
	if err != nil {
		log.Fatal(err)
	}
	return hash
}

// CheckPassword check a password against a hash.
func CheckPassword(password string, hash string) (bool, error) {
	passwordHash, err := ParseHash(hash)
	if err != nil {
		return false, err
	}
	salt := fmt.Sprintf("$6$rounds=%d$%s$", passwordHash.Rounds, passwordHash.Salt)
	pHash := HashPassword(password, salt)
	return pHash == hash, nil
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package authentication`

			`import (`
			`"errors"`
			`"fmt"`
Use pure implementation of crypt to generate and check password hashes. This allows to remove the dependency to libc. 2019-11-01 18:31:51 +00:00			`"log"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`"math/rand"`
			`"strconv"`
			`"strings"`

Use pure implementation of crypt to generate and check password hashes. This allows to remove the dependency to libc. 2019-11-01 18:31:51 +00:00			`"github.com/simia-tech/crypt"`
			`)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
			`// PasswordHash represents all characteristics of a password hash.`
			`// Authelia only supports salted SHA512 method, i.e., $6$ mode.`
			`type PasswordHash struct {`
			`// The number of rounds.`
			`Rounds int`
			`// The salt with a max size of 16 characters for SHA512.`
			`Salt string`
			`// The password hash.`
			`Hash string`
			`}`

Improve logs of password hashing to help troubleshoot issues. 2019-12-27 16:55:00 +00:00			`// ParseHash extracts all characteristics of a hash given its string representation.`
			`func ParseHash(hash string) (*PasswordHash, error) {`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`parts := strings.Split(hash, "$")`

			`if len(parts) != 5 {`
Improve logs of password hashing to help troubleshoot issues. 2019-12-27 16:55:00 +00:00			`return nil, fmt.Errorf("Cannot parse the hash %s", hash)`
			`}`

			`// Only supports salted sha 512.`
			`if parts[1] != "6" {`
			`return nil, fmt.Errorf("Authelia only supports salted SHA512 hashing ($6$), not $%s$", parts[1])`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

			`roundsKV := strings.Split(parts[2], "=")`
			`if len(roundsKV) != 2 {`
Improve logs of password hashing to help troubleshoot issues. 2019-12-27 16:55:00 +00:00			`return nil, errors.New("Cannot match pattern 'rounds=<int>' to find the number of rounds")`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

			`rounds, err := strconv.ParseInt(roundsKV[1], 10, 0)`
			`if err != nil {`
Improve logs of password hashing to help troubleshoot issues. 2019-12-27 16:55:00 +00:00			`return nil, fmt.Errorf("Cannot find the number of rounds from %s using pattern 'rounds=<int>'. Cause: %s", roundsKV[1], err.Error())`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

			`return &PasswordHash{`
			`Rounds: int(rounds),`
			`Salt: parts[3],`
			`Hash: parts[4],`
			`}, nil`
			`}`

			`// The set of letters RandomString can pick in.`
			`var possibleLetters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")`

			`// RandomString generate a random string of n characters.`
			`func RandomString(n int) string {`
			`b := make([]rune, n)`
			`for i := range b {`
			`b[i] = possibleLetters[rand.Intn(len(possibleLetters))]`
			`}`
			`return string(b)`
			`}`

			`// HashPassword generate a salt and hash the password with the salt and a constant`
			`// number of rounds.`
Use pure implementation of crypt to generate and check password hashes. This allows to remove the dependency to libc. 2019-11-01 18:31:51 +00:00			`func HashPassword(password string, salt string) string {`
			`if salt == "" {`
			`salt = fmt.Sprintf("$6$rounds=50000$%s", RandomString(16))`
			`}`
			`hash, err := crypt.Crypt(password, salt)`
			`if err != nil {`
			`log.Fatal(err)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`
Use pure implementation of crypt to generate and check password hashes. This allows to remove the dependency to libc. 2019-11-01 18:31:51 +00:00			`return hash`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

			`// CheckPassword check a password against a hash.`
			`func CheckPassword(password string, hash string) (bool, error) {`
Improve logs of password hashing to help troubleshoot issues. 2019-12-27 16:55:00 +00:00			`passwordHash, err := ParseHash(hash)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`if err != nil {`
			`return false, err`
			`}`
			`salt := fmt.Sprintf("$6$rounds=%d$%s$", passwordHash.Rounds, passwordHash.Salt)`
Use pure implementation of crypt to generate and check password hashes. This allows to remove the dependency to libc. 2019-11-01 18:31:51 +00:00			`pHash := HashPassword(password, salt)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`return pHash == hash, nil`
			`}`