From 2fca6d9a7fbe6d3b511af234bf0da6dcc9254e11 Mon Sep 17 00:00:00 2001 From: Matti Ranta Date: Wed, 27 Jun 2018 22:58:09 -0400 Subject: [PATCH 01/15] switch plaintext tokens to use hash instead --- models/migrations/migrations.go | 2 + models/migrations/v70.go | 81 ++++++++++++++++++++++++++ models/twofactor.go | 28 +++++++-- routers/user/setting/security_twofa.go | 7 ++- 4 files changed, 109 insertions(+), 9 deletions(-) create mode 100644 models/migrations/v70.go diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index cc262d810232a..0fef460541945 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -192,6 +192,8 @@ var migrations = []Migration{ NewMigration("Reformat and remove incorrect topics", reformatAndRemoveIncorrectTopics), // v69 -> v70 NewMigration("move team units to team_unit table", moveTeamUnitsToTeamUnitTable), + // v70 -> v71 + NewMigration("protect each scratch token", addScratchHash), } // Migrate database to current version diff --git a/models/migrations/v70.go b/models/migrations/v70.go new file mode 100644 index 0000000000000..cf4165d09048f --- /dev/null +++ b/models/migrations/v70.go @@ -0,0 +1,81 @@ +// Copyright 2018 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package migrations + +import ( + "crypto/sha256" + "fmt" + + "github.com/go-xorm/xorm" + "golang.org/x/crypto/pbkdf2" + + "code.gitea.io/gitea/modules/generate" + "code.gitea.io/gitea/modules/util" +) + +func addScratchHash(x *xorm.Engine) error { + // TeamUnit see models/twofactor.go + type TwoFactor struct { + ID int64 `xorm:"pk autoincr"` + UID int64 `xorm:"UNIQUE"` + Secret string + ScratchToken string + ScratchSalt string + ScratchHash string + LastUsedPasscode string `xorm:"VARCHAR(10)"` + CreatedUnix util.TimeStamp `xorm:"INDEX created"` + UpdatedUnix util.TimeStamp `xorm:"INDEX updated"` + } + + if err := x.Sync2(new(TwoFactor)); err != nil { + return fmt.Errorf("Sync2: %v", err) + } + + sess := x.NewSession() + defer sess.Close() + + if err := sess.Begin(); err != nil { + return err + } + + // transform all tokens to hashes + const batchSize = 100 + for start := 0; ; start += batchSize { + tfas := make([]*TwoFactor, 0, batchSize) + if err := x.Limit(batchSize, start).Find(&tfas); err != nil { + return err + } + if len(tfas) == 0 { + break + } + + for _, tfa := range tfas { + // generate salt + salt, _ := generateSalt() + tfa.ScratchSalt = salt + tfa.ScratchHash = hashToken(tfa.ScratchToken, salt) + + if _, err := sess.ID(tfa.ID).Cols("scratch_salt, scratch_hash").Update(tfa); err != nil { + return fmt.Errorf("couldn't add in scratch_hash and scratch_salt: %v", err) + } + + } + } + + if err := dropTableColumns(sess, "two_factor", "scratch_token"); err != nil { + return err + } + return sess.Commit() + +} + +func generateSalt() (string, error) { + return generate.GetRandomString(10) +} + +func hashToken(token, salt string) string { + tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New) + return fmt.Sprintf("%x", tempHash) +} diff --git a/models/twofactor.go b/models/twofactor.go index 5f3c6efc21bbd..2348fc297043b 100644 --- a/models/twofactor.go +++ b/models/twofactor.go @@ -9,12 +9,15 @@ import ( "crypto/cipher" "crypto/md5" "crypto/rand" + "crypto/sha256" "crypto/subtle" "encoding/base64" "errors" + "fmt" "io" "github.com/pquerna/otp/totp" + "golang.org/x/crypto/pbkdf2" "code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/setting" @@ -27,19 +30,31 @@ type TwoFactor struct { UID int64 `xorm:"UNIQUE"` Secret string ScratchToken string + ScratchSalt string + ScratchHash string LastUsedPasscode string `xorm:"VARCHAR(10)"` CreatedUnix util.TimeStamp `xorm:"INDEX created"` UpdatedUnix util.TimeStamp `xorm:"INDEX updated"` } // GenerateScratchToken recreates the scratch token the user is using. -func (t *TwoFactor) GenerateScratchToken() error { +func (t *TwoFactor) GenerateScratchToken() (string, error) { token, err := generate.GetRandomString(8) if err != nil { - return err + return "", err } - t.ScratchToken = token - return nil + t.ScratchSalt, _ = generateSalt() + t.ScratchHash = hashToken(token, t.ScratchSalt) + return token, nil +} + +func generateSalt() (string, error) { + return generate.GetRandomString(10) +} + +func hashToken(token, salt string) string { + tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New) + return fmt.Sprintf("%x", tempHash) } // VerifyScratchToken verifies if the specified scratch token is valid. @@ -47,7 +62,8 @@ func (t *TwoFactor) VerifyScratchToken(token string) bool { if len(token) == 0 { return false } - return subtle.ConstantTimeCompare([]byte(token), []byte(t.ScratchToken)) == 1 + tempHash := hashPassword(token, t.ScratchSalt) + return subtle.ConstantTimeCompare([]byte(t.ScratchHash), []byte(tempHash)) == 1 } func (t *TwoFactor) getEncryptionKey() []byte { @@ -118,7 +134,7 @@ func aesDecrypt(key, text []byte) ([]byte, error) { // NewTwoFactor creates a new two-factor authentication token. func NewTwoFactor(t *TwoFactor) error { - err := t.GenerateScratchToken() + _, err := t.GenerateScratchToken() if err != nil { return err } diff --git a/routers/user/setting/security_twofa.go b/routers/user/setting/security_twofa.go index 55101ed1a4895..6b1a213adcf33 100644 --- a/routers/user/setting/security_twofa.go +++ b/routers/user/setting/security_twofa.go @@ -32,7 +32,8 @@ func RegenerateScratchTwoFactor(ctx *context.Context) { return } - if err = t.GenerateScratchToken(); err != nil { + token, err := t.GenerateScratchToken() + if err != nil { ctx.ServerError("SettingsTwoFactor", err) return } @@ -42,7 +43,7 @@ func RegenerateScratchTwoFactor(ctx *context.Context) { return } - ctx.Flash.Success(ctx.Tr("settings.twofa_scratch_token_regenerated", t.ScratchToken)) + ctx.Flash.Success(ctx.Tr("settings.twofa_scratch_token_regenerated", token)) ctx.Redirect(setting.AppSubURL + "/user/settings/security") } @@ -169,7 +170,7 @@ func EnrollTwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) { ctx.ServerError("SettingsTwoFactor", err) return } - err = t.GenerateScratchToken() + _, err = t.GenerateScratchToken() if err != nil { ctx.ServerError("SettingsTwoFactor", err) return From 050c96f05f7e4f826b6c3207f961c50987d961a7 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Wed, 27 Jun 2018 23:05:48 -0400 Subject: [PATCH 02/15] remove attrib that wasn't needed --- models/twofactor.go | 1 - 1 file changed, 1 deletion(-) diff --git a/models/twofactor.go b/models/twofactor.go index 2348fc297043b..37019a77a294f 100644 --- a/models/twofactor.go +++ b/models/twofactor.go @@ -29,7 +29,6 @@ type TwoFactor struct { ID int64 `xorm:"pk autoincr"` UID int64 `xorm:"UNIQUE"` Secret string - ScratchToken string ScratchSalt string ScratchHash string LastUsedPasscode string `xorm:"VARCHAR(10)"` From 412e27b414c6514fbade798d2f485c20ce8b47a3 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Wed, 27 Jun 2018 23:11:35 -0400 Subject: [PATCH 03/15] correct function call --- models/twofactor.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/twofactor.go b/models/twofactor.go index 37019a77a294f..67c6920b2722f 100644 --- a/models/twofactor.go +++ b/models/twofactor.go @@ -61,7 +61,7 @@ func (t *TwoFactor) VerifyScratchToken(token string) bool { if len(token) == 0 { return false } - tempHash := hashPassword(token, t.ScratchSalt) + tempHash := hashToken(token, t.ScratchSalt) return subtle.ConstantTimeCompare([]byte(t.ScratchHash), []byte(tempHash)) == 1 } From fd4445fa98dcee49892d50a1aa1e57e93c2f61c5 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Wed, 27 Jun 2018 23:13:00 -0400 Subject: [PATCH 04/15] show scratch token once to user --- routers/user/setting/security_twofa.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/routers/user/setting/security_twofa.go b/routers/user/setting/security_twofa.go index 6b1a213adcf33..85ff518d92da6 100644 --- a/routers/user/setting/security_twofa.go +++ b/routers/user/setting/security_twofa.go @@ -170,7 +170,7 @@ func EnrollTwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) { ctx.ServerError("SettingsTwoFactor", err) return } - _, err = t.GenerateScratchToken() + token, err := t.GenerateScratchToken() if err != nil { ctx.ServerError("SettingsTwoFactor", err) return @@ -183,6 +183,6 @@ func EnrollTwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) { ctx.Session.Delete("twofaSecret") ctx.Session.Delete("twofaUri") - ctx.Flash.Success(ctx.Tr("settings.twofa_enrolled", t.ScratchToken)) + ctx.Flash.Success(ctx.Tr("settings.twofa_enrolled", token)) ctx.Redirect(setting.AppSubURL + "/user/settings/security") } From e46e0bc8a55916284bc7afebce8ea67bc73c7fad Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Wed, 27 Jun 2018 23:20:59 -0400 Subject: [PATCH 05/15] fix error --- routers/user/auth.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routers/user/auth.go b/routers/user/auth.go index 317b4af3bb042..b0fca7d968ba5 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -304,7 +304,7 @@ func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthFo // Validate the passcode with the stored TOTP secret. if twofa.VerifyScratchToken(form.Token) { // Invalidate the scratch token. - twofa.ScratchToken = "" + twofa.GenerateScratchToken() if err = models.UpdateTwoFactor(twofa); err != nil { ctx.ServerError("UserSignIn", err) return From d9d8e0c55b0a3e0be2d5c5b72835b787f9a041e0 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Wed, 27 Jun 2018 23:23:54 -0400 Subject: [PATCH 06/15] correct redirect URL --- routers/user/auth.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routers/user/auth.go b/routers/user/auth.go index b0fca7d968ba5..2cca05a2d9d51 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -319,7 +319,7 @@ func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthFo handleSignInFull(ctx, u, remember, false) ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used")) - ctx.Redirect(setting.AppSubURL + "/user/settings/two_factor") + ctx.Redirect(setting.AppSubURL + "/user/settings/security") return } From fa2b6e5e0f6868aba0cba8a24ff16695de6d3933 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Wed, 27 Jun 2018 23:24:22 -0400 Subject: [PATCH 07/15] add copyright --- routers/user/auth.go | 1 + 1 file changed, 1 insertion(+) diff --git a/routers/user/auth.go b/routers/user/auth.go index 2cca05a2d9d51..150f46ca41e5c 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -1,4 +1,5 @@ // Copyright 2014 The Gogs Authors. All rights reserved. +// Copyright 2018 The Gitea Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. From 7caff96777142262afb48dffdd79b18ec6e9e99e Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Thu, 5 Jul 2018 10:21:05 -0400 Subject: [PATCH 08/15] fix copy paste issue --- models/migrations/v70.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/migrations/v70.go b/models/migrations/v70.go index cf4165d09048f..b766363facc33 100644 --- a/models/migrations/v70.go +++ b/models/migrations/v70.go @@ -16,7 +16,7 @@ import ( ) func addScratchHash(x *xorm.Engine) error { - // TeamUnit see models/twofactor.go + // TwoFactor see models/twofactor.go type TwoFactor struct { ID int64 `xorm:"pk autoincr"` UID int64 `xorm:"UNIQUE"` From 25ca551ea6880f54664ef382b33e367fe31089cb Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Thu, 5 Jul 2018 10:23:00 -0400 Subject: [PATCH 09/15] Don't ignore error --- models/migrations/v70.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/models/migrations/v70.go b/models/migrations/v70.go index b766363facc33..834aca566dfcb 100644 --- a/models/migrations/v70.go +++ b/models/migrations/v70.go @@ -53,7 +53,10 @@ func addScratchHash(x *xorm.Engine) error { for _, tfa := range tfas { // generate salt - salt, _ := generateSalt() + salt, err := generateSalt() + if err != nil { + return err + } tfa.ScratchSalt = salt tfa.ScratchHash = hashToken(tfa.ScratchToken, salt) From c703bd54423e928c7b0a351709640adbf4d9a260 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Thu, 5 Jul 2018 10:24:45 -0400 Subject: [PATCH 10/15] don't ignore error --- routers/user/auth.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/routers/user/auth.go b/routers/user/auth.go index 150f46ca41e5c..603415b337001 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -305,7 +305,11 @@ func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthFo // Validate the passcode with the stored TOTP secret. if twofa.VerifyScratchToken(form.Token) { // Invalidate the scratch token. - twofa.GenerateScratchToken() + _, err = twofa.GenerateScratchToken() + if err != nil { + ctx.ServerError("UserSignIn", err) + return + } if err = models.UpdateTwoFactor(twofa); err != nil { ctx.ServerError("UserSignIn", err) return From 5cbf3b8b63cb36b2eda251d023e22cda59a9784a Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Fri, 13 Jul 2018 10:20:43 -0400 Subject: [PATCH 11/15] commit changes before dropping columns --- models/migrations/v70.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/models/migrations/v70.go b/models/migrations/v70.go index 834aca566dfcb..565d5804e36a4 100644 --- a/models/migrations/v70.go +++ b/models/migrations/v70.go @@ -66,6 +66,14 @@ func addScratchHash(x *xorm.Engine) error { } } + + // Commit and begin new transaction for dropping columns + if err := sess.Commit(); err != nil { + return err + } + if err := sess.Begin(); err != nil { + return err + } if err := dropTableColumns(sess, "two_factor", "scratch_token"); err != nil { return err From d499fc8445cd6f520e255142b937f419784310fa Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Fri, 13 Jul 2018 10:47:06 -0400 Subject: [PATCH 12/15] make fmt --- models/migrations/v70.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/migrations/v70.go b/models/migrations/v70.go index 565d5804e36a4..dc4df5a650155 100644 --- a/models/migrations/v70.go +++ b/models/migrations/v70.go @@ -66,7 +66,7 @@ func addScratchHash(x *xorm.Engine) error { } } - + // Commit and begin new transaction for dropping columns if err := sess.Commit(); err != nil { return err From 616585711c813ed8bac11945b070a23a59017891 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Fri, 13 Jul 2018 15:09:20 -0400 Subject: [PATCH 13/15] remove gensalt func --- models/twofactor.go | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/models/twofactor.go b/models/twofactor.go index 67c6920b2722f..be37c50b46917 100644 --- a/models/twofactor.go +++ b/models/twofactor.go @@ -42,15 +42,11 @@ func (t *TwoFactor) GenerateScratchToken() (string, error) { if err != nil { return "", err } - t.ScratchSalt, _ = generateSalt() + t.ScratchSalt, _ = generate.GetRandomString(10) t.ScratchHash = hashToken(token, t.ScratchSalt) return token, nil } -func generateSalt() (string, error) { - return generate.GetRandomString(10) -} - func hashToken(token, salt string) string { tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New) return fmt.Sprintf("%x", tempHash) From dc55b928446794c18ef84b9907ac7de55f3f0575 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Fri, 13 Jul 2018 15:10:19 -0400 Subject: [PATCH 14/15] remove gen salt function --- models/migrations/v70.go | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/models/migrations/v70.go b/models/migrations/v70.go index dc4df5a650155..c725908bd579e 100644 --- a/models/migrations/v70.go +++ b/models/migrations/v70.go @@ -53,7 +53,7 @@ func addScratchHash(x *xorm.Engine) error { for _, tfa := range tfas { // generate salt - salt, err := generateSalt() + salt, err := generate.GetRandomString(10) if err != nil { return err } @@ -82,10 +82,6 @@ func addScratchHash(x *xorm.Engine) error { } -func generateSalt() (string, error) { - return generate.GetRandomString(10) -} - func hashToken(token, salt string) string { tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New) return fmt.Sprintf("%x", tempHash) From e07acd13aab1308e8f8662116bd4a489c7b9a9ff Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Fri, 27 Jul 2018 08:36:24 -0400 Subject: [PATCH 15/15] Rename v70.go to v71.go --- models/migrations/{v70.go => v71.go} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename models/migrations/{v70.go => v71.go} (100%) diff --git a/models/migrations/v70.go b/models/migrations/v71.go similarity index 100% rename from models/migrations/v70.go rename to models/migrations/v71.go