mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 209 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7867 Commits
16 Branches
Tree: 85202d4784
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '85202d4784'
${ noResults }
gitea/models/twofactor.go

twofactor.go 4.4KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package models

  6. 

  7. import (

  8. 	"crypto/aes"

  9. 	"crypto/cipher"

  10. 	"crypto/md5"

  11. 	"crypto/rand"

  12. 	"crypto/sha256"

  13. 	"crypto/subtle"

  14. 	"encoding/base64"

  15. 	"errors"

  16. 	"fmt"

  17. 	"io"

  18. 

  19. 	"code.gitea.io/gitea/modules/generate"

  20. 	"code.gitea.io/gitea/modules/setting"

  21. 	"code.gitea.io/gitea/modules/timeutil"

  22. 

  23. 	"github.com/pquerna/otp/totp"

  24. 	"golang.org/x/crypto/pbkdf2"

  25. )

  26. 

  27. // TwoFactor represents a two-factor authentication token.

  28. type TwoFactor struct {

  29. 	ID               int64 `xorm:"pk autoincr"`

  30. 	UID              int64 `xorm:"UNIQUE"`

  31. 	Secret           string

  32. 	ScratchSalt      string

  33. 	ScratchHash      string

  34. 	LastUsedPasscode string             `xorm:"VARCHAR(10)"`

  35. 	CreatedUnix      timeutil.TimeStamp `xorm:"INDEX created"`

  36. 	UpdatedUnix      timeutil.TimeStamp `xorm:"INDEX updated"`

  37. }

  38. 

  39. // GenerateScratchToken recreates the scratch token the user is using.

  40. func (t *TwoFactor) GenerateScratchToken() (string, error) {

  41. 	token, err := generate.GetRandomString(8)

  42. 	if err != nil {

  43. 		return "", err

  44. 	}

  45. 	t.ScratchSalt, _ = generate.GetRandomString(10)

  46. 	t.ScratchHash = hashToken(token, t.ScratchSalt)

  47. 	return token, nil

  48. }

  49. 

  50. func hashToken(token, salt string) string {

  51. 	tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New)

  52. 	return fmt.Sprintf("%x", tempHash)

  53. }

  54. 

  55. // VerifyScratchToken verifies if the specified scratch token is valid.

  56. func (t *TwoFactor) VerifyScratchToken(token string) bool {

  57. 	if len(token) == 0 {

  58. 		return false

  59. 	}

  60. 	tempHash := hashToken(token, t.ScratchSalt)

  61. 	return subtle.ConstantTimeCompare([]byte(t.ScratchHash), []byte(tempHash)) == 1

  62. }

  63. 

  64. func (t *TwoFactor) getEncryptionKey() []byte {

  65. 	k := md5.Sum([]byte(setting.SecretKey))

  66. 	return k[:]

  67. }

  68. 

  69. // SetSecret sets the 2FA secret.

  70. func (t *TwoFactor) SetSecret(secret string) error {

  71. 	secretBytes, err := aesEncrypt(t.getEncryptionKey(), []byte(secret))

  72. 	if err != nil {

  73. 		return err

  74. 	}

  75. 	t.Secret = base64.StdEncoding.EncodeToString(secretBytes)

  76. 	return nil

  77. }

  78. 

  79. // ValidateTOTP validates the provided passcode.

  80. func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {

  81. 	decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)

  82. 	if err != nil {

  83. 		return false, err

  84. 	}

  85. 	secret, err := aesDecrypt(t.getEncryptionKey(), decodedStoredSecret)

  86. 	if err != nil {

  87. 		return false, err

  88. 	}

  89. 	secretStr := string(secret)

  90. 	return totp.Validate(passcode, secretStr), nil

  91. }

  92. 

  93. // aesEncrypt encrypts text and given key with AES.

  94. func aesEncrypt(key, text []byte) ([]byte, error) {

  95. 	block, err := aes.NewCipher(key)

  96. 	if err != nil {

  97. 		return nil, err

  98. 	}

  99. 	b := base64.StdEncoding.EncodeToString(text)

  100. 	ciphertext := make([]byte, aes.BlockSize+len(b))

  101. 	iv := ciphertext[:aes.BlockSize]

  102. 	if _, err := io.ReadFull(rand.Reader, iv); err != nil {

  103. 		return nil, err

  104. 	}

  105. 	cfb := cipher.NewCFBEncrypter(block, iv)

  106. 	cfb.XORKeyStream(ciphertext[aes.BlockSize:], []byte(b))

  107. 	return ciphertext, nil

  108. }

  109. 

  110. // aesDecrypt decrypts text and given key with AES.

  111. func aesDecrypt(key, text []byte) ([]byte, error) {

  112. 	block, err := aes.NewCipher(key)

  113. 	if err != nil {

  114. 		return nil, err

  115. 	}

  116. 	if len(text) < aes.BlockSize {

  117. 		return nil, errors.New("ciphertext too short")

  118. 	}

  119. 	iv := text[:aes.BlockSize]

  120. 	text = text[aes.BlockSize:]

  121. 	cfb := cipher.NewCFBDecrypter(block, iv)

  122. 	cfb.XORKeyStream(text, text)

  123. 	data, err := base64.StdEncoding.DecodeString(string(text))

  124. 	if err != nil {

  125. 		return nil, err

  126. 	}

  127. 	return data, nil

  128. }

  129. 

  130. // NewTwoFactor creates a new two-factor authentication token.

  131. func NewTwoFactor(t *TwoFactor) error {

  132. 	_, err := x.Insert(t)

  133. 	return err

  134. }

  135. 

  136. // UpdateTwoFactor updates a two-factor authentication token.

  137. func UpdateTwoFactor(t *TwoFactor) error {

  138. 	_, err := x.ID(t.ID).AllCols().Update(t)

  139. 	return err

  140. }

  141. 

  142. // GetTwoFactorByUID returns the two-factor authentication token associated with

  143. // the user, if any.

  144. func GetTwoFactorByUID(uid int64) (*TwoFactor, error) {

  145. 	twofa := &TwoFactor{UID: uid}

  146. 	has, err := x.Get(twofa)

  147. 	if err != nil {

  148. 		return nil, err

  149. 	} else if !has {

  150. 		return nil, ErrTwoFactorNotEnrolled{uid}

  151. 	}

  152. 	return twofa, nil

  153. }

  154. 

  155. // DeleteTwoFactorByID deletes two-factor authentication token by given ID.

  156. func DeleteTwoFactorByID(id, userID int64) error {

  157. 	cnt, err := x.ID(id).Delete(&TwoFactor{

  158. 		UID: userID,

  159. 	})

  160. 	if err != nil {

  161. 		return err

  162. 	} else if cnt != 1 {

  163. 		return ErrTwoFactorNotEnrolled{userID}

  164. 	}

  165. 	return nil

  166. }