bcrypt support

Author: abbot

auth.go

@@ -1,13 +1,14 @@
+// Package auth is an implementation of HTTP Basic and HTTP Digest authentication.
 package auth
 
 import "net/http"
 
-/* 
+/*
  Request handlers must take AuthenticatedRequest instead of http.Request
 */
 type AuthenticatedRequest struct {
 	http.Request
-	/* 
+	/*
 	 Authenticated user name. Current API implies that Username is
 	 never empty, which means that authentication is always done
 	 before calling the request handler.

basic.go

@@ -1,11 +1,30 @@
 package auth
 
 import (
+	"bytes"
 	"crypto/sha1"
 	"crypto/subtle"
 	"encoding/base64"
+	"errors"
 	"net/http"
 	"strings"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+type compareFunc func(hashedPassword, password []byte) error
+
+var (
+	errMismatchedHashAndPassword = errors.New("mismatched hash and password")
+
+	compareFuncs = []struct {
+		prefix  string
+		compare compareFunc
+	}{
+		{"", compareMD5HashAndPassword}, // default compareFunc
+		{"{SHA}", compareShaHashAndPassword},
+		{"$2y$", bcrypt.CompareHashAndPassword},
+	}
 )
 
 type BasicAuth struct {
@@ -34,28 +53,46 @@ func (a *BasicAuth) CheckAuth(r *http.Request) string {
 	if len(pair) != 2 {
 		return ""
 	}
-	passwd := a.Secrets(pair[0], a.Realm)
-	if passwd == "" {
+	user, password := pair[0], pair[1]
+	secret := a.Secrets(user, a.Realm)
+	if secret == "" {
 		return ""
 	}
-	if strings.HasPrefix(passwd, "{SHA}") {
-		d := sha1.New()
-		d.Write([]byte(pair[1]))
-		if subtle.ConstantTimeCompare([]byte(passwd[5:]), []byte(base64.StdEncoding.EncodeToString(d.Sum(nil)))) != 1 {
-			return ""
-		}
-	} else {
-		e := NewMD5Entry(passwd)
-		if e == nil {
-			return ""
-		}
-		if subtle.ConstantTimeCompare([]byte(passwd), MD5Crypt([]byte(pair[1]), e.Salt, e.Magic)) != 1 {
-			return ""
+	compare := compareFuncs[0].compare
+	for _, cmp := range compareFuncs[1:] {
+		if strings.HasPrefix(secret, cmp.prefix) {
+			compare = cmp.compare
+			break
 		}
 	}
+	if compare([]byte(secret), []byte(password)) != nil {
+		return ""
+	}
 	return pair[0]
 }
 
+func compareShaHashAndPassword(hashedPassword, password []byte) error {
+	d := sha1.New()
+	d.Write(password)
+	if subtle.ConstantTimeCompare(hashedPassword[5:], []byte(base64.StdEncoding.EncodeToString(d.Sum(nil)))) != 1 {
+		return errMismatchedHashAndPassword
+	}
+	return nil
+}
+
+func compareMD5HashAndPassword(hashedPassword, password []byte) error {
+	parts := bytes.SplitN(hashedPassword, []byte("$"), 4)
+	if len(parts) != 4 {
+		return errMismatchedHashAndPassword
+	}
+	magic := []byte("$" + string(parts[1]) + "$")
+	salt := parts[2]
+	if subtle.ConstantTimeCompare(hashedPassword, MD5Crypt(password, salt, magic)) != 1 {
+		return errMismatchedHashAndPassword
+	}
+	return nil
+}
+
 /*
  http.Handler for BasicAuth which initiates the authentication process
  (or requires reauthentication).

basic_test.go

@@ -27,6 +27,7 @@ func TestAuthBasic(t *testing.T) {
 	data := [][]string{
 		{"test", "hello"},
 		{"test2", "hello2"},
+		{"test3", "hello3"},
 		{"test16", "topsecret"},
 	}
 	for _, tc := range data {

test.htpasswd

@@ -1,3 +1,4 @@
 test:{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00=
 test2:$apr1$a0j62R97$mYqFkloXH0/UOaUnAiV2b0
 test16:$apr1$JI4wh3am$AmhephVqLTUyAVpFQeHZC0
+test3:$2y$05$ih3C91zUBSTFcAh2mQnZYuob0UOZVEf16wl/ukgjDhjvj.xgM1WwS

users_test.go

@@ -26,7 +26,7 @@ func TestHtpasswdFile(t *testing.T) {
 	if passwd != "{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00=" {
 		t.Fatal("Incorrect passwd for test user:", passwd)
 	}
-	passwd = secrets("test3", "blah")
+	passwd = secrets("nosuchuser", "blah")
 	if passwd != "" {
 		t.Fatal("Got passwd for non-existant user:", passwd)
 	}