Implement Admin Password hashing using sha256

Author: ukane-philemon

cmd/vspd/config.go

@@ -66,7 +66,7 @@ type config struct {
 	BackupInterval  time.Duration `long:"backupinterval" ini-name:"backupinterval" description:"Time period between automatic database backups. Valid time units are {s,m,h}. Minimum 30 seconds."`
 	VspClosed       bool          `long:"vspclosed" ini-name:"vspclosed" description:"Closed prevents the VSP from accepting new tickets."`
 	VspClosedMsg    string        `long:"vspclosedmsg" ini-name:"vspclosedmsg" description:"A short message displayed on the webpage and returned by the status API endpoint if vspclosed is true."`
-	AdminPass       string        `long:"adminpass" ini-name:"adminpass" description:"Password for accessing admin page."`
+	AdminPass       string        `long:"adminpass" ini-name:"adminpass" description:"Password for accessing admin page. INSECURE. Do not set unless absolutely necessary."`
 	Designation     string        `long:"designation" ini-name:"designation" description:"Short name for the VSP. Customizes the logo in the top toolbar."`
 
 	// The following flags should be set on CLI only, not via config file.
@@ -170,7 +170,6 @@ func normalizeAddress(addr, defaultPort string) string {
 // while still allowing the user to override settings with config files and
 // command line options.  Command line options always take precedence.
 func loadConfig() (*config, error) {
-
 	// Default config.
 	cfg := config{
 		Listen:         defaultListen,
@@ -307,11 +306,6 @@ func loadConfig() (*config, error) {
 		return nil, errors.New("the supportemail option is not set")
 	}
 
-	// Ensure the administrator password is set.
-	if cfg.AdminPass == "" {
-		return nil, errors.New("the adminpass option is not set")
-	}
-
 	// Ensure the dcrd RPC username is set.
 	if cfg.DcrdUser == "" {
 		return nil, errors.New("the dcrduser option is not set")

cmd/vspd/main.go

@@ -6,6 +6,7 @@ package main
 
 import (
 	"context"
+	"crypto/sha256"
 	"fmt"
 	"os"
 	"runtime"
@@ -56,6 +57,20 @@ func run() int {
 	shutdownCtx := withShutdownCancel(context.Background())
 	go shutdownListener(log)
 
+	// Request admin password if admin password is not set in config.
+	var adminAuthSHA [32]byte
+	if cfg.AdminPass == "" {
+		adminAuthSHA, err = passwordHashPrompt(shutdownCtx, "Admin password for accessing admin page: ")
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "cannot use password: %v\n", err)
+			return 1
+		}
+	} else {
+		adminAuthSHA = sha256.Sum256([]byte(cfg.AdminPass))
+		// Clear password string
+		cfg.AdminPass = ""
+	}
+
 	// Show version at startup.
 	log.Criticalf("Version %s (Go version %s %s/%s)", version.String(), runtime.Version(),
 		runtime.GOOS, runtime.GOARCH)
@@ -175,7 +190,7 @@ func run() int {
 		SupportEmail:         cfg.SupportEmail,
 		VspClosed:            cfg.VspClosed,
 		VspClosedMsg:         cfg.VspClosedMsg,
-		AdminPass:            cfg.AdminPass,
+		AdminAuthSHA:         adminAuthSHA,
 		Debug:                cfg.WebServerDebug,
 		Designation:          cfg.Designation,
 		MaxVoteChangeRecords: maxVoteChangeRecords,

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/jrick/logrotate v1.0.0
 	github.com/jrick/wsrpc/v2 v2.3.5
 	go.etcd.io/bbolt v1.3.6
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 )
 
 require (

go.sum

@@ -253,6 +253,8 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

prompt.go

@@ -0,0 +1,81 @@
+// Copyright (c) 2021 The Decred developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"context"
+	"crypto/sha256"
+	"fmt"
+	"os"
+
+	"golang.org/x/term"
+)
+
+type passwordReadResponse struct {
+	password []byte
+	err      error
+}
+
+// clearBytes zeroes the byte slice.
+func clearBytes(b []byte) {
+	for i := range b {
+		b[i] = 0
+	}
+}
+
+// passwordPrompt prompts the user to enter a password. Password must not be an
+// empty string.
+func passwordPrompt(ctx context.Context, prompt string) ([]byte, error) {
+	// Get the initial state of the terminal.
+	initialTermState, err := term.GetState(int(os.Stdin.Fd()))
+	if err != nil {
+		return nil, err
+	}
+
+	passwordReadChan := make(chan passwordReadResponse, 1)
+
+	go func() {
+		fmt.Print(prompt)
+		pass, err := term.ReadPassword(int(os.Stdin.Fd()))
+		fmt.Println()
+		passwordReadChan <- passwordReadResponse{
+			password: pass,
+			err:      err,
+		}
+	}()
+
+	select {
+	case <-ctx.Done():
+		_ = term.Restore(int(os.Stdin.Fd()), initialTermState)
+		return nil, ctx.Err()
+
+	case res := <-passwordReadChan:
+		if res.err != nil {
+			return nil, res.err
+		}
+		return res.password, nil
+	}
+}
+
+// passwordHashPrompt prompts the user to enter a password and returns its
+// SHA256 hash. Password must not be an empty string.
+func passwordHashPrompt(ctx context.Context, prompt string) ([sha256.Size]byte, error) {
+	var passBytes []byte
+	var err error
+	var authSHA [sha256.Size]byte
+
+	// Ensure passBytes is not empty.
+	for len(passBytes) == 0 {
+		passBytes, err = passwordPrompt(ctx, prompt)
+		if err != nil {
+			return authSHA, err
+		}
+	}
+
+	authSHA = sha256.Sum256(passBytes)
+	// Zero password bytes.
+	clearBytes(passBytes)
+	return authSHA, nil
+}

webapi/admin.go

@@ -5,6 +5,8 @@
 package webapi
 
 import (
+	"crypto/sha256"
+	"crypto/subtle"
 	"net/http"
 
 	"github.com/decred/vspd/database"
@@ -196,8 +198,8 @@ func (s *Server) ticketSearch(c *gin.Context) {
 // the current session will be authenticated as an admin.
 func (s *Server) adminLogin(c *gin.Context) {
 	password := c.PostForm("password")
-
-	if password != s.cfg.AdminPass {
+	authSHA := sha256.Sum256([]byte(password))
+	if subtle.ConstantTimeCompare(s.cfg.AdminAuthSHA[:], authSHA[:]) != 1 {
 		s.log.Warnf("Failed login attempt from %s", c.ClientIP())
 		c.HTML(http.StatusUnauthorized, "login.html", gin.H{
 			"WebApiCache":       s.cache.getData(),

webapi/middleware.go

@@ -6,6 +6,8 @@ package webapi
 
 import (
 	"bytes"
+	"crypto/sha256"
+	"crypto/subtle"
 	"errors"
 	"io"
 	"net/http"
@@ -373,3 +375,19 @@ func (s *Server) vspAuth(c *gin.Context) {
 	c.Set(knownTicketKey, ticketFound)
 	c.Set(commitmentAddressKey, commitmentAddress)
 }
+
+// authMiddleware checks incoming requests for authentication.
+func (s *Server) authMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// User is ignored
+		_, password, ok := c.Request.BasicAuth()
+		passAuthSHA := sha256.Sum256([]byte(password))
+		if !ok || subtle.ConstantTimeCompare(passAuthSHA[:], s.cfg.AdminAuthSHA[:]) != 1 {
+			s.log.Warnf("Failed authentication attempt from %s", c.ClientIP())
+			// Credentials doesn't match, we return 401 and abort handlers chain.
+			c.Header("WWW-Authenticate", `Basic realm="Authorization Required"`)
+			c.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
+	}
+}

webapi/webapi.go

@@ -35,7 +35,7 @@ type Config struct {
 	SupportEmail         string
 	VspClosed            bool
 	VspClosedMsg         string
-	AdminPass            string
+	AdminAuthSHA         [32]byte
 	Debug                bool
 	Designation          string
 	MaxVoteChangeRecords int
@@ -261,9 +261,7 @@ func (s *Server) router(cookieSecret []byte, dcrd rpc.DcrdConnect, wallets rpc.W
 
 	// Require Basic HTTP Auth on /admin/status endpoint.
 	basic := router.Group("/admin").Use(
-		s.withDcrdClient(dcrd), s.withWalletClients(wallets), gin.BasicAuth(gin.Accounts{
-			"admin": s.cfg.AdminPass,
-		}),
+		withDcrdClient(dcrd), withWalletClients(wallets), s.authMiddleware(),
 	)
 	basic.GET("/status", s.statusJSON)