Fix issue with unifying random byte generation in web admin login

commands/webadmin.go

@@ -66,7 +66,7 @@ func (g *webadmin) Check() error {
 	switch g.action {
 	case "del", "unlockaccount", "lockaccount":
 		if g.username == "" {
-			return errors.New("address must be supplied")
+			return errors.New("username must be supplied")
 		}
 	case "list":
 

internal/data/devices.go

@@ -98,7 +98,7 @@ func GetDevice(username, id string) (device Device, err error) {
 // Set device as authorized and clear authentication attempts
 func AuthoriseDevice(username, address string) (string, error) {
 
-	challenge, err := utils.GenerateRandomBytes(32)
+	challenge, err := utils.GenerateRandomHex(32)
 	if err != nil {
 		return "", fmt.Errorf("failed to generate random challenge on device authorisation: %s", err)
 	}

internal/data/events.go

@@ -84,7 +84,7 @@ func RegisterEventListener[T any](path string, isPrefix bool, f func(key string,
 		options = append(options, clientv3.WithPrefix())
 	}
 
-	key, err := utils.GenerateRandomBytes(16)
+	key, err := utils.GenerateRandomHex(16)
 	if err != nil {
 		return "", err
 	}
@@ -167,7 +167,7 @@ func RegisterClusterHealthListener(f func(status string)) (string, error) {
 	clusterHealthLck.Lock()
 	defer clusterHealthLck.Unlock()
 
-	key, err := utils.GenerateRandomBytes(16)
+	key, err := utils.GenerateRandomHex(16)
 	if err != nil {
 		return "", err
 	}
@@ -260,7 +260,7 @@ func RaiseError(raisedError error, value []byte) (err error) {
 		Time:            time.Now(),
 	}
 
-	ee.ErrorID, err = utils.GenerateRandomBytes(16)
+	ee.ErrorID, err = utils.GenerateRandomHex(16)
 	if err != nil {
 		return err
 	}

internal/data/init.go

@@ -112,7 +112,7 @@ func Load(path, joinToken string, testing bool) error {
 			}
 		}
 	}
-	part, err := utils.GenerateRandomBytes(10)
+	part, err := utils.GenerateRandomHex(10)
 	if err != nil {
 		return err
 	}

internal/data/registration.go

@@ -110,7 +110,7 @@ func FinaliseRegistration(token string) error {
 
 // Randomly generate a token for a specific username
 func GenerateToken(username, overwrite string, groups []string, uses int) (token string, err error) {
-	token, err = utils.GenerateRandomBytes(32)
+	token, err = utils.GenerateRandomHex(32)
 	if err != nil {
 		return "", err
 	}

internal/data/ui.go

@@ -65,7 +65,7 @@ func CreateAdminUser(username, password string, changeOnFirstUse bool) error {
 		return fmt.Errorf("password is too short for administrative console (must be greater than %d characters)", minPasswordLength)
 	}
 
-	salt, err := utils.GenerateRandomBytes(32)
+	salt, err := utils.GenerateRandomHex(8)
 	if err != nil {
 		return err
 	}
@@ -93,7 +93,7 @@ func CompareAdminKeys(username, password string) error {
 	wasteTime := func() {
 		// Null op to stop timing discovery attacks
 
-		salt, _ := utils.GenerateRandomBytes(32)
+		salt, _ := utils.GenerateRandomHex(32)
 
 		hash := argon2.IDKey([]byte(password), []byte(salt), 1, 10*1024, 4, 32)
 
@@ -122,9 +122,12 @@ func CompareAdminKeys(username, password string) error {
 			return "", err
 		}
 
-		thisHash := argon2.IDKey([]byte(password), rawHashSalt[len(rawHashSalt)-16:], 1, 10*1024, 4, 32)
+		salt := rawHashSalt[len(rawHashSalt)-16:]
+		expectedHash := rawHashSalt[:len(rawHashSalt)-16]
 
-		if subtle.ConstantTimeCompare(thisHash, rawHashSalt[:len(rawHashSalt)-16]) != 1 {
+		thisHash := argon2.IDKey([]byte(password), salt, 1, 10*1024, 4, 32)
+
+		if subtle.ConstantTimeCompare(thisHash, expectedHash) != 1 {
 			return "", errors.New("passwords did not match")
 		}
 
@@ -226,7 +229,7 @@ func SetAdminPassword(username, password string) error {
 		return fmt.Errorf("password is too short for administrative console (must be greater than %d characters)", minPasswordLength)
 	}
 
-	salt, err := utils.GenerateRandomBytes(32)
+	salt, err := utils.GenerateRandomHex(32)
 	if err != nil {
 		return err
 	}

internal/utils/utils.go

@@ -42,7 +42,7 @@ func GetIPFromRequest(r *http.Request) net.IP {
 	return net.ParseIP(GetIP(r.RemoteAddr)).To4()
 }
 
-func GenerateRandomBytes(n uint32) (string, error) {
+func GenerateRandomHex(n uint32) (string, error) {
 	b := make([]byte, n)
 	_, err := rand.Read(b)
 	if err != nil {

internal/webserver/authenticators/oidc.go

@@ -39,7 +39,7 @@ func (o *Oidc) LogoutPath() string {
 
 func (o *Oidc) Init() error {
 
-	key, err := utils.GenerateRandomBytes(32)
+	key, err := utils.GenerateRandomHex(32)
 	if err != nil {
 		return errors.New("failed to get random key: " + err.Error())
 	}
@@ -125,7 +125,7 @@ func (o *Oidc) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 	}
 
 	rp.AuthURLHandler(func() string {
-		r, _ := utils.GenerateRandomBytes(32)
+		r, _ := utils.GenerateRandomHex(32)
 		return r
 	}, o.provider)(w, r)
 }
@@ -245,7 +245,7 @@ func (o *Oidc) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 
 func (o *Oidc) MFAPromptUI(w http.ResponseWriter, r *http.Request, _, _ string) {
 	rp.AuthURLHandler(func() string {
-		r, _ := utils.GenerateRandomBytes(32)
+		r, _ := utils.GenerateRandomHex(32)
 		return r
 	}, o.provider)(w, r)
 }

ui/ui_webserver.go

@@ -192,12 +192,12 @@ func StartWebServer(errs chan<- error) error {
 	if len(admins) == 0 {
 		log.Println("[INFO] *************** Web interface enabled but no administrator users exist, generating new ones CREDENTIALS FOLLOW ***************")
 
-		password, err := utils.GenerateRandomBytes(8)
+		password, err := utils.GenerateRandomHex(8)
 		if err != nil {
 			return err
 		}
 
-		username, err := utils.GenerateRandomBytes(16)
+		username, err := utils.GenerateRandomHex(16)
 		if err != nil {
 			return err
 		}