use legacy ssha algorithm, new one is incompatible
All checks were successful
continuous-integration/drone/pr Build is passing
continuous-integration/drone/push Build is passing

This commit is contained in:
Quentin 2023-03-26 09:35:28 +02:00
parent 9cab98d2ce
commit a2be316d91
Signed by: quentin
GPG key ID: E9602264D639FF68
2 changed files with 66 additions and 5 deletions

1
.gitignore vendored
View file

@ -3,3 +3,4 @@ bottin.static
config.json config.json
test/test test/test
result result
ldap.json

70
ssha.go
View file

@ -2,8 +2,16 @@ package main
import ( import (
"errors" "errors"
"strings"
"github.com/jsimonetti/pwscheme/ssha" "bytes"
"crypto/rand"
"crypto/sha1"
"encoding/base64"
"fmt"
log "github.com/sirupsen/logrus"
//"github.com/jsimonetti/pwscheme/ssha"
"github.com/jsimonetti/pwscheme/ssha256" "github.com/jsimonetti/pwscheme/ssha256"
"github.com/jsimonetti/pwscheme/ssha512" "github.com/jsimonetti/pwscheme/ssha512"
) )
@ -26,9 +34,12 @@ func SSHAMatches(encodedPassPhrase string, rawPassPhrase string) (bool, error) {
return false, errors.New("invalid password hash stored") return false, errors.New("invalid password hash stored")
} }
var is_ok bool
switch hashType { switch hashType {
case SSHA: case SSHA:
return ssha.Validate(rawPassPhrase, encodedPassPhrase) is_ok = LegacySSHAMatches(encodedPassPhrase, []byte(rawPassPhrase))
return is_ok, nil
//return ssha.Validate(rawPassPhrase, encodedPassPhrase)
case SSHA256: case SSHA256:
return ssha256.Validate(rawPassPhrase, encodedPassPhrase) return ssha256.Validate(rawPassPhrase, encodedPassPhrase)
case SSHA512: case SSHA512:
@ -39,15 +50,64 @@ func SSHAMatches(encodedPassPhrase string, rawPassPhrase string) (bool, error) {
} }
func determineHashType(hash string) (string, error) { func determineHashType(hash string) (string, error) {
if len(hash) >= 7 && string(hash[0:6]) == SSHA { if len(hash) >= 7 && strings.ToUpper(string(hash[0:6])) == SSHA {
return SSHA, nil return SSHA, nil
} }
if len(hash) >= 10 && string(hash[0:9]) == SSHA256 { if len(hash) >= 10 && strings.ToUpper(string(hash[0:9])) == SSHA256 {
return SSHA256, nil return SSHA256, nil
} }
if len(hash) >= 10 && string(hash[0:9]) == SSHA512 { if len(hash) >= 10 && strings.ToUpper(string(hash[0:9])) == SSHA512 {
return SSHA512, nil return SSHA512, nil
} }
return "", errors.New("no valid hash found") return "", errors.New("no valid hash found")
} }
// --- legacy
// Encode encodes the []byte of raw password
func LegacySSHAEncode(rawPassPhrase []byte) string {
hash := legacyMakeSSHAHash(rawPassPhrase, legacyMakeSalt())
b64 := base64.StdEncoding.EncodeToString(hash)
return fmt.Sprintf("{ssha}%s", b64)
}
// Matches matches the encoded password and the raw password
func LegacySSHAMatches(encodedPassPhrase string, rawPassPhrase []byte) bool {
if !strings.EqualFold(encodedPassPhrase[:6], "{ssha}") {
return false
}
bhash, err := base64.StdEncoding.DecodeString(encodedPassPhrase[6:])
if err != nil {
return false
}
salt := bhash[20:]
newssha := legacyMakeSSHAHash(rawPassPhrase, salt)
if bytes.Compare(newssha, bhash) != 0 {
return false
}
return true
}
// makeSalt make a 32 byte array containing random bytes.
func legacyMakeSalt() []byte {
sbytes := make([]byte, 32)
_, err := rand.Read(sbytes)
if err != nil {
log.Panicf("Could not read random bytes: %s", err)
}
return sbytes
}
// makeSSHAHash make hasing using SHA-1 with salt. This is not the final output though. You need to append {SSHA} string with base64 of this hash.
func legacyMakeSSHAHash(passphrase, salt []byte) []byte {
sha := sha1.New()
sha.Write(passphrase)
sha.Write(salt)
h := sha.Sum(nil)
return append(h, salt...)
}