-
Notifications
You must be signed in to change notification settings - Fork 171
/
hasher.go
129 lines (115 loc) · 3.89 KB
/
hasher.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
/*
* Copyright (c) 2019-2021. Abstrium SAS <team (at) pydio.com>
* This file is part of Pydio Cells.
*
* Pydio Cells is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Pydio Cells is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with Pydio Cells. If not, see <http://www.gnu.org/licenses/>.
*
* The latest code can be found at <https://pydio.com>.
*/
package auth
import (
"bytes"
"crypto/md5"
"crypto/sha1"
"crypto/sha256"
"encoding/base64"
"encoding/hex"
"fmt"
"math/rand"
"strconv"
"strings"
"time"
"golang.org/x/crypto/pbkdf2"
)
type PydioPW struct {
PBKDF2_HASH_ALGORITHM string
PBKDF2_ITERATIONS int
PBKDF2_SALT_BYTE_SIZE int
PBKDF2_HASH_BYTE_SIZE int
HASH_SECTIONS int
HASH_ALGORITHM_INDEX int
HASH_ITERATION_INDEX int
HASH_SALT_INDEX int
HASH_PBKDF2_INDEX int
}
func (p PydioPW) pbkdf2CreateHash(password []byte, salt []byte, iter, totalSize int, algo string) (hash []byte, err error) {
switch strings.ToLower(algo) {
case "sha256":
key := pbkdf2.Key(password, salt, iter, totalSize, sha256.New)
return key, nil
case "sha1":
key := pbkdf2.Key(password, salt, iter, totalSize, sha1.New)
return key, nil
}
return nil, fmt.Errorf("Hash algorithm not supported")
}
func (p PydioPW) checkPasswordMD5(password string, storePassword string) bool {
hasher := md5.New()
hasher.Write([]byte(password))
return strings.Compare(hex.EncodeToString(hasher.Sum(nil)), storePassword) == 0
}
func (p PydioPW) checkPasswordDBKDF2(password string, storePassword []byte, salt []byte, iter, totalSize int, algo string) (bool, error) {
pwd, err := p.pbkdf2CreateHash([]byte(password), salt, iter, totalSize, algo)
if err != nil {
return false, err
}
if bytes.Equal(pwd, storePassword) {
return true, nil
}
return false, fmt.Errorf("Password does not match")
}
func (p PydioPW) CheckDBKDF2PydioPwd(password string, hashedPw string, legacySalt ...bool) (bool, error) {
arrPwd := strings.Split(hashedPw, ":")
if len(arrPwd) < p.HASH_SECTIONS {
// MD5 password
return p.checkPasswordMD5(password, hashedPw), nil
}
if len(arrPwd) == p.HASH_SECTIONS {
base64Salt := arrPwd[p.HASH_SALT_INDEX]
var salt []byte
if len(legacySalt) > 0 && legacySalt[0] {
salt = []byte(base64Salt)
} else {
salt, _ = base64.StdEncoding.DecodeString(base64Salt)
}
iter, err := strconv.Atoi(arrPwd[p.HASH_ITERATION_INDEX])
if err != nil {
return false, err
}
algo := arrPwd[p.HASH_ALGORITHM_INDEX]
base64Pw := arrPwd[p.HASH_PBKDF2_INDEX]
storePw, err := base64.StdEncoding.DecodeString(base64Pw)
if err != nil {
return false, err
}
size := len(storePw)
return p.checkPasswordDBKDF2(password, storePw, salt, iter, size, algo)
}
return false, fmt.Errorf("Password format invalid")
}
func (p PydioPW) CreateHash(password string) (base64Pw string) {
salt := RandStringBytes(p.PBKDF2_SALT_BYTE_SIZE)
hashedPw, _ := p.pbkdf2CreateHash([]byte(password), salt, p.PBKDF2_ITERATIONS, p.PBKDF2_HASH_BYTE_SIZE, p.PBKDF2_HASH_ALGORITHM)
return strings.ToLower(p.PBKDF2_HASH_ALGORITHM) + ":" + strconv.Itoa(p.PBKDF2_ITERATIONS) + ":" + base64.StdEncoding.EncodeToString(salt) + ":" + base64.StdEncoding.EncodeToString(hashedPw)
}
// Use stronger random []byte
const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
func RandStringBytes(n int) []byte {
rand.Seed(time.Now().UTC().UnixNano())
b := make([]byte, n)
for i := range b {
b[i] = letterBytes[rand.Intn(len(letterBytes))]
}
return b
}