Implement SHA-256 and SHA-512 hashed passwords

Fix abbot#72
pitpalme · May 8, 2021 · 544327f · 544327f
1 parent d3faa31
commit 544327f
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/basic.go b/basic.go
@@ -3,7 +3,7 @@ package auth
 import (
 	"bytes"
 	"context"
-	"crypto/sha1"
+	"crypto"
 	"crypto/subtle"
 	"encoding/base64"
 	"errors"
@@ -24,6 +24,8 @@ var (
 	}{
 		{"", compareMD5HashAndPassword}, // default compareFunc
 		{"{SHA}", compareShaHashAndPassword},
+		{"{SHA256}", compareSha256HashAndPassword},
+		{"{SHA512}", compareSha512HashAndPassword},
 		// Bcrypt is complicated. According to crypt(3) from
 		// crypt_blowfish version 1.3 (fetched from
 		// http://www.openwall.com/crypt/crypt_blowfish-1.3.tar.gz), there
@@ -94,10 +96,22 @@ func CheckSecret(password, secret string) bool {
 	return compare([]byte(secret), []byte(password)) == nil
 }
 
+func compareSha512HashAndPassword(hashedPassword, password []byte) error {
+	return compareShaXHashAndPassword(crypto.SHA512, "{SHA512}", hashedPassword, password)
+}
+
+func compareSha256HashAndPassword(hashedPassword, password []byte) error {
+	return compareShaXHashAndPassword(crypto.SHA256, "{SHA256}", hashedPassword, password)
+}
+
 func compareShaHashAndPassword(hashedPassword, password []byte) error {
-	d := sha1.New()
+	return compareShaXHashAndPassword(crypto.SHA1, "{SHA}", hashedPassword, password)
+}
+
+func compareShaXHashAndPassword(hash crypto.Hash, prefix string, hashedPassword, password []byte) error {
+	d := hash.New()
 	d.Write(password)
-	if subtle.ConstantTimeCompare(hashedPassword[5:], []byte(base64.StdEncoding.EncodeToString(d.Sum(nil)))) != 1 {
+	if subtle.ConstantTimeCompare(hashedPassword[len(prefix):], []byte(base64.StdEncoding.EncodeToString(d.Sum(nil)))) != 1 {
 		return errMismatchedHashAndPassword
 	}
 	return nil

diff --git a/basic_test.go b/basic_test.go
@@ -15,6 +15,8 @@ var basicSecrets = map[string]string{
 	"testsha":       "{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00=",
 	"testmd5":       "$apr1$0.KbAJur$4G9MiqUjDLCuihkMfmg6e1",
 	"testmd5broken": "$apr10.KbAJur$4G9MiqUjDLCuihkMfmg6e1",
+	"testsha256":    "{SHA256}$5$Eg2QLTpmL3TegBv7$h8PsM/fa1xxOXmhUWWIQvV8.BVl9o3vax2S0C4C7Km3",
+	"testsha512":    "{SHA512}$6$uqVy33l0y9YMJV15$UeR3rqmGvrgmc6cn6ZMKUrUqH9YBdrCbjTQK3K2gvprRWay45S6TC3fGQX4Ml4RY8cqkQ2f9CFqFmV02pyGhx.",
 }
 
 type credentials struct {
@@ -125,6 +127,10 @@ func TestBasicAuthWrap(t *testing.T) {
 		{"", "", http.StatusUnauthorized},
 		{"testsha", "invalid", http.StatusUnauthorized},
 		{"testsha", "hello", http.StatusOK},
+		{"testsha256", "invalid", http.StatusUnauthorized},
+		{"testsha256", "hello", http.StatusOK},
+		{"testsha512", "invalid", http.StatusUnauthorized},
+		{"testsha512", "hello", http.StatusOK},
 	} {
 		r, err := http.NewRequest("GET", ts.URL, nil)
 		if err != nil {
@@ -151,6 +157,8 @@ func TestCheckSecret(t *testing.T) {
 		{"openssl-md5", "$1$mvmz31IB$U9KpHBLegga2doA0e3s3N0"},
 		{"htpasswd-sha", "{SHA}vFznddje0Ht4+pmO0FaxwrUKN/M="},
 		{"htpasswd-bcrypt", "$2y$10$Q6GeMFPd0dAxhQULPDdAn.DFy6NDmLaU0A7e2XoJz7PFYAEADFKbC"},
+		{"openssl-sha256", "{SHA256}$5$qgB401R/ggz11Q5U$QAsQZuMF.xfkj7A0QrEvWpYgcStxtU8V3Wj5DSLOSI0"},
+		{"openssl-sha512", "{SHA512}$6$lseRR5fEdsK0sOkR$QTkArA5Z/arPmd78I7qmi8Wj/4bc8CbNw0FH59SYVXCfesr.AqOJINkGx/aaZ6gKYDbmYeFPSSMjMFW9HrMwR."},
 		// common bcrypt test vectors
 		{"", "$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s."},
 		{"", "$2a$08$HqWuK6/Ng6sg9gQzbLrgb.Tl.ZHfXLhvt/SgVyWhQqgqcZ7ZuUtye"},