asciigoat
/
httools
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Merge pull request 'htpasswd: refactor and add Passwd methods' (#3) 

Reviewed-on: #3
master
Alejandro Mery 1 year ago
parent
c2737bef29 5f5cbeab4f
commit
afac3a836f
9 changed files with 380 additions and 286 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 22
      htpasswd/apr1.go
  2. 26
      htpasswd/bcrypt.go
  3. 342
      htpasswd/htpasswd.go
  4. 41
      htpasswd/htpasswd_test.go
  5. 8
      htpasswd/htpasswd_testdata
  6. 52
      htpasswd/sha.go
  7. 52
      htpasswd/sha256.go
  8. 52
      htpasswd/sha512.go
  9. 71
      htpasswd/ssha.go

22
htpasswd/apr1.go
Unescape View File

@ -0,0 +1,22 @@
package htpasswd
import "github.com/GehirnInc/crypt/apr1_crypt"
// Apr1 facilitates apr1 style hashing
type Apr1 struct{}
// Hash returns the hashed variant of the password or an error
func (*Apr1) Hash(passwd string) (string, error) {
return apr1_crypt.New().Generate([]byte(passwd), nil)
}
// Match verifier the hashed password using the original
func (*Apr1) Match(password, hashedPassword string) error {
return apr1_crypt.New().Verify(hashedPassword, []byte(password))
}
// Name returns the name of the hasher
func (*Apr1) Name() string { return "apr1" }
// Prefix returns the hasher's prefix
func (*Apr1) Prefix() string { return "$apr1$" }

26
htpasswd/bcrypt.go
Unescape View File

@ -0,0 +1,26 @@
package htpasswd
import "golang.org/x/crypto/bcrypt"
// Bcrypt facilitates bcrypt style hashing
type Bcrypt struct{}
// Hash returns the hashed variant of the password or an error
func (*Bcrypt) Hash(password string) (string, error) {
passwordBytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
return "", err
}
return string(passwordBytes), nil
}
// Match verifier the hashed password using the original
func (*Bcrypt) Match(password, hashedPassword string) error {
return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password))
}
// Name returns the name of the hasher
func (*Bcrypt) Name() string { return "bcrypt" }
// Prefix returns the hasher's prefix
func (*Bcrypt) Prefix() string { return "$2a$" }

342
htpasswd/htpasswd.go
Unescape View File

@ -2,41 +2,22 @@
package htpasswd package htpasswd
import ( import (
"bytes"
"crypto/rand"
"crypto/sha1"
"crypto/sha256"
"crypto/sha512"
"encoding/base64"
"errors" "errors"
"fmt" "fmt"
"os" "os"
"strings" "strings"
"github.com/GehirnInc/crypt/apr1_crypt"
"golang.org/x/crypto/bcrypt"
) )
// Passwds name => hash // Passwds name => hash
type Passwds map[string]string type Passwds map[string]string
// HashAlgorithm enum for hashing algorithms // Hasher interface implemented by hash algos
type HashAlgorithm string type Hasher interface {
Hash(password string) (string, error)
const ( Match(password, hashedPassword string) error
// HashAPR1 Apache MD5 crypt Name() string
HashAPR1 HashAlgorithm = "apr1" Prefix() string
// HashBCrypt bcrypt }
HashBCrypt HashAlgorithm = "bcrypt"
// HashSHA SHA
HashSHA HashAlgorithm = "sha"
// HashSSHA Salted SHA
HashSSHA HashAlgorithm = "ssha"
// HashSHA256 256 variant of SHA
HashSHA256 HashAlgorithm = "sha256"
// HashSHA512 512 variant of SHA
HashSHA512 HashAlgorithm = "sha512"
)
// ParseHtpasswdFile parses a .htpasswd file // ParseHtpasswdFile parses a .htpasswd file
// and returns a Passwd type // and returns a Passwd type
@ -79,58 +60,60 @@ func ParseHtpasswd(htpasswdBytes []byte) (Passwds, error) {
return passwords, err return passwords, err
} }
func validLine(parts []string, lineNumber int, line string) (bool, error) {
var err error
if len(parts) != 2 {
err = errors.New(fmt.Sprintln("invalid line", lineNumber+1,
"unexpected number of parts split by", ":", len(parts),
"instead of 2 in\"", line, "\""))
return false, err
}
return true, nil
}
func trimParts(parts []string) []string {
for i, part := range parts {
parts[i] = strings.Trim(part, " ")
}
return parts
}
// CreateUser creates a record in the named file with // CreateUser creates a record in the named file with
// the named password and hash algorithm // the named password and hash algorithm
func CreateUser(file, user, passwd string, algo HashAlgorithm) error { func CreateUser(file, user, passwd string, algo Hasher) error {
pp, err := ParseHtpasswdFile(file) pp, err := ParseHtpasswdFile(file)
if err != nil { if err != nil {
return err return err
} }
err = pp.CreateUser(user, passwd, algo)
if err != nil {
return err
}
return pp.Write(file)
}
// CreateUser will create a new user in the given Passwd object
// using the given name, password and hashing algorithm
func (pp Passwds) CreateUser(user, passwd string, algo Hasher) error {
if _, exists := pp[user]; exists { if _, exists := pp[user]; exists {
return fmt.Errorf("user %s already exists", user) return fmt.Errorf("user %s already exists", user)
} }
h, err := createHash(passwd, algo) h, err := algo.Hash(passwd)
if err != nil { if err != nil {
return err return err
} }
pp[user] = h pp[user] = h
return os.WriteFile(file, pp.toByte(), os.ModePerm) return nil
} }
// UpdateUser will update the password for the named user // UpdateUser will update the password for the named user
// in the named file // in the named file
func UpdateUser(file, user, passwd string, algo HashAlgorithm) error { func UpdateUser(file, user, passwd string, algo Hasher) error {
pp, err := ParseHtpasswdFile(file) pp, err := ParseHtpasswdFile(file)
if err != nil { if err != nil {
return err return err
} }
err = pp.UpdateUser(user, passwd, algo)
if err != nil {
return err
}
return pp.Write(file)
}
// UpdateUser will update the password for the named user
// using the given name, password and hashing algorithm
func (pp Passwds) UpdateUser(user, passwd string, algo Hasher) error {
if _, exists := pp[user]; !exists { if _, exists := pp[user]; !exists {
return fmt.Errorf("user %s does not exist", user) return fmt.Errorf("user %s does not exist", user)
} }
h, err := createHash(passwd, algo) h, err := algo.Hash(passwd)
if err != nil { if err != nil {
return err return err
} }
pp[user] = h pp[user] = h
return os.WriteFile(file, pp.toByte(), os.ModePerm) return nil
} }
// DeleteUser deletes the named user from the named file // DeleteUser deletes the named user from the named file
@ -139,12 +122,22 @@ func DeleteUser(file, user string) error {
if err != nil { if err != nil {
return err return err
} }
err = pp.DeleteUser(user)
if err != nil {
return err
}
return pp.Write(file)
}
// DeleteUser deletes the named user from the named file
func (pp Passwds) DeleteUser(user string) error {
if _, exists := pp[user]; !exists { if _, exists := pp[user]; !exists {
return fmt.Errorf("user %s does not exist", user) return fmt.Errorf("user %s does not exist", user)
} }
delete(pp, user) delete(pp, user)
return os.WriteFile(file, pp.toByte(), os.ModePerm) return nil
} }
// VerifyUser will check if the given user and password are matching // VerifyUser will check if the given user and password are matching
@ -154,12 +147,12 @@ func VerifyUser(file, user, passwd string) error {
if err != nil { if err != nil {
return err return err
} }
return pp.Verify(user, passwd) return pp.VerifyUser(user, passwd)
} }
// Verify will check if the given user and password are matching // VerifyUser will check if the given user and password are matching
// with the given Passwd object content // with the given Passwd object
func (pp Passwds) Verify(user, passwd string) error { func (pp Passwds) VerifyUser(user, passwd string) error {
if _, ok := pp[user]; !ok { if _, ok := pp[user]; !ok {
return fmt.Errorf("user %s does not exist", user) return fmt.Errorf("user %s does not exist", user)
} }
@ -167,132 +160,16 @@ func (pp Passwds) Verify(user, passwd string) error {
if err != nil { if err != nil {
return fmt.Errorf("cannot identify algo %v", alg) return fmt.Errorf("cannot identify algo %v", alg)
} }
return verifyPass(passwd, pp[user], alg) return alg.Match(passwd, pp[user])
}
func verifyPass(pass, hash string, alg HashAlgorithm) error {
switch alg {
case HashAPR1:
return verifyAPR1(pass, hash)
case HashBCrypt:
return bcrypt.CompareHashAndPassword([]byte(hash), []byte(pass))
case HashSHA:
return verifySHA(pass, hash)
case HashSSHA:
return verifySSHA(pass, hash)
case HashSHA256:
return verifySHA256(pass, hash)
case HashSHA512:
return verifySHA512(pass, hash)
}
return fmt.Errorf("unsupported hash algorithm %v", alg)
}
func verifyAPR1(password, hashedPassword string) error {
return apr1_crypt.New().Verify(hashedPassword, []byte(password))
}
func verifySHA(password, hashedPassword string) error {
eppS := hashedPassword[5:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
}
sha := sha1.New()
_, err = sha.Write([]byte(password))
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash) {
return fmt.Errorf("wrong password")
}
return nil
}
func verifySSHA(password, hashedPassword string) error {
eppS := hashedPassword[6:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
} }
salt := hash[len(hash)-4:] // Write will cwrite the Passwd object to the given file
sha := sha1.New() func (pp Passwds) Write(file string) error {
_, err = sha.Write([]byte(password)) return os.WriteFile(file, pp.Bytes(), os.ModePerm)
if err != nil {
return err
} }
_, err = sha.Write(salt) // Bytes will return the Passwd as a byte slice
func (pp Passwds) Bytes() []byte {
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash[:len(hash)-4]) {
return fmt.Errorf("wrong password")
}
return nil
}
func verifySHA256(password, hashedPassword string) error {
eppS := hashedPassword[3:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
}
sha := sha256.New()
_, err = sha.Write([]byte(password))
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash) {
return fmt.Errorf("wrong password")
}
return nil
}
func verifySHA512(password, hashedPassword string) error {
eppS := hashedPassword[3:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
}
sha := sha512.New()
_, err = sha.Write([]byte(password))
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash) {
return fmt.Errorf("wrong password")
}
return nil
}
func (pp Passwds) toByte() []byte {
pass := []byte{} pass := []byte{}
for name, hash := range pp { for name, hash := range pp {
pass = append(pass, []byte(name+":"+hash+"\n")...) pass = append(pass, []byte(name+":"+hash+"\n")...)
@ -300,113 +177,40 @@ func (pp Passwds) toByte() []byte {
return pass return pass
} }
func identifyHash(h string) (HashAlgorithm, error) { func identifyHash(h string) (Hasher, error) {
switch { switch {
case strings.HasPrefix(h, "$2a$"), strings.HasPrefix(h, "$2y$"), case strings.HasPrefix(h, "$2a$"), strings.HasPrefix(h, "$2y$"),
strings.HasPrefix(h, "$2x$"), strings.HasPrefix(h, "$2b$"): strings.HasPrefix(h, "$2x$"), strings.HasPrefix(h, "$2b$"):
return HashBCrypt, nil return new(Bcrypt), nil
case strings.HasPrefix(h, "$apr1$"): case strings.HasPrefix(h, "$apr1$"):
return HashAPR1, nil return new(Apr1), nil
case strings.HasPrefix(h, "{SHA}"): case strings.HasPrefix(h, "{SHA}"):
return HashSHA, nil return new(Sha), nil
case strings.HasPrefix(h, "{SSHA}"): case strings.HasPrefix(h, "{SSHA}"):
return HashSSHA, nil return new(Ssha), nil
case strings.HasPrefix(h, "$5$"): case strings.HasPrefix(h, "$5$"):
return HashSHA256, nil return new(Sha256), nil
case strings.HasPrefix(h, "$6$"): case strings.HasPrefix(h, "$6$"):
return HashSHA512, nil return new(Sha512), nil
} }
return "", fmt.Errorf("unsupported hash algorithm") return nil, fmt.Errorf("unsupported hash algorithm")
} }
func createHash(passwd string, algo HashAlgorithm) (string, error) { func validLine(parts []string, lineNumber int, line string) (bool, error) {
hash := ""
prefix := ""
var err error var err error
switch algo { if len(parts) != 2 {
case HashAPR1: err = errors.New(fmt.Sprintln("invalid line", lineNumber+1,
hash, err = hashApr1(passwd) "unexpected number of parts split by", ":", len(parts),
case HashBCrypt: "instead of 2 in\"", line, "\""))
hash, err = hashBcrypt(passwd) return false, err
case HashSHA:
prefix = "{SHA}"
hash, err = hashSha(passwd)
case HashSSHA:
prefix = "{SSHA}"
hash, err = hashSSha(passwd)
case HashSHA256:
prefix = "$5$"
hash, err = hashSha256(passwd)
case HashSHA512:
prefix = "$6$"
hash, err = hashSha512(passwd)
}
if err != nil {
return "", err
}
return prefix + hash, nil
}
func hashApr1(passwd string) (string, error) {
return apr1_crypt.New().Generate([]byte(passwd), nil)
}
func hashBcrypt(passwd string) (string, error) {
passwordBytes, err := bcrypt.GenerateFromPassword([]byte(passwd), bcrypt.DefaultCost)
if err != nil {
return "", err
}
return string(passwordBytes), nil
}
func hashSha(passwd string) (string, error) {
s := sha1.New()
_, err := s.Write([]byte(passwd))
if err != nil {
return "", err
}
passwordSum := []byte(s.Sum(nil))
return base64.StdEncoding.EncodeToString(passwordSum), nil
}
func hashSha256(passwd string) (string, error) {
s := sha256.New()
_, err := s.Write([]byte(passwd))
if err != nil {
return "", err
}
passwordSum := []byte(s.Sum(nil))
return base64.StdEncoding.EncodeToString(passwordSum), nil
}
func hashSha512(passwd string) (string, error) {
s := sha512.New()
_, err := s.Write([]byte(passwd))
if err != nil {
return "", err
} }
passwordSum := []byte(s.Sum(nil)) return true, nil
return base64.StdEncoding.EncodeToString(passwordSum), nil
} }
func hashSSha(passwd string) (string, error) { func trimParts(parts []string) []string {
s := sha1.New() for i, part := range parts {
_, err := s.Write([]byte(passwd)) parts[i] = strings.Trim(part, " ")
if err != nil {
return "", err
}
salt := make([]byte, 4)
_, err = rand.Read(salt)
if err != nil {
return "", err
}
_, err = s.Write([]byte(salt))
if err != nil {
return "", err
} }
passwordSum := []byte(s.Sum(nil)) return parts
ret := append(passwordSum, salt...)
return base64.StdEncoding.EncodeToString(ret), nil
} }

41
htpasswd/htpasswd_test.go
Unescape View File

@ -5,7 +5,7 @@ import (
"testing" "testing"
) )
func TestParseHtpassd(t *testing.T) { func TestParseHtpasswd(t *testing.T) {
passwords, err := ParseHtpasswd([]byte("sha:{SHA}IRRjboXT92QSYXm8lpGPCZUvU1E=\n")) passwords, err := ParseHtpasswd([]byte("sha:{SHA}IRRjboXT92QSYXm8lpGPCZUvU1E=\n"))
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -26,15 +26,15 @@ func TestCreateUser(t *testing.T) {
} }
testCases := []struct { testCases := []struct {
user, password string user, password string
hash HashAlgorithm hash Hasher
expected error expected error
}{ }{
{"apr1", "123456@", HashAPR1, nil}, {"apr1", "123456@", new(Apr1), nil},
{"bcrypt", "123456@", HashBCrypt, nil}, {"bcrypt", "123456@", new(Bcrypt), nil},
{"ssha", "123456@", HashSSHA, nil}, {"ssha", "123456@", new(Ssha), nil},
{"sha", "123456@", HashSHA, nil}, {"sha", "123456@", new(Sha), nil},
{"sha256", "123456@", HashSHA256, nil}, {"sha256", "123456@", new(Sha256), nil},
{"sha512", "123456@", HashSHA512, nil}, {"sha512", "123456@", new(Sha512), nil},
} }
for _, tc := range testCases { for _, tc := range testCases {
@ -71,13 +71,13 @@ func TestVerifyPassword(t *testing.T) {
for _, tc := range testCases { for _, tc := range testCases {
err := VerifyUser(f.Name(), tc.user, tc.password) err := VerifyUser(f.Name(), tc.user, tc.password)
if err != tc.expected { if err != tc.expected {
t.Errorf("VerifyUser(%s %s, %s) = %v; want %v", t.Errorf("VerifyUser(%v %v, %v) = %v; want %v",
f, tc.user, tc.password, err, tc.expected) f, tc.user, tc.password, err, tc.expected)
} }
} }
} }
func TestVerify(t *testing.T) { func TestVerifyUser(t *testing.T) {
f, err := os.Stat("htpasswd_testdata") f, err := os.Stat("htpasswd_testdata")
if err != nil { if err != nil {
TestCreateUser(t) TestCreateUser(t)
@ -87,8 +87,23 @@ func TestVerify(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
err = pp.Verify("bcrypt", "123456@") testCases := []struct {
if err != nil { user, password string
t.Fatalf(err.Error()) expected error
}{
{"apr1", "123456@", nil},
{"bcrypt", "123456@", nil},
{"ssha", "123456@", nil},
{"sha", "123456@", nil},
{"sha256", "123456@", nil},
{"sha512", "123456@", nil},
}
for _, tc := range testCases {
err := pp.VerifyUser(tc.user, tc.password)
if err != tc.expected {
t.Errorf("VerifyUser(%s, %s) = %v; want %v",
tc.user, tc.password, err, tc.expected)
}
} }
} }

8
htpasswd/htpasswd_testdata
Unescape View File

@ -1,6 +1,6 @@
apr1:$apr1$v0FnbGJM$b2P3y1ltZYHakDaHrWx3N1 bcrypt:$2a$10$YNEmQcVCrvcA8m1DNCwR9eXaTySDEa1sC/T5xUUTFnVnP.RIP3O2u
bcrypt:$2a$10$pBSUext6NDsFYrm8GviW.OFe6SczH91INRC3YmsfE3HJp/fPmRaee ssha:{SSHA}fSLbdty+JHr+q3p/lHAPvNkOU3H8NLmI
ssha:{SSHA}LoTRQgCdeGIeJ3nxDQMCmQSWdnMEsLqj
sha512:$6$78RjySv19bx/knbdL6q1cpoV8WblZwc3x+wmPGQUvrSycxc4liKbksvDr9HZj76hgRuZZCyEngP+WEJmePArCQ==
sha:{SHA}YEn9/RmoXLdbyB9TEDJ0OqWoPy8= sha:{SHA}YEn9/RmoXLdbyB9TEDJ0OqWoPy8=
sha256:$5$ufJ2S16IOhB6XLTGrVLqGQBKv/odjE3rypxnUDLqaS0= sha256:$5$ufJ2S16IOhB6XLTGrVLqGQBKv/odjE3rypxnUDLqaS0=
sha512:$6$78RjySv19bx/knbdL6q1cpoV8WblZwc3x+wmPGQUvrSycxc4liKbksvDr9HZj76hgRuZZCyEngP+WEJmePArCQ==
apr1:$apr1$mO.FA9Gg$1LbPaKe7HCVHezEYzMCnn.

52
htpasswd/sha.go
Unescape View File

@ -0,0 +1,52 @@
package htpasswd
import (
"bytes"
"crypto/sha1"
"encoding/base64"
"fmt"
)
// Sha facilitates sha1 style hashing
type Sha struct{}
// Hash returns the hashed variant of the password or an error
func (ss *Sha) Hash(passwd string) (string, error) {
s := sha1.New()
_, err := s.Write([]byte(passwd))
if err != nil {
return "", err
}
passwordSum := []byte(s.Sum(nil))
return ss.Prefix() + base64.StdEncoding.EncodeToString(passwordSum), nil
}
// Match verifier the hashed password using the original
func (*Sha) Match(password, hashedPassword string) error {
eppS := hashedPassword[5:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
}
sha := sha1.New()
_, err = sha.Write([]byte(password))
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash) {
return fmt.Errorf("wrong password")
}
return nil
}
// Name returns the name of the hasher
func (*Sha) Name() string { return "sha" }
// Prefix returns the hasher's prefix
func (*Sha) Prefix() string { return "{SHA}" }

52
htpasswd/sha256.go
Unescape View File

@ -0,0 +1,52 @@
package htpasswd
import (
"bytes"
"crypto/sha256"
"encoding/base64"
"fmt"
)
// Sha256 facilitates sha256 style hashing
type Sha256 struct{}
// Hash returns the hashed variant of the password or an error
func (ss *Sha256) Hash(passwd string) (string, error) {
s := sha256.New()
_, err := s.Write([]byte(passwd))
if err != nil {
return "", err
}
passwordSum := []byte(s.Sum(nil))
return ss.Prefix() + base64.StdEncoding.EncodeToString(passwordSum), nil
}
// Match verifier the hashed password using the original
func (*Sha256) Match(password, hashedPassword string) error {
eppS := hashedPassword[3:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
}
sha := sha256.New()
_, err = sha.Write([]byte(password))
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash) {
return fmt.Errorf("wrong password")
}
return nil
}
// Name returns the name of the hasher
func (*Sha256) Name() string { return "sha256" }
// Prefix returns the hasher's prefix
func (*Sha256) Prefix() string { return "$5$" }

52
htpasswd/sha512.go
Unescape View File

@ -0,0 +1,52 @@
package htpasswd
import (
"bytes"
"crypto/sha512"
"encoding/base64"
"fmt"
)
// Sha512 facilitates sha512 style hashing
type Sha512 struct{}
// Hash returns the hashed variant of the password or an error
func (ss *Sha512) Hash(passwd string) (string, error) {
s := sha512.New()
_, err := s.Write([]byte(passwd))
if err != nil {
return "", err
}
passwordSum := []byte(s.Sum(nil))
return ss.Prefix() + base64.StdEncoding.EncodeToString(passwordSum), nil
}
// Match verifier the hashed password using the original
func (*Sha512) Match(password, hashedPassword string) error {
eppS := hashedPassword[3:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
}
sha := sha512.New()
_, err = sha.Write([]byte(password))
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash) {
return fmt.Errorf("wrong password")
}
return nil
}
// Name returns the name of the hasher
func (*Sha512) Name() string { return "sha512" }
// Prefix returns the hasher's prefix
func (*Sha512) Prefix() string { return "$6$" }

71
htpasswd/ssha.go
Unescape View File

@ -0,0 +1,71 @@
package htpasswd
import (
"bytes"
"crypto/rand"
"crypto/sha1"
"encoding/base64"
"fmt"
)
// Ssha facilitates ssha style hashing
type Ssha struct{}
// Hash returns the hashed variant of the password or an error
func (ss *Ssha) Hash(passwd string) (string, error) {
s := sha1.New()
_, err := s.Write([]byte(passwd))
if err != nil {
return "", err
}
salt := make([]byte, 4)
_, err = rand.Read(salt)
if err != nil {
return "", err
}
_, err = s.Write([]byte(salt))
if err != nil {
return "", err
}
passwordSum := []byte(s.Sum(nil))
ret := append(passwordSum, salt...)
return ss.Prefix() + base64.StdEncoding.EncodeToString(ret), nil
}
// Match verifier the hashed password using the original
func (*Ssha) Match(password, hashedPassword string) error {
eppS := hashedPassword[6:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
}
salt := hash[len(hash)-4:]
sha := sha1.New()
_, err = sha.Write([]byte(password))
if err != nil {
return err
}
_, err = sha.Write(salt)
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash[:len(hash)-4]) {
return fmt.Errorf("wrong password")
}
return nil
}
// Name returns the name of the hasher
func (*Ssha) Name() string { return "ssha" }
// Prefix returns the hasher's prefix
func (*Ssha) Prefix() string { return "{SSHA}" }
Write Preview
Loading…
Cancel
Save