mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Accept lowercase ldap pwd hashes (#3444)

Browse source
This commit is contained in:
Firstyear 2025-02-20 14:34:27 +10:00 committed by GitHub
parent 848af4cecd
commit 52824b58f1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 50 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
libs/crypto/src/lib.rs
View file

@ -662,9 +662,13 @@ impl TryFrom<&str> for Password {
}); });
} }
// Test 389ds formats // Test 389ds/openldap formats. Shout outs openldap which sometimes makes these
// lowercase.
if let Some(ds_ssha1) = value.strip_prefix("{SHA}") { if let Some(ds_ssha1) = value
.strip_prefix("{SHA}")
.or_else(|| value.strip_prefix("{sha}"))
{
let h = general_purpose::STANDARD.decode(ds_ssha1).map_err(|_| ())?; let h = general_purpose::STANDARD.decode(ds_ssha1).map_err(|_| ())?;
if h.len() != DS_SHA1_HASH_LEN { if h.len() != DS_SHA1_HASH_LEN {
return Err(()); return Err(());
@ -674,7 +678,10 @@ impl TryFrom<&str> for Password {
}); });
} }
if let Some(ds_ssha1) = value.strip_prefix("{SSHA}") { if let Some(ds_ssha1) = value
.strip_prefix("{SSHA}")
.or_else(|| value.strip_prefix("{ssha}"))
{
let sh = general_purpose::STANDARD.decode(ds_ssha1).map_err(|_| ())?; let sh = general_purpose::STANDARD.decode(ds_ssha1).map_err(|_| ())?;
let (h, s) = sh.split_at(DS_SHA1_HASH_LEN); let (h, s) = sh.split_at(DS_SHA1_HASH_LEN);
if s.len() != DS_SHA_SALT_LEN { if s.len() != DS_SHA_SALT_LEN {
@ -685,7 +692,10 @@ impl TryFrom<&str> for Password {
}); });
} }
if let Some(ds_ssha256) = value.strip_prefix("{SHA256}") { if let Some(ds_ssha256) = value
.strip_prefix("{SHA256}")
.or_else(|| value.strip_prefix("{sha256}"))
{
let h = general_purpose::STANDARD let h = general_purpose::STANDARD
.decode(ds_ssha256) .decode(ds_ssha256)
.map_err(|_| ())?; .map_err(|_| ())?;
@ -697,7 +707,10 @@ impl TryFrom<&str> for Password {
}); });
} }
if let Some(ds_ssha256) = value.strip_prefix("{SSHA256}") { if let Some(ds_ssha256) = value
.strip_prefix("{SSHA256}")
.or_else(|| value.strip_prefix("{ssha256}"))
{
let sh = general_purpose::STANDARD let sh = general_purpose::STANDARD
.decode(ds_ssha256) .decode(ds_ssha256)
.map_err(|_| ())?; .map_err(|_| ())?;
@ -710,7 +723,10 @@ impl TryFrom<&str> for Password {
}); });
} }
if let Some(ds_ssha512) = value.strip_prefix("{SHA512}") { if let Some(ds_ssha512) = value
.strip_prefix("{SHA512}")
.or_else(|| value.strip_prefix("{sha512}"))
{
let h = general_purpose::STANDARD let h = general_purpose::STANDARD
.decode(ds_ssha512) .decode(ds_ssha512)
.map_err(|_| ())?; .map_err(|_| ())?;
@ -722,7 +738,10 @@ impl TryFrom<&str> for Password {
}); });
} }
if let Some(ds_ssha512) = value.strip_prefix("{SSHA512}") { if let Some(ds_ssha512) = value
.strip_prefix("{SSHA512}")
.or_else(|| value.strip_prefix("{ssha512}"))
{
let sh = general_purpose::STANDARD let sh = general_purpose::STANDARD
.decode(ds_ssha512) .decode(ds_ssha512)
.map_err(|_| ())?; .map_err(|_| ())?;
@ -1441,8 +1460,12 @@ mod tests {
#[test] #[test]
fn test_password_from_ds_sha1() { fn test_password_from_ds_sha1() {
let im_pw = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="; let im_pw = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=";
let _r = Password::try_from(im_pw).expect("Failed to parse");
let im_pw = "{sha}W6ph5Mm5Pz8GgiULbPgzG37mj9g=";
let password = "password"; let password = "password";
let r = Password::try_from(im_pw).expect("Failed to parse"); let r = Password::try_from(im_pw).expect("Failed to parse");
// Known weak, require upgrade. // Known weak, require upgrade.
assert!(r.requires_upgrade()); assert!(r.requires_upgrade());
assert!(r.verify(password).unwrap_or(false)); assert!(r.verify(password).unwrap_or(false));
@ -1451,8 +1474,12 @@ mod tests {
#[test] #[test]
fn test_password_from_ds_ssha1() { fn test_password_from_ds_ssha1() {
let im_pw = "{SSHA}EyzbBiP4u4zxOrLpKTORI/RX3HC6TCTJtnVOCQ=="; let im_pw = "{SSHA}EyzbBiP4u4zxOrLpKTORI/RX3HC6TCTJtnVOCQ==";
let _r = Password::try_from(im_pw).expect("Failed to parse");
let im_pw = "{ssha}EyzbBiP4u4zxOrLpKTORI/RX3HC6TCTJtnVOCQ==";
let password = "password"; let password = "password";
let r = Password::try_from(im_pw).expect("Failed to parse"); let r = Password::try_from(im_pw).expect("Failed to parse");
// Known weak, require upgrade. // Known weak, require upgrade.
assert!(r.requires_upgrade()); assert!(r.requires_upgrade());
assert!(r.verify(password).unwrap_or(false)); assert!(r.verify(password).unwrap_or(false));
@ -1461,8 +1488,12 @@ mod tests {
#[test] #[test]
fn test_password_from_ds_sha256() { fn test_password_from_ds_sha256() {
let im_pw = "{SHA256}XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg="; let im_pw = "{SHA256}XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=";
let _r = Password::try_from(im_pw).expect("Failed to parse");
let im_pw = "{sha256}XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=";
let password = "password"; let password = "password";
let r = Password::try_from(im_pw).expect("Failed to parse"); let r = Password::try_from(im_pw).expect("Failed to parse");
// Known weak, require upgrade. // Known weak, require upgrade.
assert!(r.requires_upgrade()); assert!(r.requires_upgrade());
assert!(r.verify(password).unwrap_or(false)); assert!(r.verify(password).unwrap_or(false));
@ -1471,8 +1502,12 @@ mod tests {
#[test] #[test]
fn test_password_from_ds_ssha256() { fn test_password_from_ds_ssha256() {
let im_pw = "{SSHA256}luYWfFJOZgxySTsJXHgIaCYww4yMpu6yest69j/wO5n5OycuHFV/GQ=="; let im_pw = "{SSHA256}luYWfFJOZgxySTsJXHgIaCYww4yMpu6yest69j/wO5n5OycuHFV/GQ==";
let _r = Password::try_from(im_pw).expect("Failed to parse");
let im_pw = "{ssha256}luYWfFJOZgxySTsJXHgIaCYww4yMpu6yest69j/wO5n5OycuHFV/GQ==";
let password = "password"; let password = "password";
let r = Password::try_from(im_pw).expect("Failed to parse"); let r = Password::try_from(im_pw).expect("Failed to parse");
// Known weak, require upgrade. // Known weak, require upgrade.
assert!(r.requires_upgrade()); assert!(r.requires_upgrade());
assert!(r.verify(password).unwrap_or(false)); assert!(r.verify(password).unwrap_or(false));
@ -1481,8 +1516,12 @@ mod tests {
#[test] #[test]
fn test_password_from_ds_sha512() { fn test_password_from_ds_sha512() {
let im_pw = "{SHA512}sQnzu7wkTrgkQZF+0G1hi5AI3Qmzvv0bXgc5THBqi7mAsdd4Xll27ASbRt9fEyavWi6m0QP9B8lThf+rDKy8hg=="; let im_pw = "{SHA512}sQnzu7wkTrgkQZF+0G1hi5AI3Qmzvv0bXgc5THBqi7mAsdd4Xll27ASbRt9fEyavWi6m0QP9B8lThf+rDKy8hg==";
let _r = Password::try_from(im_pw).expect("Failed to parse");
let im_pw = "{sha512}sQnzu7wkTrgkQZF+0G1hi5AI3Qmzvv0bXgc5THBqi7mAsdd4Xll27ASbRt9fEyavWi6m0QP9B8lThf+rDKy8hg==";
let password = "password"; let password = "password";
let r = Password::try_from(im_pw).expect("Failed to parse"); let r = Password::try_from(im_pw).expect("Failed to parse");
// Known weak, require upgrade. // Known weak, require upgrade.
assert!(r.requires_upgrade()); assert!(r.requires_upgrade());
assert!(r.verify(password).unwrap_or(false)); assert!(r.verify(password).unwrap_or(false));
@ -1491,8 +1530,12 @@ mod tests {
#[test] #[test]
fn test_password_from_ds_ssha512() { fn test_password_from_ds_ssha512() {
let im_pw = "{SSHA512}JwrSUHkI7FTAfHRVR6KoFlSN0E3dmaQWARjZ+/UsShYlENOqDtFVU77HJLLrY2MuSp0jve52+pwtdVl2QUAHukQ0XUf5LDtM"; let im_pw = "{SSHA512}JwrSUHkI7FTAfHRVR6KoFlSN0E3dmaQWARjZ+/UsShYlENOqDtFVU77HJLLrY2MuSp0jve52+pwtdVl2QUAHukQ0XUf5LDtM";
let _r = Password::try_from(im_pw).expect("Failed to parse");
let im_pw = "{ssha512}JwrSUHkI7FTAfHRVR6KoFlSN0E3dmaQWARjZ+/UsShYlENOqDtFVU77HJLLrY2MuSp0jve52+pwtdVl2QUAHukQ0XUf5LDtM";
let password = "password"; let password = "password";
let r = Password::try_from(im_pw).expect("Failed to parse"); let r = Password::try_from(im_pw).expect("Failed to parse");
// Known weak, require upgrade. // Known weak, require upgrade.
assert!(r.requires_upgrade()); assert!(r.requires_upgrade());
assert!(r.verify(password).unwrap_or(false)); assert!(r.verify(password).unwrap_or(false));