Adding Crypt with SHA-256 and SHA-512 algorithm support (#6)

jespersoderlund · Jesper Söderlund · web-flow · commit 1fa2fb0b08c9 · 2021-08-16T14:23:34.000-07:00
* Adding Crypt with SHA-256 and SHA-512 algorithm support

* Stating Crypt as supported

Co-authored-by: Jesper Söderlund &lt;jesper.soderlund@klarna.com&gt;
diff --git a/README.md b/README.md
@@ -5,10 +5,10 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/tg123/go-htpasswd)](https://goreportcard.com/report/github.com/tg123/go-htpasswd)
 
 
-This is a libary to validate user credentials against an HTTPasswd file. 
+This is a libary to validate user credentials against an HTTPasswd file.
 
-This was forked from <https://github.com/jimstudt/http-authentication/tree/master/basic> 
-with modifications by @brian-avery to support SSHA, Md5Crypt, and Bcrypt.
+This was forked from <https://github.com/jimstudt/http-authentication/tree/master/basic>
+with modifications by @brian-avery to support SSHA, Md5Crypt, and Bcrypt and @jespersoderlund to support Crypt with SHA-256 and SHA-512 support.
 
 ## Currently, this supports:
 * SSHA
@@ -17,6 +17,4 @@ with modifications by @brian-avery to support SSHA, Md5Crypt, and Bcrypt.
 * SHA
 * Bcrypt
 * Plain text
-
-## Not supported:
-* Crypt
+* Crypt with SHA-256 and SHA-512
diff --git a/cryptsha.go b/cryptsha.go
@@ -0,0 +1,77 @@
+package htpasswd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/GehirnInc/crypt"
+	_ "github.com/GehirnInc/crypt/sha256_crypt"
+	_ "github.com/GehirnInc/crypt/sha512_crypt"
+)
+
+type cryptPassword struct {
+	salt   string
+	hashed string
+	prefix string
+}
+
+// Prefixes
+const PrefixCryptSha256 = "$5$"
+const PrefixCryptSha512 = "$6$"
+
+// Accepts valid passwords
+func AcceptCryptSha(src string) (EncodedPasswd, error) {
+	if !strings.HasPrefix(src, PrefixCryptSha256) && !strings.HasPrefix(src, PrefixCryptSha512) {
+		return nil, nil
+	}
+
+	prefix := PrefixCryptSha512
+	if strings.HasPrefix(src, PrefixCryptSha256) {
+		prefix = PrefixCryptSha256
+	}
+
+	rest := strings.TrimPrefix(src, prefix)
+	mparts := strings.SplitN(rest, "$", 2)
+	if len(mparts) != 2 {
+		return nil, fmt.Errorf("malformed crypt-SHA password: %s", src)
+	}
+
+	salt, hashed := mparts[0], mparts[1]
+	if len(salt) > 16 {
+		salt = salt[0:16]
+	}
+	return &cryptPassword{salt, hashed, prefix}, nil
+}
+
+// RejectCryptSha known indexes
+func RejectCryptSha(src string) (EncodedPasswd, error) {
+	if !strings.HasPrefix(src, PrefixCryptSha512) && !strings.HasPrefix(src, PrefixCryptSha256) {
+		return nil, nil
+	}
+	return nil, fmt.Errorf("crypt-sha password rejected: %s", src)
+}
+
+func shaCrypt(password string, salt string, prefix string) string {
+
+	var ret string
+	var sb strings.Builder
+	sb.WriteString(prefix)
+	sb.WriteString(salt)
+	totalSalt := sb.String()
+
+	if prefix == PrefixCryptSha512 {
+		crypt := crypt.SHA512.New()
+		ret, _ = crypt.Generate([]byte(password), []byte(totalSalt))
+
+	} else if prefix == PrefixCryptSha256 {
+		crypt := crypt.SHA256.New()
+		ret, _ = crypt.Generate([]byte(password), []byte(totalSalt))
+	}
+
+	return ret[len(totalSalt)+1:]
+}
+
+func (m *cryptPassword) MatchesPassword(pw string) bool {
+	hashed := shaCrypt(pw, m.salt, m.prefix)
+	return constantTimeEquals(hashed, m.hashed)
+}
diff --git a/cryptsha_test.go b/cryptsha_test.go
@@ -0,0 +1,44 @@
+package htpasswd
+
+import (
+	"fmt"
+	"testing"
+)
+
+type shacryptDatum struct {
+	password string
+	salt     string
+	hashed   string
+	prefix   string
+}
+
+var sha256TestData = []shacryptDatum{
+	{"mickey", "123456", "2hClNSDw3lZ0X/9PFBSI2eCGMOS06v6IbChiRsjy6tA", PrefixCryptSha256},
+	{"paul1", "654321", "yXh20wwTHRwjSLcw20kQtiViO9n7HXDgEvzWf.cDks4", PrefixCryptSha256},
+	{"princessbuttercup", "gildor", "/96zrUL6Si5ApMDxKlIvMHefBZz04JXJeg.Lp1fjhg1", PrefixCryptSha256},
+}
+
+var sha512TestData = []shacryptDatum{
+	{"vinnie6", "123456", "By3XGEfRf2RwFvWYR0kHRVJGq2/IKwLEGQxwyncoP88TGiBzHMBmvrTNxHgyqrmhZ/M7CGtkfIw0rBRfewW.y1", PrefixCryptSha512},
+	{"mickey5", "iklkG8zV969+0x+f", "XKxre3pm8QNHezNxyEXj51AkNy5AXJQKifFhVWqhVaLLUAUAZkDy6Dp1Th/mTE/e/MkImK30.pByqu0CGsQZW1", PrefixCryptSha512},
+	{"andrew1", "654321", "Qro3QWOs61UCarx1PAwAlL1.vJgZJXsIXml3.3vVhV.2xUwIRBmmyQzK9yFAqYY5iD1wkAdhUko6hl6T9N7s5.", PrefixCryptSha512},
+	{"dreadpirateroberts", "98765432101234567890", "FPU3HtJ9RcPVUvxifkIJ/AlrBxWLqJQvyxK2f8x4qDX/A1RpcIvgjToU5erVkR6XUl7qwPsm7idpbMH5f/pBn0", PrefixCryptSha512},
+}
+
+func Test_CryptSha(t *testing.T) {
+
+	for _, v := range sha256TestData {
+		text := fmt.Sprintf(v.prefix+"%s$%s", v.salt, v.hashed)
+		testParserGood(t, "crypt-sha512", AcceptCryptSha, RejectCryptSha, text, v.password)
+	}
+
+	for _, v := range sha512TestData {
+		text := fmt.Sprintf(v.prefix+"%s$%s", v.salt, v.hashed)
+		testParserGood(t, "crypt-sha512", AcceptCryptSha, RejectCryptSha, text, v.password)
+	}
+
+	testParserBad(t, "crypt-sha256", AcceptCryptSha, RejectCryptSha, "$5$nosalt")
+	testParserBad(t, "crypt-sha512", AcceptCryptSha, RejectCryptSha, "$6$nosalt")
+	testParserNot(t, "crypt-sha512", AcceptCryptSha, RejectCryptSha, "plain")
+	testParserNot(t, "crypt-sha512", AcceptCryptSha, RejectCryptSha, "{SHA}plain")
+}
diff --git a/go.mod b/go.mod
@@ -2,4 +2,7 @@ module github.com/tg123/go-htpasswd
 
 go 1.12
 
-require golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25
+require (
+	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
+	golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25
+)
diff --git a/go.sum b/go.sum
@@ -1,3 +1,5 @@
+github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaaSyd+DyQRrsQjhbSeS7qe4nEw8aQw=
+github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo=
 golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25 h1:jsG6UpNLt9iAsb0S2AGW28DveNzzgmbXR+ENoPjUeIU=
 golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
diff --git a/htpasswd.go b/htpasswd.go
@@ -57,7 +57,7 @@ type File struct {
 }
 
 // DefaultSystems is an array of PasswdParser including all builtin parsers. Notice that Plain is last, since it accepts anything
-var DefaultSystems = []PasswdParser{AcceptMd5, AcceptSha, AcceptBcrypt, AcceptSsha, AcceptPlain}
+var DefaultSystems = []PasswdParser{AcceptMd5, AcceptSha, AcceptBcrypt, AcceptSsha, AcceptCryptSha, AcceptPlain}
 
 // New creates an File from an Apache-style htpasswd file for HTTP Basic Authentication.
 //
diff --git a/htpasswd_test.go b/htpasswd_test.go

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ type File struct {`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`// DefaultSystems is an array of PasswdParser including all builtin parsers. Notice that Plain is last, since it accepts anything`
`60`		`-var DefaultSystems = []PasswdParser{AcceptMd5, AcceptSha, AcceptBcrypt, AcceptSsha, AcceptPlain}`
	`60`	`+var DefaultSystems = []PasswdParser{AcceptMd5, AcceptSha, AcceptBcrypt, AcceptSsha, AcceptCryptSha, AcceptPlain}`
`61`	`61`
`62`	`62`	`// New creates an File from an Apache-style htpasswd file for HTTP Basic Authentication.`
`63`	`63`	`//`