From 1ea94dd403bedbf255c4456079e8793576fd0aeb Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Fri, 5 Nov 2021 14:49:45 +1100
Subject: [PATCH] fix(authentication): only check argon2id salt for b64 encoding (#2529)

This changes the validation of salts for sha512 to be done by the upstream API rather than locally. This allows the salts used in Linux to be utilized with Authelia provided the hash is a sha512 hash.

Co-authored-by: Amir Zarrinkafsh
---
 internal/authentication/password_hash.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/internal/authentication/password_hash.go b/internal/authentication/password_hash.go
index 70f30d47d..5c1fb5ea6 100644
--- a/internal/authentication/password_hash.go
+++ b/internal/authentication/password_hash.go
@@ -56,11 +56,6 @@ func ParseHash(hash string) (passwordHash *PasswordHash, err error) {
 return nil, fmt.Errorf("Hash key contains no characters or the field length is invalid (%s)", hash)
 }
 
- _, err = crypt.Base64Encoding.DecodeString(h.Salt)
- if err != nil {
- return nil, errors.New("Salt contains invalid base64 characters")
- }
-
 switch code {
 case HashingAlgorithmSHA512:
 h.Iterations = parameters.GetInt("rounds", HashingDefaultSHA512Iterations)
@@ -70,6 +65,11 @@ func ParseHash(hash string) (passwordHash *PasswordHash, err error) {
 return nil, fmt.Errorf("SHA512 iterations is not numeric (%s)", parameters["rounds"])
 }
 case HashingAlgorithmArgon2id:
+ _, err = crypt.Base64Encoding.DecodeString(h.Salt)
+ if err != nil {
+ return nil, errors.New("Salt contains invalid base64 characters")
+ }
+
 version := parameters.GetInt("v", 0)
 if version < 19 {
 if version == 0 {
@@ -118,9 +118,11 @@ func HashPassword(password, salt string, algorithm CryptAlgo, iterations, memory
 }
 }
 
- err = validateSalt(salt, saltLength)
- if err != nil {
- return "", err
+ if algorithm != HashingAlgorithmSHA512 {
+ err = validateSalt(salt, saltLength)
+ if err != nil {
+ return "", err
+ }
 }
 
 if salt == "" {
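Review bot: After this change the SHA512 arm of ParseHash accepts h.Salt with no local check at all, and nothing in the code records that the crypt package is expected to reject malformed sha512-crypt salts, which is the premise the commit message relies on. A short comment on the `case HashingAlgorithmSHA512:` arm would keep that contract visible to the next maintainer, e.g. `// sha512-crypt salts (including Linux-generated ones) are not required to decode as base64; the crypt package validates them on use.` In the Argon2id arm the decoded bytes are discarded, so the moved check only confirms the alphabet and not the decoded length; if a minimum salt length is intended for Argon2id it would belong next to this decode. ParseHash begins before and ends after this hunk.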
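Review bot: Guarding validateSalt with `algorithm != HashingAlgorithmSHA512` skips its length check as well as its character check, so a caller-supplied sha512 salt of any length now reaches the crypt call unexamined; whether the upstream implementation rejects or silently shortens an over-long salt is not visible in this hunk and is worth confirming, since silent shortening would leave the caller believing a longer salt was applied. If the upstream behaviour is acceptable, the reason should be recorded at the new condition, e.g. `// sha512-crypt salts are validated by the crypt package rather than locally so Linux salts are accepted.` The branch body could also use the scoped form `if err := validateSalt(salt, saltLength); err != nil {` unless err is a named result that is read later in the function. HashPassword begins before and ends after this hunk.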