fix(authentication): only check argon2id salt for b64 encoding (#2529)
This changes the validation of salts for sha512 to be done by the upstream API rather than locally. This allows the salts used in Linux to be utilized with Authelia provided the hash is a sha512 hash.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
pull/2535/head^2
parent
eae353e315
commit
1ea94dd403
|
@ -56,11 +56,6 @@ func ParseHash(hash string) (passwordHash *PasswordHash, err error) {
|
|||
return nil, fmt.Errorf("Hash key contains no characters or the field length is invalid (%s)", hash)
|
||||
}
|
||||
|
||||
_, err = crypt.Base64Encoding.DecodeString(h.Salt)
|
||||
if err != nil {
|
||||
return nil, errors.New("Salt contains invalid base64 characters")
|
||||
}
|
||||
|
||||
switch code {
|
||||
case HashingAlgorithmSHA512:
|
||||
h.Iterations = parameters.GetInt("rounds", HashingDefaultSHA512Iterations)
|
||||
|
@ -70,6 +65,11 @@ func ParseHash(hash string) (passwordHash *PasswordHash, err error) {
|
|||
return nil, fmt.Errorf("SHA512 iterations is not numeric (%s)", parameters["rounds"])
|
||||
}
|
||||
case HashingAlgorithmArgon2id:
|
||||
_, err = crypt.Base64Encoding.DecodeString(h.Salt)
|
||||
if err != nil {
|
||||
return nil, errors.New("Salt contains invalid base64 characters")
|
||||
}
|
||||
|
||||
version := parameters.GetInt("v", 0)
|
||||
if version < 19 {
|
||||
if version == 0 {
|
||||
|
@ -118,10 +118,12 @@ func HashPassword(password, salt string, algorithm CryptAlgo, iterations, memory
|
|||
}
|
||||
}
|
||||
|
||||
if algorithm != HashingAlgorithmSHA512 {
|
||||
err = validateSalt(salt, saltLength)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
}
|
||||
|
||||
if salt == "" {
|
||||
salt = crypt.Base64Encoding.EncodeToString([]byte(utils.RandomString(saltLength, HashingPossibleSaltCharacters)))
|
||||
|
|
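Review bot: In the `HashPassword` hunk, a caller-supplied salt for `HashingAlgorithmSHA512` now skips `validateSalt` entirely, so any length or character-set limit that function enforced (its body is not shown here) no longer applies on that path, and after the first hunk `ParseHash` also leaves the SHA512 salt unchecked. Deferring to the upstream crypt library is reasonable for accepting Linux-style salts, but a salt containing the `$` field separator, or a very short one, would presumably be passed straight through unless the library rejects it. Consider keeping a minimal local check for the SHA512 case, for example `if algorithm == HashingAlgorithmSHA512 && strings.Contains(salt, "$") { return "", errors.New("Salt contains invalid characters") }`, and add a comment on the `if algorithm != HashingAlgorithmSHA512 {` line stating that SHA512 salts are validated upstream. `HashPassword` and `ParseHash` both start and end outside the visible hunks.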