


Commit MetaInfo

Revision9d67cfb2c07ff0b8c995bf3c344b61882bfb03d2 (tree)
Time2018-05-10 00:20:42
Authorumorigu <umorigu@gmai...>
Commiterumorigu

Log Message

BugTrack/2469 OpenLDAP SHA-2 Support on password (patched by henoheno)

Supported SHA-2 password schemes:
* SHA256, SHA384, SHA512 (LDAP: OpenLDAP compatible)
* SSHA256, SSHA384, SSHA512 (OpenLDAP compatible - Salted version)
* x-php-sha256, x-php-sha384, x-php-sha512 (Simple hex version)

RFC 6234: US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)
https://tools.ietf.org/html/rfc6234

Internet-Draft: Lightweight Directory Access Protocol (LDAP): Hashed Attribute values for 'userPassword' (March 13, 2013)
https://tools.ietf.org/html/draft-stroeder-hashed-userpassword-values-01


Incremental Difference

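--- a/lib/auth.php
+++ b/lib/auth.php
@@ -85,6 +85,12 @@ function pkwk_hash_compute($phrase = '', $scheme = '{x-php-md5}', $prefix = TRUE
 hash('sha256', $phrase);
 break;
 
+// PHP sha384
+case '{x-php-sha384}' :
+$hash = ($prefix ? ($canonical ? '{x-php-sha384}' : $scheme) : '') .
+hash('sha384', $phrase);
+break;
+
 // PHP sha512
 case '{x-php-sha512}' :
 $hash = ($prefix ? ($canonical ? '{x-php-sha512}' : $scheme) : '') .
@@ -125,6 +131,48 @@ function pkwk_hash_compute($phrase = '', $scheme = '{x-php-md5}', $prefix = TRUE
 base64_encode(pkwk_hex2bin(sha1($phrase . $salt)) . $salt);
 break;
 
+// LDAP SHA256
+case '{sha256}' :
+$hash = ($prefix ? ($canonical ? '{SHA256}' : $scheme) : '') .
+base64_encode(hash('sha256', $phrase, TRUE));
+break;
+
+// LDAP SSHA256
+case '{ssha256}' :
+// SHA-2 SHA-256 Key length = 256bits = 32bytes
+$salt = ($salt != '' ? substr(base64_decode($salt), 32) : substr(crypt(''), -8));
+$hash = ($prefix ? ($canonical ? '{SSHA256}' : $scheme) : '') .
+base64_encode(hash('sha256', $phrase . $salt, TRUE) . $salt);
+break;
+
+// LDAP SHA384
+case '{sha384}' :
+$hash = ($prefix ? ($canonical ? '{SHA384}' : $scheme) : '') .
+base64_encode(hash('sha384', $phrase, TRUE));
+break;
+
+// LDAP SSHA384
+case '{ssha384}' :
+// SHA-2 SHA-384 Key length = 384bits = 48bytes
+$salt = ($salt != '' ? substr(base64_decode($salt), 48) : substr(crypt(''), -8));
+$hash = ($prefix ? ($canonical ? '{SSHA384}' : $scheme) : '') .
+base64_encode(hash('sha384', $phrase . $salt, TRUE) . $salt);
+break;
+
+// LDAP SHA512
+case '{sha512}' :
+$hash = ($prefix ? ($canonical ? '{SHA512}' : $scheme) : '') .
+base64_encode(hash('sha512', $phrase, TRUE));
+break;
+
+// LDAP SSHA512
+case '{ssha512}' :
+// SHA-2 SHA-512 Key length = 512bits = 64bytes
+$salt = ($salt != '' ? substr(base64_decode($salt), 64) : substr(crypt(''), -8));
+$hash = ($prefix ? ($canonical ? '{SSHA512}' : $scheme) : '') .
+base64_encode(hash('sha512', $phrase . $salt, TRUE) . $salt);
+break;
+
 // LDAP CLEARTEXT and just cleartext
 case '{cleartext}' : /* FALLTHROUGH */
 case '' :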
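Review bot: The fallback salt in the new `{ssha256}`, `{ssha384}` and `{ssha512}` cases (second hunk) is `substr(crypt(''), -8)`; crypt() called without a salt argument has raised E_NOTICE since PHP 5.6 and the argument is mandatory in PHP 8, and the entropy of those 8 characters is bounded by crypt()'s auto-generated salt, whose random source is not specified, so freshly created salted hashes get a weaker salt than they need. On PHP 7+ the same-length salt can be taken from a CSPRNG, e.g. `$salt = ($salt != '' ? substr(base64_decode($salt), 32) : random_bytes(8));` with 48 and 64 for the other two cases; the pre-existing `{ssha}` case presumably uses the same crypt('') pattern, so it is worth fixing all four together. Also, `substr(base64_decode($salt), 32)` yields an empty salt (false on PHP < 8) when a stored value decodes to fewer than 32 bytes, so a malformed stored hash is silently recomputed unsalted instead of being rejected. The enclosing `pkwk_hash_compute` starts and ends outside the hunk.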
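--- a/plugin/md5.inc.php
+++ b/plugin/md5.inc.php
@@ -37,10 +37,10 @@ function plugin_md5_action()
 array_push($scheme_list, 'x-php-sha1', 'SHA', 'SSHA');
 }
 if ($algos_enabled->sha256) {
-array_push($scheme_list, 'x-php-sha256');
+array_push($scheme_list, 'x-php-sha256', 'SHA256', 'SSHA256');
 }
 if ($algos_enabled->sha512) {
-array_push($scheme_list, 'x-php-sha512');
+array_push($scheme_list, 'x-php-sha512', 'SHA512', 'SSHA512');
 }
 if (!in_array($scheme, $scheme_list)) {
 return array(
@@ -113,7 +113,20 @@ EOD;
 <label for="_p_md5_lsmd5">LDAP SMD5 (md5 with a seed) *</label><br />
 <input type="radio" name="scheme" id="_p_md5_lmd5" value="MD5" />
 <label for="_p_md5_lmd5">LDAP MD5</label><br />
-
+EOD;
+if ($algos_enabled->sha256) $form .= <<<EOD
+<input type="radio" name="scheme" id="_p_md5_lssha256" value="SSHA256"/>
+<label for="_p_md5_lssha256">LDAP SSHA256 (sha256 with a seed) *</label><br />
+<input type="radio" name="scheme" id="_p_md5_lsha256" value="SHA256" />
+<label for="_p_md5_lsha256">LDAP SHA256</label><br />
+EOD;
+if ($algos_enabled->sha512) $form .= <<<EOD
+<input type="radio" name="scheme" id="_p_md5_lssha512" value="SSHA512"/>
+<label for="_p_md5_lssha512">LDAP SSHA512 (sha512 with a seed) *</label><br />
+<input type="radio" name="scheme" id="_p_md5_lsha512" value="SHA512" />
+<label for="_p_md5_lsha512">LDAP SHA512</label><br />
+EOD;
+$form .= <<<EOD
 <input type="checkbox" name="prefix" id="_p_md5_prefix" checked="checked" />
 <label for="_p_md5_prefix">Add scheme prefix (RFC2307, Using LDAP as NIS)</label><br />
 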
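Review bot: The SHA384 family that lib/auth.php now accepts (`x-php-sha384`, `SHA384`, `SSHA384`) is not added to `$scheme_list` or to the radio inputs in either hunk, so those schemes cannot be produced through this plugin although the log message lists them as supported; unless a `$algos_enabled->sha384` flag exists elsewhere, a parallel `if ($algos_enabled->sha384) { array_push($scheme_list, 'x-php-sha384', 'SHA384', 'SSHA384'); }` block plus matching form entries would close the gap. As a point of style, the braceless `if ($algos_enabled->sha256) $form .= <<<EOD` at new lines 117 and 123 spans six physical lines each; braces around the heredoc append would make the extent of the conditional obvious. `plugin_md5_action` starts and ends outside the hunks.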
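--- a/pukiwiki.ini.php
+++ b/pukiwiki.ini.php
@@ -185,6 +185,7 @@ $adminpass = '{x-php-md5}!';
 //$adminpass = '{CRYPT}$1$AR.Gk94x$uCe8fUUGMfxAPH83psCZG/'; // LDAP CRYPT 'pass'
 //$adminpass = '{MD5}Gh3JHJBzJcaScd3wyUS8cg=='; // LDAP MD5 'pass'
 //$adminpass = '{SMD5}o7lTdtHFJDqxFOVX09C8QnlmYmZnd2Qx'; // LDAP SMD5 'pass'
+//$adminpass = '{SHA256}10/w7o2juYBrGMh32/KbveULW9jk2tejpyUAD+uC6PE=' // LDAP SHA256 'pass'
 
 /////////////////////////////////////////////////
 // Page-reading feature settings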
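Review bot: The new commented-out example at new line 188 lacks the terminating `;` that the neighbouring CRYPT, MD5 and SMD5 examples carry, so an administrator who uncomments it as-is gets a parse error; it should read `//$adminpass = '{SHA256}10/w7o2juYBrGMh32/KbveULW9jk2tejpyUAD+uC6PE='; // LDAP SHA256 'pass'`. The hash value itself cannot be checked from this page and is assumed to be the `{SHA256}` encoding of the same sample password as the other lines.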