Add error handling for base64 DecodeString operations

Modify pw to use 0 for default key length, which will then cause algorithum default hash size to be used, vs hard-coded default of '32' Make salt_encoding option plugin specific by adding plugin prefix
iegomez · Jan 18, 2020 · dd60047 · dd60047
1 parent 07e5cab
commit dd60047
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 11 deletions.
diff --git a/backends/mongo.go b/backends/mongo.go
@@ -73,7 +73,7 @@ func NewMongo(authOpts map[string]string, logLevel log.Level) (Mongo, error) {
  m.Password = mongoPassword
  }
 
- if saltEncoding, ok := authOpts["salt_encoding"]; ok {
+ if saltEncoding, ok := authOpts["mongo_salt_encoding"]; ok {
  m.SaltEncoding = saltEncoding
  log.Infof("Mongo set salt encoding to: %s", saltEncoding)
  } else {

diff --git a/backends/mysql.go b/backends/mysql.go
@@ -94,7 +94,7 @@ func NewMysql(authOpts map[string]string, logLevel log.Level) (Mysql, error) {
  missingOptions += " mysql_password"
  }
 
- if saltEncoding, ok := authOpts["salt_encoding"]; ok {
+ if saltEncoding, ok := authOpts["mysql_salt_encoding"]; ok {
  mysql.SaltEncoding = saltEncoding
  } else {
  mysql.SaltEncoding = "base64"

diff --git a/backends/postgres.go b/backends/postgres.go
@@ -78,7 +78,7 @@ func NewPostgres(authOpts map[string]string, logLevel log.Level) (Postgres, erro
  missingOptions += " pg_password"
  }
 
- if saltEncoding, ok := authOpts["salt_encoding"]; ok {
+ if saltEncoding, ok := authOpts["pg_salt_encoding"]; ok {
  postgres.SaltEncoding = saltEncoding
  } else {
  postgres.SaltEncoding = "base64"

diff --git a/backends/redis.go b/backends/redis.go
@@ -44,7 +44,7 @@ func NewRedis(authOpts map[string]string, logLevel log.Level) (Redis, error) {
  redis.Password = redisPassword
  }
 
- if saltEncoding, ok := authOpts["salt_encoding"]; ok {
+ if saltEncoding, ok := authOpts["redis_salt_encoding"]; ok {
  redis.SaltEncoding = saltEncoding
  } else {
  redis.SaltEncoding = "base64"

diff --git a/backends/sqlite.go b/backends/sqlite.go
@@ -59,7 +59,7 @@ func NewSqlite(authOpts map[string]string, logLevel log.Level) (Sqlite, error) {
  sqlite.AclQuery = aclQuery
  }
 
- if saltEncoding, ok := authOpts["salt_encoding"]; ok {
+ if saltEncoding, ok := authOpts["sqlite_salt_encoding"]; ok {
  sqlite.SaltEncoding = saltEncoding
  } else {
  sqlite.SaltEncoding = "base64"

diff --git a/common/utils.go b/common/utils.go
@@ -122,28 +122,37 @@ func hashWithSalt(password string, salt []byte, iterations int, algorithm string
  }
  buffer.WriteString("$")
  buffer.WriteString(base64.StdEncoding.EncodeToString(hash))
- //log.Println("Generated: ", buffer.String())
+ //log.Debugf("Generated: ", buffer.String())
  return buffer.String()
 }
 
 // HashCompare verifies that passed password hashes to the same value as the
 // passed passwordHash.
 // Taken from brocaar's lora-app-server: https://github.com/brocaar/lora-app-server
 func HashCompare(password string, passwordHash string, saltEncoding string) bool {
- //log.Println("Supplied: ", passwordHash)
+ //log.Debugf("Supplied: ", passwordHash)
  // Split the hash string into its parts.
  hashSplit := strings.Split(passwordHash, "$")
  // Get the iterations from PBKDF2 string
  iterations, _ := strconv.Atoi(hashSplit[2])
  // Convert salt to bytes, using encoding supplied in saltEncoding param
  salt := []byte{}
+ var err error
  if saltEncoding == "utf-8" {
  salt = []byte(hashSplit[3])
  } else {
- salt, _ = base64.StdEncoding.DecodeString(hashSplit[3])
+ salt, err = base64.StdEncoding.DecodeString(hashSplit[3])
+ if err != nil {
+ log.Errorf("Error decoding supplied base64 salt")
+ return false
+ }
  }
  // Work out key length, assumes base64 encoding
- hash, _ := base64.StdEncoding.DecodeString(hashSplit[4])
+ hash, err := base64.StdEncoding.DecodeString(hashSplit[4])
+ if err != nil {
+ log.Errorf("Error decoding supplied base64 hash")
+ return false
+ }
  keylen := len(hash)
  // Get the algorithm from PBKDF2 string
  algorithm := hashSplit[1]

diff --git a/pw-gen/pw.go b/pw-gen/pw.go
@@ -9,16 +9,33 @@ import (
 
 func main() {
 
+ const(
+ sha256Size = 32
+ sha512Size = 64
+ )
+
  var algorithm = flag.String("a", "sha512", "algorithm: sha256 or sha512")
  var HashIterations = flag.Int("i", 100000, "hash iterations")
  var password = flag.String("p", "", "password")
  var saltSize = flag.Int("s", 16, "salt size")
  var saltEncoding = flag.String("e", "base64", "salt encoding")
- var keylen = flag.Int("l", 64, "key length, reccommend 32 for sha256 and 64 for sha512")
+ var keylen = flag.Int("l", 0, "key length, recommend 32 for sha256 and 64 for sha512")
 
  flag.Parse()
 
- pwHash, err := common.Hash(*password, *saltSize, *HashIterations, *algorithm, *saltEncoding, *keylen)
+ // If supplied keylength is 0, use pre-defined key length
+ shaSize := *keylen
+ if shaSize == 0 {
+ switch *algorithm {
+ case "sha265": shaSize = sha256Size
+ case "sha512": shaSize = sha512Size
+ default:
+ fmt.Printf("Invalid password hash algorithm", *algorithm)
+ return
+ }
+ }
+
+ pwHash, err := common.Hash(*password, *saltSize, *HashIterations, *algorithm, *saltEncoding, shaSize)
  if err != nil {
  fmt.Printf("error: %s\n", err)
  } else {