On 03/27/2018 09:11 PM, Joe Cooter wrote:
Hi,
I’m attempting to build an application using the userPassword attribute, with hashes
stored using PBKDF2_SHA256. However, using the passlib hash library for pbkdf2_sha256 is
complaining about a malformed hash. Looking at the hash, it appears that there aren’t any
delimiters between the salt, iterations, etc.
Is there some additional encoding happening on the userPassword attribute?
The server stores the password as follows:
dn: uid=mark,dc=example,dc=com
userpassword:: e1BCS0RGMl9TSEEyNTZ9QUFBSUFFb3A0VVVUUFRjL2E2NStDS3U5cmdFa0RML0V
 2NmhIamZaRDlQRXFLSFNraStrYXZYTWx6ZTZzOGsrNnFYT3I3amtjZXFpMUlZR0dndlpyK2hMczVn
 cjhSRXNSSVRzSUxZVzlJTnU5RUNWOVQ2ZzhvTUphQTErbDkxZGxNR20yUjVYR0h2UmlqczlmQlk3T
 zg0NGYvYk1OR0tqaXJKUHlVKzJwVVhoMzBGaS9GV0I0VW1ia2JOVmg0RGd5c0ZFOHZLOXI4RVN3RV
 JJUXdHUkJOVXpuZXBJUVNmNEhUYTBQQU1HaEZjelhjekdTeUY1a3pDWGo2LzBpVWRDRDVydWJGMzc
 0TWl3VXVrQmlKaklsRkhheUMwV0N2dWtZNkVmQ1BESFNrRjNGaThlVHNjZGxGSitDcFRSME1pVStP
 T1R3Qkt4MGRsMGpUYU8yVzQyVFFCcnY2MUtsUUovV05NQkpMVmRreWRhT3J1L0xJcVhha3hrblZMe
 G9kTS96d1dzVmZYempSQjhQRGxZalpyR3lhSjZ1YWlYSStEWXUzYzVvWlcrSUx3YjdEazB3
Base64-decoding the password gives us:
{PBKDF2_SHA256}AAAIAEop4UUTPTc/a65+CKu9rgEkDL/Ev6hHjfZD9PEqKHSki+kavXMlze6s8k+6qXOr7jkceqi1IYGGgvZr+hLs5gr8REsRITsILYW9INu9ECV9T6g8oMJaA1+l91dlMGm2R5XGHvRijs9fBY7O844f/bMNGKjirJPyU+2pUXh30Fi/FWB4UmbkbNVh4DgysFE8vK9r8ESwERIQwGRBNUznepIQSf4HTa0PAMGhFczXczGSyF5kzCXj6/0iUdCD5rubF374MiwUukBiJjIlFHayC0WCvukY6EfCPDHSkF3Fi8eTscdlFJ+CpTR0MiU+OOTwBKx0dl0jTaO2W42TQBrv61KlQJ/WNMBJLVdkydaOru/LIqXakxknVLxodM/zwWsVfXzjRB8PDlYjZrGyaJ6uaiXI+DYu3c5oZW+ILwb7Dk0w
In 389 Directory Server it looks at the password encoding prefix:
{ALGO} --> {PBKDF2_SHA256}; the rest is the complete password hash.
The salt length is 64 and iterations length is 4:
#define PBKDF2_SALT_LENGTH 64
#define PBKDF2_ITERATIONS_LENGTH 4
In pbkdf2_sha256_pw_enc_rounds() in
ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
we write the hash like so:
pbkdf2_sha256_hash(hash + PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH,
...);
So the password hash itself should be everything after an offset of 68
(PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH).
HTH,
Mark
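The layout Mark describes, worked through end to end as an added example (this is not code from the thread or from 389-ds). It reads the LDIF record quoted above, undoes the LDIF-level base64 that the double colon after "userpassword" signals (RFC 2849: "attr:: value" means the value is base64-encoded by the LDIF writer, which is the "additional encoding" on the attribute and has nothing to do with the password plugin), strips the {PBKDF2_SHA256} prefix, base64-decodes the blob and splits it at offsets 4 and 68. The big-endian byte order of the 4-byte iteration count is inferred here from the sample value, which decodes to 2048. The verify and encode helpers assume the hash is standard PBKDF2-HMAC-SHA256 with the derived-key length equal to the stored hash length (256 bytes in the sample); none of that is passlib's "$pbkdf2-sha256$rounds$salt$checksum" string format, which is why passlib reports the value as malformed.

```python
"""Decode and verify a 389 Directory Server {PBKDF2_SHA256} userPassword value.

Added example, not 389-ds code. Stored layout, per the reply above:

    {PBKDF2_SHA256} + base64( iterations[4] || salt[64] || hash[N] )

The iteration count is read big-endian; that byte order is inferred from the
sample value (it decodes to 2048), not taken from the snippet in the thread.
"""
import base64
import hashlib
import hmac
import struct

PREFIX = "{PBKDF2_SHA256}"
PBKDF2_ITERATIONS_LENGTH = 4   # same constant as in pbkdf2_pwd.c
PBKDF2_SALT_LENGTH = 64        # same constant as in pbkdf2_pwd.c
HEADER_LENGTH = PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH  # offset 68

# The LDIF record quoted in the thread. "userpassword::" (double colon) means
# the LDIF writer base64-encoded the value; a leading space marks a folded
# continuation line (RFC 2849). This is the LDIF-level encoding, not the hash.
SAMPLE_LDIF = """\
dn: uid=mark,dc=example,dc=com
userpassword:: e1BCS0RGMl9TSEEyNTZ9QUFBSUFFb3A0VVVUUFRjL2E2NStDS3U5cmdFa0RML0V
 2NmhIamZaRDlQRXFLSFNraStrYXZYTWx6ZTZzOGsrNnFYT3I3amtjZXFpMUlZR0dndlpyK2hMczVn
 cjhSRXNSSVRzSUxZVzlJTnU5RUNWOVQ2ZzhvTUphQTErbDkxZGxNR20yUjVYR0h2UmlqczlmQlk3T
 zg0NGYvYk1OR0tqaXJKUHlVKzJwVVhoMzBGaS9GV0I0VW1ia2JOVmg0RGd5c0ZFOHZLOXI4RVN3RV
 JJUXdHUkJOVXpuZXBJUVNmNEhUYTBQQU1HaEZjelhjekdTeUY1a3pDWGo2LzBpVWRDRDVydWJGMzc
 0TWl3VXVrQmlKaklsRkhheUMwV0N2dWtZNkVmQ1BESFNrRjNGaThlVHNjZGxGSitDcFRSME1pVStP
 T1R3Qkt4MGRsMGpUYU8yVzQyVFFCcnY2MUtsUUovV05NQkpMVmRreWRhT3J1L0xJcVhha3hrblZMe
 G9kTS96d1dzVmZYempSQjhQRGxZalpyR3lhSjZ1YWlYSStEWXUzYzVvWlcrSUx3YjdEazB3
"""


def ldif_attribute(ldif: str, name: str) -> bytes:
    """Return the raw bytes of attribute `name` from one LDIF record.

    Unfolds continuation lines (leading space) and undoes the '::' base64
    encoding. Attribute names are matched case-insensitively.
    """
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # fold back onto the previous line
        else:
            unfolded.append(line)
    for line in unfolded:
        attr, sep, rest = line.partition(":")
        if not sep or attr.strip().lower() != name.lower():
            continue
        if rest.startswith(":"):              # "attr:: <base64>"
            return base64.b64decode(rest[1:].strip(), validate=True)
        if rest.startswith("<"):              # "attr:< <url>", not handled here
            raise ValueError("URL-valued attribute not supported: %s" % attr)
        return rest.strip().encode("utf-8")   # "attr: <plain value>"
    raise KeyError("attribute not found: %s" % name)


def parse_pbkdf2_sha256(stored: bytes):
    """Split a {PBKDF2_SHA256} value into (iterations, salt, hash)."""
    text = stored.decode("ascii")
    if not text.startswith(PREFIX):
        raise ValueError("not a %s value" % PREFIX)
    blob = base64.b64decode(text[len(PREFIX):], validate=True)
    if len(blob) <= HEADER_LENGTH:
        raise ValueError("blob too short: %d bytes" % len(blob))
    (iterations,) = struct.unpack(">I", blob[:PBKDF2_ITERATIONS_LENGTH])
    salt = blob[PBKDF2_ITERATIONS_LENGTH:HEADER_LENGTH]
    digest = blob[HEADER_LENGTH:]             # everything after offset 68
    return iterations, salt, digest


def verify_pbkdf2_sha256(password: str, stored: bytes) -> bool:
    """Check a cleartext password against a stored {PBKDF2_SHA256} value."""
    iterations, salt, digest = parse_pbkdf2_sha256(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def encode_pbkdf2_sha256(password: str, salt: bytes, iterations: int = 2048,
                         hash_length: int = 256) -> bytes:
    """Build a value in the same layout, for round-trip testing.

    The defaults (2048 rounds, 256-byte hash) are what the sample value
    carries; this re-implements the layout and is not 389-ds's own code.
    """
    if len(salt) != PBKDF2_SALT_LENGTH:
        raise ValueError("salt must be %d bytes" % PBKDF2_SALT_LENGTH)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=hash_length)
    blob = struct.pack(">I", iterations) + salt + digest
    return (PREFIX + base64.b64encode(blob).decode("ascii")).encode("ascii")


if __name__ == "__main__":
    value = ldif_attribute(SAMPLE_LDIF, "userPassword")
    iterations, salt, digest = parse_pbkdf2_sha256(value)
    print("iterations:", iterations)
    print("salt: %d bytes, %s..." % (len(salt), salt.hex()[:16]))
    print("hash: %d bytes, %s..." % (len(digest), digest.hex()[:16]))
```

Run against the sample record this prints 2048 iterations, a 64-byte salt and a 256-byte hash. To check a candidate password against a real entry, feed the raw attribute bytes to verify_pbkdf2_sha256(); the encode helper exists only so the round trip can be tested without knowing the password behind the sample.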
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org