From 1ea94dd403bedbf255c4456079e8793576fd0aeb Mon Sep 17 00:00:00 2001
From: James Elliott <james-d-elliott@users.noreply.github.com>
Date: Fri, 5 Nov 2021 14:49:45 +1100
Subject: [PATCH] fix(authentication): only check argon2id salt for b64
 encoding (#2529)

This changes the validation of salts for sha512 to be done by the upstream API rather than locally. This allows the salts used in Linux to be utilized with Authelia provided the hash is a sha512 hash.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
---
 internal/authentication/password_hash.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/internal/authentication/password_hash.go b/internal/authentication/password_hash.go
index 70f30d47..5c1fb5ea 100644
--- a/internal/authentication/password_hash.go
+++ b/internal/authentication/password_hash.go
@@ -56,11 +56,6 @@ func ParseHash(hash string) (passwordHash *PasswordHash, err error) {
 		return nil, fmt.Errorf("Hash key contains no characters or the field length is invalid (%s)", hash)
 	}
 
-	_, err = crypt.Base64Encoding.DecodeString(h.Salt)
-	if err != nil {
-		return nil, errors.New("Salt contains invalid base64 characters")
-	}
-
 	switch code {
 	case HashingAlgorithmSHA512:
 		h.Iterations = parameters.GetInt("rounds", HashingDefaultSHA512Iterations)
@@ -70,6 +65,11 @@ func ParseHash(hash string) (passwordHash *PasswordHash, err error) {
 			return nil, fmt.Errorf("SHA512 iterations is not numeric (%s)", parameters["rounds"])
 		}
 	case HashingAlgorithmArgon2id:
+		_, err = crypt.Base64Encoding.DecodeString(h.Salt)
+		if err != nil {
+			return nil, errors.New("Salt contains invalid base64 characters")
+		}
+
 		version := parameters.GetInt("v", 0)
 		if version < 19 {
 			if version == 0 {
@@ -118,9 +118,11 @@ func HashPassword(password, salt string, algorithm CryptAlgo, iterations, memory
 		}
 	}
 
-	err = validateSalt(salt, saltLength)
-	if err != nil {
-		return "", err
+	if algorithm != HashingAlgorithmSHA512 {
+		err = validateSalt(salt, saltLength)
+		if err != nil {
+			return "", err
+		}
 	}
 
 	if salt == "" {