1

I have tried to implement a Drupal compatible authentication in Go and use this package for base64 encoding: golang.org/src/encoding/base64/base64.go

The Result: the created and in Drupal saved hashes don't matches. Only after reimplementing Go's base64-package, where I do the bit shifting like in Drupals base64Encode() the hashes matched:

input bit location:                 abcdefgh ijklmnop qrstuvwx
Go's base64.go bit location:        ..abcdef ..ghijkl ..mnopqr ..stuvwx
PHP's base64Encode() bit location:  ..cdefgh ..mnopab ..wxijkl ..qrstuv

Well, I do instead of Google's implementation:

...

for si < n {
            // Convert 3x 8bit source bytes into 4 bytes
            val := uint(src[si+0])<<16 | uint(src[si+1])<<8 | uint(src[si+2])

            dst[di+0] = enc.encode[val>>18&0x3F]
            dst[di+1] = enc.encode[val>>12&0x3F]
            dst[di+2] = enc.encode[val>>6&0x3F]
            dst[di+3] = enc.encode[val&0x3F]

            si += 3
            di += 4
        }

...

my own implementation now with behalf of Drupal's base64Encode()

...

for si < n {
        // Convert 3x 8bit source bytes into 4 bytes
        // val := uint(src[si+0])<<16 | uint(src[si+1])<<8 | uint(src[si+2])
        val := uint(src[si+0]) | uint(src[si+1])<<8 | uint(src[si+2])<<16

        dst[di+0] = enc.encode[val&0x3F] 
        dst[di+1] = enc.encode[val>>6&0x3F]
        dst[di+2] = enc.encode[val>>12&0x3F]
        dst[di+3] = enc.encode[val>>18&0x3F]

        si += 3
        di += 4
    }

...

My Questions:

  • is already there in Go an implementation like I did (reimplemented Drupal's base64Encode())?
  • does this special base64 encoding have a name? Are there Literature/Publication references?
AbraCadaver
  • 78,200
  • 7
  • 66
  • 87
Hermann Schwarz
  • 1,495
  • 1
  • 15
  • 30
  • Which go base64 encoding did you use? There are four standards: Standard encoding or URL encoding, with our without padding. My guess is one of these will match what you want. – Burak Serdar Jun 16 '20 at 20:49
  • 1
    Drupal's implementation is from [Portable PHP password hashing framework](https://www.openwall.com/phpass/). If you go to their site and download, you'll find some C code that might be easier to port to GO. – Chris Haas Jun 16 '20 at 20:50
  • 3
    Can you tell us about the actual authentication problem [X] instead of this bizarre encoding problem that you think is happening? [Y] http://xyproblem.info/ – Sammitch Jun 16 '20 at 20:52
  • 3
    @ChrisHaas it's really just a wrapper around [crypt](https://en.wikipedia.org/wiki/Crypt_(C)), and I'd find it hard to believe if Go didn't have something for that already. The only sticking point might be if the PHP side is using the new Argon hashing. – Sammitch Jun 16 '20 at 20:54
  • 2
    The hashing part is, but the bas64 encoding is native. I honestly don't know why a custom base64 function is needed except that framework used to support PHP 3. I agree that this is probably xy problem. – Chris Haas Jun 16 '20 at 20:57
  • Just because I'm curious, I see that Go does support custom alphabets using [`NewEncoding`](https://golang.org/src/encoding/base64/base64.go?s=14795:14848), should be pretty straight forward. The OP would be targetting crypt's radix-64 format for the `/etc/password` file that uses the alphabet `./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz` – Chris Haas Jun 16 '20 at 21:14
  • My issue is NOT about a special alphabet. Yes, I can set a custom alphabet. That's not the point. The bit shifting implementations used in phpass and in Go's golang.org/src/encoding/base64/base64.go are different. – Hermann Schwarz Jun 17 '20 at 07:55
  • @BurakSerdar I posted im my question which base64 I mean: golang.org/src/encoding/base64/base64.go – Hermann Schwarz Jun 17 '20 at 08:00
  • @ChrisHaas thank you! I already ported the PHP's implementation. But I hope there is a Googles official implementation. I just didn't found something like this. – Hermann Schwarz Jun 17 '20 at 08:02
  • @Sammitch the actual problem is: if one try to implement an authentication to the Drupal (8) database (hashes saved by Drupal) and use the same hashing algorithm (sha512), nevertheless the matching fails. And I found it out, it fails just because of different Base64 implementation. The different implementation in Drupal and in Go. I could reimplement the Drupals way (phpass) to Base64 encode, but I want to know now, is there really no implementation of phpass's Base64 done by Google? So I will publish my implementation. – Hermann Schwarz Jun 19 '20 at 06:48

0 Answers0