wneessen/go-hibp
1
1
Fork 0
mirror of https://github.com/wneessen/go-hibp.git synced 2024-11-09 15:32:52 +01:00
Code Issues Projects Releases Packages Wiki Activity
go-hibp/password.go

242 lines
6.9 KiB
Go
Raw Permalink Normal View History

v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
package hibp
import (
"bufio"
"crypto/sha1"
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
"encoding/hex"
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
"fmt"
"net/http"
"strconv"
"strings"
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
"unicode/utf16"
"github.com/wneessen/go-hibp/md4"
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
)
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
// PwnedPassAPI is a HIBP Pwned Passwords API client
type PwnedPassAPI struct {
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// References back to the parent HIBP client
hibp *Client
// Query parameter map for additional query parameters passed to request
ParamMap map[string]string
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}
// Match represents a match in the Pwned Passwords API
type Match struct {
Introducing the breaches API So far only the "list all breaches" API is implemented, though
2021-09-21 19:46:48 +02:00
Hash string // SHA1 hash of the matching password
Count int64 // Represents the number of leaked accounts that hold/held this password
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
type HashMode int
const (
// HashModeSHA1 is the default hash mode expecting SHA-1 hashes
HashModeSHA1 HashMode = iota
// HashModeNTLM represents the mode that expects and returns NTLM hashes
HashModeNTLM
)
Added breaches
2021-09-21 18:21:23 +02:00
// PwnedPasswordOptions is a struct of additional options for the PP API
type PwnedPasswordOptions struct {
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// HashMode controls whether the provided hash is in SHA-1 or NTLM format
// HashMode defaults to SHA-1 and can be overridden using the WithNTLMHash() Option
// See: https://haveibeenpwned.com/API/v3#PwnedPasswordsNTLM
HashMode HashMode
Introducing the breaches API So far only the "list all breaches" API is implemented, though
2021-09-21 19:46:48 +02:00
// WithPadding controls if the PwnedPassword API returns with padding or not
// See: https://haveibeenpwned.com/API/v3#PwnedPasswordsPadding
Added breaches
2021-09-21 18:21:23 +02:00
WithPadding bool
}
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
// CheckPassword checks the Pwned Passwords database against a given password string
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
//
// This method will automatically decide whether the hash is in SHA-1 or NTLM format based on
// the Option when the Client was initialized
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
func (p *PwnedPassAPI) CheckPassword(pw string) (*Match, *http.Response, error) {
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
switch p.hibp.PwnedPassAPIOpts.HashMode {
case HashModeSHA1:
shaSum := fmt.Sprintf("%x", sha1.Sum([]byte(pw)))
return p.CheckSHA1(shaSum)
case HashModeNTLM:
d := md4.New()
d.Write(stringToUTF16(pw))
md4Sum := fmt.Sprintf("%x", d.Sum(nil))
return p.CheckNTLM(md4Sum)
default:
return nil, nil, ErrUnsupportedHashMode
}
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
// CheckSHA1 checks the Pwned Passwords database against a given SHA1 checksum of a password string
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
func (p *PwnedPassAPI) CheckSHA1(h string) (*Match, *http.Response, error) {
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
if len(h) != 40 {
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
return nil, nil, ErrSHA1LengthMismatch
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
p.hibp.PwnedPassAPIOpts.HashMode = HashModeSHA1
pwMatches, hr, err := p.ListHashesPrefix(h[:5])
if err != nil {
return &Match{}, hr, err
}
for _, m := range pwMatches {
if m.Hash == strings.ToLower(h) {
return &m, hr, nil
}
}
return nil, hr, nil
}
// CheckNTLM checks the Pwned Passwords database against a given NTLM hash of a password string
func (p *PwnedPassAPI) CheckNTLM(h string) (*Match, *http.Response, error) {
if len(h) != 32 {
return nil, nil, ErrNTLMLengthMismatch
}
p.hibp.PwnedPassAPIOpts.HashMode = HashModeNTLM
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
pwMatches, hr, err := p.ListHashesPrefix(h[:5])
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
if err != nil {
return &Match{}, hr, err
}
for _, m := range pwMatches {
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
if m.Hash == strings.ToLower(h) {
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
return &m, hr, nil
}
}
return nil, hr, nil
}
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
// ListHashesPassword checks the Pwned Password API endpoint for all hashes based on a given
// password string and returns the a slice of Match as well as the http.Response
//
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// This method will automatically decide whether the hash is in SHA-1 or NTLM format based on
// the Option when the Client was initialized
//
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
// NOTE: If the `WithPwnedPadding` option is set to true, the returned list will be padded and might
// contain junk data
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
func (p *PwnedPassAPI) ListHashesPassword(pw string) ([]Match, *http.Response, error) {
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
switch p.hibp.PwnedPassAPIOpts.HashMode {
case HashModeSHA1:
shaSum := fmt.Sprintf("%x", sha1.Sum([]byte(pw)))
return p.ListHashesSHA1(shaSum)
case HashModeNTLM:
d := md4.New()
d.Write(stringToUTF16(pw))
md4Sum := fmt.Sprintf("%x", d.Sum(nil))
return p.ListHashesNTLM(md4Sum)
default:
return nil, nil, ErrUnsupportedHashMode
}
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
}
// ListHashesSHA1 checks the Pwned Password API endpoint for all hashes based on a given
// SHA1 checksum and returns the a slice of Match as well as the http.Response
//
// NOTE: If the `WithPwnedPadding` option is set to true, the returned list will be padded and might
// contain junk data
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
func (p *PwnedPassAPI) ListHashesSHA1(h string) ([]Match, *http.Response, error) {
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
if len(h) != 40 {
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
return nil, nil, ErrSHA1LengthMismatch
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
p.hibp.PwnedPassAPIOpts.HashMode = HashModeSHA1
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
dst := make([]byte, hex.DecodedLen(len(h)))
if _, err := hex.Decode(dst, []byte(h)); err != nil {
return nil, nil, ErrSHA1Invalid
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
}
return p.ListHashesPrefix(h[:5])
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// ListHashesNTLM checks the Pwned Password API endpoint for all hashes based on a given
// NTLM hash and returns the a slice of Match as well as the http.Response
//
// NOTE: If the `WithPwnedPadding` option is set to true, the returned list will be padded and might
// contain junk data
func (p *PwnedPassAPI) ListHashesNTLM(h string) ([]Match, *http.Response, error) {
if len(h) != 32 {
return nil, nil, ErrNTLMLengthMismatch
}
p.hibp.PwnedPassAPIOpts.HashMode = HashModeNTLM
dst := make([]byte, hex.DecodedLen(len(h)))
if _, err := hex.Decode(dst, []byte(h)); err != nil {
return nil, nil, ErrNTLMInvalid
}
return p.ListHashesPrefix(h[:5])
}
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
// ListHashesPrefix checks the Pwned Password API endpoint for all hashes based on a given
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// SHA-1 or NTLM hash prefix and returns the a slice of Match as well as the http.Response
//
// To decide which HashType is queried for, make sure to set the appropriate HashMode in
// the PwnedPassAPI struct
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
//
// NOTE: If the `WithPwnedPadding` option is set to true, the returned list will be padded and might
// contain junk data
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
func (p *PwnedPassAPI) ListHashesPrefix(pf string) ([]Match, *http.Response, error) {
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
if len(pf) != 5 {
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
return nil, nil, ErrPrefixLengthMismatch
v1.0.2: More tests and better README.md.
2022-05-08 12:44:20 +02:00
}
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
switch p.hibp.PwnedPassAPIOpts.HashMode {
case HashModeSHA1:
delete(p.ParamMap, "mode")
case HashModeNTLM:
p.ParamMap["mode"] = "ntlm"
default:
delete(p.ParamMap, "mode")
}
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
au := fmt.Sprintf("%s/range/%s", PasswdBaseURL, pf)
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
hreq, err := p.hibp.HTTPReq(http.MethodGet, au, p.ParamMap)
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
if err != nil {
return nil, nil, err
}
Added breaches
2021-09-21 18:21:23 +02:00
hr, err := p.hibp.hc.Do(hreq)
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
if err != nil {
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
return nil, hr, err
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}
defer func() {
_ = hr.Body.Close()
}()
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
if hr.StatusCode != 200 {
return nil, hr, fmt.Errorf("HTTP %s: %w", hr.Status, ErrNonPositiveResponse)
}
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
var pm []Match
so := bufio.NewScanner(hr.Body)
for so.Scan() {
hp := strings.SplitN(so.Text(), ":", 2)
Add sanity check for split strings in password handling In order to avoid potential indexing issues in password handling, a conditional statement has been added. This ensures that there are two resultant parts after the string splitting operation; if the condition isn't met, the operation simply continues without processing further. This enhances code robustness and reliability.
2024-03-14 22:14:48 +01:00
if len(hp) != 2 {
continue
}
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
fh := fmt.Sprintf("%s%s", strings.ToLower(pf), strings.ToLower(hp[0]))
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
hc, err := strconv.ParseInt(hp[1], 10, 64)
if err != nil {
continue
}
#14: Skip `padding` results in the API response, which can be identified by having a zero count
2022-06-09 16:21:10 +02:00
if hc == 0 {
continue
}
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
pm = append(pm, Match{
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
Hash: fh,
Count: hc,
})
}
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
if err := so.Err(); err != nil {
return nil, hr, err
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
return pm, hr, nil
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// stringToUTF16 converts a given string to a UTF-16 little-endian encoded byte slice
func stringToUTF16(s string) []byte {
e := utf16.Encode([]rune(s))
r := make([]byte, len(e)*2)
for i := 0; i < len(e); i++ {
r[i*2] = byte(e[i])
r[i*2+1] = byte(e[i] << 8)
}
return r
}
Reference in a new issue Copy permalink