From 02b10b0ed44d6fc214100cc65432393b9e6ba068 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 7 Dec 2020 07:58:50 +0100
Subject: [PATCH] [Web] Add SSHA

---
 data/web/inc/functions.inc.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index c49cccb2..e3f28822 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -89,6 +89,10 @@ function hash_password($password) {
   global $default_pass_scheme;
   $pw_hash = NULL;
   switch (strtoupper($default_pass_scheme)) {
+    case "SSHA":
+      $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
+      $pw_hash = "{SSHA}".base64_encode(hash('sha1', $password . $salt_str, true) . $salt_str);
+      break;
     case "SSHA256":
       $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
       $pw_hash = "{SSHA256}".base64_encode(hash('sha256', $password . $salt_str, true) . $salt_str);
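Review bot: The new `case "SSHA"` branch makes `hash_password()` generate single-round salted SHA-1, a fast digest, so a leaked hash store can be guessed offline far more cheaply than one protected by a scheme with a work factor. If SSHA is only needed to accept hashes imported from other systems, the verify side is enough and this generation branch could be dropped; if it has to stay, a comment such as `// SSHA: legacy compatibility only, fast hash; do not select as the default scheme` would document the risk. The salt here, as in the SSHA256 branch below it, comes from `openssl_random_pseudo_bytes(8)`; `random_bytes(8)` is the usual choice where the supported PHP version allows it. The switch and the rest of `hash_password()` continue outside the hunk.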
@@ -494,6 +498,20 @@ function verify_hash($hash, $password) {
       return true;
     }
   }
+  elseif (preg_match('/^{SSHA}/i', $hash)) {
+    // Remove tag if any
+    $hash = preg_replace('/^{SSHA}/i', '', $hash);
+    // Decode hash
+    $dhash = base64_decode($hash);
+    // Get first 20 bytes of binary which equals a SSHA hash
+    $ohash = substr($dhash, 0, 20);
+    // Remove SSHA hash from decoded hash to get original salt string
+    $osalt = str_replace($ohash, '', $dhash);
+    // Check single salted SSHA hash against extracted hash
+    if (hash_equals(hash('sha1', $password . $osalt, true), $ohash)) {
+      return true;
+    }
+  }
   elseif (preg_match('/^{PLAIN-MD5}/i', $hash)) {
     $hash = preg_replace('/^{PLAIN-MD5}/i', '', $hash);
     if (md5($password) == $hash) {
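Review bot: The salt extraction `str_replace($ohash, '', $dhash)` removes every occurrence of the 20 digest bytes from the decoded value, not just the leading one. A stored hash whose salt happens to contain that byte sequence would yield the wrong salt and never verify, while taking the tail by position is exact: `$osalt = substr($dhash, 20);`. `base64_decode($hash)` is also called in non-strict mode and the decoded length is not checked. The comparison appears to fail closed through `hash_equals`, but `$dhash = base64_decode($hash, true);` followed by `if ($dhash === false || strlen($dhash) < 20) { return false; }` would reject malformed or truncated values explicitly. The if/elseif chain of `verify_hash()` starts and ends outside the hunk, so the early return should be confirmed against how the function ends.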