From 54bb4743aa9b79e64127280bdc69140907c81e6a Mon Sep 17 00:00:00 2001
From: Bert Van de Poel
Date: Sun, 25 Apr 2021 01:32:10 +0200
Subject: [PATCH] Add hash support for salted and non-salted sha256 and sha384 (therefore adding full support for all hashes in the sha2 openLDAP module)
---
 lib/functions.php | 70 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
diff --git a/lib/functions.php b/lib/functions.php
index 51d856a..513638c 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -2166,6 +2166,10 @@ function password_types() {
 'sha'=>'sha',
 'smd5'=>'smd5',
 'ssha'=>'ssha',
+ 'sha256'=>'sha256',
+ 'ssha256'=>'ssha256',
+ 'sha384'=>'sha384',
+ 'ssha384'=>'ssha384',
 'sha512'=>'sha512',
 'sha256crypt'=>'sha256crypt',
 'sha512crypt'=>'sha512crypt',
@@ -2284,6 +2288,28 @@ function pla_password_hash($password_clear,$enc_type) {
 break;
+ case 'sha256':
+ $new_value = sprintf('{SHA256}%s', base64_encode(hash('sha256', $password_clear, true)));
+
+ break;
+
+ case 'ssha256':
+ $salt = hex2bin(random_salt(8));
+ $new_value = sprintf('{SSHA256}%s', base64_encode(hash('sha256', $password_clear.$salt, true).$salt));
+
+ break;
+
+ case 'sha384':
+ $new_value = sprintf('{SHA384}%s', base64_encode(hash('sha384', $password_clear, true)));
+
+ break;
+
+ case 'ssha384':
+ $salt = hex2bin(random_salt(8));
+ $new_value = sprintf('{SSHA384}%s', base64_encode(hash('sha384', $password_clear.$salt, true).$salt));
+
+ break;
+
 case 'sha512':
 if (function_exists('openssl_digest') && function_exists('base64_encode')) {
 $new_value = sprintf('{SHA512}%s', base64_encode(openssl_digest($password_clear, 'sha512', true)));
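Review bot: In the `ssha256` and `ssha384` cases of `pla_password_hash()` the salt is built with `hex2bin(random_salt(8))`, and `random_salt()` is defined outside this hunk: if it can return any character that is not a hex digit, `hex2bin()` returns false, the concatenation treats that as an empty string, and the stored value becomes an unsalted digest under a salted scheme tag. Even when the input is valid hex, eight hex characters decode to only four bytes of salt. If the PHP versions the project supports allow it, `$salt = random_bytes(8);` removes both problems and draws the salt from the system CSPRNG. The enclosing switch starts and ends outside the hunk.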
@@ -2489,6 +2515,50 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
 break;
+ # SHA256 crypted passwords
+ case 'sha256':
+ if (strcasecmp(pla_password_hash($plainpassword,'sha256'),'{SHA256}'.$cryptedpassword) == 0)
+ return true;
+ else
+ return false;
+
+ break;
+
+ # Salted SHA256 crypted passwords
+ case 'ssha256':
+ $hash = base64_decode($cryptedpassword);
+ $salt = substr($hash,64);
+ $new_hash = base64_encode(hash('sha256', $plainpassword.$salt, true).$salt);
+
+ if (strcmp($cryptedpassword,$new_hash) == 0)
+ return true;
+ else
+ return false;
+
+ break;
+
+ # SHA384 crypted passwords
+ case 'sha384':
+ if (strcasecmp(pla_password_hash($plainpassword,'sha384'),'{SHA384}'.$cryptedpassword) == 0)
+ return true;
+ else
+ return false;
+
+ break;
+
+ # Salted SHA384 crypted passwords
+ case 'ssha384':
+ $hash = base64_decode($cryptedpassword);
+ $salt = substr($hash,64);
+ $new_hash = base64_encode(hash('sha384', $plainpassword.$salt, true).$salt);
+
+ if (strcmp($cryptedpassword,$new_hash) == 0)
+ return true;
+ else
+ return false;
+
+ break;
+
 # SHA512 crypted passwords
 case 'sha512':
 if (strcasecmp(pla_password_hash($plainpassword,'sha512'),'{SHA512}'.$cryptedpassword) == 0)
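Review bot: The salted checks extract the salt with `substr($hash,64)`, but a raw SHA-256 digest is 32 bytes and a raw SHA-384 digest is 48, so for a `{SSHA256}` or `{SSHA384}` value with a short salt the offset is past the end of the decoded string, the salt comes back empty, and a correct password is rejected. The offset should follow the digest length: `$salt = substr($hash,32);` in the `ssha256` case and `$salt = substr($hash,48);` in the `ssha384` case. The comparisons would also be safer as `hash_equals()` on the two base64 strings, since `strcmp()` is not constant-time and `strcasecmp()` in the `sha256`/`sha384` cases accepts base64 digests that differ only in letter case. The `password_check()` switch starts and ends outside the hunk.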