Merge pull request #1045 from normano/master

Fix #1044
sidorares · Oct 26, 2019 · f4e7c96 · f4e7c96
2 parents 26d1de9 + 8f25442
commit f4e7c96
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 29 deletions.
diff --git a/lib/auth_41.js b/lib/auth_41.js
@@ -57,17 +57,15 @@ function xor(a, b) {
   return result;
 }
 
+exports.xor = xor;
+
 function token(password, scramble1, scramble2) {
   // TODO: use buffers (not sure why strings here)
   if (!password) {
     return Buffer.alloc(0);
   }
   const stage1 = sha1(password);
-  return exports.calculateTokenFromPasswordSha(
-    stage1,
-    scramble1,
-    scramble2
-  );
+  return exports.calculateTokenFromPasswordSha(stage1, scramble1, scramble2);
 }
 
 exports.calculateTokenFromPasswordSha = function(
@@ -82,12 +80,7 @@ exports.calculateTokenFromPasswordSha = function(
 
 exports.calculateToken = token;
 
-exports.verifyToken = function(
-  publicSeed1,
-  publicSeed2,
-  token,
-  doubleSha
-) {
+exports.verifyToken = function(publicSeed1, publicSeed2, token, doubleSha) {
   const hashStage1 = xor(token, sha1(publicSeed1, publicSeed2, doubleSha));
   const candidateHash2 = sha1(hashStage1);
   return candidateHash2.compare(doubleSha) === 0;
@@ -96,3 +89,22 @@ exports.verifyToken = function(
 exports.doubleSha1 = function(password) {
   return sha1(sha1(password));
 };
+
+function xorRotating(a, seed) {
+  if (!Buffer.isBuffer(a)) {
+    a = Buffer.from(a, 'binary');
+  }
+
+  if (!Buffer.isBuffer(seed)) {
+    seed = Buffer.from(seed, 'binary');
+  }
+
+  const result = Buffer.allocUnsafe(a.length);
+  const seedLen = seed.length;
+
+  for (let i = 0; i < a.length; i++) {
+    result[i] = a[i] ^ seed[i % seedLen];
+  }
+  return result;
+}
+exports.xorRotating = xorRotating;
diff --git a/lib/auth_plugins/caching_sha2_password.js b/lib/auth_plugins/caching_sha2_password.js
@@ -4,6 +4,7 @@
 
 const PLUGIN_NAME = 'caching_sha2_password';
 const crypto = require('crypto');
+const { xor, xorRotating } = require('../auth_41');
 
 const REQUEST_SERVER_KEY_PACKET = Buffer.from([2]);
 const FAST_AUTH_SUCCESS_PACKET = Buffer.from([3]);
@@ -20,23 +21,6 @@ function sha256(msg) {
   return hash.digest('binary');
 }
 
-function xor(a, b) {
-  if (!Buffer.isBuffer(a)) {
-    a = Buffer.from(a, 'binary');
-  }
-
-  if (!Buffer.isBuffer(b)) {
-    b = Buffer.from(b, 'binary');
-  }
-
-  const result = Buffer.allocUnsafe(a.length);
-
-  for (let i = 0; i < a.length; i++) {
-    result[i] = a[i] ^ b[i];
-  }
-  return result;
-}
-
 function calculateToken(password, scramble) {
   if (!password) {
     return Buffer.alloc(0);
@@ -48,7 +32,7 @@ function calculateToken(password, scramble) {
 }
 
 function encrypt(password, scramble, key) {
-  const stage1 = xor(
+  const stage1 = xorRotating(
     Buffer.from(`${password}\0`, 'utf8').toString('binary'),
     scramble.toString('binary')
   );