From d7f7cb53de87b77c98502a3e37fee01285290d66 Mon Sep 17 00:00:00 2001
From: Mattias Andrée <maandree@kth.se>
Date: Tue, 13 Apr 2021 02:07:44 +0200
Subject: Add pepper to input hash ("password"), not to salt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Mattias Andrée <maandree@kth.se>
---
 libsecauth_server_hash.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/libsecauth_server_hash.c b/libsecauth_server_hash.c
index 80f9318..1d4b2fa 100644
--- a/libsecauth_server_hash.c
+++ b/libsecauth_server_hash.c
@@ -11,7 +11,7 @@ libsecauth_server_hash(const struct libsecauth_spec *spec, const char *inhash, c
 {
 	struct crypt_data hashbuf[2];
 	const char *hash = inhash, *result;
-	char *posthash = NULL, *p;
+	char *pepperedhash = NULL;
 	uint32_t rounds;
 	size_t i = 0;
 
@@ -26,17 +26,15 @@ libsecauth_server_hash(const struct libsecauth_spec *spec, const char *inhash, c
 	}
 
 	if (pepper) {
-		posthash = malloc(strlen(spec->posthash) + strlen(pepper) + 2);
-		if (!posthash)
+		pepperedhash = malloc(strlen(pepper) + strlen(hash) + 1);
+		if (!pepperedhash)
 			return -1;
-		p = stpcpy(posthash, spec->posthash);
-		if (*posthash && p[-1] == '$')
-			p -= 1;
-		stpcpy(p, pepper);
+		stpcpy(stpcpy(pepperedhash, pepper), hash);
+		hash = pepperedhash;
 	}
 
-	hash = crypt_r(hash, posthash ? posthash : spec->posthash, &hashbuf[i]);
-	free(posthash);
+	hash = crypt_r(hash, spec->posthash, &hashbuf[i]);
+	free(pepperedhash);
 	if (!hash)
 		return -1;
 
-- 
cgit v1.2.3-70-g09d2