From 82a236a67c669faa2ffb634003c81b76df48fe36 Mon Sep 17 00:00:00 2001
From: Benjamin Renard
Date: Mon, 8 Feb 2021 11:11:23 +0100
Subject: [PATCH] LSattr_ldap_password: fix verify method for Salted SHA2 passwords
---
 src/includes/class/class.LSattr_ldap_password.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/includes/class/class.LSattr_ldap_password.php b/src/includes/class/class.LSattr_ldap_password.php
index a7c9b8cc..e71fe6d3 100644
--- a/src/includes/class/class.LSattr_ldap_password.php
+++ b/src/includes/class/class.LSattr_ldap_password.php
@@ -262,8 +262,12 @@ class LSattr_ldap_password extends LSattr_ldap {
 case 'ssha512':
 case 'smd5':
 $data = base64_decode($hashedPasswordData);
- # Salt = last 4 bytes
- $salt = substr($data, -4);
+ # Salt = last 4 bytes for SSHA / SMD5 and last 8 bytes for SSH256 / SSHA512
+ if ($cypher == 'ssha' || $cypher == 'smd5')
+ $salt_size = 4;
+ else
+ $salt_size = 8;
+ $salt = substr($data, -$salt_size);
 $new_hash = $this -> encodePassword($clearPassword, $cypher, null, $salt);
 return (strcmp($hashedPassword,$new_hash) == 0);
 break;
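Review bot: The salt length is still hard-coded per scheme (`$salt_size = 4` for ssha/smd5, `8` for everything else in this case group), so verification will reject a stored hash whose salt has any other length, for example a value written by a different tool or directory server that uses a longer salt. In these salted schemes the decoded value is the fixed-length digest followed by the salt, so the salt can be taken as whatever follows the digest: `$salt = substr($data, $digest_size);` with `$digest_size` 16 for smd5, 20 for ssha, 32 for SHA-256 and 64 for SHA-512, returning false when `base64_decode($hashedPasswordData, true)` fails or `$data` is not longer than the digest. The comparison two lines further down would be better as `return hash_equals($hashedPassword, $new_hash);` so that its timing does not depend on where the two strings first differ. The new comment should read SSHA256 rather than SSH256. The case labels above `'ssha512'` and the rest of the method lie outside the hunk, so the exact cypher names and whether encodePassword accepts a salt of arbitrary length need to be confirmed there.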