Fix the password hashing function of mac_user.enable_auto_login

Fixes #64226
2025-04-16 09:40:20 +00:00 · 2023-05-03 18:55:24 +00:00 · 2023-05-03 18:55:24 +00:00 · 402aa367ed
commit 402aa367ed
parent 6867accbc4
3 changed files with 30 additions and 7 deletions
--- a/salt/modules/mac_user.py
+++ b/salt/modules/mac_user.py
@ -529,10 +529,10 @@ def _kcpassword(password):
    # The magic 11 bytes - these are just repeated
    # 0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F
    key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]
-    key_len = len(key)
+    key_len = len(key) + 1  # macOS adds an extra byte for the trailing null

-    # Convert each character to a byte
-    password = list(map(ord, password))
+    # Convert each character to a byte and add a trailing null
+    password = list(map(ord, password)) + [0]

    # pad password length out to an even multiple of key length
    remainder = len(password) % key_len
@ -554,9 +554,8 @@ def _kcpassword(password):
            password[password_index] = password[password_index] ^ key[key_index]
            key_index += 1

-    # Convert each byte back to a character
-    password = list(map(chr, password))
-    return b"".join(salt.utils.data.encode(password))
+    # Return the raw bytes
+    return bytes(password)


 def enable_auto_login(name, password):
--- a/tests/integration/modules/test_mac_user.py
+++ b/tests/integration/modules/test_mac_user.py
@ -157,7 +157,7 @@ class MacUserModuleTest(ModuleCase):
            self.assertTrue(os.path.exists("/etc/kcpassword"))

            # Are the contents of the file correct
-            test_data = b".\xc3\xb8'B\xc2\xa0\xc3\x99\xc2\xad\xc2\x8b\xc3\x8d\xc3\x8dl"
+            test_data = bytes.fromhex("2e f8 27 42 a0 d9 ad 8b cd cd 6c 7d")
            with salt.utils.files.fopen("/etc/kcpassword", "rb") as f:
                file_data = f.read()
            self.assertEqual(test_data, file_data)
--- a/tests/unit/modules/test_mac_user.py
+++ b/tests/unit/modules/test_mac_user.py
@ -0,0 +1,24 @@
+import salt.modules.mac_user as user
+from tests.support.unit import TestCase
+
+
+class MacUserTestCase(TestCase):
+    def test_kcpass(self):
+        hashes = {
+            # Actual hashes from macOS, since reference implementation didn't account for trailing null
+            "0": "4d 89 f9 91 1f 7a 46 5e f7 a8 11 ff",
+            "password": "0d e8 21 50 a5 d3 af 8e a3 de d9 14",
+            "shorterpwd": "0e e1 3d 51 a6 d9 af 9a d4 dd 1f 27",
+            "Squarepants": "2e f8 27 42 a0 d9 ad 8b cd cd 6c 7d",
+            "longerpasswd": "11 e6 3c 44 b7 ce ad 8b d0 ca 68 19 89 b1 65 ae 7e 89 12 b8 51 f8 f0 ff",
+            "ridiculouslyextendedpass": "0f e0 36 4a b1 c9 b1 85 d6 ca 73 04 ec 2a 57 b7 d2 b9 8f c7 c9 7e 0e fa 52 7b 71 e6 f8 b7 a6 ae 47 94 d7 86",
+        }
+        for password, hash in hashes.items():
+            kcpass = user._kcpassword(password)
+            hash = bytes.fromhex(hash)
+
+            # macOS adds a trailing null and pads the rest with random data
+            length = len(password) + 1
+
+            self.assertEqual(kcpass[:length], hash[:length])
+            self.assertEqual(len(kcpass), len(hash))