From 1bc1256daf308e6332485395271072a6e931597c Mon Sep 17 00:00:00 2001
From: Bruno Thomas
Date: Mon, 16 Apr 2018 15:48:47 +0200
Subject: [PATCH 1/2] format remove trailing spaces

---
 lib/net/ldap/filter.rb | 2 +-
 test/integration/test_password_modify.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/net/ldap/filter.rb b/lib/net/ldap/filter.rb
index 6f064488..b7a92c60 100644
--- a/lib/net/ldap/filter.rb
+++ b/lib/net/ldap/filter.rb
@@ -646,7 +646,7 @@ def match(entry)
   ##
   # Converts escaped characters (e.g., "\\28") to unescaped characters
   # @note slawson20170317: Don't attempt to unescape 16 byte binary data which we assume are objectGUIDs
-  # The binary form of 5936AE79-664F-44EA-BCCB-5C39399514C6 triggers a BINARY -> UTF-8 conversion error 
+  # The binary form of 5936AE79-664F-44EA-BCCB-5C39399514C6 triggers a BINARY -> UTF-8 conversion error
   def unescape(right)
     right = right.to_s
     if right.length == 16 && right.encoding == Encoding::BINARY
diff --git a/test/integration/test_password_modify.rb b/test/integration/test_password_modify.rb
index ed8d4f5b..db1a00a7 100644
--- a/test/integration/test_password_modify.rb
+++ b/test/integration/test_password_modify.rb
@@ -3,7 +3,7 @@ class TestPasswordModifyIntegration < LDAPIntegrationTestCase
   def setup
     super
-    @admin_account = {dn: 'cn=admin,dc=rubyldap,dc=com', password: 'passworD1', method: :simple}
+    @admin_account = { dn: 'cn=admin,dc=rubyldap,dc=com', password: 'passworD1', method: :simple }
     @ldap.authenticate @admin_account[:dn], @admin_account[:password]
     @dn = 'uid=modify-password-user1,ou=People,dc=rubyldap,dc=com'

From a07710c6446e2b1d00cdc3c6ae881bc60aa3a2f7 Mon Sep 17 00:00:00 2001
From: Bruno Thomas
Date: Mon, 16 Apr 2018 16:39:17 +0200
Subject: [PATCH 2/2] adds a SSHA256 type and uses strict_encode64

Base64.encode64 adds \n every 60 encoded chars. This was originally an encoding mechanism for sending binary content in e-mail, where the line length is limited. For passwords we dont want this. cf https://stackoverflow.com/questions/2620975/strange-n-in-base64-encoded-string-in-ruby
---
 lib/net/ldap/password.rb | 10 +++++++---
 test/test_password.rb | 5 +++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/lib/net/ldap/password.rb b/lib/net/ldap/password.rb
index 28406f03..00447c17 100644
--- a/lib/net/ldap/password.rb
+++ b/lib/net/ldap/password.rb
@@ -1,5 +1,6 @@
 # -*- ruby encoding: utf-8 -*-
 require 'digest/sha1'
+require 'digest/sha2'
 require 'digest/md5'
 require 'base64'
 require 'securerandom'
@@ -23,12 +24,15 @@ class << self
     def generate(type, str)
       case type
       when :md5
-        attribute_value = '{MD5}' + Base64.encode64(Digest::MD5.digest(str)).chomp!
+        attribute_value = '{MD5}' + Base64.strict_encode64(Digest::MD5.digest(str))
       when :sha
-        attribute_value = '{SHA}' + Base64.encode64(Digest::SHA1.digest(str)).chomp!
+        attribute_value = '{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(str))
       when :ssha
         salt = SecureRandom.random_bytes(16)
-        attribute_value = '{SSHA}' + Base64.encode64(Digest::SHA1.digest(str + salt) + salt).chomp!
+        attribute_value = '{SSHA}' + Base64.strict_encode64(Digest::SHA1.digest(str + salt) + salt)
+      when :ssha256
+        salt = SecureRandom.random_bytes(16)
+        attribute_value = '{SSHA256}' + Base64.strict_encode64(Digest::SHA256.digest(str + salt) + salt)
       else
         raise Net::LDAP::HashTypeUnsupportedError, "Unsupported password-hash type (#{type})"
       end
diff --git a/test/test_password.rb b/test/test_password.rb
index 87b47d91..3ecd8d1b 100644
--- a/test/test_password.rb
+++ b/test/test_password.rb
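Review bot: The new `:ssha256` branch concatenates `str + salt` exactly as the `:ssha` branch does, and because `salt` comes from `SecureRandom.random_bytes` (ASCII-8BIT, almost always containing bytes above 0x7F) while `str` is normally a UTF-8 string, a password containing any non-ASCII character raises `Encoding::CompatibilityError` instead of being hashed; `strict_encode64` fixes the linefeed problem but leaves this latent failure in both salted branches. Hashing the binary view of the password, `attribute_value = '{SSHA256}' + Base64.strict_encode64(Digest::SHA256.digest(str.b + salt) + salt)` (and `str.b + salt` likewise in the `:ssha` branch), avoids the encoding clash without changing the output for ASCII passwords. The `:ssha256` type is not mentioned in the method's documentation, which sits above the hunk (the method's closing `end` is below it); a line such as `# @param type [Symbol] one of :md5, :sha, :ssha, :ssha256` would keep the accepted values discoverable. Whether the directory server in use accepts the `{SSHA256}` scheme label should be confirmed, since salted SHA-2 support varies by server and configuration.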
@@ -7,4 +7,9 @@ def test_psw
     assert_equal("{MD5}xq8jwrcfibi0sZdZYNkSng==", Net::LDAP::Password.generate( :md5, "cashflow" ))
     assert_equal("{SHA}YE4eGkN4BvwNN1f5R7CZz0kFn14=", Net::LDAP::Password.generate( :sha, "cashflow" ))
   end
+
+  def test_psw_with_ssha256_should_not_contain_linefeed
+    flexmock(SecureRandom).should_receive(:random_bytes).and_return('\xE5\x8A\x99\xF8\xCB\x15GW\xE8\xEA\xAD\x0F\xBF\x95\xB0\xDC')
+    assert_equal("{SSHA256}Cc7MXboTyUP5PnPAeJeCrgMy8+7Gus0sw7kBJuTrmf1ceEU1XHg4QVx4OTlceEY4XHhDQlx4MTVHV1x4RThceEVBXHhBRFx4MEZceEJGXHg5NVx4QjBceERD", Net::LDAP::Password.generate( :ssha256, "cashflow" ))
+  end
 end
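Review bot: The mocked salt on the `flexmock` line is single-quoted, so the `\x` escapes are not interpreted and `random_bytes` is stubbed to return a 64-character ASCII string of backslashes and hex digits rather than 16 raw bytes; the expected value bakes this in (its tail `XHg4QVx4OTk…` base64-decodes to the literal text `\x8A\x99…`), so the test never exercises a binary salt, which is precisely the case the switch to `strict_encode64` is meant to cover. Stub with a binary literal, `and_return("\xE5\x8A\x99\xF8\xCB\x15GW\xE8\xEA\xAD\x0F\xBF\x95\xB0\xDC".b)`, so the fixture matches what `SecureRandom.random_bytes` actually produces, and regenerate the expected `{SSHA256}…` string from that input. Since the test name promises the absence of a linefeed, an explicit `refute_includes Net::LDAP::Password.generate(:ssha256, "cashflow"), "\n"` states that intent directly instead of relying on the exact-equality comparison alone.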