annotate roundup/password.py @ 4480:1613754d2646

Fix first part of Password handling security issue2550688 (thanks Joseph Myers for reporting and Eli Collins for fixing)

Small change against original patch: We still accept plaintext passwords (in known_schemes) when parsing encrypted password (e.g. from database). This way existing databases with plaintext passwords continue to work (I don't know of any, this would need patching on the users' side) and all regression tests pass.
author Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
date Thu, 14 Apr 2011 12:24:59 +0000
parents eddb82d0964c
children 22bc0426e348
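The PBKDF2 branch of encodePassword in the annotated source stores hashes as rounds$salt$digest, h64-encoded, and rejects zero-padded rounds and rounds below 1000. The following Python 3 sketch of that format with a verification step is an added example, not Roundup's code: the function names, HashFormatError and the MAX_ROUNDS cap are assumptions of this example, the salt comes from os.urandom instead of the random module used by getrandbytes, and digests are compared with hmac.compare_digest.

```python
import base64
import hashlib
import hmac
import os
import re

MIN_ROUNDS = 1000        # floor enforced by encodePassword on this page
DEFAULT_ROUNDS = 10000   # default used by encodePassword on this page
MAX_ROUNDS = 10000000    # assumption of this example: cap work per stored hash
KEYLEN = 20              # SHA-1 digest size, as in the page's pbkdf2 call
_H64_RE = re.compile(r"[A-Za-z0-9./]+")
_ROUNDS_RE = re.compile(r"[1-9][0-9]*")


class HashFormatError(ValueError):
    """Stored hash is malformed (hypothetical name for this example)."""


def h64encode(raw):
    """Base64 with './' in place of '+/' and the '=' padding stripped."""
    return base64.b64encode(raw, b"./").decode("ascii").rstrip("=")


def h64decode(text):
    """Inverse of h64encode: check the alphabet, restore padding, decode."""
    if not _H64_RE.fullmatch(text) or len(text) % 4 == 1:
        raise HashFormatError("invalid base64 input")
    return base64.b64decode(text + "=" * (-len(text) % 4), b"./")


def parse_pbkdf2(stored):
    """Split 'rounds$salt$digest' and validate each field before use."""
    parts = stored.split("$")
    if len(parts) != 3:
        raise HashFormatError("wrong number of separators")
    rounds, salt, digest = parts
    if not _ROUNDS_RE.fullmatch(rounds):
        raise HashFormatError("invalid or zero-padded rounds")
    rounds = int(rounds)
    if not MIN_ROUNDS <= rounds <= MAX_ROUNDS:
        raise HashFormatError("rounds out of range")
    raw_digest = h64decode(digest)
    if len(raw_digest) != KEYLEN:
        raise HashFormatError("wrong digest length")
    return rounds, h64decode(salt), raw_digest


def encode_pbkdf2(password, rounds=DEFAULT_ROUNDS, salt=None):
    """Return 'rounds$salt$digest' for a text password."""
    if not MIN_ROUNDS <= rounds <= MAX_ROUNDS:
        raise HashFormatError("rounds out of range")
    if salt is None:
        salt = os.urandom(20)  # OS CSPRNG, 20 bytes like the page's salt
    raw = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                              salt, rounds, KEYLEN)
    return "%d$%s$%s" % (rounds, h64encode(salt), h64encode(raw))


def verify_pbkdf2(password, stored):
    """True only if the password reproduces the stored digest."""
    try:
        rounds, salt, expected = parse_pbkdf2(stored)
    except HashFormatError:
        return False  # malformed hashes never authenticate
    raw = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                              salt, rounds, KEYLEN)
    return hmac.compare_digest(raw, expected)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample: a throwaway password hashed with a fresh salt.
    sample = encode_pbkdf2("sekrit")
    print(sample)
    print(verify_pbkdf2("sekrit", sample), verify_pbkdf2("wrong", sample))
```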
rev   line source
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1 #
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2 # Copyright (c) 2001 Bizar Software Pty Ltd (http://www.bizarsoftware.com.au/)
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
3 # This module is free software, and you may redistribute it and/or modify
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
4 # under the same terms as Python, so long as this copyright message and
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
5 # disclaimer are retained in their original form.
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
6 #
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
7 # IN NO EVENT SHALL BIZAR SOFTWARE PTY LTD BE LIABLE TO ANY PARTY FOR
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
8 # DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
9 # OUT OF THE USE OF THIS CODE, EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
10 # POSSIBILITY OF SUCH DAMAGE.
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
11 #
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
12 # BIZAR SOFTWARE PTY LTD SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
13 # BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
14 # FOR A PARTICULAR PURPOSE. THE CODE PROVIDED HEREUNDER IS ON AN "AS IS"
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
15 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
16 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
3434
1f860b50fa5f encodePassword: don't trim the salt string...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2277
diff changeset
17 #
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
18 # $Id: password.py,v 1.15 2005-12-25 15:38:40 a1s Exp $
406
bdc2ea127ae9 Added module docstrings to all modules.
Jürgen Hermann <jhermann@users.sourceforge.net>
parents: 302
diff changeset
19
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1905
diff changeset
20 """Password handling (encoding, decoding).
406
bdc2ea127ae9 Added module docstrings to all modules.
Jürgen Hermann <jhermann@users.sourceforge.net>
parents: 302
diff changeset
21 """
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1905
diff changeset
22 __docformat__ = 'restructuredtext'
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
23
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
24 import re, string, random
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
25 from base64 import b64encode, b64decode
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
26 from roundup.anypy.hashlib_ import md5, sha1
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
27 try:
1231
c0a40d7ec47c fix typo
Gordon B. McMillan <gmcm@users.sourceforge.net>
parents: 1229
diff changeset
28 import crypt
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
29 except ImportError:
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
30 crypt = None
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
31
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
32 _bempty = ""
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
33 _bjoin = _bempty.join
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
34
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
35 def getrandbytes(count):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
36 return _bjoin(chr(random.randint(0,255)) for i in xrange(count))
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
37
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
38 #NOTE: PBKDF2 hash is using this variant of base64 to minimize encoding size,
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
39 # and have charset that's compatible w/ unix crypt variants
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
40 def h64encode(data):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
41 """encode using variant of base64"""
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
42 return b64encode(data, "./").strip("=\n")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
43
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
44 def h64decode(data):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
45 """decode using variant of base64"""
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
46 off = len(data) % 4
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
47 if off == 0:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
48 return b64decode(data, "./")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
49 elif off == 1:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
50 raise ValueError("invalid bas64 input")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
51 elif off == 2:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
52 return b64decode(data + "==", "./")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
53 else:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
54 return b64decode(data + "=", "./")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
55
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
56 try:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
57 from M2Crypto.EVP import pbkdf2 as _pbkdf2
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
58 except ImportError:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
59 #no m2crypto - make our own pbkdf2 function
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
60 from struct import pack
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
61 from hmac import HMAC
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
62 try:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
63 from hashlib import sha1
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
64 except ImportError:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
65 from sha import new as sha1
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
66
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
67 def xor_bytes(left, right):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
68 "perform bitwise-xor of two byte-strings"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
69 return _bjoin(chr(ord(l) ^ ord(r)) for l, r in zip(left, right))
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
70
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
71 def _pbkdf2(password, salt, rounds, keylen):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
72 digest_size = 20 # sha1 generates 20-byte blocks
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
73 total_blocks = int((keylen+digest_size-1)/digest_size)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
74 hmac_template = HMAC(password, None, sha1)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
75 out = _bempty
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
76 for i in xrange(1, total_blocks+1):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
77 hmac = hmac_template.copy()
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
78 hmac.update(salt + pack(">L",i))
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
79 block = tmp = hmac.digest()
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
80 for j in xrange(rounds-1):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
81 hmac = hmac_template.copy()
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
82 hmac.update(tmp)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
83 tmp = hmac.digest()
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
84 #TODO: need to speed up this call
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
85 block = xor_bytes(block, tmp)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
86 out += block
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
87 return out[:keylen]
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
88
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
89 def pbkdf2(password, salt, rounds, keylen):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
90 """pkcs#5 password-based key derivation v2.0
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
91
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
92 :arg password: passphrase to use to generate key (if unicode, converted to utf-8)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
93 :arg salt: salt string to use when generating key (if unicode, converted to utf-8)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
94 :param rounds: number of rounds to use to generate key
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
95 :arg keylen: number of bytes to generate
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
96
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
97 If M2Crypto is present, uses it's implementation as backend.
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
98
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
99 :returns:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
100 raw bytes of generated key
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
101 """
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
102 if isinstance(password, unicode):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
103 password = password.encode("utf-8")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
104 if isinstance(salt, unicode):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
105 salt = salt.encode("utf-8")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
106 if keylen > 40:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
107 #NOTE: pbkdf2 allows up to (2**31-1)*20 bytes,
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
108 # but m2crypto has issues on some platforms above 40,
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
109 # and such sizes aren't needed for a password hash anyways...
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
110 raise ValueError, "key length too large"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
111 if rounds < 1:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
112 raise ValueError, "rounds must be positive number"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
113 return _pbkdf2(password, salt, rounds, keylen)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
114
1905
dc43e339e607 Centralised conversion of user-input data to hyperdb values
Richard Jones <richard@users.sourceforge.net>
parents: 1583
diff changeset
115 class PasswordValueError(ValueError):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
116 """ The password value is not valid """
1905
dc43e339e607 Centralised conversion of user-input data to hyperdb values
Richard Jones <richard@users.sourceforge.net>
parents: 1583
diff changeset
117 pass
dc43e339e607 Centralised conversion of user-input data to hyperdb values
Richard Jones <richard@users.sourceforge.net>
parents: 1583
diff changeset
118
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
119 def encodePassword(plaintext, scheme, other=None):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
120 """Encrypt the plaintext password.
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
121 """
1343
2e557762ee87 fixed handling of missing password [SF#655632]
Richard Jones <richard@users.sourceforge.net>
parents: 1231
diff changeset
122 if plaintext is None:
2e557762ee87 fixed handling of missing password [SF#655632]
Richard Jones <richard@users.sourceforge.net>
parents: 1231
diff changeset
123 plaintext = ""
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
124 if scheme == "PBKDF2":
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
125 if other:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
126 #assume it has format "{rounds}${salt}${digest}"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
127 if isinstance(other, unicode):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
128 other = other.encode("ascii")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
129 try:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
130 rounds, salt, digest = other.split("$")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
131 except ValueError:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
132 raise PasswordValueError, "invalid PBKDF2 hash (wrong number of separators)"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
133 if rounds.startswith("0"):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
134 raise PasswordValueError, "invalid PBKDF2 hash (zero-padded rounds)"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
135 try:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
136 rounds = int(rounds)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
137 except ValueError:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
138 raise PasswordValueError, "invalid PBKDF2 hash (invalid rounds)"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
139 raw_salt = h64decode(salt)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
140 else:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
141 raw_salt = getrandbytes(20)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
142 salt = h64encode(raw_salt)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
143 #FIXME: find way to access config, so default rounds
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
144 # can be altered for faster/slower hosts via config.ini
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
145 rounds = 10000
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
146 if rounds < 1000:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
147 raise PasswordValueError, "invalid PBKDF2 hash (rounds too low)"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
148 raw_digest = pbkdf2(plaintext, raw_salt, rounds, 20)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
149 return "%d$%s$%s" % (rounds, salt, h64encode(raw_digest))
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
150 elif scheme == 'SHA':
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
151 s = sha1(plaintext).hexdigest()
2277
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
152 elif scheme == 'MD5':
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
153 s = md5(plaintext).hexdigest()
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
154 elif scheme == 'crypt' and crypt is not None:
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
155 if other is not None:
3434
1f860b50fa5f encodePassword: don't trim the salt string...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2277
diff changeset
156 salt = other
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
157 else:
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
158 saltchars = './0123456789'+string.letters
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
159 salt = random.choice(saltchars) + random.choice(saltchars)
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
160 s = crypt.crypt(plaintext, salt)
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
161 elif scheme == 'plaintext':
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
162 s = plaintext
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
163 else:
1905
dc43e339e607 Centralised conversion of user-input data to hyperdb values
Richard Jones <richard@users.sourceforge.net>
parents: 1583
diff changeset
164 raise PasswordValueError, 'unknown encryption scheme %r'%scheme
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
165 return s
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
166
1583
caae7d8934dc set new email rego user password to random string
Richard Jones <richard@users.sourceforge.net>
parents: 1343
diff changeset
167 def generatePassword(length=8):
caae7d8934dc set new email rego user password to random string
Richard Jones <richard@users.sourceforge.net>
parents: 1343
diff changeset
168 chars = string.letters+string.digits
caae7d8934dc set new email rego user password to random string
Richard Jones <richard@users.sourceforge.net>
parents: 1343
diff changeset
169 return ''.join([random.choice(chars) for x in range(length)])
caae7d8934dc set new email rego user password to random string
Richard Jones <richard@users.sourceforge.net>
parents: 1343
diff changeset
170
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
171 class Password:
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
172 """The class encapsulates a Password property type value in the database.
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
173
2277
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
174 The encoding of the password is one of None, 'SHA', 'MD5' or 'plaintext'.
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
175 The encodePassword function is used to actually encode the password from
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
176 plaintext. The None encoding is used in legacy databases where no
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
177 encoding scheme is identified.
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
178
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
179 The scheme is stored with the encoded data in the database:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
180 {scheme}data
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
181
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
182 Example usage:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
183 >>> p = Password('sekrit')
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
184 >>> p == 'sekrit'
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
185 1
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
186 >>> p != 'not sekrit'
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
187 1
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
188 >>> 'sekrit' == p
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
189 1
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
190 >>> 'not sekrit' != p
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
191 1
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
192 """
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
193 #TODO: code to migrate from old password schemes.
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
194
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
195 default_scheme = 'PBKDF2' # new encryptions use this scheme
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
196 known_schemes = [ "PBKDF2", "SHA", "MD5", "crypt", "plaintext" ]
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
197 pwre = re.compile(r'{(\w+)}(.+)')
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
198
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
199 def __init__(self, plaintext=None, scheme=None, encrypted=None, strict=False):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
200 """Call setPassword if plaintext is not None."""
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
201 if scheme is None:
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
202 scheme = self.default_scheme
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
203 if plaintext is not None:
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
204 self.setPassword (plaintext, scheme)
2098
18addf2a8596 Implemented proper datatypes in mysql and postgresql backends...
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
205 elif encrypted is not None:
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
206 self.unpack(encrypted, scheme, strict=strict)
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
207 else:
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
208 self.scheme = self.default_scheme
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
209 self.password = None
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
210 self.plaintext = None
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
211
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
212 def unpack(self, encrypted, scheme=None, strict=False):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
213 """Set the password info from the scheme:<encrypted info> string
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
214 (the inverse of __str__)
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
215 """
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
216 m = self.pwre.match(encrypted)
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
217 if m:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
218 self.scheme = m.group(1)
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
219 self.password = m.group(2)
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
220 self.plaintext = None
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
221 else:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
222 # currently plaintext - encrypt
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
223 self.setPassword(encrypted, scheme)
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
224 if strict and self.scheme not in self.known_schemes:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
225 raise PasswordValueError, "unknown encryption scheme: %r" % (self.scheme,)
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
226
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
227 def setPassword(self, plaintext, scheme=None):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
228 """Set and encrypt the plaintext."""
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
229 if scheme is None:
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
230 scheme = self.default_scheme
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
231 self.scheme = scheme
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
232 self.password = encodePassword(plaintext, scheme)
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
233 self.plaintext = plaintext
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
234
302
d1fb3fcdb11b Catch errors in login - no username or password supplied.
Richard Jones <richard@users.sourceforge.net>
parents: 275
diff changeset
235 def __cmp__(self, other):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
236 """Compare this password against another password."""
302
d1fb3fcdb11b Catch errors in login - no username or password supplied.
Richard Jones <richard@users.sourceforge.net>
parents: 275
diff changeset
237 # check to see if we're comparing instances
d1fb3fcdb11b Catch errors in login - no username or password supplied.
Richard Jones <richard@users.sourceforge.net>
parents: 275
diff changeset
238 if isinstance(other, Password):
d1fb3fcdb11b Catch errors in login - no username or password supplied.
Richard Jones <richard@users.sourceforge.net>
parents: 275
diff changeset
239 if self.scheme != other.scheme:
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
240 return cmp(self.scheme, other.scheme)
302
d1fb3fcdb11b Catch errors in login - no username or password supplied.
Richard Jones <richard@users.sourceforge.net>
parents: 275
diff changeset
241 return cmp(self.password, other.password)
d1fb3fcdb11b Catch errors in login - no username or password supplied.
Richard Jones <richard@users.sourceforge.net>
parents: 275
diff changeset
242
d1fb3fcdb11b Catch errors in login - no username or password supplied.
Richard Jones <richard@users.sourceforge.net>
parents: 275
diff changeset
243 # assume password is plaintext
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
244 if self.password is None:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
245 raise ValueError, 'Password not set'
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
246 return cmp(self.password, encodePassword(other, self.scheme,
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
247 self.password))
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
248
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
249 def __str__(self):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
250 """Stringify the encrypted password for database storage."""
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
251 if self.password is None:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
252 raise ValueError, 'Password not set'
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
253 return '{%s}%s'%(self.scheme, self.password)
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
254
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
255 def test():
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
256 # default scheme (PBKDF2)
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
257 p = Password('sekrit')
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
258 assert p == 'sekrit'
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
259 assert p != 'not sekrit'
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
260 assert 'sekrit' == p
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
261 assert 'not sekrit' != p
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
262
2277
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
263 # MD5
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
264 p = Password('sekrit', 'MD5')
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
265 assert p == 'sekrit'
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
266 assert p != 'not sekrit'
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
267 assert 'sekrit' == p
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
268 assert 'not sekrit' != p
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
269
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
270 # crypt
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
271 p = Password('sekrit', 'crypt')
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
272 assert p == 'sekrit'
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
273 assert p != 'not sekrit'
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
274 assert 'sekrit' == p
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
275 assert 'not sekrit' != p
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
276
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
277 # PBKDF2 - low level function
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
278 from binascii import unhexlify
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
279 k = pbkdf2("password", "ATHENA.MIT.EDUraeburn", 1200, 32)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
280 assert k == unhexlify("5c08eb61fdf71e4e4ec3cf6ba1f5512ba7e52ddbc5e5142f708a31e2e62b1e13")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
281
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
282 # PBKDF2 - hash function
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
283 h = "5000$7BvbBq.EZzz/O0HuwX3iP.nAG3s$g3oPnFFaga2BJaX5PoPRljl4XIE"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
284 assert encodePassword("sekrit", "PBKDF2", h) == h
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
285
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
286 # PBKDF2 - high level integration
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
287 p = Password('sekrit', 'PBKDF2')
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
288 assert p == 'sekrit'
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
289 assert p != 'not sekrit'
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
290 assert 'sekrit' == p
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
291 assert 'not sekrit' != p
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
292
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
293 if __name__ == '__main__':
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
294 test()
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
295
3434
1f860b50fa5f encodePassword: don't trim the salt string...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2277
diff changeset
296 # vim: set filetype=python sts=4 sw=4 et si :
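An added example, not Roundup's code, sketching the migration that the `#TODO` on line 193 leaves open: check a stored `{scheme}data` value, reject unknown scheme tags as the strict `unpack` does, compare in constant time rather than with `cmp()`, and return a `{PBKDF2}` replacement when a correct password was stored under an older scheme. The names `check_and_upgrade`, `encode`, `pbkdf2_sha1` and `ROUNDS`, the salt and base64 handling, and the unsalted hex digests for `SHA` and `MD5` are assumptions; it uses only the Python 3 standard library.

```python
import base64
import hashlib
import hmac
import os
import re

DEFAULT_SCHEME = "PBKDF2"
# "crypt" is left out here because it needs the platform's crypt(3).
KNOWN_SCHEMES = ("PBKDF2", "SHA", "MD5", "plaintext")
PWRE = re.compile(r"\{(\w+)\}(.+)")   # same pattern as Password.pwre, braces escaped
ROUNDS = 10000                         # assumed work factor for newly created hashes


def pbkdf2_sha1(password, salt, rounds, keylen):
    """PBKDF2-HMAC-SHA1 over bytes, using the standard library."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, rounds, keylen)


def _b64(raw):
    # Assumed text encoding: base64 with "./" as altchars and no padding.
    return base64.b64encode(raw, b"./").decode("ascii").rstrip("=")


def encode(plaintext, scheme, other=None):
    """Encode plaintext; `other` supplies rounds and salt of a stored PBKDF2 value."""
    pw = plaintext.encode("utf-8")
    if scheme == "PBKDF2":
        if other is None:
            rounds, salt = ROUNDS, _b64(os.urandom(20))
        else:
            rounds, salt = other.split("$")[:2]
            rounds = int(rounds)
        # Assumption: the salt text itself is fed to PBKDF2 as bytes.
        digest = pbkdf2_sha1(pw, salt.encode("ascii"), rounds, 20)
        return "%d$%s$%s" % (rounds, salt, _b64(digest))
    if scheme == "SHA":
        return hashlib.sha1(pw).hexdigest()
    if scheme == "MD5":
        return hashlib.md5(pw).hexdigest()
    if scheme == "plaintext":
        return plaintext
    raise ValueError("unknown encryption scheme %r" % scheme)


def check_and_upgrade(stored, candidate):
    """Return (ok, replacement).

    replacement is a new '{PBKDF2}...' string when a correct password was
    checked against an older scheme, otherwise None.
    """
    m = PWRE.match(stored)
    # A value without a {scheme} tag is treated as legacy plaintext.
    scheme, data = (m.group(1), m.group(2)) if m else ("plaintext", stored)
    if scheme not in KNOWN_SCHEMES:    # strict: never guess at unknown tags
        raise ValueError("unknown encryption scheme %r" % scheme)
    attempt = encode(candidate, scheme, data if scheme == "PBKDF2" else None)
    # Constant-time comparison of the encoded strings.
    ok = hmac.compare_digest(attempt.encode("utf-8"), data.encode("utf-8"))
    if ok and scheme != DEFAULT_SCHEME:
        return True, "{%s}%s" % (DEFAULT_SCHEME, encode(candidate, DEFAULT_SCHEME))
    return ok, None
```

The caller writes the replacement back to the user record only when `ok` is true; a failed login never triggers a rehash.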

Roundup Issue Tracker: http://roundup-tracker.org/