Mercurial > p > roundup > code

annotate roundup/password.py @ 5660:d8d2b7724292

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
First attempt at REST-API documentation Also fix operator of patch to be '@op', not 'op'. Example for retire/restore using both, DELETE and PATCH with @op=action.
author Ralf Schlatterbeck <rsc@runtux.com>
date Fri, 22 Mar 2019 11:23:02 +0100
parents 07abc8d36940
children 6c3826600610
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1 #
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2 # Copyright (c) 2001 Bizar Software Pty Ltd (http://www.bizarsoftware.com.au/)
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
3 # This module is free software, and you may redistribute it and/or modify
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
4 # under the same terms as Python, so long as this copyright message and
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
5 # disclaimer are retained in their original form.
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
6 #
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
7 # IN NO EVENT SHALL BIZAR SOFTWARE PTY LTD BE LIABLE TO ANY PARTY FOR
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
8 # DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
9 # OUT OF THE USE OF THIS CODE, EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
10 # POSSIBILITY OF SUCH DAMAGE.
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
11 #
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
12 # BIZAR SOFTWARE PTY LTD SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
13 # BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
14 # FOR A PARTICULAR PURPOSE. THE CODE PROVIDED HEREUNDER IS ON AN "AS IS"
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
15 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
16 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
3434
1f860b50fa5f encodePassword: don't trim the salt string...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2277
diff changeset
17 #
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1905
diff changeset
18 """Password handling (encoding, decoding).
406
bdc2ea127ae9 Added module docstrings to all modules.
Jürgen Hermann <jhermann@users.sourceforge.net>
parents: 302
diff changeset
19 """
2005
fc52d57c6c3e documentation cleanup
Richard Jones <richard@users.sourceforge.net>
parents: 1905
diff changeset
20 __docformat__ = 'restructuredtext'
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
21
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5483
diff changeset
22 import re, string
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
23 from base64 import b64encode, b64decode
4982
9ba03348f923 Remove roundup/anypy/hashlib_.py
John Kristensen <john@jerrykan.com>
parents: 4760
diff changeset
24 from hashlib import md5, sha1
9ba03348f923 Remove roundup/anypy/hashlib_.py
John Kristensen <john@jerrykan.com>
parents: 4760
diff changeset
25
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
26 from roundup.anypy.strings import us2s, b2s, s2b
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5483
diff changeset
27 import roundup.anypy.random_ as random_
5416
56c9bcdea47f Python 3 preparation: unicode.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5415
diff changeset
28
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
29 try:
1231
c0a40d7ec47c fix typo
Gordon B. McMillan <gmcm@users.sourceforge.net>
parents: 1229
diff changeset
30 import crypt
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
31 except ImportError:
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
32 crypt = None
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
33
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
34 _bempty = b""
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
35 _bjoin = _bempty.join
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
36
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
37 def bchr(c):
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
38 if bytes == str:
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
39 # Python 2.
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
40 return chr(c)
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
41 else:
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
42 # Python 3.
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
43 return bytes((c,))
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
44
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
45 def bord(c):
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
46 if bytes == str:
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
47 # Python 2.
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
48 return ord(c)
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
49 else:
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
50 # Python 3. Elements of bytes are integers.
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
51 return c
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
52
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
53 #NOTE: PBKDF2 hash is using this variant of base64 to minimize encoding size,
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
54 # and have charset that's compatible w/ unix crypt variants
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
55 def h64encode(data):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
56 """encode using variant of base64"""
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
57 return b2s(b64encode(data, b"./").strip(b"=\n"))
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
58
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
59 def h64decode(data):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
60 """decode using variant of base64"""
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
61 data = s2b(data)
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
62 off = len(data) % 4
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
63 if off == 0:
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
64 return b64decode(data, b"./")
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
65 elif off == 1:
4683
2f66d44616ad windows: Fix failing password tests due to missing crypt module
anatoly techtonik <techtonik@gmail.com>
parents: 4570
diff changeset
66 raise ValueError("Invalid base64 input")
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
67 elif off == 2:
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
68 return b64decode(data + b"==", b"./")
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
69 else:
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
70 return b64decode(data + b"=", b"./")
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
71
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
72 try:
5483
3d0f71775e42 use PBKDF2 implementation from Python's hashlib, if available
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5454
diff changeset
73 from hashlib import pbkdf2_hmac
3d0f71775e42 use PBKDF2 implementation from Python's hashlib, if available
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5454
diff changeset
74 def _pbkdf2(password, salt, rounds, keylen):
3d0f71775e42 use PBKDF2 implementation from Python's hashlib, if available
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5454
diff changeset
75 return pbkdf2_hmac('sha1', password, salt, rounds, keylen)
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
76 except ImportError:
5483
3d0f71775e42 use PBKDF2 implementation from Python's hashlib, if available
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5454
diff changeset
77 #no hashlib.pbkdf2_hmac - make our own pbkdf2 function
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
78 from struct import pack
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
79 from hmac import HMAC
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
80
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
81 def xor_bytes(left, right):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
82 "perform bitwise-xor of two byte-strings"
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
83 return _bjoin(bchr(bord(l) ^ bord(r)) for l, r in zip(left, right))
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
84
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
85 def _pbkdf2(password, salt, rounds, keylen):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
86 digest_size = 20 # sha1 generates 20-byte blocks
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
87 total_blocks = int((keylen+digest_size-1)/digest_size)
4982
9ba03348f923 Remove roundup/anypy/hashlib_.py
John Kristensen <john@jerrykan.com>
parents: 4760
diff changeset
88 hmac_template = HMAC(password, None, sha1)
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
89 out = _bempty
5391
a391a071d045 Python 3 preparation: use range() instead of xrange().
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
90 for i in range(1, total_blocks+1):
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
91 hmac = hmac_template.copy()
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
92 hmac.update(salt + pack(">L",i))
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
93 block = tmp = hmac.digest()
5391
a391a071d045 Python 3 preparation: use range() instead of xrange().
Joseph Myers <jsm@polyomino.org.uk>
parents: 5378
diff changeset
94 for j in range(rounds-1):
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
95 hmac = hmac_template.copy()
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
96 hmac.update(tmp)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
97 tmp = hmac.digest()
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
98 #TODO: need to speed up this call
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
99 block = xor_bytes(block, tmp)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
100 out += block
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
101 return out[:keylen]
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
102
5053
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
103 def ssha(password, salt):
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
104 ''' Make ssha digest from password and salt.
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
105 Based on code of Roberto Aguilar <roberto@baremetal.io>
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
106 https://gist.github.com/rca/7217540
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
107 '''
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
108 shaval = sha1(password)
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
109 shaval.update( salt )
5454
fbbcbfc6dad0 fix encoding for hash functions
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5428
diff changeset
110 ssha_digest = b64encode( shaval.digest() + salt ).strip()
5053
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
111 return ssha_digest
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
112
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
113 def pbkdf2(password, salt, rounds, keylen):
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
114 """pkcs#5 password-based key derivation v2.0
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
115
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
116 :arg password: passphrase to use to generate key (if unicode, converted to utf-8)
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
117 :arg salt: salt bytes to use when generating key
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
118 :param rounds: number of rounds to use to generate key
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
119 :arg keylen: number of bytes to generate
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
120
5483
3d0f71775e42 use PBKDF2 implementation from Python's hashlib, if available
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5454
diff changeset
121 If hashlib supports pbkdf2, uses it's implementation as backend.
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
122
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
123 :returns:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
124 raw bytes of generated key
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
125 """
5416
56c9bcdea47f Python 3 preparation: unicode.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5415
diff changeset
126 password = s2b(us2s(password))
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
127 if keylen > 40:
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
128 #NOTE: pbkdf2 allows up to (2**31-1)*20 bytes,
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
129 # but m2crypto has issues on some platforms above 40,
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
130 # and such sizes aren't needed for a password hash anyways...
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
131 raise ValueError("key length too large")
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
132 if rounds < 1:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
133 raise ValueError("rounds must be positive number")
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
134 return _pbkdf2(password, salt, rounds, keylen)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
135
1905
dc43e339e607 Centralised conversion of user-input data to hyperdb values
Richard Jones <richard@users.sourceforge.net>
parents: 1583
diff changeset
136 class PasswordValueError(ValueError):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
137 """ The password value is not valid """
1905
dc43e339e607 Centralised conversion of user-input data to hyperdb values
Richard Jones <richard@users.sourceforge.net>
parents: 1583
diff changeset
138 pass
dc43e339e607 Centralised conversion of user-input data to hyperdb values
Richard Jones <richard@users.sourceforge.net>
parents: 1583
diff changeset
139
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
140 def pbkdf2_unpack(pbkdf2):
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
141 """ unpack pbkdf2 encrypted password into parts,
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
142 assume it has format "{rounds}${salt}${digest}
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
143 """
5416
56c9bcdea47f Python 3 preparation: unicode.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5415
diff changeset
144 pbkdf2 = us2s(pbkdf2)
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
145 try:
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
146 rounds, salt, digest = pbkdf2.split("$")
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
147 except ValueError:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
148 raise PasswordValueError("invalid PBKDF2 hash (wrong number of separators)")
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
149 if rounds.startswith("0"):
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
150 raise PasswordValueError("invalid PBKDF2 hash (zero-padded rounds)")
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
151 try:
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
152 rounds = int(rounds)
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
153 except ValueError:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
154 raise PasswordValueError("invalid PBKDF2 hash (invalid rounds)")
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
155 raw_salt = h64decode(salt)
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
156 return rounds, salt, raw_salt, digest
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
157
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
158 def encodePassword(plaintext, scheme, other=None, config=None):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
159 """Encrypt the plaintext password.
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
160 """
1343
2e557762ee87 fixed handling of missing password [SF#655632]
Richard Jones <richard@users.sourceforge.net>
parents: 1231
diff changeset
161 if plaintext is None:
2e557762ee87 fixed handling of missing password [SF#655632]
Richard Jones <richard@users.sourceforge.net>
parents: 1231
diff changeset
162 plaintext = ""
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
163 if scheme == "PBKDF2":
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
164 if other:
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
165 rounds, salt, raw_salt, digest = pbkdf2_unpack(other)
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
166 else:
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5483
diff changeset
167 raw_salt = random_.token_bytes(20)
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
168 salt = h64encode(raw_salt)
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
169 if config:
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
170 rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
171 else:
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
172 rounds = 10000
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
173 if rounds < 1000:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
174 raise PasswordValueError("invalid PBKDF2 hash (rounds too low)")
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
175 raw_digest = pbkdf2(plaintext, raw_salt, rounds, 20)
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
176 return "%d$%s$%s" % (rounds, salt, h64encode(raw_digest))
5053
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
177 elif scheme == 'SSHA':
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
178 if other:
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
179 raw_other = b64decode(other)
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
180 salt = raw_other[20:]
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
181 else:
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
182 #new password
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
183 # variable salt length
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5483
diff changeset
184 salt_len = random_.randbelow(52-36) + 36
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5483
diff changeset
185 salt = random_.token_bytes(salt_len)
5454
fbbcbfc6dad0 fix encoding for hash functions
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5428
diff changeset
186 s = ssha(s2b(plaintext), salt)
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
187 elif scheme == 'SHA':
5454
fbbcbfc6dad0 fix encoding for hash functions
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5428
diff changeset
188 s = sha1(s2b(plaintext)).hexdigest()
2277
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
189 elif scheme == 'MD5':
5454
fbbcbfc6dad0 fix encoding for hash functions
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5428
diff changeset
190 s = md5(s2b(plaintext)).hexdigest()
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
191 elif scheme == 'crypt' and crypt is not None:
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
192 if other is not None:
3434
1f860b50fa5f encodePassword: don't trim the salt string...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2277
diff changeset
193 salt = other
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
194 else:
5415
2d6a92c3e212 Python 3 preparation: use string.ascii_letters instead of string.letters.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5414
diff changeset
195 saltchars = './0123456789'+string.ascii_letters
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5483
diff changeset
196 salt = random_.choice(saltchars) + random_.choice(saltchars)
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
197 s = crypt.crypt(plaintext, salt)
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
198 elif scheme == 'plaintext':
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
199 s = plaintext
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
200 else:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
201 raise PasswordValueError('Unknown encryption scheme %r'%scheme)
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
202 return s
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
203
4760
efdce3d32698 Increase generated password length to 12 symbols.
anatoly techtonik <techtonik@gmail.com>
parents: 4683
diff changeset
204 def generatePassword(length=12):
5415
2d6a92c3e212 Python 3 preparation: use string.ascii_letters instead of string.letters.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5414
diff changeset
205 chars = string.ascii_letters+string.digits
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5483
diff changeset
206 password = [random_.choice(chars) for x in range(length - 1)]
4760
efdce3d32698 Increase generated password length to 12 symbols.
anatoly techtonik <techtonik@gmail.com>
parents: 4683
diff changeset
207 # make sure there is at least one digit
5488
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5483
diff changeset
208 digitidx = random_.randbelow(length)
52cb53eedf77 reworked random number use
Christof Meerwald <cmeerw@cmeerw.org>
parents: 5483
diff changeset
209 password[digitidx:digitidx] = [random_.choice(string.digits)]
4760
efdce3d32698 Increase generated password length to 12 symbols.
anatoly techtonik <techtonik@gmail.com>
parents: 4683
diff changeset
210 return ''.join(password)
1583
caae7d8934dc set new email rego user password to random string
Richard Jones <richard@users.sourceforge.net>
parents: 1343
diff changeset
211
4483
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
212 class JournalPassword:
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
213 """ Password dummy instance intended for journal operation.
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
214 We do not store passwords in the journal any longer. The dummy
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
215 version only reads the encryption scheme from the given
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
216 encrypted password.
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
217 """
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
218 default_scheme = 'PBKDF2' # new encryptions use this scheme
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
219 pwre = re.compile(r'{(\w+)}(.+)')
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
220
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
221 def __init__ (self, encrypted=''):
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
222 if isinstance(encrypted, self.__class__):
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
223 self.scheme = encrypted.scheme or self.default_scheme
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
224 else:
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
225 m = self.pwre.match(encrypted)
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
226 if m:
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
227 self.scheme = m.group(1)
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
228 else:
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
229 self.scheme = self.default_scheme
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
230 self.password = ''
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
231
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
232 def dummystr(self):
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
233 """ return dummy string to store in journal
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
234 - reports scheme, but nothing else
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
235 """
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
236 return "{%s}*encrypted*" % (self.scheme,)
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
237
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
238 __str__ = dummystr
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
239
5414
3fa026621f69 Python 3 preparation: comparisons.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5391
diff changeset
240 def __eq__(self, other):
4483
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
241 """Compare this password against another password."""
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
242 # check to see if we're comparing instances
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
243 if isinstance(other, self.__class__):
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
244 if self.scheme != other.scheme:
5414
3fa026621f69 Python 3 preparation: comparisons.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5391
diff changeset
245 return False
3fa026621f69 Python 3 preparation: comparisons.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5391
diff changeset
246 return self.password == other.password
4483
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
247
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
248 # assume password is plaintext
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
249 if self.password is None:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
250 raise ValueError('Password not set')
5414
3fa026621f69 Python 3 preparation: comparisons.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5391
diff changeset
251 return self.password == encodePassword(other, self.scheme,
3fa026621f69 Python 3 preparation: comparisons.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5391
diff changeset
252 self.password or None)
3fa026621f69 Python 3 preparation: comparisons.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5391
diff changeset
253
3fa026621f69 Python 3 preparation: comparisons.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5391
diff changeset
254 def __ne__(self, other):
3fa026621f69 Python 3 preparation: comparisons.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5391
diff changeset
255 return not self.__eq__(other)
4483
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
256
22bc0426e348 Second patch from issue2550688 -- with some changes:
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4480
diff changeset
257 class Password(JournalPassword):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
258 """The class encapsulates a Password property type value in the database.
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
259
2277
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
260 The encoding of the password is one if None, 'SHA', 'MD5' or 'plaintext'.
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
261 The encodePassword function is used to actually encode the password from
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
262 plaintext. The None encoding is used in legacy databases where no
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
263 encoding scheme is identified.
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
264
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
265 The scheme is stored with the encoded data in the database:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
266 {scheme}data
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
267
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
268 Example usage:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
269 >>> p = Password('sekrit')
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
270 >>> p == 'sekrit'
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
271 1
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
272 >>> p != 'not sekrit'
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
273 1
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
274 >>> 'sekrit' == p
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
275 1
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
276 >>> 'not sekrit' != p
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
277 1
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
278 """
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
279 #TODO: code to migrate from old password schemes.
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
280
4485
95aace124a8e use idea from Eli Collins to use a list of deprecated password encoding schemes
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
281 deprecated_schemes = ["SHA", "MD5", "crypt", "plaintext"]
5053
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
282 known_schemes = ["PBKDF2", "SSHA"] + deprecated_schemes
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
283
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
284 def __init__(self, plaintext=None, scheme=None, encrypted=None, strict=False, config=None):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
285 """Call setPassword if plaintext is not None."""
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
286 if scheme is None:
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
287 scheme = self.default_scheme
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
288 if plaintext is not None:
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
289 self.setPassword (plaintext, scheme, config=config)
2098
18addf2a8596 Implemented proper datatypes in mysql and postgresql backends...
Richard Jones <richard@users.sourceforge.net>
parents: 2005
diff changeset
290 elif encrypted is not None:
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
291 self.unpack(encrypted, scheme, strict=strict, config=config)
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
292 else:
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
293 self.scheme = self.default_scheme
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
294 self.password = None
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
295 self.plaintext = None
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
296
5630
07abc8d36940 Add etag support to rest interface to prevent multiple users from
John Rouillard <rouilj@ieee.org>
parents: 5490
diff changeset
297 def __repr__(self):
07abc8d36940 Add etag support to rest interface to prevent multiple users from
John Rouillard <rouilj@ieee.org>
parents: 5490
diff changeset
298 return self.__str__()
07abc8d36940 Add etag support to rest interface to prevent multiple users from
John Rouillard <rouilj@ieee.org>
parents: 5490
diff changeset
299
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
300 def needs_migration(self):
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
301 """ Password has insecure scheme or other insecure parameters
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
302 and needs migration to new password scheme
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
303 """
4485
95aace124a8e use idea from Eli Collins to use a list of deprecated password encoding schemes
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4484
diff changeset
304 if self.scheme in self.deprecated_schemes:
4484
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
305 return True
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
306 rounds, salt, raw_salt, digest = pbkdf2_unpack(self.password)
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
307 if rounds < 1000:
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
308 return True
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
309 return False
52e13bf0bb40 Add new config-option 'migrate_passwords' in section 'web'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4483
diff changeset
310
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
311 def unpack(self, encrypted, scheme=None, strict=False, config=None):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
312 """Set the password info from the scheme:<encryted info> string
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
313 (the inverse of __str__)
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
314 """
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
315 m = self.pwre.match(encrypted)
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
316 if m:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
317 self.scheme = m.group(1)
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
318 self.password = m.group(2)
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
319 self.plaintext = None
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
320 else:
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
321 # currently plaintext - encrypt
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
322 self.setPassword(encrypted, scheme, config=config)
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
323 if strict and self.scheme not in self.known_schemes:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
324 raise PasswordValueError("Unknown encryption scheme: %r" % (self.scheme,))
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
325
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
326 def setPassword(self, plaintext, scheme=None, config=None):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
327 """Sets encrypts plaintext."""
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
328 if scheme is None:
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
329 scheme = self.default_scheme
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
330 self.scheme = scheme
4486
693c75d56ebe Add new config-option 'password_pbkdf2_default_rounds'...
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4485
diff changeset
331 self.password = encodePassword(plaintext, scheme, config=config)
3439
822a2719b81b keep plaintext password in Password object property (rfe [SF#1379447])
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 3434
diff changeset
332 self.plaintext = plaintext
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
333
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
334 def __str__(self):
4089
eddb82d0964c Add compatibility package to allow us to deal with Python versions 2.3..2.6.
Richard Jones <richard@users.sourceforge.net>
parents: 3439
diff changeset
335 """Stringify the encrypted password for database storage."""
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
336 if self.password is None:
5378
35ea9b1efc14 Python 3 preparation: "raise" syntax.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5356
diff changeset
337 raise ValueError('Password not set')
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
338 return '{%s}%s'%(self.scheme, self.password)
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
339
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
340 def test():
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
341 # SHA
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
342 p = Password('sekrit')
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
343 assert p == 'sekrit'
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
344 assert p != 'not sekrit'
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
345 assert 'sekrit' == p
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
346 assert 'not sekrit' != p
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
347
2277
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
348 # MD5
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
349 p = Password('sekrit', 'MD5')
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
350 assert p == 'sekrit'
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
351 assert p != 'not sekrit'
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
352 assert 'sekrit' == p
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
353 assert 'not sekrit' != p
c9e52addda42 added MD5 scheme for password hiding
Richard Jones <richard@users.sourceforge.net>
parents: 2098
diff changeset
354
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
355 # crypt
4683
2f66d44616ad windows: Fix failing password tests due to missing crypt module
anatoly techtonik <techtonik@gmail.com>
parents: 4570
diff changeset
356 if crypt: # not available on Windows
2f66d44616ad windows: Fix failing password tests due to missing crypt module
anatoly techtonik <techtonik@gmail.com>
parents: 4570
diff changeset
357 p = Password('sekrit', 'crypt')
2f66d44616ad windows: Fix failing password tests due to missing crypt module
anatoly techtonik <techtonik@gmail.com>
parents: 4570
diff changeset
358 assert p == 'sekrit'
2f66d44616ad windows: Fix failing password tests due to missing crypt module
anatoly techtonik <techtonik@gmail.com>
parents: 4570
diff changeset
359 assert p != 'not sekrit'
2f66d44616ad windows: Fix failing password tests due to missing crypt module
anatoly techtonik <techtonik@gmail.com>
parents: 4570
diff changeset
360 assert 'sekrit' == p
2f66d44616ad windows: Fix failing password tests due to missing crypt module
anatoly techtonik <techtonik@gmail.com>
parents: 4570
diff changeset
361 assert 'not sekrit' != p
1229
5c581b120738 added "crypt" password encoding...
Richard Jones <richard@users.sourceforge.net>
parents: 1090
diff changeset
362
5053
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
363 # SSHA
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
364 p = Password('sekrit', 'SSHA')
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
365 assert p == 'sekrit'
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
366 assert p != 'not sekrit'
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
367 assert 'sekrit' == p
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
368 assert 'not sekrit' != p
9792b18e0b19 issue 2550880: Ability to choose password store scheme and SSHA support.
John Rouillard <rouilj@ieee.org>
parents: 4982
diff changeset
369
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
370 # PBKDF2 - low level function
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
371 from binascii import unhexlify
5428
1f1899658115 Python 3 preparation: use bytes more in password handling.
Joseph Myers <jsm@polyomino.org.uk>
parents: 5416
diff changeset
372 k = pbkdf2("password", b"ATHENA.MIT.EDUraeburn", 1200, 32)
4480
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
373 assert k == unhexlify("5c08eb61fdf71e4e4ec3cf6ba1f5512ba7e52ddbc5e5142f708a31e2e62b1e13")
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
374
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
375 # PBKDF2 - hash function
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
376 h = "5000$7BvbBq.EZzz/O0HuwX3iP.nAG3s$g3oPnFFaga2BJaX5PoPRljl4XIE"
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
377 assert encodePassword("sekrit", "PBKDF2", h) == h
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
378
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
379 # PBKDF2 - high level integration
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
380 p = Password('sekrit', 'PBKDF2')
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
381 assert p == 'sekrit'
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
382 assert p != 'not sekrit'
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
383 assert 'sekrit' == p
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
384 assert 'not sekrit' != p
1613754d2646 Fix first part of Password handling security issue2550688
Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
parents: 4089
diff changeset
385
270
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
386 if __name__ == '__main__':
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
387 test()
a4241ddd22d7 Added the Password property type.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
388
3434
1f860b50fa5f encodePassword: don't trim the salt string...
Alexander Smishlajev <a1s@users.sourceforge.net>
parents: 2277
diff changeset
389 # vim: set filetype=python sts=4 sw=4 et si :
Roundup Issue Tracker: http://roundup-tracker.org/