From 2f2f6b73e9dfaffdcf9621735036036b0df295e9 Mon Sep 17 00:00:00 2001 From: s3lph Date: Fri, 15 Jun 2018 22:30:35 +0200 Subject: [PATCH] Use crypt with SHA512 instead of bcrypt. Going to change to BLOWFISH when adopting Python 3.7. --- matemat/db/facade.py | 22 ++++++++++++++-------- matemat/db/test/test_facade.py | 4 ++-- requirements.txt | 1 - 3 files changed, 16 insertions(+), 11 deletions(-) diff --git a/matemat/db/facade.py b/matemat/db/facade.py index 027c62f..4bd27cd 100644 --- a/matemat/db/facade.py +++ b/matemat/db/facade.py @@ -1,12 +1,18 @@ from typing import List, Optional, Any, Type -import bcrypt +import crypt from matemat.primitives import User, Product from matemat.exceptions import AuthenticationError, DatabaseConsistencyError from matemat.db import DatabaseWrapper +# TODO: Change to METHOD_BLOWFISH when adopting Python 3.7 +""" +The method to use for password hashing. +""" +_CRYPT_METHOD = crypt.METHOD_SHA512 + class MatematDatabase(object): """ @@ -92,7 +98,7 @@ class MatematDatabase(object): :raises ValueError: If a user with the same name already exists. """ # Hash the password. - pwhash: str = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(12)) + pwhash: str = crypt.crypt(password, crypt.mksalt(_CRYPT_METHOD)) user_id: int = -1 with self.db.transaction() as c: # Look up whether a user with the same name already exists. @@ -138,9 +144,9 @@ class MatematDatabase(object): if row is None: raise AuthenticationError('User does not exist') user_id, username, email, pwhash, tkhash, admin, member = row - if password is not None and not bcrypt.checkpw(password.encode('utf-8'), pwhash): + if password is not None and crypt.crypt(password, pwhash) != pwhash: raise AuthenticationError('Password mismatch') - elif touchkey is not None and tkhash is not None and not bcrypt.checkpw(touchkey.encode('utf-8'), tkhash): + elif touchkey is not None and tkhash is not None and crypt.crypt(touchkey, tkhash) != tkhash: raise AuthenticationError('Touchkey mismatch') elif touchkey is not None and tkhash is None: raise AuthenticationError('Touchkey not set') @@ -165,10 +171,10 @@ class MatematDatabase(object): if row is None: raise AuthenticationError('User does not exist in database.') # Verify the old password, if it should be verified. - if verify_password and not bcrypt.checkpw(oldpass.encode('utf-8'), row[0]): + if verify_password and crypt.crypt(oldpass, row[0]) != row[0]: raise AuthenticationError('Old password does not match.') # Hash the new password and write it to the database. - pwhash: str = bcrypt.hashpw(newpass.encode('utf-8'), bcrypt.gensalt(12)) + pwhash: str = crypt.crypt(newpass, crypt.mksalt(_CRYPT_METHOD)) c.execute(''' UPDATE users SET password = :pwhash, lastchange = STRFTIME('%s', 'now') WHERE user_id = :user_id ''', { @@ -195,10 +201,10 @@ class MatematDatabase(object): if row is None: raise AuthenticationError('User does not exist in database.') # Verify the password, if it should be verified. - if verify_password and not bcrypt.checkpw(password.encode('utf-8'), row[0]): + if verify_password and crypt.crypt(password, row[0]) != row[0]: raise AuthenticationError('Password does not match.') # Hash the new touchkey and write it to the database. - tkhash: str = bcrypt.hashpw(touchkey.encode('utf-8'), bcrypt.gensalt(12)) if touchkey is not None else None + tkhash: str = crypt.crypt(touchkey, crypt.mksalt(_CRYPT_METHOD)) if touchkey is not None else None c.execute(''' UPDATE users SET touchkey = :tkhash, lastchange = STRFTIME('%s', 'now') WHERE user_id = :user_id ''', { diff --git a/matemat/db/test/test_facade.py b/matemat/db/test/test_facade.py index d7236b6..b17262f 100644 --- a/matemat/db/test/test_facade.py +++ b/matemat/db/test/test_facade.py @@ -1,7 +1,7 @@ import unittest -import bcrypt +import crypt from matemat.db import MatematDatabase from matemat.exceptions import AuthenticationError, DatabaseConsistencyError @@ -58,7 +58,7 @@ class DatabaseTest(unittest.TestCase): u = db.create_user('testuser', 'supersecurepassword', 'testuser@example.com') # Add a touchkey without using the provided function c.execute('''UPDATE users SET touchkey = :tkhash WHERE user_id = :user_id''', { - 'tkhash': bcrypt.hashpw(b'0123', bcrypt.gensalt(12)), + 'tkhash': crypt.crypt('0123', crypt.mksalt(crypt.METHOD_SHA512)), 'user_id': u.id }) user = db.login('testuser', 'supersecurepassword') diff --git a/requirements.txt b/requirements.txt index f2fa21b..b8ab4ea 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1 @@ -bcrypt apsw