Use crypt with SHA512 instead of bcrypt. Going to change to BLOWFISH when adopting Python 3.7.

This commit is contained in:
s3lph 2018-06-15 22:30:35 +02:00
parent 2313237773
commit 2f2f6b73e9
3 changed files with 16 additions and 11 deletions

View file

@ -1,12 +1,18 @@
from typing import List, Optional, Any, Type from typing import List, Optional, Any, Type
import bcrypt import crypt
from matemat.primitives import User, Product from matemat.primitives import User, Product
from matemat.exceptions import AuthenticationError, DatabaseConsistencyError from matemat.exceptions import AuthenticationError, DatabaseConsistencyError
from matemat.db import DatabaseWrapper from matemat.db import DatabaseWrapper
# TODO: Change to METHOD_BLOWFISH when adopting Python 3.7
"""
The method to use for password hashing.
"""
_CRYPT_METHOD = crypt.METHOD_SHA512
class MatematDatabase(object): class MatematDatabase(object):
""" """
@ -92,7 +98,7 @@ class MatematDatabase(object):
:raises ValueError: If a user with the same name already exists. :raises ValueError: If a user with the same name already exists.
""" """
# Hash the password. # Hash the password.
pwhash: str = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(12)) pwhash: str = crypt.crypt(password, crypt.mksalt(_CRYPT_METHOD))
user_id: int = -1 user_id: int = -1
with self.db.transaction() as c: with self.db.transaction() as c:
# Look up whether a user with the same name already exists. # Look up whether a user with the same name already exists.
@ -138,9 +144,9 @@ class MatematDatabase(object):
if row is None: if row is None:
raise AuthenticationError('User does not exist') raise AuthenticationError('User does not exist')
user_id, username, email, pwhash, tkhash, admin, member = row user_id, username, email, pwhash, tkhash, admin, member = row
if password is not None and not bcrypt.checkpw(password.encode('utf-8'), pwhash): if password is not None and crypt.crypt(password, pwhash) != pwhash:
raise AuthenticationError('Password mismatch') raise AuthenticationError('Password mismatch')
elif touchkey is not None and tkhash is not None and not bcrypt.checkpw(touchkey.encode('utf-8'), tkhash): elif touchkey is not None and tkhash is not None and crypt.crypt(touchkey, tkhash) != tkhash:
raise AuthenticationError('Touchkey mismatch') raise AuthenticationError('Touchkey mismatch')
elif touchkey is not None and tkhash is None: elif touchkey is not None and tkhash is None:
raise AuthenticationError('Touchkey not set') raise AuthenticationError('Touchkey not set')
@ -165,10 +171,10 @@ class MatematDatabase(object):
if row is None: if row is None:
raise AuthenticationError('User does not exist in database.') raise AuthenticationError('User does not exist in database.')
# Verify the old password, if it should be verified. # Verify the old password, if it should be verified.
if verify_password and not bcrypt.checkpw(oldpass.encode('utf-8'), row[0]): if verify_password and crypt.crypt(oldpass, row[0]) != row[0]:
raise AuthenticationError('Old password does not match.') raise AuthenticationError('Old password does not match.')
# Hash the new password and write it to the database. # Hash the new password and write it to the database.
pwhash: str = bcrypt.hashpw(newpass.encode('utf-8'), bcrypt.gensalt(12)) pwhash: str = crypt.crypt(newpass, crypt.mksalt(_CRYPT_METHOD))
c.execute(''' c.execute('''
UPDATE users SET password = :pwhash, lastchange = STRFTIME('%s', 'now') WHERE user_id = :user_id UPDATE users SET password = :pwhash, lastchange = STRFTIME('%s', 'now') WHERE user_id = :user_id
''', { ''', {
@ -195,10 +201,10 @@ class MatematDatabase(object):
if row is None: if row is None:
raise AuthenticationError('User does not exist in database.') raise AuthenticationError('User does not exist in database.')
# Verify the password, if it should be verified. # Verify the password, if it should be verified.
if verify_password and not bcrypt.checkpw(password.encode('utf-8'), row[0]): if verify_password and crypt.crypt(password, row[0]) != row[0]:
raise AuthenticationError('Password does not match.') raise AuthenticationError('Password does not match.')
# Hash the new touchkey and write it to the database. # Hash the new touchkey and write it to the database.
tkhash: str = bcrypt.hashpw(touchkey.encode('utf-8'), bcrypt.gensalt(12)) if touchkey is not None else None tkhash: str = crypt.crypt(touchkey, crypt.mksalt(_CRYPT_METHOD)) if touchkey is not None else None
c.execute(''' c.execute('''
UPDATE users SET touchkey = :tkhash, lastchange = STRFTIME('%s', 'now') WHERE user_id = :user_id UPDATE users SET touchkey = :tkhash, lastchange = STRFTIME('%s', 'now') WHERE user_id = :user_id
''', { ''', {

View file

@ -1,7 +1,7 @@
import unittest import unittest
import bcrypt import crypt
from matemat.db import MatematDatabase from matemat.db import MatematDatabase
from matemat.exceptions import AuthenticationError, DatabaseConsistencyError from matemat.exceptions import AuthenticationError, DatabaseConsistencyError
@ -58,7 +58,7 @@ class DatabaseTest(unittest.TestCase):
u = db.create_user('testuser', 'supersecurepassword', 'testuser@example.com') u = db.create_user('testuser', 'supersecurepassword', 'testuser@example.com')
# Add a touchkey without using the provided function # Add a touchkey without using the provided function
c.execute('''UPDATE users SET touchkey = :tkhash WHERE user_id = :user_id''', { c.execute('''UPDATE users SET touchkey = :tkhash WHERE user_id = :user_id''', {
'tkhash': bcrypt.hashpw(b'0123', bcrypt.gensalt(12)), 'tkhash': crypt.crypt('0123', crypt.mksalt(crypt.METHOD_SHA512)),
'user_id': u.id 'user_id': u.id
}) })
user = db.login('testuser', 'supersecurepassword') user = db.login('testuser', 'supersecurepassword')

View file

@ -1,2 +1 @@
bcrypt
apsw apsw