Use crypt with SHA512 instead of bcrypt. Going to change to BLOWFISH when adopting Python 3.7.

2018-06-15 22:30:35 +02:00 · 2018-06-15 22:30:35 +02:00 · 2f2f6b73e9
commit 2f2f6b73e9
parent 2313237773
3 changed files with 16 additions and 11 deletions
--- a/matemat/db/facade.py
+++ b/matemat/db/facade.py
@ -1,12 +1,18 @@

 from typing import List, Optional, Any, Type

-import bcrypt
+import crypt

 from matemat.primitives import User, Product
 from matemat.exceptions import AuthenticationError, DatabaseConsistencyError
 from matemat.db import DatabaseWrapper

+# TODO: Change to METHOD_BLOWFISH when adopting Python 3.7
+"""
+The method to use for password hashing.
+"""
+_CRYPT_METHOD = crypt.METHOD_SHA512
+

 class MatematDatabase(object):
    """
@ -92,7 +98,7 @@ class MatematDatabase(object):
        :raises ValueError: If a user with the same name already exists.
        """
        # Hash the password.
-        pwhash: str = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(12))
+        pwhash: str = crypt.crypt(password, crypt.mksalt(_CRYPT_METHOD))
        user_id: int = -1
        with self.db.transaction() as c:
            # Look up whether a user with the same name already exists.
@ -138,9 +144,9 @@ class MatematDatabase(object):
            if row is None:
                raise AuthenticationError('User does not exist')
            user_id, username, email, pwhash, tkhash, admin, member = row
-            if password is not None and not bcrypt.checkpw(password.encode('utf-8'), pwhash):
+            if password is not None and crypt.crypt(password, pwhash) != pwhash:
                raise AuthenticationError('Password mismatch')
-            elif touchkey is not None and tkhash is not None and not bcrypt.checkpw(touchkey.encode('utf-8'), tkhash):
+            elif touchkey is not None and tkhash is not None and crypt.crypt(touchkey, tkhash) != tkhash:
                raise AuthenticationError('Touchkey mismatch')
            elif touchkey is not None and tkhash is None:
                raise AuthenticationError('Touchkey not set')
@ -165,10 +171,10 @@ class MatematDatabase(object):
            if row is None:
                raise AuthenticationError('User does not exist in database.')
            # Verify the old password, if it should be verified.
-            if verify_password and not bcrypt.checkpw(oldpass.encode('utf-8'), row[0]):
+            if verify_password and crypt.crypt(oldpass, row[0]) != row[0]:
                raise AuthenticationError('Old password does not match.')
            # Hash the new password and write it to the database.
-            pwhash: str = bcrypt.hashpw(newpass.encode('utf-8'), bcrypt.gensalt(12))
+            pwhash: str = crypt.crypt(newpass, crypt.mksalt(_CRYPT_METHOD))
            c.execute('''
            UPDATE users SET password = :pwhash, lastchange = STRFTIME('%s', 'now') WHERE user_id = :user_id
            ''', {
@ -195,10 +201,10 @@ class MatematDatabase(object):
            if row is None:
                raise AuthenticationError('User does not exist in database.')
            # Verify the password, if it should be verified.
-            if verify_password and not bcrypt.checkpw(password.encode('utf-8'), row[0]):
+            if verify_password and crypt.crypt(password, row[0]) != row[0]:
                raise AuthenticationError('Password does not match.')
            # Hash the new touchkey and write it to the database.
-            tkhash: str = bcrypt.hashpw(touchkey.encode('utf-8'), bcrypt.gensalt(12)) if touchkey is not None else None
+            tkhash: str = crypt.crypt(touchkey, crypt.mksalt(_CRYPT_METHOD)) if touchkey is not None else None
            c.execute('''
            UPDATE users SET touchkey = :tkhash, lastchange = STRFTIME('%s', 'now') WHERE user_id = :user_id
            ''', {
--- a/matemat/db/test/test_facade.py
+++ b/matemat/db/test/test_facade.py
@ -1,7 +1,7 @@

 import unittest

-import bcrypt
+import crypt

 from matemat.db import MatematDatabase
 from matemat.exceptions import AuthenticationError, DatabaseConsistencyError
@ -58,7 +58,7 @@ class DatabaseTest(unittest.TestCase):
                u = db.create_user('testuser', 'supersecurepassword', 'testuser@example.com')
                # Add a touchkey without using the provided function
                c.execute('''UPDATE users SET touchkey = :tkhash WHERE user_id = :user_id''', {
-                    'tkhash': bcrypt.hashpw(b'0123', bcrypt.gensalt(12)),
+                    'tkhash': crypt.crypt('0123', crypt.mksalt(crypt.METHOD_SHA512)),
                    'user_id': u.id
                })
            user = db.login('testuser', 'supersecurepassword')
--- a/requirements.txt
+++ b/requirements.txt
@ -1,2 +1 @@
-bcrypt
 apsw