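def get_salt(request):
    """
    Return the init PBKDF2 salt for the username given in POST as a
    ``text/plain`` response.

    If the username form does not validate, or the stored salt is missing
    or has the wrong length, a pseudo salt of the configured length is
    derived from the username instead (presumably deterministic per
    username, so repeated requests for the same unknown user look alike —
    see ``crypt.get_pseudo_salt``). Either way the client receives a salt
    of the same length, so the response body alone does not reveal whether
    the user exists.

    Side effects:
        Stores the session's server challenge on ``request.server_challenge``.
        Sets ``response.add_duration = True`` only for real-user responses,
        so ``@TimingAttackPreventer`` can measure that path's duration.

    Returns:
        ``HttpResponseBadRequest`` when ``username`` is missing from POST or
        no server challenge is in the session, otherwise ``HttpResponse``
        whose body is the (real or pseudo) salt.
    """
    try:
        username = request.POST["username"]
    except KeyError:
        # log.error("No 'username' in POST data?!?")
        return HttpResponseBadRequest()

    try:
        request.server_challenge = request.session[SERVER_CHALLENGE_KEY]
    except KeyError as err:
        # log.error("Can't get challenge from session: %s", err)
        return HttpResponseBadRequest()
    # log.debug("old challenge: %r", request.server_challenge)

    # Default to the pseudo salt; only a valid form with a well-formed
    # stored salt switches this off.
    send_pseudo_salt = True
    init_pbkdf2_salt = None

    form = UsernameForm(request, data=request.POST)
    if form.is_valid():
        send_pseudo_salt = False
        user_profile = form.user_profile
        init_pbkdf2_salt = user_profile.init_pbkdf2_salt
        if not init_pbkdf2_salt:
            # log.error("No init_pbkdf2_salt set in user profile!")
            send_pseudo_salt = True
        # `elif`, not `if`: an empty/None salt must not reach len(), which
        # would raise TypeError and turn a "missing salt" case into a 500 —
        # a different response than the pseudo-salt path gives.
        elif len(init_pbkdf2_salt) != app_settings.PBKDF2_SALT_LENGTH:
            # log.error("Salt for user %r has wrong length: %r", username, init_pbkdf2_salt)
            send_pseudo_salt = True
    # else:
    #     log.error("Salt Form is not valid: %r", form.errors)

    if send_pseudo_salt:
        # log.debug("\nUse pseudo salt!!!")
        init_pbkdf2_salt = crypt.get_pseudo_salt(app_settings.PBKDF2_SALT_LENGTH, username)

    response = HttpResponse(init_pbkdf2_salt, content_type="text/plain")
    if not send_pseudo_salt:
        # Only real-user responses are timed; @TimingAttackPreventer uses
        # the collected duration for the other path.
        response.add_duration = True
    # log.debug("\nsend init_pbkdf2_salt %r to client.", init_pbkdf2_salt)
    return response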