def compare_password(self, password):
"""
compare the password of the password token
the password token contains the unix hashed (hmac256) password format
and is using the standard libcryp password hash compare. the iv is used
as indicator for the new password format, which is :1:
- legacy -
the seed for some tokens contains the encrypted password
insetead of decrypting the password and running the comparison,
the new otp will be encrypted as well.
:param password: the password - for the password token this is the
to be compared password
:return: boolean
"""
if self.iv == b":1:":
return utils.compare_password(password, self.val.decode("utf-8"))
# the legacy comparison: compare the ecrypted password
enc_otp_key = utils.encrypt(password, self.iv, hsm=self.hsm)
return compare(binascii.hexlify(enc_otp_key),
binascii.hexlify(self.val))
def compare_password(self, password):
'''
compare the password of the password token
the password token contains the unix hashed (hmac256) password format
and is using the standard libcryp password hash compare. the iv is used
as indicator for the new password format, which is :1:
- legacy -
the seed for some tokens contains the encrypted password
insetead of decrypting the password and running the comparison,
the new otp will be encrypted as well.
:param password: the password - for the password token this is the
to be compared password
:return: boolean
'''
if self.iv == ':1:':
crypted_password = libcrypt_password(password, self.val)
# position independend string comparison
result = True
for tup1, tup2 in zip(crypted_password, self.val):
result = result and (tup1 == tup2)
return result
# the legacy comparison: compare the ecrypted password
enc_otp_key = encrypt(password, self.iv, hsm=self.hsm)
return binascii.hexlify(enc_otp_key) == binascii.hexlify(self.val)
def encrypt(seed, iv=None, hsm=None):
if not iv:
iv = geturandom(16)
enc_seed = encrypt(seed, iv, hsm=hsm)
return iv, enc_seed
def compare(self, key):
bhOtpKey = binascii.unhexlify(key)
enc_otp_key = encrypt(bhOtpKey, self.iv, hsm=self.hsm)
otpKeyEnc = binascii.hexlify(enc_otp_key)
return (otpKeyEnc == self.val)
def encrypt(seed: str, iv=None, hsm=None):
if not iv:
iv = utils.geturandom(16)
enc_seed = utils.encrypt(seed, iv, hsm=hsm)
return iv, enc_seed