def gen_user_pwrd_hash_and_salt(self,
user_pass,
hash_func=SHA256.new,
rand_pool=Random.new()):
def gen_user_salt(rand_pool, num_salt_bytes=USR_DB_SALT_SIZE):
return (rand_pool.read(num_salt_bytes))
def gen_user_hash(user_pwrd, user_salt, hash_func=SHA256_HASH_FUNC):
assert (type(user_pwrd) == str)
assert (type(user_salt) == str)
user_hash = hash_func(user_pwrd + user_salt)
for i in xrange(PWRD_HASH_ROUNDS):
user_hash = hash_func(user_hash.digest() + user_salt)
return (user_hash.digest())
user_pass = DECODE_FUNC(user_pass.encode("utf-8"))
user_salt = gen_user_salt(rand_pool)
user_hash = gen_user_hash(user_pass, user_salt, hash_func)
assert (type(user_salt) == str)
assert (type(user_hash) == str)
return (ENCODE_FUNC(user_hash), ENCODE_FUNC(user_salt))
def secure_test_user_pwrd(self, user_inst, user_pwrd, hash_func = SHA256_HASH_FUNC): user_pwrd = DECODE_FUNC(user_pwrd.encode(UNICODE_ENCODING)) user_salt = DECODE_FUNC(user_inst.randsalt.encode(UNICODE_ENCODING)) user_hash = hash_func(user_pwrd + user_salt) for i in xrange(PWRD_HASH_ROUNDS): user_hash = hash_func(user_hash.digest() + user_salt) return (user_inst.password.encode(UNICODE_ENCODING) == ENCODE_FUNC(user_hash.digest()))
def secure_test_user_pwrd(self,
user_inst,
user_pwrd,
hash_func=SHA256.new):
user_pwrd = DECODE_FUNC(user_pwrd.encode("utf-8"))
user_salt = DECODE_FUNC(user_inst.randsalt.encode("utf-8"))
user_hash = hash_func(user_pwrd + user_salt)
for i in xrange(PWRD_HASH_ROUNDS):
user_hash = hash_func(user_hash.digest() + user_salt)
return (user_inst.password.encode("utf-8") == ENCODE_FUNC(
user_hash.digest()))
def gen_user_pwrd_hash_and_salt(self, user_pass, hash_func = SHA256_HASH_FUNC, rand_pool = GLOBAL_RAND_POOL): def gen_user_salt(rand_pool, num_salt_bytes = USR_DB_SALT_SIZE): return (rand_pool.read(num_salt_bytes)) def gen_user_hash(user_pwrd, user_salt, hash_func = SHA256_HASH_FUNC): assert(type(user_pwrd) == str) assert(type(user_salt) == str) user_hash = hash_func(user_pwrd + user_salt) for i in xrange(PWRD_HASH_ROUNDS): user_hash = hash_func(user_hash.digest() + user_salt) return (user_hash.digest()) user_pass = DECODE_FUNC(user_pass.encode(UNICODE_ENCODING)) user_salt = gen_user_salt(rand_pool) user_hash = gen_user_hash(user_pass, user_salt, hash_func) assert(type(user_salt) == str) assert(type(user_hash) == str) return (ENCODE_FUNC(user_hash), ENCODE_FUNC(user_salt))
def convert_legacy_user_pwrd(self, session, db_user, password):
assert (db_user != None)
assert (len(db_user.randsalt) == 0)
## in a secure session, so password was only base64-encoded
## by client and we must apply B64ENCODE(MD5(B64DECODE(..)))
## to it first
legacy_pwrd = password.encode("utf-8")
legacy_pwrd = DECODE_FUNC(legacy_pwrd)
legacy_pwrd = MD5.new(legacy_pwrd)
legacy_pwrd = ENCODE_FUNC(legacy_pwrd.digest())
legacy_pwrd = legacy_pwrd.decode("utf-8")
## check if a legacy LOGIN would succeed with given password
if (not self.legacy_test_user_pwrd(db_user, legacy_pwrd)):
return False
## commit new-style password(-hash) and salt to DB
db_user.set_pwrd_salt(self.gen_user_pwrd_hash_and_salt(password))
session.commit()
assert (not db_user.has_legacy_password())
assert (self.secure_test_user_pwrd(db_user, password))
return True
def convert_legacy_user_pwrd(self, session, db_user, password): assert(db_user != None) assert(len(db_user.randsalt) == 0) ## in a secure session, so password was only base64-encoded ## by client and we must apply B64ENCODE(MD5(B64DECODE(..))) ## to it first legacy_pwrd = password.encode(UNICODE_ENCODING) legacy_pwrd = DECODE_FUNC(legacy_pwrd) legacy_pwrd = MD5LEG_HASH_FUNC(legacy_pwrd) legacy_pwrd = ENCODE_FUNC(legacy_pwrd.digest()) legacy_pwrd = legacy_pwrd.decode(UNICODE_ENCODING) ## check if a legacy LOGIN would succeed with given password if (not self.legacy_test_user_pwrd(db_user, legacy_pwrd)): return False ## commit new-style password(-hash) and salt to DB db_user.set_pwrd_salt(self.gen_user_pwrd_hash_and_salt(password)) session.commit() assert(not db_user.has_legacy_password()) assert(self.secure_test_user_pwrd(db_user, password)) return True
