def _validatePassword(self, data, password): """ Check user password. This is a private method and should not be used by clients. @param data: dict with user data (from storage) @param password: password to verify [unicode] @rtype: 2 tuple (bool, bool) @return: password is valid, enc_password changed """ epwd = data['enc_password'] # If we have no password set, we don't accept login with username if not epwd: return False, False # require non empty password if not password: return False, False # Check and upgrade passwords from earlier MoinMoin versions and # passwords imported from other wiki systems. for method in ['{SHA}', '{APR1}', '{MD5}', '{DES}']: if epwd.startswith(method): d = epwd[len(method):] if method == '{SHA}': enc = base64.encodestring( hash_new('sha1', password.encode('utf-8')).digest()).rstrip() elif method == '{APR1}': # d is of the form "$apr1$<salt>$<hash>" salt = d.split('$')[2] enc = md5crypt.apache_md5_crypt(password.encode('utf-8'), salt.encode('ascii')) elif method == '{MD5}': # d is of the form "$1$<salt>$<hash>" salt = d.split('$')[2] enc = md5crypt.unix_md5_crypt(password.encode('utf-8'), salt.encode('ascii')) elif method == '{DES}': if crypt is None: return False, False # d is 2 characters salt + 11 characters hash salt = d[:2] enc = crypt.crypt(password.encode('utf-8'), salt.encode('ascii')) if epwd == method + enc: data['enc_password'] = encodePassword(password) # upgrade to SSHA return True, True return False, False if epwd[:6] == '{SSHA}': data = base64.decodestring(epwd[6:]) salt = data[20:] hash = hash_new('sha1', password.encode('utf-8')) hash.update(salt) return hash.digest() == data[:20], False # No encoded password match, this must be wrong password return False, False
def _validatePassword(self, data, password): """ Check user password. This is a private method and should not be used by clients. @param data: dict with user data (from storage) @param password: password to verify [unicode] @rtype: 2 tuple (bool, bool) @return: password is valid, enc_password changed """ epwd = data['enc_password'] # If we have no password set, we don't accept login with username if not epwd: return False, False # require non empty password if not password: return False, False password_correct = recompute_hash = False wanted_scheme = self._cfg.password_scheme # Check password and upgrade weak hashes to strong default algorithm: for scheme in config.password_schemes_supported: if epwd.startswith(scheme): is_passlib = False d = epwd[len(scheme):] if scheme == '{PASSLIB}': # a password hash to be checked by passlib library code if not self._cfg.passlib_support: logging.error('in user profile %r, password hash with {PASSLIB} scheme encountered, but passlib_support is False' % (self.id, )) else: pwd_context = self._cfg.cache.pwd_context try: password_correct = pwd_context.verify(password, d) except ValueError, err: # can happen for unknown scheme logging.error('in user profile %r, verifying the passlib pw hash crashed [%s]' % (self.id, str(err))) if password_correct: # check if we need to recompute the hash. this is needed if either the # passlib hash scheme / hash params changed or if we shall change to a # builtin hash scheme (not recommended): recompute_hash = pwd_context.hash_needs_update(d) or wanted_scheme != '{PASSLIB}' else: # a password hash to be checked by legacy, builtin code if scheme == '{SSHA}': d = base64.decodestring(d) salt = d[20:] hash = hash_new('sha1', password.encode('utf-8')) hash.update(salt) enc = base64.encodestring(hash.digest() + salt).rstrip() elif scheme == '{SHA}': enc = base64.encodestring( hash_new('sha1', password.encode('utf-8')).digest()).rstrip() elif scheme == '{APR1}': # d is of the form "$apr1$<salt>$<hash>" salt = d.split('$')[2] enc = md5crypt.apache_md5_crypt(password.encode('utf-8'), salt.encode('ascii')) elif scheme == '{MD5}': # d is of the form "$1$<salt>$<hash>" salt = d.split('$')[2] enc = md5crypt.unix_md5_crypt(password.encode('utf-8'), salt.encode('ascii')) elif scheme == '{DES}': if crypt is None: return False, False # d is 2 characters salt + 11 characters hash salt = d[:2] enc = crypt.crypt(password.encode('utf-8'), salt.encode('ascii')) else: logging.error('in user profile %r, password hash with unknown scheme encountered: %r' % (self.id, scheme)) raise NotImplementedError if safe_str_equal(epwd, scheme + enc): password_correct = True recompute_hash = scheme != wanted_scheme if recompute_hash: data['enc_password'] = encodePassword(self._cfg, password) return password_correct, recompute_hash
def realEncode(self, data): if self._salt == None: return md5crypt.apache_md5_crypt(data, data[:2]) return md5crypt.apache_md5_crypt(data, self._salt)
def _validatePassword(self, data, password): """ Check user password. This is a private method and should not be used by clients. @param data: dict with user data (from storage) @param password: password to verify [unicode] @rtype: 2 tuple (bool, bool) @return: password is valid, enc_password changed """ epwd = data['enc_password'] # If we have no password set, we don't accept login with username if not epwd: return False, False # require non empty password if not password: return False, False password_correct = recompute_hash = False wanted_scheme = self._cfg.password_scheme # Check password and upgrade weak hashes to strong default algorithm: for scheme in config.password_schemes_supported: if epwd.startswith(scheme): is_passlib = False d = epwd[len(scheme):] if scheme == '{PASSLIB}': # a password hash to be checked by passlib library code if not self._cfg.passlib_support: logging.error( 'in user profile %r, password hash with {PASSLIB} scheme encountered, but passlib_support is False' % (self.id, )) else: pwd_context = self._cfg.cache.pwd_context try: password_correct = pwd_context.verify(password, d) except ValueError, err: # can happen for unknown scheme logging.error( 'in user profile %r, verifying the passlib pw hash crashed [%s]' % (self.id, str(err))) if password_correct: # check if we need to recompute the hash. this is needed if either the # passlib hash scheme / hash params changed or if we shall change to a # builtin hash scheme (not recommended): recompute_hash = pwd_context.hash_needs_update( d) or wanted_scheme != '{PASSLIB}' else: # a password hash to be checked by legacy, builtin code if scheme == '{SSHA}': d = base64.decodestring(d) salt = d[20:] hash = hash_new('sha1', password.encode('utf-8')) hash.update(salt) enc = base64.encodestring(hash.digest() + salt).rstrip() elif scheme == '{SHA}': enc = base64.encodestring( hash_new( 'sha1', password.encode('utf-8')).digest()).rstrip() elif scheme == '{APR1}': # d is of the form "$apr1$<salt>$<hash>" salt = d.split('$')[2] enc = md5crypt.apache_md5_crypt( password.encode('utf-8'), salt.encode('ascii')) elif scheme == '{MD5}': # d is of the form "$1$<salt>$<hash>" salt = d.split('$')[2] enc = md5crypt.unix_md5_crypt(password.encode('utf-8'), salt.encode('ascii')) elif scheme == '{DES}': if crypt is None: return False, False # d is 2 characters salt + 11 characters hash salt = d[:2] enc = crypt.crypt(password.encode('utf-8'), salt.encode('ascii')) else: logging.error( 'in user profile %r, password hash with unknown scheme encountered: %r' % (self.id, scheme)) raise NotImplementedError if safe_str_equal(epwd, scheme + enc): password_correct = True recompute_hash = scheme != wanted_scheme if recompute_hash: data['enc_password'] = encodePassword(self._cfg, password) return password_correct, recompute_hash
def realTransform(self, data): if self._salt == None: return md5crypt.apache_md5_crypt(data, data[:2]) return md5crypt.apache_md5_crypt(data, self._salt)