def _validatePassword(self, data, password):
"""
Check user password.
This is a private method and should not be used by clients.
@param data: dict with user data (from storage)
@param password: password to verify [unicode]
@rtype: 2 tuple (bool, bool)
@return: password is valid, enc_password changed
"""
epwd = data['enc_password']
# If we have no password set, we don't accept login with username
if not epwd:
return False, False
# require non empty password
if not password:
return False, False
# Check and upgrade passwords from earlier MoinMoin versions and
# passwords imported from other wiki systems.
for method in ['{SHA}', '{APR1}', '{MD5}', '{DES}']:
if epwd.startswith(method):
d = epwd[len(method):]
if method == '{SHA}':
enc = base64.encodestring(
hash_new('sha1', password.encode('utf-8')).digest()).rstrip()
elif method == '{APR1}':
# d is of the form "$apr1$<salt>$<hash>"
salt = d.split('$')[2]
enc = md5crypt.apache_md5_crypt(password.encode('utf-8'),
salt.encode('ascii'))
elif method == '{MD5}':
# d is of the form "$1$<salt>$<hash>"
salt = d.split('$')[2]
enc = md5crypt.unix_md5_crypt(password.encode('utf-8'),
salt.encode('ascii'))
elif method == '{DES}':
if crypt is None:
return False, False
# d is 2 characters salt + 11 characters hash
salt = d[:2]
enc = crypt.crypt(password.encode('utf-8'), salt.encode('ascii'))
if epwd == method + enc:
data['enc_password'] = encodePassword(password) # upgrade to SSHA
return True, True
return False, False
if epwd[:6] == '{SSHA}':
data = base64.decodestring(epwd[6:])
salt = data[20:]
hash = hash_new('sha1', password.encode('utf-8'))
hash.update(salt)
return hash.digest() == data[:20], False
# No encoded password match, this must be wrong password
return False, False
def _validatePassword(self, data, password):
"""
Check user password.
This is a private method and should not be used by clients.
@param data: dict with user data (from storage)
@param password: password to verify [unicode]
@rtype: 2 tuple (bool, bool)
@return: password is valid, enc_password changed
"""
epwd = data['enc_password']
# If we have no password set, we don't accept login with username
if not epwd:
return False, False
# require non empty password
if not password:
return False, False
password_correct = recompute_hash = False
wanted_scheme = self._cfg.password_scheme
# Check password and upgrade weak hashes to strong default algorithm:
for scheme in config.password_schemes_supported:
if epwd.startswith(scheme):
is_passlib = False
d = epwd[len(scheme):]
if scheme == '{PASSLIB}':
# a password hash to be checked by passlib library code
if not self._cfg.passlib_support:
logging.error('in user profile %r, password hash with {PASSLIB} scheme encountered, but passlib_support is False' % (self.id, ))
else:
pwd_context = self._cfg.cache.pwd_context
try:
password_correct = pwd_context.verify(password, d)
except ValueError, err:
# can happen for unknown scheme
logging.error('in user profile %r, verifying the passlib pw hash crashed [%s]' % (self.id, str(err)))
if password_correct:
# check if we need to recompute the hash. this is needed if either the
# passlib hash scheme / hash params changed or if we shall change to a
# builtin hash scheme (not recommended):
recompute_hash = pwd_context.hash_needs_update(d) or wanted_scheme != '{PASSLIB}'
else:
# a password hash to be checked by legacy, builtin code
if scheme == '{SSHA}':
d = base64.decodestring(d)
salt = d[20:]
hash = hash_new('sha1', password.encode('utf-8'))
hash.update(salt)
enc = base64.encodestring(hash.digest() + salt).rstrip()
elif scheme == '{SHA}':
enc = base64.encodestring(
hash_new('sha1', password.encode('utf-8')).digest()).rstrip()
elif scheme == '{APR1}':
# d is of the form "$apr1$<salt>$<hash>"
salt = d.split('$')[2]
enc = md5crypt.apache_md5_crypt(password.encode('utf-8'),
salt.encode('ascii'))
elif scheme == '{MD5}':
# d is of the form "$1$<salt>$<hash>"
salt = d.split('$')[2]
enc = md5crypt.unix_md5_crypt(password.encode('utf-8'),
salt.encode('ascii'))
elif scheme == '{DES}':
if crypt is None:
return False, False
# d is 2 characters salt + 11 characters hash
salt = d[:2]
enc = crypt.crypt(password.encode('utf-8'), salt.encode('ascii'))
else:
logging.error('in user profile %r, password hash with unknown scheme encountered: %r' % (self.id, scheme))
raise NotImplementedError
if safe_str_equal(epwd, scheme + enc):
password_correct = True
recompute_hash = scheme != wanted_scheme
if recompute_hash:
data['enc_password'] = encodePassword(self._cfg, password)
return password_correct, recompute_hash
def realEncode(self, data): if self._salt == None: return md5crypt.apache_md5_crypt(data, data[:2]) return md5crypt.apache_md5_crypt(data, self._salt)
def _validatePassword(self, data, password):
"""
Check user password.
This is a private method and should not be used by clients.
@param data: dict with user data (from storage)
@param password: password to verify [unicode]
@rtype: 2 tuple (bool, bool)
@return: password is valid, enc_password changed
"""
epwd = data['enc_password']
# If we have no password set, we don't accept login with username
if not epwd:
return False, False
# require non empty password
if not password:
return False, False
password_correct = recompute_hash = False
wanted_scheme = self._cfg.password_scheme
# Check password and upgrade weak hashes to strong default algorithm:
for scheme in config.password_schemes_supported:
if epwd.startswith(scheme):
is_passlib = False
d = epwd[len(scheme):]
if scheme == '{PASSLIB}':
# a password hash to be checked by passlib library code
if not self._cfg.passlib_support:
logging.error(
'in user profile %r, password hash with {PASSLIB} scheme encountered, but passlib_support is False'
% (self.id, ))
else:
pwd_context = self._cfg.cache.pwd_context
try:
password_correct = pwd_context.verify(password, d)
except ValueError, err:
# can happen for unknown scheme
logging.error(
'in user profile %r, verifying the passlib pw hash crashed [%s]'
% (self.id, str(err)))
if password_correct:
# check if we need to recompute the hash. this is needed if either the
# passlib hash scheme / hash params changed or if we shall change to a
# builtin hash scheme (not recommended):
recompute_hash = pwd_context.hash_needs_update(
d) or wanted_scheme != '{PASSLIB}'
else:
# a password hash to be checked by legacy, builtin code
if scheme == '{SSHA}':
d = base64.decodestring(d)
salt = d[20:]
hash = hash_new('sha1', password.encode('utf-8'))
hash.update(salt)
enc = base64.encodestring(hash.digest() +
salt).rstrip()
elif scheme == '{SHA}':
enc = base64.encodestring(
hash_new(
'sha1',
password.encode('utf-8')).digest()).rstrip()
elif scheme == '{APR1}':
# d is of the form "$apr1$<salt>$<hash>"
salt = d.split('$')[2]
enc = md5crypt.apache_md5_crypt(
password.encode('utf-8'), salt.encode('ascii'))
elif scheme == '{MD5}':
# d is of the form "$1$<salt>$<hash>"
salt = d.split('$')[2]
enc = md5crypt.unix_md5_crypt(password.encode('utf-8'),
salt.encode('ascii'))
elif scheme == '{DES}':
if crypt is None:
return False, False
# d is 2 characters salt + 11 characters hash
salt = d[:2]
enc = crypt.crypt(password.encode('utf-8'),
salt.encode('ascii'))
else:
logging.error(
'in user profile %r, password hash with unknown scheme encountered: %r'
% (self.id, scheme))
raise NotImplementedError
if safe_str_equal(epwd, scheme + enc):
password_correct = True
recompute_hash = scheme != wanted_scheme
if recompute_hash:
data['enc_password'] = encodePassword(self._cfg, password)
return password_correct, recompute_hash
def realEncode(self, data): if self._salt == None: return md5crypt.apache_md5_crypt(data, data[:2]) return md5crypt.apache_md5_crypt(data, self._salt)
def realTransform(self, data): if self._salt == None: return md5crypt.apache_md5_crypt(data, data[:2]) return md5crypt.apache_md5_crypt(data, self._salt)
