Drop old login algorithm
This commit is contained in:
Alexandre Iooss
parent
5b86781881
commit
698ae42c9d
84
med/login.py
84
med/login.py
|
|
@ -1,84 +0,0 @@
|
||||||
# -*- mode: python; coding: utf-8 -*-
|
|
||||||
# Copyright (C) 2017-2019 by BDE ENS Paris-Saclay
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
|
|
||||||
|
|
||||||
import binascii
|
|
||||||
import hashlib
|
|
||||||
import os
|
|
||||||
from base64 import decodestring
|
|
||||||
from base64 import encodestring
|
|
||||||
from collections import OrderedDict
|
|
||||||
|
|
||||||
from django.contrib.auth import hashers
|
|
||||||
|
|
||||||
ALGO_NAME = "{SSHA}"
|
|
||||||
ALGO_LEN = len(ALGO_NAME + "$")
|
|
||||||
DIGEST_LEN = 20
|
|
||||||
|
|
||||||
|
|
||||||
def make_secret(password):
|
|
||||||
salt = os.urandom(4)
|
|
||||||
h = hashlib.sha1(password.encode())
|
|
||||||
h.update(salt)
|
|
||||||
return ALGO_NAME + "$" + encodestring(h.digest() + salt).decode()[:-1]
|
|
||||||
|
|
||||||
|
|
||||||
def check_password(challenge_password, password):
|
|
||||||
challenge_bytes = decodestring(challenge_password[ALGO_LEN:].encode())
|
|
||||||
digest = challenge_bytes[:DIGEST_LEN]
|
|
||||||
salt = challenge_bytes[DIGEST_LEN:]
|
|
||||||
hr = hashlib.sha1(password.encode())
|
|
||||||
hr.update(salt)
|
|
||||||
valid_password = True
|
|
||||||
# La comparaison est volontairement en temps constant
|
|
||||||
# (pour éviter les timing-attacks)
|
|
||||||
for i, j in zip(digest, hr.digest()):
|
|
||||||
valid_password &= i == j
|
|
||||||
return valid_password
|
|
||||||
|
|
||||||
|
|
||||||
class SSHAPasswordHasher(hashers.BasePasswordHasher):
|
|
||||||
"""
|
|
||||||
SSHA password hashing to allow for LDAP auth compatibility
|
|
||||||
"""
|
|
||||||
|
|
||||||
algorithm = ALGO_NAME
|
|
||||||
|
|
||||||
def encode(self, password, salt, iterations=None):
|
|
||||||
"""
|
|
||||||
Hash and salt the given password using SSHA algorithm
|
|
||||||
|
|
||||||
salt is overridden
|
|
||||||
"""
|
|
||||||
assert password is not None
|
|
||||||
return make_secret(password)
|
|
||||||
|
|
||||||
def verify(self, password, encoded):
|
|
||||||
"""
|
|
||||||
Check password against encoded using SSHA algorithm
|
|
||||||
"""
|
|
||||||
assert encoded.startswith(self.algorithm)
|
|
||||||
return check_password(encoded, password)
|
|
||||||
|
|
||||||
def safe_summary(self, encoded):
|
|
||||||
"""
|
|
||||||
Provides a safe summary ofthe password
|
|
||||||
"""
|
|
||||||
assert encoded.startswith(self.algorithm)
|
|
||||||
hash = encoded[ALGO_LEN:]
|
|
||||||
hash = binascii.hexlify(decodestring(hash.encode())).decode()
|
|
||||||
return OrderedDict([
|
|
||||||
('algorithm', self.algorithm),
|
|
||||||
('iterations', 0),
|
|
||||||
('salt', hashers.mask_hash(hash[2 * DIGEST_LEN:], show=2)),
|
|
||||||
('hash', hashers.mask_hash(hash[:2 * DIGEST_LEN])),
|
|
||||||
])
|
|
||||||
|
|
||||||
def harden_runtime(self, password, encoded):
|
|
||||||
"""
|
|
||||||
Method implemented to shut up BasePasswordHasher warning
|
|
||||||
|
|
||||||
As we are not using multiple iterations the method is pretty useless
|
|
||||||
"""
|
|
||||||
pass
|
|
||||||
|
|
@ -162,14 +162,6 @@ REST_FRAMEWORK = {
|
||||||
# Med configuration
|
# Med configuration
|
||||||
PAGINATION_NUMBER = 25
|
PAGINATION_NUMBER = 25
|
||||||
|
|
||||||
PASSWORD_HASHERS = [
|
|
||||||
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
|
|
||||||
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
|
|
||||||
'django.contrib.auth.hashers.Argon2PasswordHasher',
|
|
||||||
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
|
|
||||||
'med.login.SSHAPasswordHasher',
|
|
||||||
]
|
|
||||||
|
|
||||||
AUTH_USER_MODEL = 'users.User'
|
AUTH_USER_MODEL = 'users.User'
|
||||||
|
|
||||||
MAX_EMPRUNT = 5 # Max emprunts
|
MAX_EMPRUNT = 5 # Max emprunts
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue