146 lines
4.6 KiB
Python
146 lines
4.6 KiB
Python
# -*- coding: utf-8 -*- vim:sw=4:sts=4:et:ai:si:sta:fenc=utf-8
|
|
|
|
"""Des fonctions pour gérer les formes cryptées des mots de passe
|
|
|
|
Les scheme supportés sont {CRYPT}, {SSHA}, {SMD5}, {SHA}, {MD5}
|
|
"""
|
|
|
|
__all__ = (
|
|
'is_crypt_scheme', 'is_smd5_scheme', 'is_ssha_scheme', 'is_md5_scheme', 'is_sha_scheme', 'get_scheme',
|
|
'get_crypt_salt', 'get_smd5_salt', 'get_ssha_salt', 'get_salt',
|
|
'gen_crypt_salt', 'gen_binary_salt', 'gen_salt',
|
|
'gen_crypt_hash', 'gen_binary_hash', 'gen_hash',
|
|
)
|
|
|
|
import base64, random, hashlib
|
|
|
|
try: from crypt import crypt
|
|
except: crypt = None
|
|
|
|
from .uio import Utf8IO
|
|
_utf8 = Utf8IO()
|
|
|
|
def is_crypt_scheme(pw):
|
|
if pw is None: return False
|
|
return pw[:7].lower() == '{crypt}' or pw.lower() == 'crypt'
|
|
|
|
def is_smd5_scheme(pw):
|
|
if pw is None: return False
|
|
return pw[:6].lower() == '{smd5}' or pw.lower() == 'smd5'
|
|
|
|
def is_ssha_scheme(pw):
|
|
if pw is None: return False
|
|
return pw[:6].lower() == '{ssha}' or pw.lower() == 'ssha'
|
|
|
|
def is_md5_scheme(pw):
|
|
if pw is None: return False
|
|
return pw[:5].lower() == '{md5}' or pw.lower() == 'md5'
|
|
|
|
def is_sha_scheme(pw):
|
|
if pw is None: return False
|
|
return pw[:5].lower() == '{sha}' or pw.lower() == 'sha'
|
|
|
|
def get_scheme(pw):
|
|
if pw is None: return None
|
|
if is_crypt_scheme(pw): return '{CRYPT}'
|
|
elif is_smd5_scheme(pw): return '{SMD5}'
|
|
elif is_ssha_scheme(pw): return '{SSHA}'
|
|
elif is_md5_scheme(pw): return '{MD5}'
|
|
elif is_sha_scheme(pw): return '{SHA}'
|
|
else: return '{CRYPT}'
|
|
|
|
def get_crypt_salt(pw):
|
|
if pw is None: return None
|
|
if pw[:7].lower() == '{crypt}': pw = pw[7:]
|
|
return pw[:2]
|
|
|
|
def get_smd5_salt(pw):
|
|
if pw is None: return None
|
|
if pw[:6].lower() == '{smd5}': pw = pw[6:]
|
|
return base64.decodestring(pw)[16:]
|
|
|
|
def get_ssha_salt(pw):
|
|
if pw is None: return None
|
|
if pw[:6].lower() == '{ssha}': pw = pw[6:]
|
|
return base64.decodestring(pw)[20:]
|
|
|
|
def get_salt(pw):
|
|
if pw is None: return None
|
|
if pw[:7].lower() == '{crypt}': return get_crypt_salt(pw)
|
|
if pw[:6].lower() == '{smd5}': return get_smd5_salt(pw)
|
|
if pw[:6].lower() == '{ssha}': return get_ssha_salt(pw)
|
|
# pas de salt
|
|
if pw[:5].lower() == '{md5}': return ''
|
|
if pw[:5].lower() == '{sha}': return ''
|
|
# par défaut, considérer le salt comme pour crypt
|
|
return get_crypt_salt(pw)
|
|
|
|
CRYPT_SALT_CHARS = "./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
|
|
def gen_crypt_salt():
|
|
return random.choice(CRYPT_SALT_CHARS) + random.choice(CRYPT_SALT_CHARS)
|
|
|
|
def gen_binary_salt(length=20):
|
|
salt = []
|
|
for i in range(length):
|
|
salt.append(chr(random.randint(0, 255)))
|
|
return ''.join(salt)
|
|
|
|
def gen_salt(pw=None, length=20):
|
|
if pw is not None:
|
|
if pw[:7].lower() == '{crypt}' or pw.lower() == 'crypt': return gen_crypt_salt()
|
|
if pw[:6].lower() == '{smd5}' or pw.lower() == 'smd5': return gen_binary_salt(length)
|
|
if pw[:6].lower() == '{ssha}' or pw.lower() == 'ssha': return gen_binary_salt(length)
|
|
# pas de salt pour MD5 et SHA
|
|
if pw[:5].lower() == '{md5}' or pw.lower() == 'md5': return ''
|
|
if pw[:5].lower() == '{sha}' or pw.lower() == 'sha': return ''
|
|
# par défaut, générer un salt pour crypt
|
|
return gen_crypt_salt()
|
|
|
|
def gen_crypt_hash(pw, salt=None):
|
|
if salt is None: salt = gen_crypt_salt()
|
|
if crypt is None: raise ValueError("crypt is unvailable")
|
|
return crypt(pw, salt)
|
|
|
|
def gen_binary_hash(pw, scheme, salt=None):
|
|
if is_md5_scheme(scheme):
|
|
m = hashlib.md5()
|
|
elif is_sha_scheme(scheme):
|
|
m = hashlib.sha1()
|
|
elif is_smd5_scheme(scheme):
|
|
m = hashlib.md5()
|
|
if salt is None: salt = gen_binary_salt()
|
|
elif is_ssha_scheme(scheme):
|
|
m = hashlib.sha1()
|
|
if salt is None: salt = gen_binary_salt()
|
|
else: raise ValueError("unsupported scheme: %s" % scheme)
|
|
|
|
pw = _utf8.s(pw)
|
|
m.update(pw)
|
|
if salt is not None: m.update(salt)
|
|
|
|
hash = m.digest()
|
|
if salt is not None: hash += salt
|
|
|
|
return base64.b64encode(hash)
|
|
|
|
def gen_hash(pw, scheme=None, ref=None, salt=None, normalized=True):
|
|
if ref is not None:
|
|
scheme = get_scheme(ref)
|
|
if salt is None: salt = get_salt(ref)
|
|
if is_crypt_scheme(scheme):
|
|
hash = gen_crypt_hash(pw, salt)
|
|
else:
|
|
hash = gen_binary_hash(pw, scheme, salt)
|
|
elif scheme is not None:
|
|
scheme = get_scheme(scheme)
|
|
if is_crypt_scheme(scheme):
|
|
hash = gen_crypt_hash(pw, salt)
|
|
else:
|
|
hash = gen_binary_hash(pw, scheme, salt)
|
|
else:
|
|
# Par défaut, hasher en crypt
|
|
scheme = '{CRYPT}'
|
|
hash = gen_crypt_hash(pw, salt)
|
|
if normalized: hash = scheme + hash
|
|
return hash
|