django.contrib.auth.hashers: 201 total statements, 0.0% covered

Generated: Wed 2013-03-13 10:33 CET

Source file: /media/Envs/Envs/filer-gallery/lib/python2.7/site-packages/django/contrib/auth/hashers.py

Stats: 0 executed, 192 missed, 9 excluded, 192 ignored

  1. import hashlib
  2. from django.conf import settings
  3. from django.utils import importlib
  4. from django.utils.datastructures import SortedDict
  5. from django.utils.encoding import smart_str
  6. from django.core.exceptions import ImproperlyConfigured
  7. from django.utils.crypto import (
  8. pbkdf2, constant_time_compare, get_random_string)
  9. from django.utils.translation import ugettext_noop as _
  10. UNUSABLE_PASSWORD = '!' # This will never be a valid encoded hash
  11. HASHERS = None # lazily loaded from PASSWORD_HASHERS
  12. PREFERRED_HASHER = None # defaults to first item in PASSWORD_HASHERS
  13. def is_password_usable(encoded):
  14. return (encoded is not None and encoded != UNUSABLE_PASSWORD)
  15. def check_password(password, encoded, setter=None, preferred='default'):
  16. """
  17. Returns a boolean of whether the raw password matches the three
  18. part encoded digest.
  19. If setter is specified, it'll be called when you need to
  20. regenerate the password.
  21. """
  22. if not password or not is_password_usable(encoded):
  23. return False
  24. preferred = get_hasher(preferred)
  25. raw_password = password
  26. password = smart_str(password)
  27. encoded = smart_str(encoded)
  28. if len(encoded) == 32 and '$' not in encoded:
  29. hasher = get_hasher('unsalted_md5')
  30. else:
  31. algorithm = encoded.split('$', 1)[0]
  32. hasher = get_hasher(algorithm)
  33. must_update = hasher.algorithm != preferred.algorithm
  34. is_correct = hasher.verify(password, encoded)
  35. if setter and is_correct and must_update:
  36. setter(raw_password)
  37. return is_correct
  38. def make_password(password, salt=None, hasher='default'):
  39. """
  40. Turn a plain-text password into a hash for database storage
  41. Same as encode() but generates a new random salt. If
  42. password is None or blank then UNUSABLE_PASSWORD will be
  43. returned which disallows logins.
  44. """
  45. if not password:
  46. return UNUSABLE_PASSWORD
  47. hasher = get_hasher(hasher)
  48. password = smart_str(password)
  49. if not salt:
  50. salt = hasher.salt()
  51. salt = smart_str(salt)
  52. return hasher.encode(password, salt)
  53. def load_hashers(password_hashers=None):
  54. global HASHERS
  55. global PREFERRED_HASHER
  56. hashers = []
  57. if not password_hashers:
  58. password_hashers = settings.PASSWORD_HASHERS
  59. for backend in password_hashers:
  60. try:
  61. mod_path, cls_name = backend.rsplit('.', 1)
  62. mod = importlib.import_module(mod_path)
  63. hasher_cls = getattr(mod, cls_name)
  64. except (AttributeError, ImportError, ValueError):
  65. raise ImproperlyConfigured("hasher not found: %s" % backend)
  66. hasher = hasher_cls()
  67. if not getattr(hasher, 'algorithm'):
  68. raise ImproperlyConfigured("hasher doesn't specify an "
  69. "algorithm name: %s" % backend)
  70. hashers.append(hasher)
  71. HASHERS = dict([(hasher.algorithm, hasher) for hasher in hashers])
  72. PREFERRED_HASHER = hashers[0]
  73. def get_hasher(algorithm='default'):
  74. """
  75. Returns an instance of a loaded password hasher.
  76. If algorithm is 'default', the default hasher will be returned.
  77. This function will also lazy import hashers specified in your
  78. settings file if needed.
  79. """
  80. if hasattr(algorithm, 'algorithm'):
  81. return algorithm
  82. elif algorithm == 'default':
  83. if PREFERRED_HASHER is None:
  84. load_hashers()
  85. return PREFERRED_HASHER
  86. else:
  87. if HASHERS is None:
  88. load_hashers()
  89. if algorithm not in HASHERS:
  90. raise ValueError("Unknown password hashing algorithm '%s'. "
  91. "Did you specify it in the PASSWORD_HASHERS "
  92. "setting?" % algorithm)
  93. return HASHERS[algorithm]
  94. def mask_hash(hash, show=6, char="*"):
  95. """
  96. Returns the given hash, with only the first ``show`` number shown. The
  97. rest are masked with ``char`` for security reasons.
  98. """
  99. masked = hash[:show]
  100. masked += char * len(hash[show:])
  101. return masked
  102. class BasePasswordHasher(object):
  103. """
  104. Abstract base class for password hashers
  105. When creating your own hasher, you need to override algorithm,
  106. verify(), encode() and safe_summary().
  107. PasswordHasher objects are immutable.
  108. """
  109. algorithm = None
  110. library = None
  111. def _load_library(self):
  112. if self.library is not None:
  113. if isinstance(self.library, (tuple, list)):
  114. name, mod_path = self.library
  115. else:
  116. name = mod_path = self.library
  117. try:
  118. module = importlib.import_module(mod_path)
  119. except ImportError:
  120. raise ValueError("Couldn't load %s password algorithm "
  121. "library" % name)
  122. return module
  123. raise ValueError("Hasher '%s' doesn't specify a library attribute" %
  124. self.__class__)
  125. def salt(self):
  126. """
  127. Generates a cryptographically secure nonce salt in ascii
  128. """
  129. return get_random_string()
  130. def verify(self, password, encoded):
  131. """
  132. Checks if the given password is correct
  133. """
  134. raise NotImplementedError()
  135. def encode(self, password, salt):
  136. """
  137. Creates an encoded database value
  138. The result is normally formatted as "algorithm$salt$hash" and
  139. must be fewer than 128 characters.
  140. """
  141. raise NotImplementedError()
  142. def safe_summary(self, encoded):
  143. """
  144. Returns a summary of safe values
  145. The result is a dictionary and will be used where the password field
  146. must be displayed to construct a safe representation of the password.
  147. """
  148. raise NotImplementedError()
  149. class PBKDF2PasswordHasher(BasePasswordHasher):
  150. """
  151. Secure password hashing using the PBKDF2 algorithm (recommended)
  152. Configured to use PBKDF2 + HMAC + SHA256 with 10000 iterations.
  153. The result is a 64 byte binary string. Iterations may be changed
  154. safely but you must rename the algorithm if you change SHA256.
  155. """
  156. algorithm = "pbkdf2_sha256"
  157. iterations = 10000
  158. digest = hashlib.sha256
  159. def encode(self, password, salt, iterations=None):
  160. assert password
  161. assert salt and '$' not in salt
  162. if not iterations:
  163. iterations = self.iterations
  164. hash = pbkdf2(password, salt, iterations, digest=self.digest)
  165. hash = hash.encode('base64').strip()
  166. return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
  167. def verify(self, password, encoded):
  168. algorithm, iterations, salt, hash = encoded.split('$', 3)
  169. assert algorithm == self.algorithm
  170. encoded_2 = self.encode(password, salt, int(iterations))
  171. return constant_time_compare(encoded, encoded_2)
  172. def safe_summary(self, encoded):
  173. algorithm, iterations, salt, hash = encoded.split('$', 3)
  174. assert algorithm == self.algorithm
  175. return SortedDict([
  176. (_('algorithm'), algorithm),
  177. (_('iterations'), iterations),
  178. (_('salt'), mask_hash(salt)),
  179. (_('hash'), mask_hash(hash)),
  180. ])
  181. class PBKDF2SHA1PasswordHasher(PBKDF2PasswordHasher):
  182. """
  183. Alternate PBKDF2 hasher which uses SHA1, the default PRF
  184. recommended by PKCS #5. This is compatible with other
  185. implementations of PBKDF2, such as openssl's
  186. PKCS5_PBKDF2_HMAC_SHA1().
  187. """
  188. algorithm = "pbkdf2_sha1"
  189. digest = hashlib.sha1
  190. class BCryptPasswordHasher(BasePasswordHasher):
  191. """
  192. Secure password hashing using the bcrypt algorithm (recommended)
  193. This is considered by many to be the most secure algorithm but you
  194. must first install the py-bcrypt library. Please be warned that
  195. this library depends on native C code and might cause portability
  196. issues.
  197. """
  198. algorithm = "bcrypt"
  199. library = ("py-bcrypt", "bcrypt")
  200. rounds = 12
  201. def salt(self):
  202. bcrypt = self._load_library()
  203. return bcrypt.gensalt(self.rounds)
  204. def encode(self, password, salt):
  205. bcrypt = self._load_library()
  206. data = bcrypt.hashpw(password, salt)
  207. return "%s$%s" % (self.algorithm, data)
  208. def verify(self, password, encoded):
  209. algorithm, data = encoded.split('$', 1)
  210. assert algorithm == self.algorithm
  211. bcrypt = self._load_library()
  212. return constant_time_compare(data, bcrypt.hashpw(password, data))
  213. def safe_summary(self, encoded):
  214. algorithm, empty, algostr, work_factor, data = encoded.split('$', 4)
  215. assert algorithm == self.algorithm
  216. salt, checksum = data[:22], data[22:]
  217. return SortedDict([
  218. (_('algorithm'), algorithm),
  219. (_('work factor'), work_factor),
  220. (_('salt'), mask_hash(salt)),
  221. (_('checksum'), mask_hash(checksum)),
  222. ])
  223. class SHA1PasswordHasher(BasePasswordHasher):
  224. """
  225. The SHA1 password hashing algorithm (not recommended)
  226. """
  227. algorithm = "sha1"
  228. def encode(self, password, salt):
  229. assert password
  230. assert salt and '$' not in salt
  231. hash = hashlib.sha1(salt + password).hexdigest()
  232. return "%s$%s$%s" % (self.algorithm, salt, hash)
  233. def verify(self, password, encoded):
  234. algorithm, salt, hash = encoded.split('$', 2)
  235. assert algorithm == self.algorithm
  236. encoded_2 = self.encode(password, salt)
  237. return constant_time_compare(encoded, encoded_2)
  238. def safe_summary(self, encoded):
  239. algorithm, salt, hash = encoded.split('$', 2)
  240. assert algorithm == self.algorithm
  241. return SortedDict([
  242. (_('algorithm'), algorithm),
  243. (_('salt'), mask_hash(salt, show=2)),
  244. (_('hash'), mask_hash(hash)),
  245. ])
  246. class MD5PasswordHasher(BasePasswordHasher):
  247. """
  248. The Salted MD5 password hashing algorithm (not recommended)
  249. """
  250. algorithm = "md5"
  251. def encode(self, password, salt):
  252. assert password
  253. assert salt and '$' not in salt
  254. hash = hashlib.md5(salt + password).hexdigest()
  255. return "%s$%s$%s" % (self.algorithm, salt, hash)
  256. def verify(self, password, encoded):
  257. algorithm, salt, hash = encoded.split('$', 2)
  258. assert algorithm == self.algorithm
  259. encoded_2 = self.encode(password, salt)
  260. return constant_time_compare(encoded, encoded_2)
  261. def safe_summary(self, encoded):
  262. algorithm, salt, hash = encoded.split('$', 2)
  263. assert algorithm == self.algorithm
  264. return SortedDict([
  265. (_('algorithm'), algorithm),
  266. (_('salt'), mask_hash(salt, show=2)),
  267. (_('hash'), mask_hash(hash)),
  268. ])
  269. class UnsaltedMD5PasswordHasher(BasePasswordHasher):
  270. """
  271. I am an incredibly insecure algorithm you should *never* use;
  272. stores unsalted MD5 hashes without the algorithm prefix.
  273. This class is implemented because Django used to store passwords
  274. this way. Some older Django installs still have these values
  275. lingering around so we need to handle and upgrade them properly.
  276. """
  277. algorithm = "unsalted_md5"
  278. def salt(self):
  279. return ''
  280. def encode(self, password, salt):
  281. return hashlib.md5(password).hexdigest()
  282. def verify(self, password, encoded):
  283. encoded_2 = self.encode(password, '')
  284. return constant_time_compare(encoded, encoded_2)
  285. def safe_summary(self, encoded):
  286. return SortedDict([
  287. (_('algorithm'), self.algorithm),
  288. (_('hash'), mask_hash(encoded, show=3)),
  289. ])
  290. class CryptPasswordHasher(BasePasswordHasher):
  291. """
  292. Password hashing using UNIX crypt (not recommended)
  293. The crypt module is not supported on all platforms.
  294. """
  295. algorithm = "crypt"
  296. library = "crypt"
  297. def salt(self):
  298. return get_random_string(2)
  299. def encode(self, password, salt):
  300. crypt = self._load_library()
  301. assert len(salt) == 2
  302. data = crypt.crypt(password, salt)
  303. # we don't need to store the salt, but Django used to do this
  304. return "%s$%s$%s" % (self.algorithm, '', data)
  305. def verify(self, password, encoded):
  306. crypt = self._load_library()
  307. algorithm, salt, data = encoded.split('$', 2)
  308. assert algorithm == self.algorithm
  309. return constant_time_compare(data, crypt.crypt(password, data))
  310. def safe_summary(self, encoded):
  311. algorithm, salt, data = encoded.split('$', 2)
  312. assert algorithm == self.algorithm
  313. return SortedDict([
  314. (_('algorithm'), algorithm),
  315. (_('salt'), salt),
  316. (_('hash'), mask_hash(data, show=3)),
  317. ])