Commit 2b4227c5 authored by lhark's avatar lhark

Custom password hasher for SSHA

parent 50945f0d
......@@ -2,29 +2,89 @@
# Module d'authentification
# David Sinquin, Gabriel Détraz, Goulven Kermarec
import hashlib, binascii
import hashlib
import binascii
import os
from base64 import urlsafe_b64encode as encode
from base64 import urlsafe_b64decode as decode
from base64 import encodestring
from base64 import decodestring
from collections import OrderedDict
from django.contrib.auth import hashers
ALGO_LEN = len(ALGO_NAME + "$")
def makeSecret(password):
salt = os.urandom(4)
h = hashlib.sha1(password.encode())
return "{SSHA}" + encode(h.digest() + salt).decode()
return ALGO_NAME + "$" + encodestring(h.digest() + salt).decode()[:-1]
def hashNT(password):
hash ='md4', password.encode()).digest()
return binascii.hexlify(hash)
def checkPassword(challenge_password, password):
challenge_bytes = decode(challenge_password[6:])
digest = challenge_bytes[:20]
salt = challenge_bytes[20:]
challenge_bytes = decodestring(challenge_password[ALGO_LEN:].encode())
digest = challenge_bytes[:DIGEST_LEN]
salt = challenge_bytes[DIGEST_LEN:]
hr = hashlib.sha1(password.encode())
valid_password = True
# La comparaison est volontairement en temps constant (pour éviter les timing-attacks)
# La comparaison est volontairement en temps constant
# (pour éviter les timing-attacks)
for i, j in zip(digest, hr.digest()):
valid_password &= i == j
return valid_password
class SSHAPasswordHasher(hashers.BasePasswordHasher):
SSHA password hashing to allow for LDAP auth compatibility
algorithm = ALGO_NAME
def encode(self, password, salt, iterations=None):
Hash and salt the given password using SSHA algorithm
salt is overridden
assert password is not None
return makeSecret(password)
def verify(self, password, encoded):
Check password against encoded using SSHA algorithm
assert encoded.startswith(self.algorithm)
return checkPassword(encoded, password)
def safe_summary(self, encoded):
Provides a safe summary ofthe password
assert encoded.startswith(self.algorithm)
hash = encoded[ALGO_LEN:]
hash = binascii.hexlify(decodestring(hash.encode())).decode()
return OrderedDict([
('algorithm', self.algorithm),
('iterations', 0),
('salt', hashers.mask_hash(hash[2*DIGEST_LEN:], show=2)),
('hash', hashers.mask_hash(hash[:2*DIGEST_LEN])),
def harden_runtime(self, password, encoded):
Method implemented to shut up BasePasswordHasher warning
As we are not using multiple iterations the method is pretty useless
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment