kallithea Changeset - 4e0442f914b9

Changeset - 4e0442f914b9

Parent rev.

Child rev.

[Not reviewed]

stable

0 1 0

Mads Kiilerich - 6 years ago 2019-12-30 01:02:36
mads@kiilerich.com

Grafted from: 132de80af0f2

auth: accept sha256 passwords on all platforms - not only on Windows

Give less surprises when changing platform.

Still, bcrypt is only supported and used on Posix.

bcrypt "hashes" will have length 60 and start with '$' and will thus
immediately skip the sha256 check.

The change should be safe: Users can't influence what kind of hashed key will
be in the database and can thus not influence the auth method.

(We really should use bcrypt on Windows too ... or change to something more
state of the art.)

1 file changed with 4 insertions and 2 deletions:

kallithea/lib/auth.py

0 comments (0 inline, 0 general)

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -19,24 +19,25 @@ authentication and permission libraries @@
 This file was forked by the Kallithea project in July 2014.
 Original author and date, and relevant copyright and licensing information is below:
 :created_on: Apr 4, 2010
 :author: marcink
 :copyright: (c) 2013 RhodeCode GmbH, and others.
 :license: GPLv3, see LICENSE.md for more details.
 """
 import hashlib
 import itertools
 import logging
 import os
 import string
 import ipaddr
 from decorator import decorator
 from sqlalchemy.orm import joinedload
 from sqlalchemy.orm.exc import ObjectDeletedError
 from tg import request
 from tg.i18n import ugettext as _
 from webob.exc import HTTPForbidden, HTTPFound
 from kallithea import __platform__, is_unix, is_windows
 from kallithea.config.routing import url
 from kallithea.lib.caching_query import FromCache
@@ @@ -100,26 +101,27 @@ def get_crypt_password(password): @@
         raise Exception('Unknown or unsupported platform %s'
                         % __platform__)
 def check_password(password, hashed):
     """
     Checks matching password with it's hashed value, runs different
     implementation based on platform it runs on
     :param password: password
     :param hashed: password in hashed form
     """
     if is_windows:
     # sha256 hashes will always be 64 hex chars
     # bcrypt hashes will always contain $ (and be shorter)
     if is_windows or len(hashed) == 64 and all(x in string.hexdigits for x in hashed):
         return hashlib.sha256(password).hexdigest() == hashed
     elif is_unix:
         import bcrypt
         try:
             return bcrypt.checkpw(safe_str(password), safe_str(hashed))
         except ValueError as e:
             # bcrypt will throw ValueError 'Invalid hashed_password salt' on all password errors
             log.error('error from bcrypt checking password: %s', e)
             return False
     else:
         raise Exception('Unknown or unsupported platform %s'
                         % __platform__)

0 comments (0 inline, 0 general)