[mediagoblin.git] / mediagoblin / auth / lib.py

# GNU Mediagoblin -- federated, autonomous media hosting
# Copyright (C) 2011 Free Software Foundation, Inc
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import os

import random


def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
    """
    Check to see if this password matches.

    Args:
    - raw_pass: user submitted password to check for authenticity.
    - stored_hash: The hash of the raw password (and possibly extra
      salt) to check against
    - extra_salt: (optional) If this password is with stored with a
      non-database extra salt (probably in the config file) for extra
      security, factor this into the check.

    Returns:
      True or False depending on success.
    """
    if extra_salt:
        raw_pass = u"%s:%s" % (extra_salt, raw_pass)

    hashed_pass = bcrypt.hashpw(raw_pass, stored_hash)

    # Reduce risk of timing attacks by hashing again with a random
    # number (thx to zooko on this advice, which I hopefully
    # incorporated right.)
    #
    # See also: 
    rand_salt = bcrypt.gensalt(5)
    randplus_stored_hash = bcrypt.hashpw(stored_hash, rand_salt)
    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)

    return randplus_stored_hash == randplus_hashed_pass


def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
    """
    Generate a salt for this new password.

    Args:
    - raw_pass: user submitted password
    - extra_salt: (optional) If this password is with stored with a
      non-database extra salt
    """
    if extra_salt:
        raw_pass = u"%s:%s" % (extra_salt, raw_pass)

    return unicode(bcrypt.hashpw(raw_pass, bcrypt.gensalt()))


def fake_login_attempt():
    """
    Pretend we're trying to login.

    Nothing actually happens here, we're just trying to take up some
    time.
    """
    rand_salt = bcrypt.gensalt(5)

    hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)

    randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)

    randplus_stored_hash == randplus_hashed_pass
Commit	Line	Data
6755f50e CAW	1	# GNU Mediagoblin -- federated, autonomous media hosting
	2	# Copyright (C) 2011 Free Software Foundation, Inc
	3	#
	4	# This program is free software: you can redistribute it and/or modify
	5	# it under the terms of the GNU Affero General Public License as published by
	6	# the Free Software Foundation, either version 3 of the License, or
	7	# (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU Affero General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16
	17	import os
	18
c15c9843	19	import random
6755f50e CAW	20
	21
	22	def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
	23	"""
	24	Check to see if this password matches.
	25
	26	Args:
	27	- raw_pass: user submitted password to check for authenticity.
	28	- stored_hash: The hash of the raw password (and possibly extra
	29	salt) to check against
	30	- extra_salt: (optional) If this password is with stored with a
	31	non-database extra salt (probably in the config file) for extra
	32	security, factor this into the check.
	33
	34	Returns:
	35	True or False depending on success.
	36	"""
	37	if extra_salt:
	38	raw_pass = u"%s:%s" % (extra_salt, raw_pass)
	39
	40	hashed_pass = bcrypt.hashpw(raw_pass, stored_hash)
	41
	42	# Reduce risk of timing attacks by hashing again with a random
	43	# number (thx to zooko on this advice, which I hopefully
	44	# incorporated right.)
	45	#
	46	# See also:
	47	rand_salt = bcrypt.gensalt(5)
	48	randplus_stored_hash = bcrypt.hashpw(stored_hash, rand_salt)
	49	randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
	50
	51	return randplus_stored_hash == randplus_hashed_pass
	52
	53
	54	def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
	55	"""
	56	Generate a salt for this new password.
	57
	58	Args:
	59	- raw_pass: user submitted password
	60	- extra_salt: (optional) If this password is with stored with a
	61	non-database extra salt
	62	"""
	63	if extra_salt:
	64	raw_pass = u"%s:%s" % (extra_salt, raw_pass)
	65
e0bc23d3	66	return unicode(bcrypt.hashpw(raw_pass, bcrypt.gensalt()))
c15c9843 CAW	67
	68
	69	def fake_login_attempt():
	70	"""
	71	Pretend we're trying to login.
	72
	73	Nothing actually happens here, we're just trying to take up some
	74	time.
	75	"""
	76	rand_salt = bcrypt.gensalt(5)
	77
	78	hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
	79
	80	randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
	81	randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
	82
	83	randplus_stored_hash == randplus_hashed_pass