make CRYPT with salt but not key compatible with third party systems

2012-08-07 12:26:33 -05:00
parent 176bf74d49
commit 228387bf4f
3 changed files with 11 additions and 17 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-Version 2.00.0 (2012-08-07 12:12:40) dev
+Version 2.00.0 (2012-08-07 12:26:30) dev
--- a/gluon/utils.py
+++ b/gluon/utils.py
@@ -34,7 +34,7 @@ def md5_hash(text):
    """ Generate a md5 hash with the given text """
    return hashlib.md5(text).hexdigest()

-def simple_hash(text, salt = '', digest_alg = 'md5'):
+def simple_hash(text, key='', salt = '', digest_alg = 'md5'):
    """
    Generates hash with the given text using the specified
    digest hashing algorithm
@@ -42,12 +42,12 @@ def simple_hash(text, salt = '', digest_alg = 'md5'):
    if not digest_alg:
        raise RuntimeError, "simple_hash with digest_alg=None"
    elif not isinstance(digest_alg,str):
-        h = digest_alg(text)
-    elif salt:
-        return hmac_hash(text, salt, digest_alg)
-    else:
+        h = digest_alg(text+key+salt)
+    elif key+salt: # backward compatile
+        return hmac_hash(text, key+salt, digest_alg)
+    else: # compatible with third party systems
        h = hashlib.new(digest_alg)
-        h.update(text)
+        h.update(text+salt)
    return h.hexdigest()

 def get_digest(value):
--- a/gluon/validators.py
+++ b/gluon/validators.py
@@ -19,7 +19,7 @@ import struct
 import decimal
 import unicodedata
 from cStringIO import StringIO
-from utils import simple_hash, hmac_hash, web2py_uuid, DIGEST_ALG_BY_SIZE
+from utils import simple_hash, web2py_uuid, DIGEST_ALG_BY_SIZE

 __all__ = [
    'CLEANUP',
@@ -2546,10 +2546,6 @@ class LazyCrypt(object):
        else assume the default digest_alg. If not key at all, set key=''

        If a salt is specified use it, if salt is True, set salt to uuid
-
-        masterkey is the key (as specified in argument) + salt
-        if masterkey is '' then simple_hash does not do HMAC
-        else simple_hash calls hmac_hash
        (this should all be backward compatible)

        Options:
@@ -2575,8 +2571,7 @@ class LazyCrypt(object):
                salt = self.crypt.salt
        else:
            salt = ''
-        masterkey = key+salt
-        hashed = simple_hash(self.password, masterkey, digest_alg)
+        hashed = simple_hash(self.password, key, salt, digest_alg)
        self.crypted = '%s$%s$%s' % (digest_alg, salt, hashed)
        return self.crypted

@@ -2593,8 +2588,7 @@ class LazyCrypt(object):
            key = ''
        if stored_password.count('$')==2:
            (digest_alg, salt, hash) = stored_password.split('$')
-            masterkey = key+salt
-            h = simple_hash(self.password, masterkey, digest_alg)
+            h = simple_hash(self.password, key, salt, digest_alg)
            temp_pass = '%s$%s$%s' % (digest_alg, salt, h)            
        else: # no salting
            # guess digest_alg
@@ -2602,7 +2596,7 @@ class LazyCrypt(object):
            if not digest_alg:   
                return False
            else:
-                temp_pass = simple_hash(self.password, key, digest_alg)
+                temp_pass = simple_hash(self.password, key, '', digest_alg)
        return temp_pass == stored_password