changeset 1912:324c44142b6a

Add salt to sha of password
author Cédric Krier <ced@b2ck.com>
date Wed, 29 Jul 2009 16:27:18 +0200
parents 189156fe23c3
children 59010ca75a37
files CHANGELOG trytond/res/user.py trytond/security.py trytond/server.py
diffstat 4 files changed, 24 insertions(+), 9 deletions(-) [+]
--- a/CHANGELOG	Wed Jul 29 16:25:26 2009 +0200
+++ b/CHANGELOG	Wed Jul 29 16:27:18 2009 +0200
@@ -1,3 +1,4 @@
+* Add salt to sha of password
 * Add strftime to ir.lang to handle locale's format
 * Add sqlite backend
 * Add validate test for required and size
--- a/trytond/res/user.py	Wed Jul 29 16:25:26 2009 +0200
+++ b/trytond/res/user.py	Wed Jul 29 16:27:18 2009 +0200
@@ -7,6 +7,8 @@
 from lxml import etree
 from trytond.tools import Cache
 from trytond.backend import TableHandler
+import string
+import random
 
 
 class User(ModelSQL, ModelView):
@@ -16,6 +18,7 @@
     name = fields.Char('Name', required=True, select=1, translate=True)
     login = fields.Char('Login', required=True)
     password = fields.Sha('Password')
+    salt = fields.Char('Salt', size=8)
     signature = fields.Text('Signature')
     active = fields.Boolean('Active')
     action = fields.Many2One('ir.action', 'Home Action')
@@ -114,8 +117,13 @@
         if 'menu' in vals:
             vals['menu'] = action_obj.get_action_id(cursor, user,
                     vals['menu'], context=context)
-        if 'password' in vals and vals['password'] == 'x' * 10:
-            del vals['password']
+        if 'password' in vals:
+            if vals['password'] == 'x' * 10:
+                del vals['password']
+            else:
+                vals['salt'] = ''.join(random.sample(
+                    string.letters + string.digits, 8))
+                vals['password'] += vals['salt']
         return vals
 
     def create(self, cursor, user, vals, context=None):
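Review bot: The salt built at `vals['salt'] = ''.join(random.sample(string.letters + string.digits, 8))` comes from the `random` module, which is a Mersenne Twister and not a cryptographic source, and `random.sample` draws without replacement, so no character can repeat and the already small 8-character space shrinks further. An OS-backed generator is available on the Python versions this file targets: `rng = random.SystemRandom()` followed by `vals['salt'] = ''.join(rng.choice(string.ascii_letters + string.digits) for _ in range(8))`. `string.letters` is also locale-dependent on Python 2, so the alphabet can differ between hosts; `string.ascii_letters` is the stable choice. The enclosing method starts outside this hunk, and the actual hashing of `vals['password']` happens in `fields.Sha`, which is not visible here, so whether the concatenation order there matches `security.py` (`password + salt`) should be confirmed.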
--- a/trytond/security.py	Wed Jul 29 16:25:26 2009 +0200
+++ b/trytond/security.py	Wed Jul 29 16:27:18 2009 +0200
@@ -18,11 +18,7 @@
     _USER_TRY.setdefault(dbname, {})
     database = Database(dbname).connect()
     cursor = database.cursor()
-    if hashlib:
-        password_sha = hashlib.sha1(password).hexdigest()
-    else:
-        password_sha = sha.new(password).hexdigest()
-    cursor.execute('SELECT id, password, active FROM res_user '
+    cursor.execute('SELECT id, password, active, salt FROM res_user '
         'WHERE login = %s', (loginname,))
     res = cursor.fetchone()
     if res:
@@ -31,6 +27,12 @@
         if user_id == 0:
             return False
         _USER_TRY[dbname].setdefault(user_id, 0)
+        # Add salt
+        password += res[3] or ''
+        if hashlib:
+            password_sha = hashlib.sha1(password).hexdigest()
+        else:
+            password_sha = sha.new(password).hexdigest()
         if res[1] == password_sha and res[2]:
             _USER_TRY[dbname][user_id] = 0
             if cache:
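Review bot: Hashing now happens only inside the `if res:` branch, so a login attempt for a nonexistent user returns without computing a digest while a wrong password for an existing user pays for the SHA-1; that timing difference lets a client enumerate valid logins, which the pre-change code (hash before the query) did not expose. Compute the digest on both paths, e.g. derive `salt = res[3] or '' if res else ''` before the branch and hash unconditionally, or hash a dummy value on the no-row path. The comparison `res[1] == password_sha` is also an ordinary string equality that stops at the first differing byte; on this Python 2 era there is no `hmac.compare_digest`, so a fixed-time fold over the two hexdigests would be needed if that leak matters to the deployment. A single SHA-1 pass over `password + salt` remains cheap to brute-force offline; an iterated construction would be the longer-term fix but has to change in lockstep with `res/user.py` and `server.py`. The enclosing function starts outside this hunk.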
--- a/trytond/server.py	Wed Jul 29 16:25:26 2009 +0200
+++ b/trytond/server.py	Wed Jul 29 16:27:18 2009 +0200
@@ -27,6 +27,8 @@
     import sha
 import threading
 from pool import Pool
+import string
+import random
 
 
 class TrytonServer(object):
@@ -128,13 +130,15 @@
 
                 database = Database(db_name).connect()
                 cursor = database.cursor()
+                salt = ''.join(random.sample(string.letters + string.digits, 8))
+                password += salt
                 if hashlib:
                     password = hashlib.sha1(password).hexdigest()
                 else:
                     password = sha.new(password).hexdigest()
                 cursor.execute('UPDATE res_user ' \
-                        'SET password = %s ' \
-                        'WHERE login = \'admin\'', (password,))
+                        'SET password = %s, salt = %s ' \
+                        'WHERE login = \'admin\'', (password, salt))
                 cursor.commit()
                 cursor.close()
 
