2 # Implements encrypting functions.
4 # Copyright (c) 2008, F S 3 Consulting Inc.
7 # Alec Joseph Rivera (agi<at>fs3.ph)
8 # refactored by Antony Lesuisse <al<at>openerp.com>
14 from random import sample
15 from string import ascii_letters, digits
18 from openerp.osv import fields, osv
20 _logger = logging.getLogger(__name__)
25 def gen_salt(length=8, symbols=None):
27 symbols = ascii_letters + digits
28 return ''.join(sample(symbols, length))
30 def md5crypt( raw_pw, salt, magic=magic_md5 ):
31 """ md5crypt FreeBSD crypt(3) based on but different from md5
33 The md5crypt is based on Mark Johnson's md5crypt.py, which in turn is
34 based on FreeBSD src/lib/libcrypt/crypt.c (1.2) by Poul-Henning Kamp.
35 Mark's port can be found in ActiveState ASPN Python Cookbook. Kudos to
40 * "THE BEER-WARE LICENSE" (Revision 42):
42 * <phk@login.dknet.dk> wrote this file. As long as you retain this
43 * notice you can do whatever you want with this stuff. If we meet some
44 * day, and you think this stuff is worth it, you can buy me a beer in
49 raw_pw = raw_pw.encode('utf-8')
50 salt = salt.encode('utf-8')
52 hash.update( raw_pw + magic + salt )
54 st.update( raw_pw + salt + raw_pw)
57 for i in range( 0, len( raw_pw ) ):
58 hash.update( stretch[i % 16] )
66 hash.update( raw_pw[0] )
69 saltedmd5 = hash.digest()
71 for i in range( 1000 ):
77 hash.update( saltedmd5 )
84 hash.update( saltedmd5 )
88 saltedmd5 = hash.digest()
90 itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
93 for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
94 v = ord( saltedmd5[a] ) << 16 | ord( saltedmd5[b] ) << 8 | ord( saltedmd5[c] )
97 rearranged += itoa64[v & 0x3f]
100 v = ord( saltedmd5[11] )
103 rearranged += itoa64[v & 0x3f]
106 return magic + salt + '$' + rearranged
108 def sh256crypt(cls, password, salt, magic=magic_sha256):
110 # see http://en.wikipedia.org/wiki/PBKDF2
111 result = password.encode('utf8')
112 for i in xrange(cls.iterations):
113 result = hmac.HMAC(result, salt, hashlib.sha256).digest() # uses HMAC (RFC 2104) to apply salt
114 result = result.encode('base64') # doesnt seem to be crypt(3) compatible
115 return '%s%s$%s' % (magic_sha256, salt, result)
117 class res_users(osv.osv):
118 _inherit = "res.users"
120 def set_pw(self, cr, uid, id, name, value, args, context):
122 encrypted = md5crypt(value, gen_salt())
123 cr.execute("update res_users set password='', password_crypt=%s where id=%s", (encrypted, id))
126 def get_pw( self, cr, uid, ids, name, args, context ):
127 cr.execute('select id, password from res_users where id in %s', (tuple(map(int, ids)),))
128 stored_pws = cr.fetchall()
131 for id, stored_pw in stored_pws:
137 'password': fields.function(get_pw, fnct_inv=set_pw, type='char', string='Password', invisible=True, store=True),
138 'password_crypt': fields.char(string='Encrypted Password', invisible=True),
141 def check_credentials(self, cr, uid, password):
142 # convert to base_crypt if needed
143 cr.execute('SELECT password, password_crypt FROM res_users WHERE id=%s AND active', (uid,))
145 stored_password, stored_password_crypt = cr.fetchone()
146 if stored_password and not stored_password_crypt:
148 stored_password_crypt = md5crypt(stored_password, salt)
149 cr.execute("UPDATE res_users SET password='', password_crypt=%s WHERE id=%s", (stored_password_crypt, uid))
151 return super(res_users, self).check_credentials(cr, uid, password)
152 except openerp.exceptions.AccessDenied:
154 if stored_password_crypt:
155 if stored_password_crypt[:len(magic_md5)] == magic_md5:
156 salt = stored_password_crypt[len(magic_md5):11]
157 if stored_password_crypt == md5crypt(password, salt):
159 elif stored_password_crypt[:len(magic_md5)] == magic_sha256:
160 salt = stored_password_crypt[len(magic_md5):11]
161 if stored_password_crypt == md5crypt(password, salt):
163 # Reraise password incorrect
167 # vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4: