diff options
| author | Jan Pokorn? <jpokorny@redhat.com> | 2012-03-05 21:14:08 +0100 |
|---|---|---|
| committer | Jan Pokorn? <jpokorny@redhat.com> | 2012-03-05 21:14:08 +0100 |
| commit | 663ec52ddd568148e000f1e7d2ea65d2ec284dd5 (patch) | |
| tree | 75016556deeb4a14d7266d8ace9624b5be004b5d /paste/request.py | |
| parent | 531c568bd89a2e34ca3077314587e421c5867091 (diff) | |
| download | paste-663ec52ddd568148e000f1e7d2ea65d2ec284dd5.tar.gz | |
auth/auth_tkt.py: enable overriding digest algorithms
Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5. Quoting:
----v----
The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly applicable
to mod_auth_tkt, which primarily relies on the security of the shared
secret rather than the strength of the hashing scheme. More paranoid users
will probably prefer to use one of the SHA digest types, however.
The default is likely to change in a future version, so setting the digest
type explicitly is encouraged.
----^----
Thus, enable it also in this implementation so one can optionally switch
to a stronger secure hash.
Backward compatibility should be untouched as ``md5`` is being passed
as a default kwarg. The only change affecting external world is
a new parameter required at ``calculate_digest`` (specifying the
digest to use), but as it has probably no use outside the module,
this is a non-issue. Alternatively: another optional kwarg.
Update (based Ian's comments):
The algorithm can also be specified as a string referring to the
algorithm known to hashlib (otherwise AttributeError will be raised).
Example session I used to check it works as expected (longish):
>>> import sys; sys.path.append('../..')
>>> from hashlib import sha256, sha512
>>> execfile('auth_tkt.py')
>>> AuthTicket('secret', 'me', '0.0.0.0').cookie_value()
'39fecb1395af5285232be390eba0eed34f5518c8me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', "md5").cookie_value()
'c3b8eacbbbf76a9c993c7dcb99975d504f5518cfme!m,d,5!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="md5") \
... .cookie_value()
'db3b04de3c44b5bd0e2b47019e903c064f5518dbme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha1") \
... .cookie_value()
'dddaadc2be960b6e89263ae7fb8c39591554103d4f5518edme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value()
'bf5c9a32e49920f2ca517ec19a9d55e10a83849e5d532e8997891b8ccdbf0e634f551902me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha256") \
... .cookie_value()
'9cb12df90fd86b868c98353115df4da3b8f9fa83bebecdf0b7918fea5d06b0744f551908me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo='foo') \
... .cookie_value()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "auth_tkt.py", line 107, in __init__
self.digest_algo = getattr(hashlib, digest_algo)
AttributeError: 'module' object has no attribute 'foo'
>>>
>>> parse_ticket('secret', \
... AuthTicket('secret', 'me', '0.0.0.0').cookie_value(),'0.0.0.0')
(1330977060, 'me', [''], '')
>>> parse_ticket('secret', \
... AuthTicket('secret', 'me', '0.0.0.0', digest_algo='md5') \
... .cookie_value(),'0.0.0.0', digest_algo='md5')
(1330977096, 'me', [''], '')
>>> parse_ticket('secret', \
... AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value(),'0.0.0.0', digest_algo=sha256)
(1330977115, 'me', [''], '')
>>> parse_ticket('secret', \
... AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0', digest_algo=sha512)
(1330977125, 'me', [''], '')
>>> parse_ticket('secret', \
... AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "auth_tkt.py", line 179, in parse_ticket
expected=(expected, digest))
__main__.BadTicket: Digest signature is not correct
[1] http://linux.die.net/man/3/mod_auth_tkt
Diffstat (limited to 'paste/request.py')
0 files changed, 0 insertions, 0 deletions