format pwhash

This commit is contained in:
Balakrishnan Balasubramanian 2023-05-16 19:41:50 -04:00
parent 11de5948c8
commit c441863af7

View File

@ -17,24 +17,38 @@ PACK_FMT = f"<c{SALT_LEN}s64slhh"
def gen_pwhash(password: str) -> str: def gen_pwhash(password: str) -> str:
salt = os.urandom(SALT_LEN) salt = os.urandom(SALT_LEN)
sh = scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) sh = scrypt(password.encode(),
pack_bytes = pack(PACK_FMT, VERSION, salt, sh, SCRYPT_N, SCRYPT_R, SCRYPT_P) salt=salt,
n=SCRYPT_N,
r=SCRYPT_R,
p=SCRYPT_P)
pack_bytes = pack(PACK_FMT, VERSION, salt, sh, SCRYPT_N, SCRYPT_R,
SCRYPT_P)
return b32encode(pack_bytes).decode() return b32encode(pack_bytes).decode()
class PWInfo: class PWInfo:
def __init__(self, salt, sh): def __init__(self, salt, sh):
self.salt = salt self.salt = salt
self.scrypt_hash = sh self.scrypt_hash = sh
def parse_hash(pwhash: str) -> PWInfo: def parse_hash(pwhash: str) -> PWInfo:
decoded = b32decode(pwhash.encode()) decoded = b32decode(pwhash.encode())
ver, salt, sh, n, r, p = unpack(PACK_FMT, decoded) ver, salt, sh, n, r, p = unpack(PACK_FMT, decoded)
if not (ver, n, r, p, len(salt)) == (VERSION, SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN): if not (ver, n, r, p, len(salt)) == (VERSION, SCRYPT_N, SCRYPT_R, SCRYPT_P,
raise Exception(f"Invalid hash: {ver=}, {n=}, {r=}, {p=}, f{len(salt)=} != {VERSION=}, {SCRYPT_N=}, {SCRYPT_R=}, {SCRYPT_P=}, {SALT_LEN=}") SALT_LEN):
raise Exception(
f"Invalid hash: {ver=}, {n=}, {r=}, {p=}, f{len(salt)=} != {VERSION=}, {SCRYPT_N=}, {SCRYPT_R=}, {SCRYPT_P=}, {SALT_LEN=}"
)
return PWInfo(salt, sh) return PWInfo(salt, sh)
def check_pass(password: str, pwinfo: PWInfo) -> bool: def check_pass(password: str, pwinfo: PWInfo) -> bool:
# No need for constant time compare for hashes. See https://security.stackexchange.com/a/46215 # No need for constant time compare for hashes. See https://security.stackexchange.com/a/46215
return pwinfo.scrypt_hash == scrypt(password.encode(), salt=pwinfo.salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) return pwinfo.scrypt_hash == scrypt(password.encode(),
salt=pwinfo.salt,
n=SCRYPT_N,
r=SCRYPT_R,
p=SCRYPT_P)