Rooba
/
mitmproxy
mirror of https://github.com/mitmproxy/mitmproxy.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

use passlib instead of md5crypt

This commit is contained in:
Maximilian Hils 2014-08-16 15:28:09 +02:00
parent 1b8529649c
commit 1c1167eda0
5 changed files with 8 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
netlib/contrib/__init__.py
View File

94
netlib/contrib/md5crypt.py
View File

@ -1,94 +0,0 @@
# Based on FreeBSD src/lib/libcrypt/crypt.c 1.2
# http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2&content-type=text/plain
# Original license:
# * "THE BEER-WARE LICENSE" (Revision 42):
# * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
# * can do whatever you want with this stuff. If we meet some day, and you think
# * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
# This port adds no further stipulations. I forfeit any copyright interest.
import md5
def md5crypt(password, salt, magic='$1$'):
# /* The password first, since that is what is most unknown */ /* Then our magic string */ /* Then the raw salt */
m = md5.new()
m.update(password + magic + salt)
# /* Then just as many characters of the MD5(pw,salt,pw) */
mixin = md5.md5(password + salt + password).digest()
for i in range(0, len(password)):
m.update(mixin[i % 16])
# /* Then something really weird... */
# Also really broken, as far as I can tell. -m
i = len(password)
while i:
if i & 1:
m.update('\x00')
else:
m.update(password[0])
i >>= 1
final = m.digest()
# /* and now, just to make sure things don't run too fast */
for i in range(1000):
m2 = md5.md5()
if i & 1:
m2.update(password)
else:
m2.update(final)
if i % 3:
m2.update(salt)
if i % 7:
m2.update(password)
if i & 1:
m2.update(final)
else:
m2.update(password)
final = m2.digest()
# This is the bit that uses to64() in the original code.
itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
rearranged = ''
for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
v = ord(final[a]) << 16 | ord(final[b]) << 8 | ord(final[c])
for i in range(4):
rearranged += itoa64[v & 0x3f]; v >>= 6
v = ord(final[11])
for i in range(2):
rearranged += itoa64[v & 0x3f]; v >>= 6
return magic + salt + '$' + rearranged
if __name__ == '__main__':
def test(clear_password, the_hash):
magic, salt = the_hash[1:].split('$')[:2]
magic = '$' + magic + '$'
return md5crypt(clear_password, salt, magic) == the_hash
test_cases = (
(' ', '$1$yiiZbNIH$YiCsHZjcTkYd31wkgW8JF.'),
('pass', '$1$YeNsbWdH$wvOF8JdqsoiLix754LTW90'),
('____fifteen____', '$1$s9lUWACI$Kk1jtIVVdmT01p0z3b/hw1'),
('____sixteen_____', '$1$dL3xbVZI$kkgqhCanLdxODGq14g/tW1'),
('____seventeen____', '$1$NaH5na7J$j7y8Iss0hcRbu3kzoJs5V.'),
('__________thirty-three___________', '$1$HO7Q6vzJ$yGwp2wbL5D7eOVzOmxpsy.'),
('apache', '$apr1$J.w5a/..$IW9y6DR0oO/ADuhlMF5/X1')
)
for clearpw, hashpw in test_cases:
if test(clearpw, hashpw):
print '%s: pass' % clearpw
else:
print '%s: FAIL' % clearpw

29
netlib/http_auth.py
View File

@ -1,4 +1,4 @@
from .contrib import md5crypt from passlib.apache import HtpasswdFile
import http import http
from argparse import Action, ArgumentTypeError from argparse import Action, ArgumentTypeError
@ -78,32 +78,14 @@ class PassManHtpasswd:
""" """
Read usernames and passwords from an htpasswd file Read usernames and passwords from an htpasswd file
""" """
def __init__(self, fp): def __init__(self, path):
""" """
Raises ValueError if htpasswd file is invalid. Raises ValueError if htpasswd file is invalid.
""" """
self.usernames = {} self.htpasswd = HtpasswdFile(path)
for l in fp:
l = l.strip().split(':')
if len(l) != 2:
raise ValueError("Invalid htpasswd file.")
parts = l[1].split('$')
if len(parts) != 4:
raise ValueError("Invalid htpasswd file.")
self.usernames[l[0]] = dict(
token = l[1],
dummy = parts[0],
magic = parts[1],
salt = parts[2],
hashed_password = parts[3]
)
def test(self, username, password_token): def test(self, username, password_token):
ui = self.usernames.get(username) return bool(self.htpasswd.check_password(username, password_token))
if not ui:
return False
expected = md5crypt.md5crypt(password_token, ui["salt"], '$'+ui["magic"]+'$')
return expected==ui["token"]
class PassManSingleUser: class PassManSingleUser:
@ -149,6 +131,5 @@ class NonanonymousAuthAction(AuthAction):
class HtpasswdAuthAction(AuthAction): class HtpasswdAuthAction(AuthAction):
def getPasswordManager(self, s): def getPasswordManager(self, s):
with open(s, "r") as f: return PassManHtpasswd(s)
return PassManHtpasswd(f)

2
setup.py
View File

@ -88,5 +88,5 @@ setup(
"Topic :: Software Development :: Testing :: Traffic Generation", "Topic :: Software Development :: Testing :: Traffic Generation",
"Topic :: Internet :: WWW/HTTP", "Topic :: Internet :: WWW/HTTP",
], ],
install_requires=["pyasn1>0.1.2", "pyopenssl>=0.14"], install_requires=["pyasn1>0.1.2", "pyopenssl>=0.14", "passlib>=1.6.2"],
) )

8
test/test_http_auth.py
View File

@ -12,14 +12,10 @@ class TestPassManNonAnon:
class TestPassManHtpasswd: class TestPassManHtpasswd:
def test_file_errors(self): def test_file_errors(self):
s = cStringIO.StringIO("foo") tutils.raises("malformed htpasswd file", http_auth.PassManHtpasswd, tutils.test_data.path("data/server.crt"))
tutils.raises("invalid htpasswd", http_auth.PassManHtpasswd, s)
s = cStringIO.StringIO("foo:bar$foo")
tutils.raises("invalid htpasswd", http_auth.PassManHtpasswd, s)
def test_simple(self): def test_simple(self):
f = open(tutils.test_data.path("data/htpasswd"),"rb") pm = http_auth.PassManHtpasswd(tutils.test_data.path("data/htpasswd"))
pm = http_auth.PassManHtpasswd(f)
vals = ("basic", "test", "test") vals = ("basic", "test", "test")
p = http.assemble_http_basic_auth(*vals) p = http.assemble_http_basic_auth(*vals)