tobias/radicale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove unsecure methods from htpasswd and make md5 default

Browse Source
This commit is contained in:
Unrud 2020-01-19 18:26:14 +01:00
parent 0a5fd94577
commit 6108d8d759
6 changed files with 21 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -33,7 +33,7 @@ notifications:
install:
- ${PYTHON} --version
- ${PYTHON} -m pip install --upgrade coveralls
- ${PYTHON} -m pip install --upgrade --editable .[test,md5,bcrypt]
- ${PYTHON} -m pip install --upgrade --editable .[test,bcrypt]
- ${PYTHON} -m pip list
script:

8
config
View File

@ -68,11 +68,9 @@
#htpasswd_filename = /etc/radicale/users
# Htpasswd encryption method
# Value: plain | sha1 | ssha | crypt | bcrypt | md5
# Only bcrypt can be considered secure.
# bcrypt requires the passlib[bcrypt] module and md5 requires
# the passlib module.
#htpasswd_encryption = bcrypt
# Value: plain | bcrypt | md5
# bcrypt requires the passlib[bcrypt] module.
#htpasswd_encryption = md5
# Incorrect authentication delay (seconds)
#delay = 1

85
radicale/auth/htpasswd.py
View File

@ -22,11 +22,9 @@ Authentication backend that checks credentials with a htpasswd file.
Apache's htpasswd command (httpd.apache.org/docs/programs/htpasswd.html)
manages a file for storing user credentials. It can encrypt passwords using
different methods, e.g. BCRYPT, MD5-APR1 (a version of MD5 modified for
Apache), SHA1, or by using the system's CRYPT routine. The CRYPT and SHA1
encryption methods implemented by htpasswd are considered as insecure. MD5-APR1
provides medium security as of 2015. Only BCRYPT can be considered secure by
current standards.
different the methods BCRYPT or MD5-APR1 (a version of MD5 modified for
Apache). MD5-APR1 provides medium security as of 2015. Only BCRYPT can be
considered secure by current standards.
MD5-APR1-encrypted credentials can be written by all versions of htpasswd (it
is the default, in fact), whereas BCRYPT requires htpasswd 2.4.x or newer.
@ -41,22 +39,19 @@ The following htpasswd password encrpytion methods are supported by Radicale
out-of-the-box:
- plain-text (created by htpasswd -p...) -- INSECURE
- CRYPT (created by htpasswd -d...) -- INSECURE
- SHA1 (created by htpasswd -s...) -- INSECURE
When passlib (https://pypi.python.org/pypi/passlib) is importable, the
following significantly more secure schemes are parsable by Radicale:
- MD5-APR1 (htpasswd -m...) -- htpasswd's default method
When passlib[bcrypt] is installed:
- BCRYPT (htpasswd -B...) -- Requires htpasswd 2.4.x
"""
import base64
import functools
import hashlib
import hmac
from passlib.hash import apr_md5_crypt
from radicale import auth
@ -66,40 +61,22 @@ class Auth(auth.BaseAuth):
self._filename = configuration.get("auth", "htpasswd_filename")
encryption = configuration.get("auth", "htpasswd_encryption")
if encryption == "ssha":
self._verify = self._ssha
elif encryption == "sha1":
self._verify = self._sha1
elif encryption == "plain":
if encryption == "plain":
self._verify = self._plain
elif encryption == "md5":
try:
from passlib.hash import apr_md5_crypt
except ImportError as e:
raise RuntimeError(
"The htpasswd encryption method 'md5' requires "
"the passlib module.") from e
self._verify = functools.partial(self._md5apr1, apr_md5_crypt)
self._verify = self._md5apr1
elif encryption == "bcrypt":
try:
from passlib.hash import bcrypt
except ImportError as e:
raise RuntimeError(
"The htpasswd encryption method 'bcrypt' requires "
"the passlib module with bcrypt support.") from e
"the passlib[bcrypt] module.") from e
# A call to `encrypt` raises passlib.exc.MissingBackendError with a
# good error message if bcrypt backend is not available. Trigger
# this here.
bcrypt.hash("test-bcrypt-backend")
self._verify = functools.partial(self._bcrypt, bcrypt)
elif encryption == "crypt":
try:
import crypt
except ImportError as e:
raise RuntimeError(
"The htpasswd encryption method 'crypt' requires "
"the crypt() system support.") from e
self._verify = functools.partial(self._crypt, crypt)
else:
raise RuntimeError("The htpasswd encryption method %r is not "
"supported." % encryption)
@ -108,45 +85,11 @@ class Auth(auth.BaseAuth):
"""Check if ``hash_value`` and ``password`` match, plain method."""
return hmac.compare_digest(hash_value, password)
def _crypt(self, crypt, hash_value, password):
"""Check if ``hash_value`` and ``password`` match, crypt method."""
hash_value = hash_value.strip()
return hmac.compare_digest(crypt.crypt(password, hash_value),
hash_value)
def _sha1(self, hash_value, password):
"""Check if ``hash_value`` and ``password`` match, sha1 method."""
hash_value = base64.b64decode(hash_value.strip().replace(
"{SHA}", "").encode("ascii"))
password = password.encode(self.configuration.get("encoding", "stock"))
sha1 = hashlib.sha1()
sha1.update(password)
return hmac.compare_digest(sha1.digest(), hash_value)
def _ssha(self, hash_value, password):
"""Check if ``hash_value`` and ``password`` match, salted sha1 method.
This method is not directly supported by htpasswd, but it can be
written with e.g. openssl, and nginx can parse it.
"""
hash_value = base64.b64decode(hash_value.strip().replace(
"{SSHA}", "").encode("ascii"))
password = password.encode(self.configuration.get("encoding", "stock"))
salt_value = hash_value[20:]
hash_value = hash_value[:20]
sha1 = hashlib.sha1()
sha1.update(password)
sha1.update(salt_value)
return hmac.compare_digest(sha1.digest(), hash_value)
def _bcrypt(self, bcrypt, hash_value, password):
hash_value = hash_value.strip()
return bcrypt.verify(password, hash_value)
return bcrypt.verify(password, hash_value.strip())
def _md5apr1(self, md5_apr1, hash_value, password):
hash_value = hash_value.strip()
return md5_apr1.verify(password, hash_value)
def _md5apr1(self, hash_value, password):
return apr_md5_crypt.verify(password, hash_value.strip())
def login(self, login, password):
"""Validate credentials.

2
radicale/config.py
View File

@ -160,7 +160,7 @@ DEFAULT_CONFIG_SCHEMA = OrderedDict([
"help": "htpasswd filename",
"type": filepath}),
("htpasswd_encryption", {
"value": "bcrypt",
"value": "md5",
"help": "htpasswd encryption method",
"type": str}),
("realm", {

19
radicale/tests/test_auth.py
View File

@ -80,32 +80,15 @@ class TestBaseAuthRequests(BaseTest):
self._test_htpasswd("plain", "tmp:be:po", (
("tmp", "be:po", 207), ("tmp", "bepo", 401)))
def test_htpasswd_sha1(self):
self._test_htpasswd("sha1", "tmp:{SHA}UWRS3uSJJq2itZQEUyIH8rRajCM=")
def test_htpasswd_ssha(self):
self._test_htpasswd("ssha", "tmp:{SSHA}qbD1diw9RJKi0DnW4qO8WX9SE18W")
def test_htpasswd_md5(self):
try:
import passlib # noqa: F401
except ImportError:
pytest.skip("passlib is not installed")
self._test_htpasswd("md5", "tmp:$apr1$BI7VKCZh$GKW4vq2hqDINMr8uv7lDY/")
def test_htpasswd_crypt(self):
try:
import crypt # noqa: F401
except ImportError:
pytest.skip("crypt is not installed")
self._test_htpasswd("crypt", "tmp:dxUqxoThMs04k")
def test_htpasswd_bcrypt(self):
try:
from passlib.hash import bcrypt
from passlib.exc import MissingBackendError
except ImportError:
pytest.skip("passlib is not installed")
pytest.skip("passlib[bcrypt] is not installed")
try:
bcrypt.hash("test-bcrypt-backend")
except MissingBackendError:

3
setup.py
View File

@ -73,12 +73,11 @@ setup(
exclude=["*.tests", "*.tests.*", "tests.*", "tests"]),
package_data={"radicale": WEB_FILES},
entry_points={"console_scripts": ["radicale = radicale.__main__:run"]},
install_requires=["vobject>=0.9.6", "python-dateutil>=2.7.3"],
install_requires=["passlib", "vobject>=0.9.6", "python-dateutil>=2.7.3"],
setup_requires=pytest_runner,
tests_require=tests_require,
extras_require={
"test": tests_require,
"md5": "passlib",
"bcrypt": "passlib[bcrypt]"},
keywords=["calendar", "addressbook", "CalDAV", "CardDAV"],
python_requires=">=3.5.2",