cbmi/account/password_encryption.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import base64

from Crypto import Random
from Crypto.Cipher import AES

ENCRYPTED_LDAP_PASSWORD = 'encrypted_ldap_password'


def encrypt_ldap_password(cleartext_pw):
    """
    Encrypts the cleartext_pw with a randomly generated key.

    Returns the key and the encrypted message containing the password.
    The key is supposed to be stored into the 'session_key' cookie field we can
    later use it to decrypt the password and connect to the LDAP server with it.
    """
    # 16 bytes of key => AES-128
    random = Random.new()
    key = random.read(16)

    # initialization vector
    iv = random.read(16)

    # do the encryption
    aes = AES.new(key, AES.MODE_CFB, iv)
    message = iv + aes.encrypt(cleartext_pw.encode())
    return base64.b64encode(message).decode(), base64.b64encode(key).decode()


def decrypt_ldap_password(message, key):
    """
    Takes an encrypted, base64 encoded password and the base64 encoded key.
    Returns the cleartext password.
    """
    decoded_message = base64.b64decode(message)
    decoded_key = base64.b64decode(key)

    # first 16 bytes of the message are the initialization vector
    iv = decoded_message[:16]

    # the rest is the encrypted password
    ciphertext = decoded_message[16:]

    # decrypt it
    aes = AES.new(decoded_key, AES.MODE_CFB, iv)
    cleartext_pw = aes.decrypt(ciphertext).decode()
    return cleartext_pw


def store_ldap_password(request, password):
    """
    Stores the password in an encrypted session storage and returns the key.
    """
    encrypted_pw, key = encrypt_ldap_password(password)
    request.session[ENCRYPTED_LDAP_PASSWORD] = encrypted_pw
    request.session.save()
    return key


def get_ldap_password(request):
    cookies = request.COOKIES
    key = cookies.get('sessionkey', None)
    if not key:
        raise Exception('sessionkey not found in cookies.')
    return decrypt_ldap_password(request.session[ENCRYPTED_LDAP_PASSWORD], key)
#11 passwords are now stored with aes-128 encryption 2013-10-27 21:13:41 +01:00			`#!/usr/bin/env python`
			`# -- coding: utf-8 --`

			`import base64`

			`from Crypto import Random`
			`from Crypto.Cipher import AES`

			`ENCRYPTED_LDAP_PASSWORD = 'encrypted_ldap_password'`

Fixes IndexError on save with removed member forwarding email (#11) * Fixed IndexError if a non existent field gets queried for a value. Using dict.get to either get a value or provide a reasonable default * Removed list construction around new_key value * Clean up source code with 80x25 terminal and vim (complies with PEP-8) * Added some docstrings 2020-12-05 23:23:19 +01:00
#11 passwords are now stored with aes-128 encryption 2013-10-27 21:13:41 +01:00			`def encrypt_ldap_password(cleartext_pw):`
			`"""`
			`Encrypts the cleartext_pw with a randomly generated key.`

			`Returns the key and the encrypted message containing the password.`
			`The key is supposed to be stored into the 'session_key' cookie field we can`
			`later use it to decrypt the password and connect to the LDAP server with it.`
			`"""`
			`# 16 bytes of key => AES-128`
			`random = Random.new()`
			`key = random.read(16)`

			`# initialization vector`
			`iv = random.read(16)`

			`# do the encryption`
			`aes = AES.new(key, AES.MODE_CFB, iv)`
django4 fixes 2022-06-11 21:10:41 +02:00			`message = iv + aes.encrypt(cleartext_pw.encode())`
upgrade to django 1.11.16 and python3.6 2018-10-03 00:16:28 +02:00			`return base64.b64encode(message).decode(), base64.b64encode(key).decode()`
#11 passwords are now stored with aes-128 encryption 2013-10-27 21:13:41 +01:00
Fixes IndexError on save with removed member forwarding email (#11) * Fixed IndexError if a non existent field gets queried for a value. Using dict.get to either get a value or provide a reasonable default * Removed list construction around new_key value * Clean up source code with 80x25 terminal and vim (complies with PEP-8) * Added some docstrings 2020-12-05 23:23:19 +01:00
#11 passwords are now stored with aes-128 encryption 2013-10-27 21:13:41 +01:00			`def decrypt_ldap_password(message, key):`
			`"""`
			`Takes an encrypted, base64 encoded password and the base64 encoded key.`
			`Returns the cleartext password.`
			`"""`
			`decoded_message = base64.b64decode(message)`
			`decoded_key = base64.b64decode(key)`

			`# first 16 bytes of the message are the initialization vector`
			`iv = decoded_message[:16]`

			`# the rest is the encrypted password`
			`ciphertext = decoded_message[16:]`

			`# decrypt it`
			`aes = AES.new(decoded_key, AES.MODE_CFB, iv)`
django4 fixes 2022-06-11 21:10:41 +02:00			`cleartext_pw = aes.decrypt(ciphertext).decode()`
#11 passwords are now stored with aes-128 encryption 2013-10-27 21:13:41 +01:00			`return cleartext_pw`

Fixes IndexError on save with removed member forwarding email (#11) * Fixed IndexError if a non existent field gets queried for a value. Using dict.get to either get a value or provide a reasonable default * Removed list construction around new_key value * Clean up source code with 80x25 terminal and vim (complies with PEP-8) * Added some docstrings 2020-12-05 23:23:19 +01:00
#11 passwords are now stored with aes-128 encryption 2013-10-27 21:13:41 +01:00			`def store_ldap_password(request, password):`
			`"""`
			`Stores the password in an encrypted session storage and returns the key.`
			`"""`
			`encrypted_pw, key = encrypt_ldap_password(password)`
			`request.session[ENCRYPTED_LDAP_PASSWORD] = encrypted_pw`
			`request.session.save()`
			`return key`

Fixes IndexError on save with removed member forwarding email (#11) * Fixed IndexError if a non existent field gets queried for a value. Using dict.get to either get a value or provide a reasonable default * Removed list construction around new_key value * Clean up source code with 80x25 terminal and vim (complies with PEP-8) * Added some docstrings 2020-12-05 23:23:19 +01:00
#11 passwords are now stored with aes-128 encryption 2013-10-27 21:13:41 +01:00			`def get_ldap_password(request):`
			`cookies = request.COOKIES`
			`key = cookies.get('sessionkey', None)`
			`if not key:`
			`raise Exception('sessionkey not found in cookies.')`
Fixes IndexError on save with removed member forwarding email (#11) * Fixed IndexError if a non existent field gets queried for a value. Using dict.get to either get a value or provide a reasonable default * Removed list construction around new_key value * Clean up source code with 80x25 terminal and vim (complies with PEP-8) * Added some docstrings 2020-12-05 23:23:19 +01:00			`return decrypt_ldap_password(request.session[ENCRYPTED_LDAP_PASSWORD], key)`