Added support for argon2, more secure than sha256 with salt.

Kept backwards compat with existing stored keys.
2025-01-18 06:03:54 +03:00 · 2023-07-23 02:16:51 +02:00 · 2023-07-23 02:16:51 +02:00 · 8137373c40
commit 8137373c40
parent 833f8a0a3e
2 changed files with 14 additions and 4 deletions
--- a/server/requirements.txt
+++ b/server/requirements.txt
@ -50,3 +50,4 @@ art
 dnspython
 aiohttp
 uvloop
 argon2-cffi
--- a/server/src/uds/core/managers/crypto.py
+++ b/server/src/uds/core/managers/crypto.py
@ -41,6 +41,8 @@ import logging
 import typing
 import secrets
 # For password secrets
 from argon2 import PasswordHasher
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@ -263,10 +265,8 @@ class CryptoManager(metaclass=singleton.Singleton):
        if isinstance(value, str):
            value = value.encode()
-        salt = self.salt(8)  # 8 bytes = 16 chars
+        # Argon2
-        value = salt.encode() + value
+        return '{ARGON2}' + PasswordHasher().hash(value.decode())
        return '{SHA256SALT}' + salt + str(hashlib.sha3_256(value).hexdigest())
    def checkHash(self, value: typing.Union[str, bytes], hashValue: str) -> bool:
        if isinstance(value, str):
@ -287,6 +287,15 @@ class CryptoManager(metaclass=singleton.Singleton):
                hashlib.sha3_256(value).hexdigest(), hashValue[28:]
            )
        # Argon2
        if hashValue[:8] == '{ARGON2}':
            ph = PasswordHasher()
            try:
                ph.verify(hashValue[8:], value.decode())
                return True
            except Exception:
                return False  # Verify will raise an exception if not valid
        # Old sha1
        return secrets.compare_digest(
            hashValue, str(hashlib.sha1(value).hexdigest())  # nosec: Old compatibility SHA1, not used anymore but need to be supported