StNicolay/PassManager
Archived
1
1
Fork 0
Code Pull Requests Releases 8 Activity

Compare commits

base: StNicolay:570f15001e874a4d3454279531843d5a6384130d
Branches Tags
StNicolay:main
StNicolay:unstable
StNicolay:1.4
StNicolay:1.3.1
StNicolay:1.3
StNicolay:1.2
StNicolay:1.1.1
StNicolay:1.1
StNicolay:1.0
StNicolay:Beta
..
compare: StNicolay:a1bed9014d6fc680b1604fdf9804c748b01c8774
Branches Tags
StNicolay:unstable
StNicolay:main
StNicolay:1.4
StNicolay:1.3.1
StNicolay:1.3
StNicolay:1.2
StNicolay:1.1.1
StNicolay:1.1
StNicolay:1.0
StNicolay:Beta

3 Commits
570f15001e ... a1bed9014d

Author SHA1 Message Date
StNicolay
a1bed9014d Changed the way the master password hashing works 
Switched from Bcrypt to Scrypt for master password hashing
Changed models to use new sizes for hashes and salts, doubled the size of enc_login and enc_passwd for accounts
Created new function to check master password validity
Increased salt sizes for accounts and master passwords
Removed bcrypt from requirements
 2022-11-07 16:30:45 +03:00
StNicolay
66ab13b45d Changed handlers.get_accounts to use a guard clause, added comment to clarify, why we are putting account in backticks 2022-11-07 16:29:37 +03:00
StNicolay
da42d7ad1d Changed comments in cryptograpy.other_accounts to be more precise 2022-11-07 16:29:31 +03:00
5 changed files with 55 additions and 44 deletions
Show Stats Expand all files Collapse all files

1
requirements.txt
View File

@ -1,4 +1,3 @@
bcrypt
cryptography
pymysql
python-dotenv

16
src/bot/handlers.py
View File

@ -26,9 +26,12 @@ def get_accounts(
) -> None:
base_handler(bot, mes)
accounts = database.get.get_accounts(engine, mes.from_user.id)
if accounts:
if not accounts:
return send_tmp_message(bot, mes.chat.id, "У вас нет аккаунтов")
# Make accounts copyable and escape special chars
accounts = [f"`{account}`" for account in accounts]
return send_tmp_message(
send_tmp_message(
bot,
mes.chat.id,
"Ваши аккаунты:\n"
@ -36,7 +39,6 @@ def get_accounts(
+ "\nНажмите на название, чтобы скопировать",
30,
)
send_tmp_message(bot, mes.chat.id, "У вас нет аккаунтов")
def delete_all(
@ -217,7 +219,7 @@ def _add_account5(
return send_tmp_message(bot, mes.chat.id, "Успешная отмена")
salt, hash_ = database.get.get_master_pass(engine, mes.from_user.id)
if cryptography.master_pass.encrypt_master_pass(text, salt) != hash_:
if not cryptography.master_pass.check_master_pass(text, hash_, salt):
return send_tmp_message(bot, mes.chat.id, "Не подходит главный пароль")
name, login, passwd = data["name"], data["login"], data["passwd"]
@ -279,7 +281,7 @@ def _get_account3(
master_salt, hash_pass = database.get.get_master_pass(engine, mes.from_user.id)
if cryptography.master_pass.encrypt_master_pass(text, master_salt) != hash_pass:
if not cryptography.master_pass.check_master_pass(text, hash_pass, master_salt):
return send_tmp_message(bot, mes.chat.id, "Не подходит мастер пароль")
salt, enc_login, enc_pass = database.get.get_account_info(
@ -376,7 +378,7 @@ def _export2(
return send_tmp_message(bot, mes.chat.id, "Успешная отмена")
master_salt, hash_pass = database.get.get_master_pass(engine, mes.from_user.id)
if cryptography.master_pass.encrypt_master_pass(text, master_salt) != hash_pass:
if not cryptography.master_pass.check_master_pass(text, hash_pass, master_salt):
return send_tmp_message(bot, mes.chat.id, "Не подходит мастер пароль")
accounts = get_all_accounts(engine, mes.from_user.id, text)
@ -443,7 +445,7 @@ def _import3(
return send_tmp_message(bot, mes.chat.id, "Успешная отмена")
master_salt, hash_pass = database.get.get_master_pass(engine, mes.from_user.id)
if cryptography.master_pass.encrypt_master_pass(text, master_salt) != hash_pass:
if not cryptography.master_pass.check_master_pass(text, hash_pass, master_salt):
return send_tmp_message(bot, mes.chat.id, "Не подходит мастер пароль")
# List of names of accounts, which failed to be added to the database or failed tests

45
src/cryptography/master_pass.py
View File

@ -1,26 +1,35 @@
from typing import overload
import os
import bcrypt
from cryptography.exceptions import InvalidKey
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
_memory_use = 2**14
@overload
def encrypt_master_pass(passwd: str, salt: bytes) -> bytes:
...
def _get_kdf(salt: bytes) -> Scrypt:
kdf = Scrypt(
salt=salt,
length=128,
n=_memory_use,
r=8,
p=1,
)
return kdf
@overload
def encrypt_master_pass(passwd: str) -> tuple[bytes, bytes]:
...
def encrypt_master_pass(
passwd: str, salt: bytes | None = None
) -> tuple[bytes, bytes] | bytes:
"""Hashes master password and return tuple of hashed password and salt"""
if salt is None:
salt = bcrypt.gensalt()
gened_salt = True
salt = os.urandom(64)
kdf = _get_kdf(salt)
return kdf.derive(passwd.encode("utf-8")), salt
def check_master_pass(passwd: str, enc_pass: bytes, salt: bytes) -> bool:
"""Checks if the master password is correct"""
kdf = _get_kdf(salt)
try:
kdf.verify(passwd.encode("utf-8"), enc_pass)
except InvalidKey:
return False
else:
gened_salt = False
hashed = bcrypt.hashpw(passwd.encode("utf-8"), salt)
return (hashed, salt) if gened_salt else hashed
return True

11
src/cryptography/other_accounts.py
View File

@ -1,6 +1,5 @@
import base64
import bcrypt
import os
from cryptography.fernet import Fernet
from cryptography.hazmat.backends import default_backend
@ -23,9 +22,9 @@ def _generate_key(salt: bytes, master_pass: bytes) -> bytes:
def encrypt_account_info(
login: str, passwd: str, master_pass: bytes
) -> tuple[bytes, bytes, bytes]:
"""Encrypts login and password of a user using hash of their master password as a key.
Returns a tuple of encrypted login password and salt"""
salt = bcrypt.gensalt()
"""Encrypts login and password of a user using their master password as a key.
Returns a tuple of encrypted login, password and salt"""
salt = os.urandom(64)
key = _generate_key(salt, master_pass)
f = Fernet(key)
enc_login = f.encrypt(login.encode("utf-8"))
@ -36,6 +35,8 @@ def encrypt_account_info(
def decrypt_account_info(
enc_login: bytes, enc_pass: bytes, master_pass: bytes, salt: bytes
) -> tuple[str, str]:
"""Decrypts login and password using their master password as a key.
Returns a tuple of decrypted login and password"""
key = _generate_key(salt, master_pass)
f = Fernet(key)
login_bytes = f.decrypt(enc_login)

10
src/database/models.py
View File

@ -8,10 +8,10 @@ class MasterPass(sqlmodel.SQLModel, table=True):
id: Optional[int] = sqlmodel.Field(primary_key=True)
user_id: int = sqlmodel.Field(nullable=False, index=True, unique=True)
salt: bytes = sqlmodel.Field(
sa_column=sqlmodel.Column(sqlmodel.VARBINARY(255), nullable=False)
sa_column=sqlmodel.Column(sqlmodel.BINARY(64), nullable=False)
)
passwd: bytes = sqlmodel.Field(
sa_column=sqlmodel.Column(sqlmodel.VARBINARY(255), nullable=False)
sa_column=sqlmodel.Column(sqlmodel.BINARY(128), nullable=False)
)
@ -22,11 +22,11 @@ class Account(sqlmodel.SQLModel, table=True):
user_id: int = sqlmodel.Field(nullable=False, index=True)
name: str = sqlmodel.Field(nullable=False, index=True, max_length=255)
salt: bytes = sqlmodel.Field(
sa_column=sqlmodel.Column(sqlmodel.VARBINARY(255), nullable=False)
sa_column=sqlmodel.Column(sqlmodel.BINARY(64), nullable=False)
)
enc_login: bytes = sqlmodel.Field(
sa_column=sqlmodel.Column(sqlmodel.VARBINARY(255), nullable=False)
sa_column=sqlmodel.Column(sqlmodel.VARBINARY(500), nullable=False)
)
enc_pass: bytes = sqlmodel.Field(
sa_column=sqlmodel.Column(sqlmodel.VARBINARY(255), nullable=False)
sa_column=sqlmodel.Column(sqlmodel.VARBINARY(500), nullable=False)
)