hN dZddlmZmZddlmZddlmZddlZddl Z ddl Z e je Z ddlmZdadadadaddlmZddlmZmZmZdd lmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%dd l&m'Z'dd l(m)Z)dd l(m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/ddl0m1cm2Z3d gZ4e*dZ5e*dZ6e*dZ7e*dZ8e*dZ9dZ:dZ;dZ<Gdde3jze3j|e3j~e3je3je3jZCGddeCZDGddeCZEGddeCZFGddeCZGGd d!eCZHGd"d#eCZIGd$d eDeCZJe*d%ZKGd&d'eJZLGd(d)eLZMy)*zpasslib.bcrypt -- implementation of OpenBSD's BCrypt algorithm. TODO: * support 2x and altered-2a hashes? http://www.openwall.com/lists/oss-security/2011/06/27/9 * deal with lack of PY3-compatibile c-ext implementation )with_statementabsolute_import) b64encode)sha256N)warn) compile_hmac)PasslibHashWarningPasslibSecurityWarningPasslibSecurityError) safe_crypt repeat_stringto_bytes parse_versionrng getrandstr test_crypt to_unicode utf8_truncateutf8_repeat_stringcrypt_accepts_bytes)bcrypt64)get_unbound_method_function)u uascii_to_strunicode str_to_uasciiPY3 error_frombcryptz$2$z$2a$z$2x$z$2y$z$2b$z<$2a$04$5BJqKfqMQvV7nS.yUguNcueVirQqDBGaLXSqj.rs.pZPlNR0UX/HKcX ddl} ddlm}y#t$rYywxYw#t$rYywxYw)a! internal helper which tries to distinguish pybcrypt vs bcrypt. :returns: True if cext-based py-bcrypt, False if ffi-based bcrypt, None if 'bcrypt' module not found. .. versionchanged:: 1.6.3 Now assuming bcrypt installed, unless py-bcrypt explicitly detected. Previous releases assumed py-bcrypt by default. Making this change since py-bcrypt is (apparently) unmaintained and static, whereas bcrypt is being actively maintained, and it's internal structure may shift. rN) __version__FT)r ImportErrorbcrypt._bcryptr")rr"s Y/var/www/html/Resume-Scraper/venv/lib/python3.12/site-packages/passlib/handlers/bcrypt.py_detect_pybcryptr&7s@(.   s  ))c eZdZdZdZdZdZejZ e Z e e eee fZede ede edeede iZd xZZejZd Zd Zd ZdZd ZdZdZdZdZdZdZ e Z!dZ"e#dZ$dZ%dZ&e#fdZ'e#dZ(e#fdZ)e#fdZ*dfd Z+dZ,e#dZ-dZ.e#ddZ/xZ0S) _BcryptCommona& Base class which implements brunt of BCrypt code. This is then subclassed by the various backends, to override w/ backend-specific methods. When a backend is loaded, the bases of the 'bcrypt' class proper are modified to prepend the correct backend-specific subclass. r)saltroundsidenttruncate_error22a2y2bz.Oeu log2HFc:|j|\}}|tk(r td|jt d\}}t |}|t d|fzk7r t jj|d|dd|dd}}||||xsd|S)Nz>crypt_blowfish's buggy '2x' hashes are not currently supported$z%02dzmalformed cost fieldr2)r*r)checksumr+) _parse_identIDENT_2X ValueErrorsplitrintuhexcMalformedHashError) clshashr+tail rounds_strdatar*r)chks r% from_stringz_BcryptCommon.from_strings&&t, t H 34 4::af- DZ 6fY. .&&++C1GH H"ItBCyc[D   ctd|j|j|j|jfz}t |S)Nz %s%02d$%s%s)rr+r*r)r9r)selfrCs r% to_stringz_BcryptCommon.to_strings54::t{{DIIt}}"UUT""rIcbtd||j|jfz}t|S)z5internal helper to prepare config string for backendsz %s%02d$%s)rr*r)r)rKr+configs r% _get_configz_BcryptCommon._get_configs*;5$++tyy"AAV$$rIc t|tr|jd}|jtr|d|j vryt t|"|fi|S)NasciiT) isinstancebytesdecode startswithIDENT_2Afinal_salt_charssuperr( needs_update)rBrCkwds __class__s r%rZz_BcryptCommon.needs_updatesV dE ";;w'D ??8 $b9M9M)M ]C5dCdCCrIcf|j|r|j|jS|S)z.safe_verify,sd &fd++ &&%66.. & X!64$@%%  &s A reference hash is the incorrectly generated $2x$ hash taken from above url sёrQs805$6bNw2HLQYeqHYyBfLMsv/OiwqTymGIGzFsA4hOTWebfehXHNprcASs805$6bNw2HLQYeqHYyBfLMsv/OUcZd0LKP39b87nBw3.S2tVZSqiQX6euz.passlib.hash.bcrypt: Your installation of the zM backend is vulnerable to the crypt_blowfish 8-bit bug (CVE-2011-2483) under z@ hashes, and should be upgraded or replaced with another backend backend failed to verify z 8bit hashN)encoder RuntimeErrorr+rtbug_hash correct_hashrurws r%assert_lacks_8bit_bugzD_BcryptCommon._finalize_backend_mixin..assert_lacks_8bit_bugBs0!F||G,/jjH <<03nnLfh'+RYZ_abb&,/"QXZ_#`aa0rIcddd}|jddz}||ry|jddz}||std|d y ) a> check for bsd wraparound bug (fixed in 2b) this is treated as a warning, because it's rare in the field, and pybcrypt (as of 2015-7-21) is unpatched, but some people may be stuck with it. test cases from NOTE: reference hash is of password "0"*72 NOTE: if in future we need to deliberately create hashes which have this bug, can use something like 'hashpw(repeat_string(secret[:((1+secret) % 256) or 1]), 72)' s01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789NrQs804$R1lJ2gkNaoPGdafE.H.16.nVyh2niHsGJhayOHLMiXlI45o8/DU.6Ts804$R1lJ2gkNaoPGdafE.H.16.1MKHPvmKwryeulRe225LKProWYwt9Oirzz wraparound hashF)r{r|r}s r%detect_wrap_bugz>_BcryptCommon._finalize_backend_mixin..detect_wrap_buglsg'-F||G,/jjHfh'!<<03nnL&,/"W^`e#fggrIc6|sytd|)Nz- backend unexpectedly has wraparound bug for )r|)r+rurs r%assert_lacks_wrap_bugzD_BcryptCommon._finalize_backend_mixin..assert_lacks_wrap_bugs""5)V]_def frIs;$2$04$5BJqKfqMQvV7nS.yUguNcuRfMMOXK0xPWavM7pOzjEi5ze5T1k8/Stestz1%r backend lacks $2$ support, enabling workaroundz %s incorrectly rejected $2$ hashz %s lacks support for $2a$ hashesz!%s incorrectly rejected $2a$ hashos_cryptz;%r backend has $2a$ bsd wraparound bug, enabling workaroundzpasslib.hash.bcrypt: Your installation of the %r backend is vulnerable to the bsd wraparound bug, and should be upgraded or replaced with another backend (enabling workaround for now).r/r0z2%r backend lacks $2y$ support, enabling workaroundz!%s incorrectly rejected $2y$ hashr1z2%r backend lacks $2b$ support, enabling workaroundz!%s incorrectly rejected $2b$ hash)r_backend_mixin_map_workrounds_initializedrwr<r?r@MissingBackendError _bcryptorengine SaltErrorrp_lacks_20_supportrrrsr| TEST_HASH_2ArWrr _has_2a_wraparound_bugreplace_lacks_2y_supportIDENT_2Y_lacks_2b_supportIDENT_2B_fallback_ident) mixin_clsrudryrunrxrr test_hash_20result test_hash_2y test_hash_2brrvrws ` @@@r%_finalize_backend_mixinz%_BcryptCommon._finalize_backend_mixinsSF55g>> @ ? @  , ,!!!;!;<  )**446 6I &,( bT 6 gV V\2 ^ #*.I ' III7 SAGKL L V\2 ^ #AGKL LBWLM M !( +x(j(II[]de:=DD66 8 48 0 $++D$7 V\2 ^ #*.I ' IIJG TBWLM M "( + !( +$++D$7 V\2 ^ #*.I ' IIJG T-1 )BWLM M(0I % !( + !( +-1 )rIcR|j||j|jS)z common helper for backends to implement _calc_checksum(). takes in secret, returns (secret, ident) pair, )new)_norm_digest_argsr+ use_defaultsrKrts r%_prepare_digest_argsz"_BcryptCommon._prepare_digest_argss& %%fdjjd>O>O%PPrIc|j}t|tr|jd}n|r |j dt j||r|j|t|vrt jj||jr"t|dk\r|r t|d}n|dd}|tk(r ||fS|t k(r|j"r |j$}||fS|t&k(r|j(r |j$}||fS|t*k(r9|j,r)|r|r t/|d}n t1|d}|j$}||fS|t2k(r t5dt7d|z#t $rd}YGwxYw)Nutf-8Frr6z.$2x$ hashes not currently supported by passlibzunexpected ident value: %r)_require_valid_utf8_bytesrSrr{rUUnicodeDecodeErrorr?validate_secret_check_truncate_policy_BNULLr@NullPasswordErrorrlenrrWrrrrrIDENT_2rrr r;r|AssertionError)rBrtr+rrequire_valid_utf8_bytess r%rz_BcryptCommon._norm_digest_argss$'#@#@ fg &]]7+F % 1 g& 6"   & &v . V &&**3/ /  % %#f+*<' 'vr2 H  Pu}Mh $$ ++@u}=h $$++4u}1g $$/"4FB!?!.vr!:++u}h OP P!!=!EF FW& 1,1( 1sE<< F  F )F)1__name__ __module__ __qualname____doc__name setting_kwds checksum_sizercharmapchecksum_charsr default_identrrWr;r ident_valuesr ident_aliases min_salt_size max_salt_size salt_charsrXdefault_rounds min_rounds max_rounds rounds_cost truncate_sizerrrrrrr classmethodrHrLrOrZr`rcrfrk_no_backend_suggestionrrr __classcell__r\s@r%r(r(^s| D@L M%%N MXx8DLsVWagx!D'8tWh(M %'&MM!!J NJJK M$"O %   "# % D D$,,    4YCCVQWWrIr(c"eZdZdZfdZxZS) _NoBackendz mixin used before any backend has been loaded. contains stubs that force loading of one of the available backends. cJ|jtt||Srb)_stub_requires_backendrYr_calc_checksum)rKrtr\s r%rz_NoBackend._calc_checksumNs# ##%VT1&99rI)rrrrrrrs@r%rrFs::rIrc&eZdZdZedZdZy)_BcryptBackendz- backend which uses 'bcrypt' package ctry ddla tjj }t jd||j||S#t$rYywxYw#t jddd}YTxYw)NFrz&(trapped) error reading bcrypt versionTrn z%detected 'bcrypt' backend, version %r) r&r_bcryptr# __about__r"rrwarningrsr)rrrversions r%_load_backend_mixinz"_BcryptBackend._load_backend_mixin`s    $ "''33G 97C00v>>   " KK@4K P!GsAA# A A #Bc|j|\}}|j|}t|tr|j d}t j ||}t|tsJ|j|rt|t|dzk7r#tjj|||d|ddjdS)NrQr-z`bcrypt` packagesource)rrOrSrr{rhashpwrTrVrr?r@CryptBackendErrorrUrKrtr+rNrCs r%rz_BcryptBackend._calc_checksums 11&9 !!%( fg &]]7+F~~ff-$&&v&#d)s6{2~*E&&**4FX*Y YCDz  ))rINrrrrrrrrIr%rr[s!??J *rIrc&eZdZdZedZdZy)_BcryptorBackendz/ backend which uses 'bcryptor' package cr ddla|stdt|j ||S#t$rYywxYw)NrFzqSupport for `bcryptor` is deprecated, and will be removed in Passlib 1.8; Please use `pip install bcrypt` instead)bcryptorrr#rDeprecationWarningrrrrs r%rz$_BcryptorBackend._load_backend_mixinsI  (  ;>  s * 66cb|j|\}}|j|}tjj dj ||}|j |rt|t|dzk7r#tjj|||dt|ddS)NFr-zbcryptor libraryrr) rrOrrEnginehash_keyrVrr?r@rrrs r%rz_BcryptorBackend._calc_checksums 11&9 !!%(&&u-66vvFv&#d)s6{R7G*G&&**4FX*Y YT#$Z((rINrrrIr%rrs  ? ? )rIrc4eZdZdZdZedZdZdZeZ y)_PyBcryptBackendz/ backend which uses 'pybcrypt' package Nctsy ddla|st dt  tj j}tjd|t|xsd }|d krft d |ztjj|jddl}|j#|_t%|j&|_|j+||S#t$rYywxYw#tjddd}YxYw) NFrzrSupport for `py-bcrypt` is deprecated, and will be removed in Passlib 1.8; Please use `pip install bcrypt` insteadz((trapped) error reading pybcrypt versionTrnrz'detected 'pybcrypt' backend, version %r)rr)rzapy-bcrypt %s has a major security vulnerability, you should upgrade to py-bcrypt 0.3 immediately.)r&r _pybcryptr#rrrr"rrrrsrr?r@r _calc_lock threadingLockr_calc_checksum_threadsaferr)rrrrvinfors r%rz$_PyBcryptBackend._load_backend_mixins !  &  ; DFF99 ;##+ '0~~'7 $'B9CfCf'gI $00v>>9   " KKBTK R!GsC C/ C,+C,/D ch|j5|j|cdddS#1swYyxYwrb)r_calc_checksum_rawrs r%rz*_PyBcryptBackend._calc_checksum_threadsafes.__ 3**62 3 3 3s(1c0|j|\}}|j|}tj||}|j |rt |t |dzk7r#t jj|||dt|ddS)Nr-zpybcrypt libraryrr) rrOrrrVrr?r@rrrs r%rz#_PyBcryptBackend._calc_checksum_raws 11&9 !!%(/v&#d)s6{R7G*G&&**4FX*Y YT#$Z((rI) rrrrrrrrrrrrIr%rrs2 J$?$?L3 )(NrIrc,eZdZdZe ZedZdZy)_OsCryptBackendz0 backend which uses :func:`crypt.crypt` cHtdtsy|j||S)NrF)rrrrs r%rz#_OsCryptBackend._load_backend_mixin s"&,/00v>>rIc^|j|\}}|j|}t||}|Q|j|rt |t |dzk7r!t j j||||ddStr"t|tr |jdt j j}t j j!d||d||d#t$r*tt j jddwxYw)Nr-rrzpython3 crypt.crypt() ony supports bytes passwords using UTF8; passlib recommends running `pip install bcrypt` for general bcrypt support.z|crypt.crypt() failed for unknown reason; passlib recommends running `pip install bcrypt` for general bcrypt support.(config=z , secret=))rrOr rVrr?r@rrrSrTrUrrPasswordValueErrordebug_only_reprrq)rKrtr+rNrCrs r%rz_OsCryptBackend._calc_checksums 11&9 !!%(&&)  ??6*c$i3v;;K.Kff..tVTBB:  :fe,  g&*&&00ff)))8(?QWAX Z +&  !:!:b" s C993D,N) rrrrrrrrrrrIr%rrs) %8 7?? 7rIrc&eZdZdZedZdZy)_BuiltinBackendzA backend which uses passlib's pure-python implementation cddlm}|tjj dst j dyddlma |j||S)Nr)as_boolPASSLIB_BUILTIN_BCRYPTz@bcrypt 'builtin' backend not enabled via $PASSLIB_BUILTIN_BCRYPTF) raw_bcrypt) passlib.utilsrosenvirongetrrrspasslib.crypto._blowfishr_builtin_bcryptr)rrrrs r%rz#_BuiltinBackend._load_backend_mixinSsA)rzz~~&>?@ IIX YJ00v>>rIc|j|\}}t||dd|jjd|j}|j dS)NrQ)rrr)r{r*rU)rKrtr+rGs r%rz_BuiltinBackend._calc_checksum]sR11&9 feAbk"ii..w7Fzz'""rINrrrIr%rrOs ??#rIrc*eZdZdZdZdZeeee e e dZ y)ra This class implements the BCrypt password hash, and follows the :ref:`password-hash-api`. It supports a fixed-length salt, and a variable number of rounds. The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords: :type salt: str :param salt: Optional salt string. If not specified, one will be autogenerated (this is recommended). If specified, it must be 22 characters, drawn from the regexp range ``[./0-9A-Za-z]``. :type rounds: int :param rounds: Optional number of rounds to use. Defaults to 12, must be between 4 and 31, inclusive. This value is logarithmic, the actual number of iterations used will be :samp:`2**{rounds}` -- increasing the rounds by +1 will double the amount of time taken. :type ident: str :param ident: Specifies which version of the BCrypt algorithm will be used when creating a new hash. Typically this option is not needed, as the default (``"2b"``) is usually the correct choice. If specified, it must be one of the following: * ``"2"`` - the first revision of BCrypt, which suffers from a minor security flaw and is generally not used anymore. * ``"2a"`` - some implementations suffered from rare security flaws, replaced by 2b. * ``"2y"`` - format specific to the *crypt_blowfish* BCrypt implementation, identical to ``"2b"`` in all but name. * ``"2b"`` - latest revision of the official BCrypt algorithm, current default. :param bool truncate_error: By default, BCrypt will silently truncate passwords larger than 72 bytes. Setting ``truncate_error=True`` will cause :meth:`~passlib.ifc.PasswordHash.hash` to raise a :exc:`~passlib.exc.PasswordTruncateError` instead. .. versionadded:: 1.7 :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``rounds`` that are too small or too large, and ``salt`` strings that are too long. .. versionadded:: 1.6 .. versionchanged:: 1.6 This class now supports ``"2y"`` hashes, and recognizes (but does not support) the broken ``"2x"`` hashes. (see the :ref:`crypt_blowfish bug ` for details). .. versionchanged:: 1.6 Added a pure-python backend. .. versionchanged:: 1.6.3 Added support for ``"2b"`` variant. .. versionchanged:: 1.7 Now defaults to ``"2b"`` variant. )rpybcryptrrbuiltinT)Nrr rrr N) rrrrbackends_backend_mixin_targetrrrrrrrrrIr%rrfs5@VIH! $$#" rIr8cVeZdZdZedej DZdZedZ y)_wrapped_bcryptz abstracts out some bits bcrypt_sha256 & django_bcrypt_sha256 share. - bypass backend-loading wrappers for hash() etc - disable truncation support, sha256 wrappers don't need it. c#*K|] }|dvs| yw))r,Nr).0elems r% z_wrapped_bcrypt.s`$M_A_`s Ncyrbr)rBrts r%rz&_wrapped_bcrypt._check_truncate_policys rI) rrrrtuplerrrrrrrIr%rrs8 `&*=*=``LM&  rIrc6eZdZdZdZeefZdeZeZ e ddgZ dZ e dfd ZedZej$dZej$dZe d Ze d Zed Zed Zd Zdfd Ze dZfdZfdZxZS) bcrypt_sha256a This class implements a composition of BCrypt + HMAC_SHA256, and follows the :ref:`password-hash-api`. It supports a fixed-length salt, and a variable number of rounds. The :meth:`~passlib.ifc.PasswordHash.hash` and :meth:`~passlib.ifc.PasswordHash.genconfig` methods accept all the same optional keywords as the base :class:`bcrypt` hash. .. versionadded:: 1.6.2 .. versionchanged:: 1.7 Now defaults to ``"2b"`` bcrypt variant; though supports older hashes generated using the ``"2a"`` bcrypt variant. .. versionchanged:: 1.7.3 For increased security, updated to use HMAC-SHA256 instead of plain SHA256. Now only supports the ``"2b"`` bcrypt variant. Hash format updated to "v=2". cdtfdtjjDS)Nc30K|] }|dvr|yw)r Nr)ritemrs r%rz)bcrypt_sha256...s&/K26q'\2I04/Ks)dictrritems)rs`r%zbcrypt_sha256.s*$/K@T@T@Z@Z@\/K+KrIr c tt| di|}||j||_|j }|jdkDr$|t k7rtd|d|j|S)Nr zbcrypt z hashes not allowed for version r)rYrusing _norm_versionrrrr<)rBrr[subclsr+r\s r%r"zbcrypt_sha256.using,sm}c0848  #11':FN$$ >>A %8"3#V^^56 6 rIz$bcrypt-sha256$z(?x) ^ [$]bcrypt-sha256[$] v=(?P\d+), t=(?P2b), r=(?P\d{1,2}) [$](?P[^$]{22}) (?:[$](?P[^$]{31}))? $ z(?x) ^ [$]bcrypt-sha256[$] (?P2[ab]), (?P\d{1,2}) [$](?P[^$]{22}) (?:[$](?P[^$]{31}))? $ chtj|}|sy|j|jS)NF)r?to_unicode_for_identifyrVprefixr_s r%r^zbcrypt_sha256.identifyas+))$/szz**rIc t|dd}|j|jstjj ||j j|}|r>t|jd}|dkr^tjj||jj|}|rd}ntjj||jd}|jtjr2|tjk7rtjj||||jdt||jd|jd  S) NrQrCrr r r*typer)digest)rr+r*r)r9)rrVr'r?r@InvalidHashError _v2_hash_rematchr>grouprA _v1_hash_re_UZEROZeroPaddedRoundsError)rBrCmrr*s r%rHzbcrypt_sha256.from_stringhs%$0szz*&&))#. . OO ! !$ ' !''),-G{ff//44%%d+Aff//44"   RYY 'Fbii,?&&..s3 3''&/v;WWX&   rIz"$bcrypt-sha256$v=2,t=%s,r=%d$%s$%sz$bcrypt-sha256$%s,%d$%s$%sc|jdk(r |j}n |j}||jj t |j |j|jfz}t|S)Nr ) r _v1_template _v2_templater+strip_UDOLLARr*r)r9r)rKtemplaterCs r%rLzbcrypt_sha256.to_strings] <<1 ((H((H4::++H5t{{DIIt}}]]T""rIc \||j||_tt|di|y)Nr)r#rrYr__init__)rKrr[r\s r%r:zbcrypt_sha256.__init__s-  --g6DL mT+3d3rIcV||jvrt|jd||S)Nz": unknown or unsupported version: )_supported_versionsr<r)rBrs r%r#zbcrypt_sha256._norm_versions* #11 1SZ[\ \rIcft|tr|jd}|jdk(rt |j }nI|j }|d|jvr tdtd|jd|}t|}tt|7|S)Nrr r zinvalid salt stringrrQ)rSrr{rrr*r)rXr<rrrYrr)rKrtr*r)keyr\s r%rzbcrypt_sha256._calc_checksums fg &]]7+F <<1 F^**,F99DBxt444!!677A\(DKK,@A&IF]D8==rIc p|jt|jkrytt|di|S)NTr)rr)rYr_calc_needs_update)rKr[r\s r%r@z bcrypt_sha256._calc_needs_updates1 <<$t*,, ,]D<DtDDrIrb)rrrrrrWrrrrsetr<rrr"rr'recompiler,r/r^rHr5r4rLr:r#rr@rrs@r%rrs8 D h'LKLXZMM q!f+G 6 !F"**   K"**  K++   49:L12L#4%>VEErIr)Nr __future__rrbase64rhashlibrrrBlogging getLoggerrrrwarningsrrrrrpasslib.crypto.digestr passlib.excr r r rr r rrrrrrrrrpasslib.utils.binaryrpasslib.utils.compatrrrrrrrpasslib.utils.handlersutilshandlersr?__all__rrWr;rrrrr&SubclassBackendMixin TruncateMixin HasManyIdents HasRoundsHasSaltGenericHandlerr(rrrrrrrr7rrrrIr%rXs7 'g''1    .XXQQQQ*<ZZ##   E( V9 V9 V9 V9 N "NcB++R-=-=r?O?OLL"**b.?.?cP : :*8*]8*z)})HC(}C(PFmFV#m#.YZYD S6 f FdEOdErI