crypt.py 3.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120
  1. """Wrapper to the POSIX crypt library call and associated functionality."""
  2. import sys as _sys
  3. try:
  4. import _crypt
  5. except ModuleNotFoundError:
  6. if _sys.platform == 'win32':
  7. raise ImportError("The crypt module is not supported on Windows")
  8. else:
  9. raise ImportError("The required _crypt module was not built as part of CPython")
  10. import errno
  11. import string as _string
  12. from random import SystemRandom as _SystemRandom
  13. from collections import namedtuple as _namedtuple
  14. _saltchars = _string.ascii_letters + _string.digits + './'
  15. _sr = _SystemRandom()
  16. class _Method(_namedtuple('_Method', 'name ident salt_chars total_size')):
  17. """Class representing a salt method per the Modular Crypt Format or the
  18. legacy 2-character crypt method."""
  19. def __repr__(self):
  20. return '<crypt.METHOD_{}>'.format(self.name)
  21. def mksalt(method=None, *, rounds=None):
  22. """Generate a salt for the specified method.
  23. If not specified, the strongest available method will be used.
  24. """
  25. if method is None:
  26. method = methods[0]
  27. if rounds is not None and not isinstance(rounds, int):
  28. raise TypeError(f'{rounds.__class__.__name__} object cannot be '
  29. f'interpreted as an integer')
  30. if not method.ident: # traditional
  31. s = ''
  32. else: # modular
  33. s = f'${method.ident}$'
  34. if method.ident and method.ident[0] == '2': # Blowfish variants
  35. if rounds is None:
  36. log_rounds = 12
  37. else:
  38. log_rounds = int.bit_length(rounds-1)
  39. if rounds != 1 << log_rounds:
  40. raise ValueError('rounds must be a power of 2')
  41. if not 4 <= log_rounds <= 31:
  42. raise ValueError('rounds out of the range 2**4 to 2**31')
  43. s += f'{log_rounds:02d}$'
  44. elif method.ident in ('5', '6'): # SHA-2
  45. if rounds is not None:
  46. if not 1000 <= rounds <= 999_999_999:
  47. raise ValueError('rounds out of the range 1000 to 999_999_999')
  48. s += f'rounds={rounds}$'
  49. elif rounds is not None:
  50. raise ValueError(f"{method} doesn't support the rounds argument")
  51. s += ''.join(_sr.choice(_saltchars) for char in range(method.salt_chars))
  52. return s
  53. def crypt(word, salt=None):
  54. """Return a string representing the one-way hash of a password, with a salt
  55. prepended.
  56. If ``salt`` is not specified or is ``None``, the strongest
  57. available method will be selected and a salt generated. Otherwise,
  58. ``salt`` may be one of the ``crypt.METHOD_*`` values, or a string as
  59. returned by ``crypt.mksalt()``.
  60. """
  61. if salt is None or isinstance(salt, _Method):
  62. salt = mksalt(salt)
  63. return _crypt.crypt(word, salt)
  64. # available salting/crypto methods
  65. methods = []
  66. def _add_method(name, *args, rounds=None):
  67. method = _Method(name, *args)
  68. globals()['METHOD_' + name] = method
  69. salt = mksalt(method, rounds=rounds)
  70. result = None
  71. try:
  72. result = crypt('', salt)
  73. except OSError as e:
  74. # Not all libc libraries support all encryption methods.
  75. if e.errno == errno.EINVAL:
  76. return False
  77. raise
  78. if result and len(result) == method.total_size:
  79. methods.append(method)
  80. return True
  81. return False
  82. _add_method('SHA512', '6', 16, 106)
  83. _add_method('SHA256', '5', 16, 63)
  84. # Choose the strongest supported version of Blowfish hashing.
  85. # Early versions have flaws. Version 'a' fixes flaws of
  86. # the initial implementation, 'b' fixes flaws of 'a'.
  87. # 'y' is the same as 'b', for compatibility
  88. # with openwall crypt_blowfish.
  89. for _v in 'b', 'y', 'a', '':
  90. if _add_method('BLOWFISH', '2' + _v, 22, 59 + len(_v), rounds=1<<4):
  91. break
  92. _add_method('MD5', '1', 8, 34)
  93. _add_method('CRYPT', None, 2, 13)
  94. del _v, _add_method