crypt.py 3.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124
  1. """Wrapper to the POSIX crypt library call and associated functionality."""
  2. import sys as _sys
  3. try:
  4. import _crypt
  5. except ModuleNotFoundError:
  6. if _sys.platform == 'win32':
  7. raise ImportError("The crypt module is not supported on Windows")
  8. else:
  9. raise ImportError("The required _crypt module was not built as part of CPython")
  10. import errno
  11. import string as _string
  12. import warnings
  13. from random import SystemRandom as _SystemRandom
  14. from collections import namedtuple as _namedtuple
  15. warnings._deprecated(__name__, remove=(3, 13))
  16. _saltchars = _string.ascii_letters + _string.digits + './'
  17. _sr = _SystemRandom()
  18. class _Method(_namedtuple('_Method', 'name ident salt_chars total_size')):
  19. """Class representing a salt method per the Modular Crypt Format or the
  20. legacy 2-character crypt method."""
  21. def __repr__(self):
  22. return '<crypt.METHOD_{}>'.format(self.name)
  23. def mksalt(method=None, *, rounds=None):
  24. """Generate a salt for the specified method.
  25. If not specified, the strongest available method will be used.
  26. """
  27. if method is None:
  28. method = methods[0]
  29. if rounds is not None and not isinstance(rounds, int):
  30. raise TypeError(f'{rounds.__class__.__name__} object cannot be '
  31. f'interpreted as an integer')
  32. if not method.ident: # traditional
  33. s = ''
  34. else: # modular
  35. s = f'${method.ident}$'
  36. if method.ident and method.ident[0] == '2': # Blowfish variants
  37. if rounds is None:
  38. log_rounds = 12
  39. else:
  40. log_rounds = int.bit_length(rounds-1)
  41. if rounds != 1 << log_rounds:
  42. raise ValueError('rounds must be a power of 2')
  43. if not 4 <= log_rounds <= 31:
  44. raise ValueError('rounds out of the range 2**4 to 2**31')
  45. s += f'{log_rounds:02d}$'
  46. elif method.ident in ('5', '6'): # SHA-2
  47. if rounds is not None:
  48. if not 1000 <= rounds <= 999_999_999:
  49. raise ValueError('rounds out of the range 1000 to 999_999_999')
  50. s += f'rounds={rounds}$'
  51. elif rounds is not None:
  52. raise ValueError(f"{method} doesn't support the rounds argument")
  53. s += ''.join(_sr.choice(_saltchars) for char in range(method.salt_chars))
  54. return s
  55. def crypt(word, salt=None):
  56. """Return a string representing the one-way hash of a password, with a salt
  57. prepended.
  58. If ``salt`` is not specified or is ``None``, the strongest
  59. available method will be selected and a salt generated. Otherwise,
  60. ``salt`` may be one of the ``crypt.METHOD_*`` values, or a string as
  61. returned by ``crypt.mksalt()``.
  62. """
  63. if salt is None or isinstance(salt, _Method):
  64. salt = mksalt(salt)
  65. return _crypt.crypt(word, salt)
  66. # available salting/crypto methods
  67. methods = []
  68. def _add_method(name, *args, rounds=None):
  69. method = _Method(name, *args)
  70. globals()['METHOD_' + name] = method
  71. salt = mksalt(method, rounds=rounds)
  72. result = None
  73. try:
  74. result = crypt('', salt)
  75. except OSError as e:
  76. # Not all libc libraries support all encryption methods.
  77. if e.errno in {errno.EINVAL, errno.EPERM, errno.ENOSYS}:
  78. return False
  79. raise
  80. if result and len(result) == method.total_size:
  81. methods.append(method)
  82. return True
  83. return False
  84. _add_method('SHA512', '6', 16, 106)
  85. _add_method('SHA256', '5', 16, 63)
  86. # Choose the strongest supported version of Blowfish hashing.
  87. # Early versions have flaws. Version 'a' fixes flaws of
  88. # the initial implementation, 'b' fixes flaws of 'a'.
  89. # 'y' is the same as 'b', for compatibility
  90. # with openwall crypt_blowfish.
  91. for _v in 'b', 'y', 'a', '':
  92. if _add_method('BLOWFISH', '2' + _v, 22, 59 + len(_v), rounds=1<<4):
  93. break
  94. _add_method('MD5', '1', 8, 34)
  95. _add_method('CRYPT', None, 2, 13)
  96. del _v, _add_method