1"""Wrapper to the POSIX crypt library call and associated functionality.""" 2 3import sys as _sys 4 5try: 6 import _crypt 7except ModuleNotFoundError: 8 if _sys.platform == 'win32': 9 raise ImportError("The crypt module is not supported on Windows") 10 else: 11 raise ImportError("The required _crypt module was not built as part of CPython") 12 13import errno 14import string as _string 15import warnings 16from random import SystemRandom as _SystemRandom 17from collections import namedtuple as _namedtuple 18 19 20warnings._deprecated(__name__, remove=(3, 13)) 21 22 23_saltchars = _string.ascii_letters + _string.digits + './' 24_sr = _SystemRandom() 25 26 27class _Method(_namedtuple('_Method', 'name ident salt_chars total_size')): 28 29 """Class representing a salt method per the Modular Crypt Format or the 30 legacy 2-character crypt method.""" 31 32 def __repr__(self): 33 return '<crypt.METHOD_{}>'.format(self.name) 34 35 36def mksalt(method=None, *, rounds=None): 37 """Generate a salt for the specified method. 38 39 If not specified, the strongest available method will be used. 40 41 """ 42 if method is None: 43 method = methods[0] 44 if rounds is not None and not isinstance(rounds, int): 45 raise TypeError(f'{rounds.__class__.__name__} object cannot be ' 46 f'interpreted as an integer') 47 if not method.ident: # traditional 48 s = '' 49 else: # modular 50 s = f'${method.ident}$' 51 52 if method.ident and method.ident[0] == '2': # Blowfish variants 53 if rounds is None: 54 log_rounds = 12 55 else: 56 log_rounds = int.bit_length(rounds-1) 57 if rounds != 1 << log_rounds: 58 raise ValueError('rounds must be a power of 2') 59 if not 4 <= log_rounds <= 31: 60 raise ValueError('rounds out of the range 2**4 to 2**31') 61 s += f'{log_rounds:02d}$' 62 elif method.ident in ('5', '6'): # SHA-2 63 if rounds is not None: 64 if not 1000 <= rounds <= 999_999_999: 65 raise ValueError('rounds out of the range 1000 to 999_999_999') 66 s += f'rounds={rounds}$' 67 elif rounds is not None: 68 raise ValueError(f"{method} doesn't support the rounds argument") 69 70 s += ''.join(_sr.choice(_saltchars) for char in range(method.salt_chars)) 71 return s 72 73 74def crypt(word, salt=None): 75 """Return a string representing the one-way hash of a password, with a salt 76 prepended. 77 78 If ``salt`` is not specified or is ``None``, the strongest 79 available method will be selected and a salt generated. Otherwise, 80 ``salt`` may be one of the ``crypt.METHOD_*`` values, or a string as 81 returned by ``crypt.mksalt()``. 82 83 """ 84 if salt is None or isinstance(salt, _Method): 85 salt = mksalt(salt) 86 return _crypt.crypt(word, salt) 87 88 89# available salting/crypto methods 90methods = [] 91 92def _add_method(name, *args, rounds=None): 93 method = _Method(name, *args) 94 globals()['METHOD_' + name] = method 95 salt = mksalt(method, rounds=rounds) 96 result = None 97 try: 98 result = crypt('', salt) 99 except OSError as e: 100 # Not all libc libraries support all encryption methods. 101 if e.errno in {errno.EINVAL, errno.EPERM, errno.ENOSYS}: 102 return False 103 raise 104 if result and len(result) == method.total_size: 105 methods.append(method) 106 return True 107 return False 108 109_add_method('SHA512', '6', 16, 106) 110_add_method('SHA256', '5', 16, 63) 111 112# Choose the strongest supported version of Blowfish hashing. 113# Early versions have flaws. Version 'a' fixes flaws of 114# the initial implementation, 'b' fixes flaws of 'a'. 115# 'y' is the same as 'b', for compatibility 116# with openwall crypt_blowfish. 117for _v in 'b', 'y', 'a', '': 118 if _add_method('BLOWFISH', '2' + _v, 22, 59 + len(_v), rounds=1<<4): 119 break 120 121_add_method('MD5', '1', 8, 34) 122_add_method('CRYPT', None, 2, 13) 123 124del _v, _add_method 125