Xc@sdZddlmZmZddlZejeZddlZddl Z ddl m Z e Z e addlmZddlmZddlmZddlmZmZdd lmZmZmZddljjZd gZ yddl!Z Wne"k re Z nXe#e d e Z$e$rBe$Z%e j&j'Z(nd fd YZ%dZ(dej)ej*ej+ej,ej-ej.fdYZ/de/fdYZ0de/fdYZ1de/fdYZ2d e0e/fdYZ!dS(spasslib.handlers.argon2 -- argon2 password hash wrapper References ========== * argon2 - home: https://github.com/P-H-C/phc-winner-argon2 - whitepaper: https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf * argon2 cffi wrapper - pypi: https://pypi.python.org/pypi/argon2_cffi - home: https://github.com/hynek/argon2_cffi * argon2 pure python - pypi: https://pypi.python.org/pypi/argon2pure - home: https://github.com/bwesterb/argon2pure i(twith_statementtabsolute_importN(twarn(texc(t MAX_UINT32(tto_bytes(t b64s_encodet b64s_decode(tutunicodet bascii_to_strtargon2tPasswordHashert_default_settingscBs,eZdZdZdZdZdZdZRS(s dummy object to use as source of defaults when argon2 mod not present. synced w/ argon2 16.1 as of 2016-6-16 iii(t__name__t __module__t__doc__t time_costt memory_costt parallelismtsalt_lenthash_len(((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyR :s it _Argon2Commonc BseZdZdZd Zed ZejZ ed ed fZ ej Z dZ eZejZdZeZdZd"ZeZd#ZdZdZeZejZeZej Z eZ!d#Z"e#d#d#d#d#d#d#d#dZ$e#dZ%e#dZ&e'j(de'j)Z*e#dZ+dZ,ed#d#d#dZ-e#dZ.e#edZ/dZ0dZ1e#dZ2e#d#d#dZ3RS($s& Base class which implements brunt of Argon2 code. This is then subclassed by the various backends, to override w/ backend-specific methods. When a backend is loaded, the bases of the 'argon2' class proper are modified to prepend the correct backend-specific subclass. R tsaltt salt_sizeRtroundsRRRt digest_sizeRs$argon2is $argon2i$s $argon2d$iitlineariic Ks|dk r4d|kr'tdn||d[id])\$ (?: v=(?P\d+) \$ )? m=(?P\d+) , t=(?P\d+) , p=(?P\d+) (?: ,keyid=(?P[^,$]+) )? (?: ,data=(?P[^,$]+) )? (?: \$ (?P[^$]+) (?: \$ (?P.+) )? )? $ c Cs]t|tr!|jd}nt|tsEtj|dn|jj|}|sotj|n|j ddddddd d d \ }}}}}}} } } |rt d n|d |dkd|rt |nddt |dt |dt |d | r&t | ndd | r>t | ndd| rVt | ndS(Nsutf-8R7ttypetversionRRRtkeyidtdataRtdigests&argon2 'keyid' parameter not supportedttype_dtdiRtchecksum(R%R tencodetbytesRtExpectedStringErrort _hash_regextmatchtMalformedHashErrortgrouptNotImplementedErrorR(RR ( R/R7tmR9R:RRRR;R<RR=((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyt from_string8s(-    c Cst|j|j}|j}|dkr4d}n d|}|j}|ridtt|j}nd}d|||j|j|j |tt|j tt|j fS(Nitsv=%d$s,data=s%s%sm=%d,t=%d,p=%d%s$%s$%s( tstrR6R>R:R<R RRRRRR@(tselftidentR:tvstrR<tkdstr((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyt to_stringSs      cKs|jd}|dk r-t||_ntt|j|||_|dkr[n|j||_ |dkr|n|j ||_ |dkrn3t |t stjj|ddn||_dS(NR@RBR<(R$R tlenR*R"Rt__init__R>t _norm_versionR:R+RR%RBR&RtExpectedTypeErrorR<(RMR>R:RR<R0R@((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRSis      cCst|tjs-tjj|ddn|dkr[|dkr[td|fn|j}||jkrtd|j|||jfn|S(NtintegerR:iisinvalid argon2 hash version: %dsk%s: hash version 0x%X not supported by %r backend (max version is 0x%X); try updating or switching backends( R%R&t int_typesRRUR-t get_backendt max_versionR2(R/R:tbackend((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRTs c Cs%tj||d|jddd|S(NRRRR(R&R)R3(R/RR((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyR+scKst|}|jrtS|j}|dks=||jkrI|j}n|j|kr\tS|j|jkrrtS|j|jkrtSt t |j |S(N( R9R>tTruetmin_desired_versionR RYR:RR*R"Rt_calc_needs_update(RMR0R/tminver((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyR]s    s> -- recommend you install one (e.g. 'pip install argon2_cffi')cCs3|j}|dkr/td|tjjntS(s helper called by from backend mixin classes' _load_backend_mixin() -- invoked after backend imports have been loaded, and performs feature detection & testing common to all backends. is6%r doesn't support argon2 v1.3, and should be upgraded(RYRR&RtPasslibSecurityWarningR[(t mixin_clsR2tdryrunRY((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyt_finalize_backend_mixins    cCs|j}|dkr6|dk r6|j|}n|dk r|j|j|j|dkr|jdk rtdqnt|}|dkrd|||f}n t |}t j |d|dS(s} internal helper invoked when backend has hash/verification error; used to adapt to passlib message. t argon2_cffis8argon2_cffi backend doesn't support the 'data' parametersDecoding faileds%s reported: %s: hash=%rtreasonN(sDecoding failed( RXR RJR,RRR<RHRLtreprRRF(R/terrR7RMRZttextRd((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyt_adapt_backend_errors     ( ssalts salt_sizessalt_lensroundss time_costs memory_costs parallelisms digest_sizeshash_leniiN(4RRRR2t setting_kwdsRRNR RR*R6Rtdefault_salt_sizet min_salt_sizeRt max_salt_sizeRtdefault_roundst min_roundst max_roundst rounds_costtmax_parallelismt_default_versionRYR R\R3R.tFalsetpure_use_threadsRR:RR>R<t classmethodR#R,R8tretcompiletXRDRJRQRSRTR+R]t_no_backend_suggestionRbRh(((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRIsd         6 ) t _NoBackendcBs\eZdZedZedZejddddedZdZ RS( s mixin used before any backend has been loaded. contains stubs that force loading of one of the available backends. cCs|j|j|S(N(t_stub_requires_backendR7(R/tsecret((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyR7s cCs|j|j||S(N(R{tverify(R/R|R7((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyR} s t deprecateds1.7tremoveds2.0cCs|j|j||S(N(R{tgenhash(R/R|tconfig((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRs cCs |jtt|j|S(N(R{R"R t_calc_checksum(RMR|((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRs ( RRRRuR7R}R&tdeprecated_methodRR(((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRzs t _CffiBackendcBsSeZdZedZedZedZedZdZRS(s argon2_cffi backend cCsRtdkrtStjj}tjdtj|||_|_ |j ||S(NsOdetected 'argon2_cffi' backend, version %r, with support for 0x%x argon2 hashes( t _argon2_cffiR Rst low_leveltARGON2_VERSIONtlogtdebugt __version__R:RYRb(R`R2RaRY((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyt_load_backend_mixin0s    cCstj|t|d}ybttjjdtjjjd|j d|j d|j dt|j d|j d|SWn(tjjk r}|j|nXdS( Nsutf-8R9RRRRRR|(R&tvalidate_secretRR RRt hash_secrettTypetIRRmRt_generate_saltR*t exceptionst HashingErrorRh(R/R|Rf((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyR7>s     cCstj|t|d}t|d}|jdrLtjjj}ntjjj}y tjj |||}t SWnEtj j k rt Stj jk r}|j|d|nXdS(Nsutf-8tasciis $argon2d$R7(R&RRR5RRRtDRt verify_secretR[RtVerifyMismatchErrorRstVerificationErrorRh(R/R|R7R9tresultRf((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyR}Qs cCstj|t|d}|j|}|jrFtjjj}ntjjj }yat tjj d|d|j d|j d|jdt|jd|jd|d |j}Wn.tjjk r}|j|d |nX|jd kr |jd d }n|S(Nsutf-8R9RRRRRR|R:R7is$v=16$t$(R&RRRJR>RRRRRR RRRRRR*R:RRRhtreplace(R/R|RRMR9RRf((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRfs*      cCstddS(Ns-shouldn't be called under argon2_cffi backend(tAssertionError(RMR|((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRs( RRRRuRR7R}RR(((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyR(s  t _PureBackendcBs&eZdZedZdZRS(s argon2pure backend cCsyddlaWntk r$tSXyddlm}Wntk rZtjdtSXtjd||stdt j n||_ |_ |j ||S(Ni(tARGON2_DEFAULT_VERSIONs\detected 'argon2pure' backend, but package is too old (passlib requires argon2pure >= 1.2.3)sBdetected 'argon2pure' backend, with support for 0x%x argon2 hashessUsing argon2pure backend, which is 100x+ slower than is required for adequate security. Installing argon2_cffi (via 'pip install argon2_cffi') is strongly recommended(t argon2puret _argon2puret ImportErrorRsRRtwarningRRRR_R:RYRb(R`R2RaRY((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRs      cCstj|t|d}|jr1tj}n tj}td|d|jd|j d|j d|j d|j d|d |j }|jd kr|j|d RtARGON2DtARGON2ItdictRRRRR*R:R.RtR[R<R t Argon2ErrorRh(RMR|R9R0Rf((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRs0             (RRRRuRR(((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyRs%cBs5eZdZdZeZied6ed6e d6Z RS(s[ This class implements the Argon2 password hash [#argon2-home]_, and follows the :ref:`password-hash-api`. (This class only supports generating "Type I" argon2 hashes). Argon2 supports a variable-length salt, and variable time & memory cost, and a number of other configurable parameters. The :meth:`~passlib.ifc.PasswordHash.replace` method accepts the following optional keywords: :type salt: str :param salt: Optional salt string. If specified, the length must be between 0-1024 bytes. If not specified, one will be auto-generated (this is recommended). :type salt_size: int :param salt_size: Optional number of bytes to use when autogenerating new salts. :type rounds: int :param rounds: Optional number of rounds to use. This corresponds linearly to the amount of time hashing will take. :type time_cost: int :param time_cost: An alias for **rounds**, for compatibility with underlying argon2 library. :param int memory_cost: Defines the memory usage in kibibytes. This corresponds linearly to the amount of memory hashing will take. :param int parallelism: Defines the parallelization factor. *NOTE: this will affect the resulting hash value.* :param int digest_size: Length of the digest in bytes. :param int max_threads: Maximum number of threads that will be used. -1 means unlimited; otherwise hashing will use ``min(parallelism, max_threads)`` threads. .. note:: This option is currently only honored by the argon2pure backend. :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``rounds`` that are too small or too large, and ``salt`` strings that are too long. .. todo:: * Support configurable threading limits. RcR(s argon2_cffis argon2pureN( RRRtbackendsR[t_backend_mixin_targetRzR RRt_backend_mixin_map(((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pyR s; (3Rt __future__RRtloggingt getLoggerRRRvttypestwarningsRR RRtpasslibRtpasslib.crypto.digestRt passlib.utilsRtpasslib.utils.binaryRRtpasslib.utils.compatRR R tpasslib.utils.handlerstutilsthandlersR&t__all__R Rtgetattrt_PasswordHasherR RRRrtSubclassBackendMixintParallelismMixint HasRoundst HasRawSalttHasRawChecksumtGenericHandlerRRzRR(((s;/usr/lib/python2.7/site-packages/passlib/handlers/argon2.pytsB        *hQ