def os_supports_ident(self, hash):
"check if OS crypt is expected to support given ident"
if hash is None:
return True
# most OSes won't support 2x/2y
# XXX: definitely not the BSDs, but what about the linux variants?
from passlib.handlers.bcrypt import IDENT_2X, IDENT_2Y
if hash.startswith(IDENT_2X) or hash.startswith(IDENT_2Y):
return False
return True
def os_supports_ident(self, hash):
"check if OS crypt is expected to support given ident"
if hash is None:
return True
# most OSes won't support 2x/2y
# XXX: definitely not the BSDs, but what about the linux variants?
from passlib.handlers.bcrypt import IDENT_2X, IDENT_2Y
if hash.startswith(IDENT_2X) or hash.startswith(IDENT_2Y):
return False
return True
def os_supports_ident(self, hash):
"""check if OS crypt is expected to support given ident"""
if hash is None:
return True
# most OSes won't support 2x/2y
# XXX: definitely not the BSDs, but what about the linux variants?
# XXX: replace this all with 'handler._lacks_2{x}_support' feature detection?
# could even just do call to safe_crypt(ident + salt) and see what we get
from passlib.handlers.bcrypt import IDENT_2X, IDENT_2Y
if hash.startswith(IDENT_2X) or hash.startswith(IDENT_2Y):
return False
return True
def check_bcryptor(secret, hash):
"bcryptor"
secret = to_native_str(secret, self.fuzz_password_encoding)
if hash.startswith(IDENT_2Y):
hash = IDENT_2A + hash[4:]
elif hash.startswith(IDENT_2):
# bcryptor doesn't support $2$ hashes; but we can fake it
# using the $2a$ algorithm, by repeating the password until
# it's 72 chars in length.
hash = IDENT_2A + hash[3:]
if secret:
secret = repeat_string(secret, 72)
return Engine(False).hash_key(secret, hash) == hash
def check_bcryptor(secret, hash):
"""bcryptor"""
secret = to_native_str(secret, self.FuzzHashGenerator.password_encoding)
if hash.startswith((IDENT_2B, IDENT_2Y)):
hash = IDENT_2A + hash[4:]
elif hash.startswith(IDENT_2):
# bcryptor doesn't support $2$ hashes; but we can fake it
# using the $2a$ algorithm, by repeating the password until
# it's 72 chars in length.
hash = IDENT_2A + hash[3:]
if secret:
secret = repeat_string(secret, 72)
return Engine(False).hash_key(secret, hash) == hash
def verify_django(secret, hash):
"""django/check_password"""
if self.handler.name == "django_bcrypt" and hash.startswith(
"bcrypt$$2y$"):
hash = hash.replace("$$2y$", "$$2a$")
if isinstance(secret, bytes):
secret = secret.decode("utf-8")
return check_password(secret, hash)
def check_bcrypt(secret, hash):
"""bcrypt"""
secret = to_bytes(secret, self.fuzz_password_encoding)
if hash.startswith(IDENT_2B):
# bcrypt <1.1 lacks 2b support
hash = IDENT_2A + hash[4:]
elif hash.startswith(IDENT_2):
# bcrypt doesn't support $2$ hashes; but we can fake it
# using the $2a$ algorithm, by repeating the password until
# it's 72 chars in length.
hash = IDENT_2A + hash[3:]
if secret:
secret = repeat_string(secret, 72)
hash = to_bytes(hash)
try:
return bcrypt.hashpw(secret, hash) == hash
except ValueError:
raise ValueError("bcrypt rejected hash: %r (secret=%r)" % (hash, secret))
def check_pybcrypt(secret, hash):
"pybcrypt"
secret = to_native_str(secret, self.fuzz_password_encoding)
if hash.startswith(IDENT_2Y):
hash = IDENT_2A + hash[4:]
try:
return bcrypt.hashpw(secret, hash) == hash
except ValueError:
raise ValueError("py-bcrypt rejected hash: %r" % (hash, ))
def check_pybcrypt(secret, hash):
"pybcrypt"
secret = to_native_str(secret, self.fuzz_password_encoding)
if hash.startswith(IDENT_2Y):
hash = IDENT_2A + hash[4:]
try:
return bcrypt.hashpw(secret, hash) == hash
except ValueError:
raise ValueError("py-bcrypt rejected hash: %r" % (hash,))
def verify_django(secret, hash):
"""django/check_password"""
if self.handler.name == "django_bcrypt" and hash.startswith("bcrypt$$2y$"):
hash = hash.replace("$$2y$", "$$2a$")
if self.django_has_encoding_glitch and isinstance(secret, bytes):
# e.g. unsalted_md5 on 1.5 and higher try to combine
# salt + password before encoding to bytes, leading to ascii error.
# this works around that issue.
secret = secret.decode("utf-8")
return check_password(secret, hash)
def check_pybcrypt(secret, hash):
"""pybcrypt"""
secret = to_native_str(secret, self.fuzz_password_encoding)
if len(secret) > 200: # vulnerable to wraparound bug
secret = secret[:200]
if hash.startswith((IDENT_2B, IDENT_2Y)):
hash = IDENT_2A + hash[4:]
try:
return bcrypt.hashpw(secret, hash) == hash
except ValueError:
raise ValueError("py-bcrypt rejected hash: %r" % (hash,))
def check_bcrypt(secret, hash):
"""bcrypt"""
secret = to_bytes(secret, self.FuzzHashGenerator.password_encoding)
if hash.startswith(IDENT_2B):
# bcrypt <1.1 lacks 2B support
hash = IDENT_2A + hash[4:]
elif hash.startswith(IDENT_2):
# bcrypt doesn't support $2$ hashes; but we can fake it
# using the $2a$ algorithm, by repeating the password until
# it's 72 chars in length.
hash = IDENT_2A + hash[3:]
if secret:
secret = repeat_string(secret, 72)
elif hash.startswith(IDENT_2Y) and bcrypt.__version__ == "3.0.0":
hash = IDENT_2B + hash[4:]
hash = to_bytes(hash)
try:
return bcrypt.hashpw(secret, hash) == hash
except ValueError:
raise ValueError("bcrypt rejected hash: %r (secret=%r)" %
(hash, secret))
def verify_django(secret, hash):
"""django/check_password"""
if (1,4) <= DJANGO_VERSION < (1,6) and not secret:
return "skip"
if self.handler.name == "django_bcrypt" and hash.startswith("bcrypt$$2y$"):
hash = hash.replace("$$2y$", "$$2a$")
if DJANGO_VERSION >= (1,5) and self.django_has_encoding_glitch and isinstance(secret, bytes):
# e.g. unsalted_md5 on 1.5 and higher try to combine
# salt + password before encoding to bytes, leading to ascii error.
# this works around that issue.
secret = secret.decode("utf-8")
return check_password(secret, hash)
def check_pybcrypt(secret, hash):
"""pybcrypt"""
secret = to_native_str(secret,
self.FuzzHashGenerator.password_encoding)
if len(secret) > 200: # vulnerable to wraparound bug
secret = secret[:200]
if hash.startswith((IDENT_2B, IDENT_2Y)):
hash = IDENT_2A + hash[4:]
try:
if lock:
with lock:
return bcrypt_mod.hashpw(secret, hash) == hash
else:
return bcrypt_mod.hashpw(secret, hash) == hash
except ValueError:
raise ValueError("py-bcrypt rejected hash: %r" % (hash, ))
def check_bcrypt(secret, hash):
"bcrypt"
secret = to_bytes(secret, self.fuzz_password_encoding)
#if hash.startswith(IDENT_2Y):
# hash = IDENT_2A + hash[4:]
if hash.startswith(IDENT_2):
# bcryptor doesn't support $2$ hashes; but we can fake it
# using the $2a$ algorithm, by repeating the password until
# it's 72 chars in length.
hash = IDENT_2A + hash[3:]
if secret:
secret = repeat_string(secret, 72)
hash = to_bytes(hash)
try:
return bcrypt.hashpw(secret, hash) == hash
except ValueError:
raise ValueError("bcrypt rejected hash: %r" % (hash, ))
def check_padding(hash):
assert hash.startswith(("$2a$", "$2b$")) and len(hash) >= 28, \
"unexpectedly malformed hash: %r" % (hash,)
self.assertTrue(hash[28] in '.Oeu',
"unused bits incorrectly set in hash: %r" % (hash,))
def check_padding(hash):
assert hash.startswith("$2a$") and len(hash) >= 28
self.assertTrue(
hash[28] in '.Oeu',
"unused bits incorrectly set in hash: %r" % (hash, ))
def check_padding(hash):
assert hash.startswith(("$2a$", "$2b$")) and len(hash) >= 28, \
"unexpectedly malformed hash: %r" % (hash,)
self.assertTrue(
hash[28] in '.Oeu',
"unused bits incorrectly set in hash: %r" % (hash, ))
def check_padding(hash):
"check bcrypt hash doesn't have salt padding bits set"
assert hash.startswith("$2a$") and len(hash) >= 28
self.assertTrue(hash[28] in BSLAST,
"padding bits set in hash: %r" % (hash,))
def check_padding(hash):
assert hash.startswith("$2a$") and len(hash) >= 28
self.assertTrue(hash[28] in ".Oeu", "unused bits incorrectly set in hash: %r" % (hash,))
def check_padding(hash):
"check bcrypt hash doesn't have salt padding bits set"
assert hash.startswith("$2a$") and len(hash) >= 28
self.assertTrue(hash[28] in BSLAST,
"padding bits set in hash: %r" % (hash, ))
