o xg|b@sddlZddlZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z ddl mZddlmZmZmZmZddlmZddlmZd Zd Zd d Zd8ddZd8ddZeddZeddZ ee ddZ!d9ddZ"ddZ#d:ddZ$d d!Z%Gd"d#d#Z&Gd$d%d%e&Z'Gd&d'd'e'Z(Gd(d)d)e&Z)Gd*d+d+e&Z*Gd,d-d-e*Z+Gd.d/d/e&Z,Gd0d1d1e&Z-Gd2d3d3e&Z.Gd4d5d5e&Z/Gd6d7d7e&Z0dS);N)settings)ImproperlyConfigured)setting_changed)receiver)RANDOM_STRING_CHARSconstant_time_compareget_random_stringpbkdf2) import_string) gettext_noop!(cCs|dup |t S)zv Return True if this password wasn't generated by User.set_unusable_password(), i.e. make_password(None). N) startswithUNUSABLE_PASSWORD_PREFIX)encodedr=/usr/lib/python3/dist-packages/django/contrib/auth/hashers.pyis_password_usablesrdefaultc Cs|dupt| }t|}zt|}Wn tyd}Ynw|r)tttdS|j|jk}|p5||}| ||}|sH|sH|rH| |||rR|rR|rR|||S)z Return a boolean of whether the raw password matches the three part encoded digest. If setter is specified, it'll be called when you need to regenerate the password. NTF) r get_hasheridentify_hasher ValueError make_passwordrUNUSABLE_PASSWORD_SUFFIX_LENGTH algorithm must_updateverifyharden_runtime) passwordrsetter preferred fake_runtimehasherhasher_changedr is_correctrrrcheck_passwords$        r%cCsT|dur tttSt|ttfstdt|jt |}|p#| }| ||S)a| Turn a plain-text password into a hash for database storage Same as encode() but generate a new random salt. If password is None then return a concatenation of UNUSABLE_PASSWORD_PREFIX and a random string, which disallows logins. Additional random string reduces chances of gaining access to staff or superuser accounts. See ticket #20079 for more info. Nz+Password must be a string or bytes, got %s.) rrr isinstancebytesstr TypeErrortype __qualname__rsaltencode)rr,r"rrrrGs   rcCsBg}tjD]}t|}|}t|dstd|||q|S)Nrz,hasher doesn't specify an algorithm name: %s)rPASSWORD_HASHERSr getattrrappend)hashers hasher_path hasher_clsr"rrr get_hashers\s   r4cCsddtDS)NcSsi|]}|j|qSrr).0r"rrr ksz,get_hashers_by_algorithm..)r4rrrrget_hashers_by_algorithmisr8cKs$|ddkrttdSdS)Nsettingr.)r4 cache_clearr8)kwargsrrr reset_hashersns  r<cCsLt|dr|S|dkrtdSt}z||WSty%td|w)z Return an instance of a loaded password hasher. If algorithm is 'default', return the default hasher. Lazily import hashers specified in the project's settings file if needed. rrrz\Unknown password hashing algorithm '%s'. Did you specify it in the PASSWORD_HASHERS setting?)hasattrr4r8KeyErrorr)rr1rrrrus    rcCspt|dkr d|vst|dkr|drd}t|St|dkr,|dr,d}t|S|dd d }t|S) z Return an instance of a loaded password hasher. Identify hasher algorithm by examining encoded hash, and call get_hasher() to return hasher. Raise ValueError if algorithm cannot be identified, or if hasher is not loaded. $%md5$$ unsalted_md5.sha1$$ unsalted_sha1r)lenrsplitr)rrrrrrs r*cCs(|d|}||t||d7}|S)z Return the given hash, with only the first ``show`` number shown. The rest are masked with ``char`` for security reasons. N)rH)hashshowcharmaskedrrr mask_hashs rPcCst|ttt|kSN)rHmathlog2r)r,expected_entropyrrrmust_update_saltsrUc@s\eZdZdZdZdZdZddZddZdd Z d d Z d d Z ddZ ddZ ddZdS)BasePasswordHasherz Abstract base class for password hashers When creating your own hasher, you need to override algorithm, verify(), encode() and safe_summary(). PasswordHasher objects are immutable. Nc Csz|jdur5t|jttfr|j\}}n|j}zt|}W|Sty4}z td|jj |fd}~wwtd|jj )Nz&Couldn't load %r algorithm library: %sz-Hasher %r doesn't specify a library attribute) libraryr&tuplelist importlib import_module ImportErrorr __class____name__)selfnamemod_pathmoduleerrr _load_librarys    z BasePasswordHasher._load_librarycCs&t|jttt}t|tdS)z Generate a cryptographically secure nonce salt in ASCII with an entropy of at least `salt_entropy` bits. ) allowed_chars)rRceil salt_entropyrSrHrr)r` char_countrrrr,s zBasePasswordHasher.saltcCtd)z'Check if the given password is correct.z?subclasses of BasePasswordHasher must provide a verify() methodNotImplementedErrorr`rrrrrrszBasePasswordHasher.verifycCrj)z Create an encoded database value. The result is normally formatted as "algorithm$salt$hash" and must be fewer than 128 characters. z@subclasses of BasePasswordHasher must provide an encode() methodrkr`rr,rrrr-zBasePasswordHasher.encodecCrj)z Return a decoded database value. The result is a dictionary and should contain `algorithm`, `hash`, and `salt`. Extra keys can be algorithm specific like `iterations` or `work_factor`. z@subclasses of BasePasswordHasher must provide a decode() method.rkr`rrrrdecodeszBasePasswordHasher.decodecCrj)z Return a summary of safe values. The result is a dictionary and will be used where the password field must be displayed to construct a safe representation of the password. zEsubclasses of BasePasswordHasher must provide a safe_summary() methodrkrprrr safe_summaryrozBasePasswordHasher.safe_summarycCdS)NFrrprrrrzBasePasswordHasher.must_updatecCstddS)a Bridge the runtime gap between the work factor supplied in `encoded` and the work factor suggested by this hasher. Taking PBKDF2 as an example, if `encoded` contains 20000 iterations and `self.iterations` is 30000, this method should run password through another 10000 iterations of PBKDF2. Similar approaches should exist for any hasher that has a work factor. If not, this method should be defined as a no-op to silence the warning. zIsubclasses of BasePasswordHasher should provide a harden_runtime() methodN)warningswarnrmrrrrs z!BasePasswordHasher.harden_runtime)r_ __module__r+__doc__rrXrhrer,rr-rqrrrrrrrrrVs    rVc@sPeZdZdZdZdZejZdddZ ddZ d d Z d d Z d dZ ddZdS)PBKDF2PasswordHashera Secure password hashing using the PBKDF2 algorithm (recommended) Configured to use PBKDF2 + HMAC + SHA256. The result is a 64 byte binary string. Iterations may be changed safely but you must rename the algorithm if you change SHA256. pbkdf2_sha256iNcCs^|dusJ|r d|vsJ|p|j}t||||jd}t|d}d|j|||fS)Nr@)digestasciiz %s$%d$%s$%s) iterationsr r{base64 b64encoderqstripr)r`rr,r}rLrrrr-s  zPBKDF2PasswordHasher.encodecCs4|dd\}}}}||jksJ||t||dS)Nr@)rrLr}r,rIrint)r`rrr}r,rLrrrrqszPBKDF2PasswordHasher.decodecCs*||}|||d|d}t||SNr,r}rqr-rr`rrdecoded encoded_2rrrr's  zPBKDF2PasswordHasher.verifyc CsF||}td|dtd|dtdt|dtdt|diS)Nrr}r,rLrq_rPr`rrrrrrr,   z!PBKDF2PasswordHasher.safe_summarycCs,||}t|d|j}|d|jkp|Sr)rqrUrhr})r`rr update_saltrrrr5s z PBKDF2PasswordHasher.must_updatecCs:||}|j|d}|dkr|||d|dSdS)Nr}rr,)rqr}r-)r`rrrextra_iterationsrrrr:s z#PBKDF2PasswordHasher.harden_runtimerQ)r_rwr+rxrr}hashlibsha256r{r-rqrrrrrrrrrry s   ryc@seZdZdZdZejZdS)PBKDF2SHA1PasswordHasherz Alternate PBKDF2 hasher which uses SHA1, the default PRF recommended by PKCS #5. This is compatible with other implementations of PBKDF2, such as openssl's PKCS5_PBKDF2_HMAC_SHA1(). pbkdf2_sha1N)r_rwr+rxrrsha1r{rrrrrAs rc@s\eZdZdZdZdZdZdZdZddZ dd Z d d Z d d Z ddZ ddZddZdS)Argon2PasswordHashera Secure password hashing using the argon2 algorithm. This is the winner of the Password Hashing Competition 2013-2015 (https://password-hashing.net). It requires the argon2-cffi library which depends on native C code and might cause portability issues. argon2ic CsL|}|}|jj|||j|j|j|j|j d}|j | dS)N) time_cost memory_cost parallelismhash_lenr*r|) reparams low_level hash_secretr-rrrrr*rrq)r`rr,rrdatarrrr-[s zArgon2PasswordHasher.encodec Cs|}|dd\}}||jksJ|d|}|d^}}}} |dt| d7}t|d} || |j|j | |j ||j |d S)Nr@rG=latin1) rrLrrr,rvarietyversionr) rerIrextract_parametersrHr~ b64decoderqrrrr) r`rrrrestrrrb64saltrLr,rrrrqis"zArgon2PasswordHasher.decodecCsV|}|dd\}}||jksJz |d||WS|jjy*YdSw)Nr@rGF)rerIrPasswordHasherr exceptionsVerificationError)r`rrrrrrrrr~szArgon2PasswordHasher.verifycCsv||}td|dtd|dtd|dtd|dtd|dtd|dtd t|d td t|d iS) Nrrrz memory costrz time costrrr,rLrrrrrrrs       z!Argon2PasswordHasher.safe_summarycCs>||}|d}|}|j|_t|d|j}||kp|S)Nrr,)rqrsalt_lenrUrh)r`rrcurrent_params new_paramsrrrrrs  z Argon2PasswordHasher.must_updatecCdSrQrrmrrrrsz#Argon2PasswordHasher.harden_runtimec Cs4|}|j|jjj|jj|j|j|j|j |j dS)N)r*rrrrrr) re ParametersrTypeIDARGON2_VERSIONDEFAULT_RANDOM_SALT_LENGTHDEFAULT_HASH_LENGTHrrr)r`rrrrrszArgon2PasswordHasher.paramsN)r_rwr+rxrrXrrrr-rqrrrrrrrrrrrLs   rc@sZeZdZdZdZejZdZdZ ddZ ddZ d d Z d d Z d dZddZddZdS)BCryptSHA256PasswordHashera& Secure password hashing using the bcrypt algorithm (recommended) This is considered by many to be the most secure algorithm but you must first install the bcrypt library. Please be warned that this library depends on native C code and might cause portability issues. bcrypt_sha256)bcryptr cCs|}||jSrQ)regensaltrounds)r`rrrrr,s zBCryptSHA256PasswordHasher.saltcCsN|}|}|jdurt||}|||}d|j|dfS)Nz%s$%sr|)rer-r{binasciihexlifyhashpwrrq)r`rr,rrrrrr-s   z!BCryptSHA256PasswordHasher.encodecCsH|dd\}}}}}||jksJ|||dd|ddt|dS)Nr@r)ralgostrchecksumr, work_factorr)r`rremptyrrrrrrrqs  z!BCryptSHA256PasswordHasher.decodecCs:|dd\}}||jksJ|||d}t||S)Nr@rGr|)rIrr-r)r`rrrrrrrrrs z!BCryptSHA256PasswordHasher.verifyc CsF||}td|dtd|dtdt|dtdt|diS)Nrz work factorrr,rrrrrrrrrz'BCryptSHA256PasswordHasher.safe_summarycCs||}|d|jkS)Nr)rqrrrrrrs z&BCryptSHA256PasswordHasher.must_updatecCsr|dd\}}|dd}|dd}d|jt|d}|dkr7|||d|d8}|dks$dSdS)Nr@rGrrr|)rIrrr-)r`rrrrr,rdiffrrrrs z)BCryptSHA256PasswordHasher.harden_runtimeN)r_rwr+rxrrrr{rXrr,r-rqrrrrrrrrrrs   rc@seZdZdZdZdZdS)BCryptPasswordHashera Secure password hashing using the bcrypt algorithm This is considered by many to be the most secure algorithm but you must first install the bcrypt library. Please be warned that this library depends on native C code and might cause portability issues. This hasher does not first hash the password which means it is subject to bcrypt's 72 bytes password truncation. Most use cases should prefer the BCryptSHA256PasswordHasher. rN)r_rwr+rxrr{rrrrrs rc@DeZdZdZdZddZddZddZd d Zd d Z d dZ dS)SHA1PasswordHasherz? The SHA1 password hashing algorithm (not recommended) rcCB|dusJ|r d|vsJt||}d|j||fSNr@%s$%s$%s)rrr- hexdigestrr`rr,rLrrrr- zSHA1PasswordHasher.encodecC,|dd\}}}||jksJ|||dSNr@rrrLr,rIrr`rrr,rLrrrrq zSHA1PasswordHasher.decodecC$||}|||d}t||SNr,rrrrrr  zSHA1PasswordHasher.verifycC>||}td|dtdt|dddtdt|diSNrr,rrMrLrrrrrrr#  zSHA1PasswordHasher.safe_summarycC||}t|d|jSrrqrUrhrrrrr+ zSHA1PasswordHasher.must_updatecCrrQrrmrrrr/rtz!SHA1PasswordHasher.harden_runtimeN r_rwr+rxrr-rqrrrrrrrrrr   rc@r)MD5PasswordHasherzE The Salted MD5 password hashing algorithm (not recommended) md5cCrr)rrr-rrrrrrr-9rzMD5PasswordHasher.encodecCrrrrrrrrq?rzMD5PasswordHasher.decodecCrrrrrrrrHrzMD5PasswordHasher.verifycCrrrrrrrrrMrzMD5PasswordHasher.safe_summarycCrrrrrrrrUrzMD5PasswordHasher.must_updatecCrrQrrmrrrrYrtz MD5PasswordHasher.harden_runtimeNrrrrrr3rrc@r)UnsaltedSHA1PasswordHashera7 Very insecure algorithm that you should *never* use; store SHA1 hashes with an empty salt. This class is implemented because Django used to accept such password hashes. Some older Django installs still have these values lingering around so we need to handle and upgrade them properly. rFcCrsNrr`rrrr,hrtzUnsaltedSHA1PasswordHasher.saltcCs&|dksJt|}d|S)Nrzsha1$$%s)rrr-rrrrrr-ks z!UnsaltedSHA1PasswordHasher.encodecCs$|dsJ|j|ddddS)NrErJr)rrrprrrrqps  z!UnsaltedSHA1PasswordHasher.decodecCs||d}t||Sr)r-rr`rrrrrrrxs  z!UnsaltedSHA1PasswordHasher.verifycCs*||}td|dtdt|diS)NrrLrrrrrrr|s  z'UnsaltedSHA1PasswordHasher.safe_summarycCrrQrrmrrrrrtz)UnsaltedSHA1PasswordHasher.harden_runtimeN r_rwr+rxrr,r-rqrrrrrrrrr]s rc@r)UnsaltedMD5PasswordHashera Incredibly insecure algorithm that you should *never* use; stores unsalted MD5 hashes without the algorithm prefix, also accepts MD5 hashes with an empty salt. This class is implemented because Django used to store passwords this way and to accept such password hashes. Some older Django installs still have these values lingering around so we need to handle and upgrade them properly. rCcCrsrrrrrrr,rtzUnsaltedMD5PasswordHasher.saltcCs|dksJt|Sr)rrr-rrnrrrr-s z UnsaltedMD5PasswordHasher.encodecCs|j|ddS)Nrr5rprrrrqsz UnsaltedMD5PasswordHasher.decodecCs8t|dkr|dr|dd}||d}t||S)NrArBr)rHrr-rrrrrrs   z UnsaltedMD5PasswordHasher.verifycCs.||}td|dtdt|dddiS)NrrLrrrrrrrrrs  z&UnsaltedMD5PasswordHasher.safe_summarycCrrQrrmrrrrrtz(UnsaltedMD5PasswordHasher.harden_runtimeNrrrrrrs  rc@sHeZdZdZdZdZddZddZddZd d Z d d Z d dZ dS)CryptPasswordHasherzv Password hashing using UNIX crypt (not recommended) The crypt module is not supported on all platforms. cryptcCstdS)Nr)rrrrrr,szCryptPasswordHasher.saltcCs@|}t|dks J|||}|dusJd|jd|fS)Nrrr)rerHrr)r`rr,rrLrrrr-s   zCryptPasswordHasher.encodecCrrrrrrrrqrzCryptPasswordHasher.decodecCs0|}||}|||d}t|d|S)NrL)rerqrr)r`rrrrrrrrrs zCryptPasswordHasher.verifyc Cs:||}td|dtd|dtdt|dddiS)Nrr,rLrrrrrrrrrs   z CryptPasswordHasher.safe_summarycCrrQrrmrrrrrtz"CryptPasswordHasher.harden_runtimeN) r_rwr+rxrrXr,r-rqrrrrrrrrrs  r)Nr)r)rJrK)1r~r functoolsrr[rRru django.confrdjango.core.exceptionsrdjango.core.signalsrdjango.dispatchrdjango.utils.cryptorrrr django.utils.module_loadingr django.utils.translationr rrrrr%r lru_cacher4r8r<rrrPrUrVryrrrrrrrrrrrrrsP        (      Y8 eG***,