+anddlZddlmZmZmZddlmZddlmZm Z m Z dZ dZ dZ dZd Zd ZGd d Zy) N) Parameters _check_typesextract_parameters) InvalidHash)Type hash_secret verify_secreticHt|tr|S|j|S)zM Ensure *s* is a bytes string. Encode using *encoding* if it isn't. ) isinstancebytesencode)sencodings 9/usr/lib/python3/dist-packages/argon2/_password_hasher.py _ensure_bytesrs"!U 88H ceZdZdZddgZeeeee de jfdZ e dZe dZe dZe d Ze d Ze d Zd Ze j*e j,e jd ZdZdZy)PasswordHashera  High level class to hash passwords with sensible defaults. Uses Argon2\ **id** by default and always uses a random salt_ for hashing. But it can verify any type of Argon2 as long as the hash is correctly encoded. The reason for this being a class is both for convenience to carry parameters and to verify the parameters only *once*. Any unnecessary slowdown when hashing is a tangible advantage for a brute force attacker. :param int time_cost: Defines the amount of computation realized and therefore the execution time, given in number of iterations. :param int memory_cost: Defines the memory usage, given in kibibytes_. :param int parallelism: Defines the number of parallel threads (*changes* the resulting hash value). :param int hash_len: Length of the hash in bytes. :param int salt_len: Length of random salt to be generated for each password. :param str encoding: The Argon2 C library expects bytes. So if :meth:`hash` or :meth:`verify` are passed an unicode string, it will be encoded using this encoding. :param Type type: Argon2 type to use. Only change for interoperability with legacy systems. .. versionadded:: 16.0.0 .. versionchanged:: 18.2.0 Switch from Argon2i to Argon2id based on the recommendation by the current RFC draft. See also :doc:`parameters`. .. versionchanged:: 18.2.0 Changed default *memory_cost* to 100 MiB and default *parallelism* to 8. .. versionchanged:: 18.2.0 ``verify`` now will determine the type of hash. .. versionchanged:: 18.3.0 The Argon2 type is configurable now. .. _salt: https://en.wikipedia.org/wiki/Salt_(cryptography) .. _kibibytes: https://en.wikipedia.org/wiki/Binary_prefix#kibi _parametersrzutf-8c t|tf|tf|tf|tf|tf|tf|tf}|r t |t |d||||||_||_y)N) time_cost memory_cost parallelismhash_lensalt_lenrtype)r versionrrrrr)rintstrr TypeErrorrrr) selfrrrrrrr es r__init__zPasswordHasher.__init__@s~  #&$c*$c*___  A, &## ! rc.|jjSN)rrr&s rrzPasswordHasher.time_costbs)))rc.|jjSr*)rrr+s rrzPasswordHasher.memory_costf+++rc.|jjSr*)rrr+s rrzPasswordHasher.parallelismjr-rc.|jjSr*)rrr+s rrzPasswordHasher.hash_lenn(((rc.|jjSr*)rrr+s rrzPasswordHasher.salt_lenrr0rc.|jjSr*)rr r+s rr zPasswordHasher.typevs$$$rc  tt||jtj|j |j |j|j|j|jjdS)z Hash *password* and return an encoded hash. :param password: Password to hash. :type password: ``bytes`` or ``unicode`` :raises argon2.exceptions.HashingError: If hashing fails. :rtype: unicode )secretsaltrrrrr ascii) r rrosurandomrrrrrr decode)r&passwords rhashzPasswordHasher.hashzsa 4==9DMM*nn((((]]  &/ r)s $argon2i$s $argon2d$s $argon2idct|d} |j|dd}t |t||j|S#tttf$r t wxYw)a Verify that *password* matches *hash*. .. warning:: It is assumed that the caller is in full control of the hash. No other parsing than the determination of the hash type is done by ``argon2-cffi``. :param hash: An encoded hash as returned from :meth:`PasswordHasher.hash`. :type hash: ``bytes`` or ``unicode`` :param password: The password to verify. :type password: ``bytes`` or ``unicode`` :raises argon2.exceptions.VerifyMismatchError: If verification fails because *hash* is not valid for *password*. :raises argon2.exceptions.VerificationError: If verification fails for other reasons. :raises argon2.exceptions.InvalidHash: If *hash* is so clearly invalid, that it couldn't be passed to Argon2. :return: ``True`` on success, raise :exc:`~argon2.exceptions.VerificationError` otherwise. :rtype: bool .. versionchanged:: 16.1.0 Raise :exc:`~argon2.exceptions.VerifyMismatchError` on mismatches instead of its more generic superclass. .. versionadded:: 18.2.0 Hash type agility. r6N )r_header_to_type IndexErrorKeyError LookupErrorrr r)r&r;r: hash_types rverifyzPasswordHasher.verifysmBT7+ ,,T"1X6I -$--8)  Hk2 -  s AA c2|jt|k7S)aO Check whether *hash* was created using the instance's parameters. Whenever your Argon2 parameters -- or ``argon2-cffi``'s defaults! -- change, you should rehash your passwords at the next opportunity. The common approach is to do that whenever a user logs in, since that should be the only time when you have access to the cleartext password. Therefore it's best practice to check -- and if necessary rehash -- passwords after each successful authentication. :rtype: bool .. versionadded:: 18.2.0 )rr)r&r;s rcheck_needs_rehashz!PasswordHasher.check_needs_rehashs"#5d#;;;rN)__name__ __module__ __qualname____doc__ __slots__DEFAULT_TIME_COSTDEFAULT_MEMORY_COSTDEFAULT_PARALLELISMDEFAULT_HASH_LENGTHDEFAULT_RANDOM_SALT_LENGTHrIDr(propertyrrrrrr r;IDr>rCrErrrrs$J +I$''$+ WW !D**,,,,))))%%,ffffggO ) VrXsH @@#77 y<y