forked from fedora-python/python26
python-2.6.6-crypt-module-salt-backport.patch
diff -up Python-2.6.6/Doc/library/crypt.rst.salt Python-2.6.6/Doc/library/crypt.rst
--- Python-2.6.6/Doc/library/crypt.rst.salt 2009-10-27 10:19:50.000000000 -0400
+++ Python-2.6.6/Doc/library/crypt.rst 2011-03-23 16:18:53.957871467 -0400
@@ -16,9 +16,9 @@
This module implements an interface to the :manpage:`crypt(3)` routine, which is
a one-way hash function based upon a modified DES algorithm; see the Unix man
-page for further details. Possible uses include allowing Python scripts to
-accept typed passwords from the user, or attempting to crack Unix passwords with
-a dictionary.
+page for further details. Possible uses include storing hashed passwords
+so you can check passwords without storing the actual password, or attempting
+to crack Unix passwords with a dictionary.
.. index:: single: crypt(3)
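Review bot: the unchanged opening sentence above the edited lines still describes crypt(3) as "a one-way hash function based upon a modified DES algorithm", which no longer matches a module that, later in this same file, documents METHOD_SHA512 as its strongest method. Since this hunk already rewrites the paragraph, reword the introduction so that DES is described as the traditional method only.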
@@ -27,15 +27,81 @@ the :manpage:`crypt(3)` routine in the r
extensions available on the current implementation will also be available on
this module.
+Hashing Methods
+---------------
-.. function:: crypt(word, salt)
+The :mod:`crypt` module defines the list of hashing methods (not all methods
+are available on all platforms):
+
+.. data:: METHOD_SHA512
+
+ A Modular Crypt Format method with 16 character salt and 86 character
+ hash. This is the strongest method.
+
+.. versionadded:: 3.3
+
+.. data:: METHOD_SHA256
+
+ Another Modular Crypt Format method with 16 character salt and 43
+ character hash.
+
+.. versionadded:: 3.3
+
+.. data:: METHOD_MD5
+
+ Another Modular Crypt Format method with 8 character salt and 22
+ character hash.
+
+.. versionadded:: 3.3
+
+.. data:: METHOD_CRYPT
+
+ The traditional method with a 2 character salt and 13 characters of
+ hash. This is the weakest method.
+
+.. versionadded:: 3.3
+
+
+Module Attributes
+-----------------
+
+
+.. attribute:: methods
+
+ A list of available password hashing algorithms, as
+ ``crypt.METHOD_*`` objects. This list is sorted from strongest to
+ weakest, and is guaranteed to have at least ``crypt.METHOD_CRYPT``.
+
+.. versionadded:: 3.3
+
+
+Module Functions
+----------------
+
+The :mod:`crypt` module defines the following functions:
+
+.. function:: crypt(word, salt=None)
*word* will usually be a user's password as typed at a prompt or in a graphical
- interface. *salt* is usually a random two-character string which will be used
- to perturb the DES algorithm in one of 4096 ways. The characters in *salt* must
- be in the set ``[./a-zA-Z0-9]``. Returns the hashed password as a string, which
- will be composed of characters from the same alphabet as the salt (the first two
- characters represent the salt itself).
+ interface. The optional *salt* is either a string as returned from
+ :func:`mksalt`, one of the ``crypt.METHOD_*`` values (though not all
+ may be available on all platforms), or a full encrypted password
+ including salt, as returned by this function. If *salt* is not
+ provided, the strongest method will be used (as returned by
+ :func:`methods`.
+
+ Checking a password is usually done by passing the plain-text password
+ as *word* and the full results of a previous :func:`crypt` call,
+ which should be the same as the results of this call.
+
+ *salt* (either a random 2 or 16 character string, possibly prefixed with
+ ``$digit$`` to indicate the method) which will be used to perturb the
+ encryption algorithm. The characters in *salt* must be in the set
+ ``[./a-zA-Z0-9]``, with the exception of Modular Crypt Format which
+ prefixes a ``$digit$``.
+
+ Returns the hashed password as a string, which will be composed of
+ characters from the same alphabet as the salt.
.. index:: single: crypt(3)
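Review bot: the `.. versionadded:: 3.3` directives under each `METHOD_*` entry and under `methods` name the upstream release, not this Python 2.6.6 backport, so the 2.6 documentation gives no hint that these names are a non-standard extension; say so explicitly, as the `Lib/crypt.py` docstring in this patch does. In the `crypt(word, salt=None)` text, "(as returned by :func:`methods`." is missing its closing parenthesis and uses `:func:` for something documented above as an attribute, and the paragraph beginning "*salt* (either a random 2 or 16 character string" is a sentence fragment that also leaves out the 8 character salt listed for METHOD_MD5.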
@@ -43,6 +109,27 @@ this module.
different sizes in the *salt*, it is recommended to use the full crypted
password as salt when checking for a password.
+.. versionchanged:: 3.3
+ Before version 3.3, *salt* must be specified as a string and cannot
+ accept ``crypt.METHOD_*`` values (which don't exist anyway).
+
+
+.. function:: mksalt(method=None)
+
+ Return a randomly generated salt of the specified method. If no
+ *method* is given, the strongest method available as returned by
+ :func:`methods` is used.
+
+ The return value is a string either of 2 characters in length for
+ ``crypt.METHOD_CRYPT``, or 19 characters starting with ``$digit$`` and
+ 16 random characters from the set ``[./a-zA-Z0-9]``, suitable for
+ passing as the *salt* argument to :func:`crypt`.
+
+.. versionadded:: 3.3
+
+Examples
+--------
+
A simple example illustrating typical use::
import crypt, getpass, pwd
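Review bot: the `mksalt` description gives the return value as either 2 characters or 19 characters, which leaves out METHOD_MD5: with the 8 character salt documented for it and a `$digit$` prefix the result is 11 characters. Describe the length per method instead of as two fixed cases. The same paragraph and the one before it refer to :func:`methods`, but `methods` is documented as an attribute.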
@@ -59,3 +146,11 @@ A simple example illustrating typical us
else:
return 1
+To generate a hash of a password using the strongest available method and
+check it against the original::
+
+ import crypt
+
+ hashed = crypt.crypt(plaintext)
+ if hashed != crypt.crypt(plaintext, hashed):
+ raise "Hashed version doesn't validate against original"
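Review bot: the added example ends with `raise "Hashed version doesn't validate against original"`, which raises a plain string; Python 2.6 rejects string exceptions with a TypeError, so the failure path of the example cannot work as written. Raise an exception class instead, for example `raise ValueError("Hashed version doesn't validate against original")`. `plaintext` is also never defined in the snippet, so it does not run as shown.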
diff -up Python-2.6.6/Lib/crypt.py.salt Python-2.6.6/Lib/crypt.py
--- Python-2.6.6/Lib/crypt.py.salt 2011-03-23 16:18:53.957871467 -0400
+++ Python-2.6.6/Lib/crypt.py 2011-03-23 16:19:04.282001478 -0400
@@ -0,0 +1,70 @@
+"""Wrapper to the POSIX crypt library call and associated functionality.
+
+Note that the ``methods`` and ``METHOD_*`` attributes are non-standard
+extensions to Python 2.6, backported from 3.3"""
+
+import _crypt
+import string
+from random import choice
+from collections import namedtuple
+
+
+_saltchars = string.ascii_letters + string.digits + './'
+
+
+class _Method(namedtuple('_Method', 'name ident salt_chars total_size')):
+
+ """Class representing a salt method per the Modular Crypt Format or the
+ legacy 2-character crypt method."""
+
+ def __repr__(self):
+ return '<crypt.METHOD_%s>' % self.name
+
+
+
+def mksalt(method=None):
+ """Generate a salt for the specified method.
+
+ If not specified, the strongest available method will be used.
+
+ This is a non-standard extension to Python 2.6, backported from 3.3
+ """
+ if method is None:
+ method = methods[0]
+ s = '$%s$' % method.ident if method.ident else ''
+ s += ''.join(choice(_saltchars) for _ in range(method.salt_chars))
+ return s
+
+
+def crypt(word, salt=None):
+ """Return a string representing the one-way hash of a password, with a salt
+ prepended.
+
+ If ``salt`` is not specified or is ``None``, the strongest
+ available method will be selected and a salt generated. Otherwise,
+ ``salt`` may be one of the ``crypt.METHOD_*`` values, or a string as
+ returned by ``crypt.mksalt()``.
+
+ Note that these are non-standard extensions to Python 2.6's crypt.crypt()
+ entrypoint, backported from 3.3: the standard Python 2.6 crypt.crypt()
+ entrypoint requires two strings as the parameters, and does not support
+ keyword arguments.
+ """
+ if salt is None or isinstance(salt, _Method):
+ salt = mksalt(salt)
+ return _crypt.crypt(word, salt)
+
+
+# available salting/crypto methods
+METHOD_CRYPT = _Method('CRYPT', None, 2, 13)
+METHOD_MD5 = _Method('MD5', '1', 8, 34)
+METHOD_SHA256 = _Method('SHA256', '5', 16, 63)
+METHOD_SHA512 = _Method('SHA512', '6', 16, 106)
+
+methods = []
+for _method in (METHOD_SHA512, METHOD_SHA256, METHOD_MD5):
+ _result = crypt('', _method)
+ if _result and len(_result) == _method.total_size:
+ methods.append(_method)
+methods.append(METHOD_CRYPT)
+del _result, _method
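Review bot: `mksalt` picks salt characters with `choice` imported from `random`, which is the module's default deterministic generator rather than an OS-backed source of randomness. Use `random.SystemRandom().choice` so that generated salts cannot be predicted from generator state. Separately, `crypt()` only special-cases `None` and `_Method`; any other value is passed straight to `_crypt.crypt`, so a short note in the docstring on what happens with a malformed salt string would help callers.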
diff -up Python-2.6.6/Lib/test/test_crypt.py.salt Python-2.6.6/Lib/test/test_crypt.py
--- Python-2.6.6/Lib/test/test_crypt.py.salt 2008-03-13 16:47:41.000000000 -0400
+++ Python-2.6.6/Lib/test/test_crypt.py 2011-03-23 16:18:53.957871467 -0400
@@ -9,6 +9,25 @@ class CryptTestCase(unittest.TestCase):
if test_support.verbose:
print 'Test encryption: ', c
+ def test_salt(self):
+ self.assertEqual(len(crypt._saltchars), 64)
+ for method in crypt.methods:
+ salt = crypt.mksalt(method)
+ self.assertEqual(len(salt),
+ method.salt_chars + (3 if method.ident else 0))
+
+ def test_saltedcrypt(self):
+ for method in crypt.methods:
+ pw = crypt.crypt('assword', method)
+ self.assertEqual(len(pw), method.total_size)
+ pw = crypt.crypt('assword', crypt.mksalt(method))
+ self.assertEqual(len(pw), method.total_size)
+
+ def test_methods(self):
+ # Gurantee that METHOD_CRYPT is the last method in crypt.methods.
+ self.assertTrue(len(crypt.methods) >= 1)
+ self.assertEqual(crypt.METHOD_CRYPT, crypt.methods[-1])
+
def test_main():
test_support.run_unittest(CryptTestCase)
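Review bot: `test_saltedcrypt` asserts only the length of each result, so nothing checks that a hash verifies when it is passed back as the salt, which is the documented way to check a password. Add a round-trip assertion such as `self.assertEqual(crypt.crypt('assword', pw), pw)` and a case for the `salt=None` default. The comment in `test_methods` misspells "Guarantee".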
diff -up Python-2.6.6/Modules/cryptmodule.c.salt Python-2.6.6/Modules/cryptmodule.c
--- Python-2.6.6/Modules/cryptmodule.c.salt 2010-05-09 11:15:40.000000000 -0400
+++ Python-2.6.6/Modules/cryptmodule.c 2011-03-23 16:18:53.958871462 -0400
@@ -43,7 +43,7 @@ static PyMethodDef crypt_methods[] = {
};
PyMODINIT_FUNC
-initcrypt(void)
+init_crypt(void)
{
- Py_InitModule("crypt", crypt_methods);
+ Py_InitModule("_crypt", crypt_methods);
}
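Review bot: the file in this diff header is still `Modules/cryptmodule.c`, while the `Setup.dist` and `setup.py` changes in the same patch build from `_cryptmodule.c`, and no rename is visible anywhere in the patch. Unless the file is renamed elsewhere, the build will not find its source; either include the rename here or keep `cryptmodule.c` in the two build files.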
diff -up Python-2.6.6/Modules/Setup.dist.salt Python-2.6.6/Modules/Setup.dist
--- Python-2.6.6/Modules/Setup.dist.salt 2011-03-23 16:18:52.815117238 -0400
+++ Python-2.6.6/Modules/Setup.dist 2011-03-23 16:18:53.958871462 -0400
@@ -221,7 +221,7 @@ _ssl _ssl.c \
#
# First, look at Setup.config; configure may have set this for you.
-crypt cryptmodule.c -lcrypt # crypt(3); needs -lcrypt on some systems
+_crypt _cryptmodule.c -lcrypt # crypt(3); needs -lcrypt on some systems
# Some more UNIX dependent modules -- off by default, since these
diff -up Python-2.6.6/setup.py.salt Python-2.6.6/setup.py
--- Python-2.6.6/setup.py.salt 2011-03-23 16:18:53.886860431 -0400
+++ Python-2.6.6/setup.py 2011-03-23 16:18:53.959871236 -0400
@@ -679,7 +679,7 @@ class PyBuildExt(build_ext):
libs = ['crypt']
else:
libs = []
- exts.append( Extension('crypt', ['cryptmodule.c'], libraries=libs) )
+ exts.append( Extension('_crypt', ['_cryptmodule.c'], libraries=libs) )
else:
missing.append('crypt')
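Review bot: the `else:` branch still reports `missing.append('crypt')` although the extension built just above is now named `_crypt`. Report `_crypt` there so that the missing-module summary names the module that actually failed to build, since `crypt` itself is now the pure-Python wrapper.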