.. index:: single: PasswordHash interface single: custom hash handler; requirements .. module:: passlib.ifc :synopsis: abstract interfaces used by Passlib ============================================= :mod:`passlib.ifc` -- Password Hash Interface ============================================= .. _password-hash-api: PasswordHash API ================ This module provides the :class:`!PasswordHash` abstract base class. This class defines the common methods and attributes present on all the hashes importable from the :mod:`passlib.hash` module. Additionally, the :class:`passlib.context.CryptContext` class is deliberately designed to parallel many of this interface's methods. .. rst-class:: float-center .. seealso:: :ref:`hash-tutorial` -- Overview of this interface and how to use it. Base Abstract Class =================== .. class:: PasswordHash() This class provides an abstract interface for an arbitrary password hasher. Applications will generally not construct instances directly -- most of the operations are performed via classmethods, allowing instances of a given class to be an internal detail used to implement the various operations. While :class:`!PasswordHash` offers a number of methods and attributes, most applications will only need the two primary methods: * :meth:`PasswordHash.hash` - generate new salt, return hash of password. * :meth:`PasswordHash.verify` - verify password against existing hash. Two additional support methods are also provided: * :meth:`PasswordHash.using` - create subclass with customized configuration. * :meth:`PasswordHash.identify` - check if hash belongs to this algorithm. Each hash algorithm also provides a number of :ref:`informational attributes `, allowing programmatic inspection of its options and parameter limits. .. seealso:: :ref:`hash-tutorial` -- Overview of this interface and how to use it. .. _primary-methods: Hashing & Verification Methods ============================== Most applications will only need to use two methods: :meth:`PasswordHash.hash` to generate new hashes, and :meth:`PasswordHash.verify` to check passwords against existing hashes. These methods provide an easy interface for working with a password hash, and abstract away details such as salt generation, hash normalization, and hash comparison. .. classmethod:: PasswordHash.hash(secret, \*\*kwds) Digest password using format-specific algorithm, returning resulting hash string. For most hashes supported by Passlib, the returned string will contain: an algorithm identifier, a cost parameter, the salt string, and finally the password digest itself. :type secret: unicode or bytes :arg secret: string containing the password to encode. :param \*\*kwds: All additional keywords are algorithm-specific, and will be listed in that hash's documentation; though many of the more common keywords are listed under :attr:`PasswordHash.setting_kwds` and :attr:`PasswordHash.context_kwds`. .. deprecated:: 1.7 Passing :attr:`PasswordHash.setting_kwds` such as ``rounds`` and ``salt_size`` directly into the :meth:`hash` method is deprecated. Callers should instead use ``handler.using(**settings).hash(secret)``. Support for the old method is is tentatively scheduled for removal in Passlib 2.0. Context keywords such as ``user`` should still be provided to :meth:`!hash`. :returns: Resulting password hash, encoded in an algorithm-specific format. This will always be an instance of :class:`!str` (i.e. :class:`unicode` under Python 3, ``ascii``-encoded :class:`bytes` under Python 2). :raises ValueError: * If a ``kwd``'s value is invalid (e.g. if a ``salt`` string is too small, or a ``rounds`` value is out of range). * If ``secret`` contains characters forbidden by the hash algorithm (e.g. :class:`!des_crypt` forbids NULL characters). :raises TypeError: * if ``secret`` is not :class:`!unicode` or :class:`bytes`. * if a ``kwd`` argument has an incorrect type. * if an algorithm-specific required ``kwd`` is not provided. .. versionchanged:: 1.6 Hashes now raise :exc:`TypeError` if a required keyword is missing, rather than :exc:`ValueError` like in previous releases; in order to conform with normal Python behavior. .. versionchanged:: 1.6 Passlib is now much stricter about input validation: for example, out-of-range ``rounds`` values now cause an error instead of being clipped (though applications may set :ref:`relaxed=True ` to restore the old behavior). .. versionchanged:: 1.7 This method was renamed from :meth:`encrypt`. Deprecated support for passing settings directly into :meth:`!hash`. .. classmethod:: PasswordHash.encrypt(secret, \*\*kwds) Legacy alias for :meth:`PasswordHash.hash`. .. deprecated:: 1.7 This method was renamed to :meth:`!hash` in version 1.7. This alias will be removed in version 2.0, and should only be used for compatibility with Passlib 1.3 - 1.6. .. classmethod:: PasswordHash.verify(secret, hash, \*\*context_kwds) Verify a secret using an existing hash. This checks if a secret matches against the one stored inside the specified hash. :type secret: unicode or bytes :param secret: A string containing the password to check. :type secret: unicode or bytes :param hash: A string containing the hash to check against, such as returned by :meth:`PasswordHash.hash`. Hashes may be specified as :class:`!unicode` or ``ascii``-encoded :class:`!bytes`. :param \*\*kwds: Very few hashes will have additional keywords. The ones that do typically require external contextual information in order to calculate the digest. For these hashes, the values must match the ones passed to the original :meth:`PasswordHash.hash` call when the hash was generated, or the password will not verify. These additional keywords are algorithm-specific, and will be listed in that hash's documentation; though the more common keywords are listed under :attr:`PasswordHash.context_kwds`. Examples of common keywords include ``user``. :returns: ``True`` if the secret matches, otherwise ``False``. :raises TypeError: * if either ``secret`` or ``hash`` is not a unicode or bytes instance. * if the hash requires additional ``kwds`` which are not provided, * if a ``kwd`` argument has the wrong type. :raises ValueError: * if ``hash`` does not match this algorithm's format. * if the ``secret`` contains forbidden characters (see :meth:`PasswordHash.hash`). * if a configuration/salt string generated by :meth:`PasswordHash.genconfig` is passed in as the value for ``hash`` (these strings look similar to a full hash, but typically lack the digest portion needed to verify a password). .. versionchanged:: 1.6 This function now raises :exc:`ValueError` if ``None`` or a config string is provided instead of a properly-formed hash; previous releases were inconsistent in their handling of these two border cases. .. seealso:: * :ref:`hash-verifying` tutorial for a usage example .. _crypt-methods: .. rst-class:: html-toggle Crypt Methods ============= Taken together, the :meth:`PasswordHash.genconfig` and :meth:`PasswordHash.genhash` are two tightly-coupled methods that mimic the standard Unix "crypt" interface. The first method generates salt / configuration strings from a set of settings, and the second hashes the password using the provided configuration string. .. seealso:: Most applications will find :meth:`PasswordHash.hash` much more useful, as it combines the functionality of these two methods into one. .. classmethod:: PasswordHash.genconfig(\*\*setting_kwds) .. deprecated:: 1.7 As of 1.7, this method is deprecated, and slated for complete removal in Passlib 2.0. For all known real-world uses, ``.hash("", **settings)`` should provide equivalent functionality. This deprecation may be reversed if a use-case presents itself in the mean time. Returns a configuration string encoding settings for hash generation. This function takes in all the same :attr:`PasswordHash.setting_kwds` as :meth:`PasswordHash.hash`, fills in suitable defaults, and encodes the settings into a single "configuration" string, suitable passing to :meth:`PasswordHash.genhash`. :param \*\*kwds: All additional keywords are algorithm-specific, and will be listed in that hash's documentation; though many of the more common keywords are listed under :attr:`PasswordHash.setting_kwds` Examples of common keywords include ``salt`` and ``rounds``. :returns: A configuration string (as :class:`!str`). :raises ValueError, TypeError: This function raises exceptions for the same reasons as :meth:`PasswordHash.hash`. .. versionchanged:: 1.7 This should now always return a full hash string, even in cases where previous releases would return a truncated "configuration only" string, or ``None``. .. classmethod:: PasswordHash.genhash(secret, config, \*\*context_kwds) Encrypt secret using specified configuration string. .. deprecated:: 1.7 As of 1.7, this method is deprecated, and slated for complete removal in Passlib 2.0. This deprecation may be reversed if a use-case presents itself in the mean time. This takes in a password and a configuration string, and returns a hash for that password. :type secret: unicode or bytes :arg secret: string containing the password to be encrypted. :type config: unicode or bytes :arg config: configuration string to use when hashing the secret. this can either be an existing hash that was previously returned by :meth:`PasswordHash.genhash`, or a configuration string that was previously created by :meth:`PasswordHash.genconfig`. .. versionchanged:: 1.7 ``None`` is no longer accepted for hashes which (prior to 1.7) lacked a configuration string format. :param \*\*kwds: Very few hashes will have additional keywords. The ones that do typically require external contextual information in order to calculate the digest. For these hashes, the values must match the ones passed to the original :meth:`PasswordHash.hash` call when the hash was generated, or the password will not verify. These additional keywords are algorithm-specific, and will be listed in that hash's documentation; though the more common keywords are listed under ::attr:`PasswordHash.context_kwds`. Examples of common keywords include ``user``. :returns: Encoded hash matching specified secret, config, and kwds. This will always be a native :class:`!str` instance. :raises ValueError, TypeError: This function raises exceptions for the same reasons as :meth:`PasswordHash.hash`. .. warning:: Traditionally, password verification using the "crypt" interface was done by testing if ``hash == genhash(password, hash)``. This test is only reliable for a handful of algorithms, as various hash representation issues may cause false results. Applications are strongly urged to use :meth:`~PasswordHash.verify` instead. .. _support-methods: Factory Creation ================ One powerful method offered by the :class:`!PasswordHash` class :meth:`PasswordHash.using`. This method allows you to quickly create subclasses of a specific hash, providing it with preconfigured defaults specific to your application: .. classmethod:: PasswordHash.using(relaxed=False, \*\*settings) This method takes in a set of algorithm-specific settings, and returns a new handler object which uses the specified default settings instead. :param \*\*settings: All keywords are algorithm-specific, and will be listed in that hash's documentation; though many of the more common keywords are listed under :attr:`PasswordHash.setting_kwds`. Examples of common keywords include ``rounds`` and ``salt_size``. :returns: A new object which adheres to :class:`!PasswordHash` api. :raises ValueError: * If a keywords's value is invalid (e.g. if a ``salt`` string is too small, or a ``rounds`` value is out of range). :raises TypeError: * if a ``kwd`` argument has an incorrect type. .. versionadded:: 1.7 .. seealso:: :ref:`hash-configuring` tutorial for a usage example Hash Inspection Methods ======================= There are currently two hash inspection methods, :meth:`PasswordHash.identify` and :meth:`PasswordHash.needs_update`. .. classmethod:: PasswordHash.identify(hash) Quickly identify if a hash string belongs to this algorithm. :type hash: unicode or bytes :arg hash: the candidate hash string to check :returns: * ``True`` if the input is a configuration string or hash string identifiable as belonging to this scheme (even if it's malformed). * ``False`` if the input does not belong to this scheme. :raises TypeError: if :samp:`{hash}` is not a unicode or bytes instance. .. note:: A small number of the hashes supported by Passlib lack a reliable method of identification (e.g. :class:`~passlib.hash.lmhash` and :class:`~passlib.hash.nthash` both consist of 32 hexadecimal characters, with no distinguishing features). For such hashes, this method may return false positives. .. seealso:: If you are considering using this method to select from multiple algorithms (e.g. in order to verify a password), you will be better served by the :ref:`CryptContext ` class. .. automethod:: PasswordHash.needs_update .. the undocumented and experimental support methods currently include parsehash() and bitsize() .. todo:: document the :attr:`is_disabled` and DisabledHash interface added in passlib 1.7. .. _informational-attributes: .. _general-attributes: General Informational Attributes ================================ Each hash provides a handful of informational attributes, allowing programs to dynamically adapt to the requirements of different hash algorithms. The following attributes should be defined for all the hashes in passlib: .. attribute:: PasswordHash.name Name uniquely identifying this hash. For the hashes built into Passlib, this will always match the location where it was imported from — :samp:`passlib.hash.{name}` — though externally defined hashes may not adhere to this. This should always be a :class:`!str` consisting of lowercase ``a-z``, the digits ``0-9``, and the underscore character ``_``. .. attribute:: PasswordHash.setting_kwds Tuple listing the keywords supported by :meth:`PasswordHash.using` control hash generation, and which will be encoded into the resulting hash. (These keywords will also be accepted by :meth:`PasswordHash.hash` and :meth:`PasswordHash.genconfig`, though that behavior is deprecated as of Passlib 1.7; and will be removed in Passlib 2.0). This list commonly includes keywords for controlling salt generation, adjusting time-cost parameters, etc. Most of these settings are optional, and suitable defaults will be chosen if they are omitted (e.g. salts will be autogenerated). While the documentation for each hash should have a complete list of the specific settings the hash uses, the following keywords should have roughly the same behavior for all the hashes that support them: .. index:: single: salt; PasswordHash keyword ``salt`` Specifies a fixed salt string to use, rather than randomly generating one. This option is supported by most of the hashes in Passlib, though typically it isn't used, as random generation of a salt is usually the desired behavior. Hashes typically require this to be a :class:`!unicode` or :class:`!bytes` instance, with additional constraints appropriate to the algorithm. .. index:: single: salt_size; PasswordHash keyword ``salt_size`` Most algorithms which support the ``salt`` setting will autogenerate a salt when none is provided. Most of those hashes will also offer this option, which allows the caller to specify the size of salt which should be generated. If omitted, the hash's default salt size will be used. .. seealso:: the :ref:`salt info ` attributes (below) .. index:: single: rounds; PasswordHash keyword ``rounds`` If present, this means the hash can vary the number of internal rounds used in some part of its algorithm, allowing the calculation to take a variable amount of processor time, for increased security. While this is almost always a non-negative integer, additional constraints may be present for each algorithm (such as the cost varying on a linear or logarithmic scale). This value is typically omitted, in which case a default value will be used. The defaults for all the hashes in Passlib are periodically retuned to strike a balance between security and responsiveness. .. seealso:: the :ref:`rounds info ` attributes (below) .. index:: single: ident; PasswordHash keyword ``ident`` If present, the class supports multiple formats for encoding the same hash. The class's documentation will generally list the allowed values, allowing alternate output formats to be selected. Note that these values will typically correspond to different revision of the hash algorithm itself, and they may not all offer the same level of security. ``truncate_error`` This will be present if and only if the hash truncates passwords larger than some limit (reported via it's :attr:`truncate_size` attribute). By default, they will silently truncate passwords above their limit. Setting ``truncate_error=True`` will cause :meth:`PasswordHash.hash` to raise a :exc:`~passlib.exc.PasswordTruncateError` instead. .. index:: single: relaxed; PasswordHash keyword .. _relaxed-keyword: ``relaxed`` By default, passing an invalid value to :meth:`PasswordHash.using` will result in a :exc:`ValueError`. However, if ``relaxed=True`` then Passlib will attempt to correct the error and (if successful) issue a :exc:`~passlib.exc.PasslibHashWarning` instead. This warning may then be filtered if desired. Correctable errors include (but are not limited to): ``rounds`` and ``salt_size`` values that are too low or too high, ``salt`` strings that are too large. .. versionadded:: 1.6 .. _context-keywords: .. attribute:: PasswordHash.context_kwds Tuple listing the keywords supported by :meth:`PasswordHash.hash`, :meth:`PasswordHash.verify`, and :meth:`PasswordHash.genhash`. These keywords are different from the settings kwds in that the context keywords affect the hash, but are not encoded within it, and thus must be provided each time the hash is calculated. This list commonly includes a user account, http realm identifier, etc. Most of these keywords are required by the hashes which support them, as they are frequently used in place of an embedded salt parameter. *Most hash algorithms in Passlib will have no context keywords.* While the documentation for each hash should have a complete list of the specific context keywords the hash uses, the following keywords should have roughly the same behavior for all the hashes that support them: .. index:: single: user; PasswordHash keyword ``user`` If present, the class requires a username be specified whenever performing a hash calculation (e.g. :class:`~passlib.hash.postgres_md5` and :class:`~passlib.hash.oracle10`). .. index:: single: encoding; PasswordHash keyword ``encoding`` Some hashes have poorly-defined or host-dependant unicode behavior, and properly hashing a non-ASCII password requires providing the correct encoding (:class:`~passlib.hash.lmhash` is perhaps the worst offender). Hashes which provide this keyword will always expose their default encoding programmatically via the :attr:`PasswordHash.default_encoding` attribute. .. attribute:: truncate_size A positive integer, indicating the hash will truncate any passwords larger than this many bytes. If ``None`` (the more common case), indicates the hash will use the entire password provided. Hashes which specify this setting will also support a ``truncate_error`` flag via their :meth:`PasswordHash.using` method, to configure how truncation is handled. .. seealso:: :ref:`hash-configuring` tutorial for a usage example .. _salt-attributes: Salt Information Attributes =========================== For schemes which support a salt string, ``"salt"`` should be listed in their :attr:`PasswordHash.setting_kwds`, and the following attributes should be defined: .. attribute:: PasswordHash.max_salt_size The maximum number of bytes/characters allowed in the salt. Should either be a positive integer, or ``None`` (indicating the algorithm has no effective upper limit). .. attribute:: PasswordHash.min_salt_size The minimum number of bytes/characters required for the salt. Must be an integer between 0 and :attr:`PasswordHash.max_salt_size`. .. attribute:: PasswordHash.default_salt_size The default salt size that will be used when generating a salt, assuming ``salt_size`` is not set explicitly. This is typically the same as :attr:`max_salt_size`, or a sane default if ``max_salt_size=None``. .. attribute:: PasswordHash.salt_chars A unicode string containing all the characters permitted in a salt string. For most :ref:`modular-crypt-format` hashes, this is equal to :data:`passlib.utils.binary.HASH64_CHARS`. For the rare hashes where the ``salt`` parameter must be specified in bytes, this will be a placeholder :class:`!bytes` object containing all 256 possible byte values. .. not yet documentated, want to make sure this is how we want to do things: .. attribute:: PasswordHash.default_salt_chars sequence of characters used to generate new salts. this is typically the same as :attr:`PasswordHash.salt_chars`, but some hashes accept a larger-than-useful range, and this will contain only the "common" values used for generation. .. _rounds-attributes: Rounds Information Attributes ============================= For schemes which support a variable time-cost parameter, ``"rounds"`` should be listed in their :attr:`PasswordHash.setting_kwds`, and the following attributes should be defined: .. attribute:: PasswordHash.max_rounds The maximum number of rounds the scheme allows. Specifying a value beyond this will result in a :exc:`ValueError`. This will be either a positive integer, or ``None`` (indicating the algorithm has no effective upper limit). .. attribute:: PasswordHash.min_rounds The minimum number of rounds the scheme allows. Specifying a value below this will result in a :exc:`ValueError`. Will always be an integer between 0 and :attr:`PasswordHash.max_rounds`. .. attribute:: PasswordHash.default_rounds The default number of rounds that will be used if none is explicitly provided to :meth:`PasswordHash.hash`. This will always be an integer between :attr:`PasswordHash.min_rounds` and :attr:`PasswordHash.max_rounds`. .. attribute:: PasswordHash.rounds_cost While the cost parameter ``rounds`` is an integer, how it corresponds to the amount of time taken can vary between hashes. This attribute indicates the scale used by the hash: * ``"linear"`` - time taken scales linearly with rounds value (e.g. :class:`~passlib.hash.sha512_crypt`) * ``"log2"`` - time taken scales exponentially with rounds value (e.g. :class:`~passlib.hash.bcrypt`) .. todo:: document the additional :meth:`PasswordHash.using` keywords available for setting rounds limits. .. todo: haven't decided if this is how I want the api look before formally publishing it in the documentation: .. _password-hash-backends: Multiple Backends ================= .. note:: For the most part, applications will not need this interface, outside of perhaps calling the :meth:`PasswordHash.get_backend` to determine which the active backend. Some hashes provided by Passlib have multiple backends which they select from at runtime, to provide the fastest implementation available. Algorithms which offer multiple backends will expose the following methods and attributes: .. attribute:: PasswordHash.backends Tuple listing names of potential backends (which may or may not be available). If this attribute is not present, the hash does not support multiple backends. While the names of the backends are specific to the hash algorithm, the following standard names may be present: * ``"os_crypt"`` - backend which uses stdlib's :mod:`!crypt` module. this backend will not be available if the underlying host OS does not support the particular hash algorithm. * ``"builtin"`` - backend using pure-python implementation built into Passlib. All hashes will have this as their last backend, as a fallback. .. method:: PasswordHash.get_backend() This method should return the name of the currently active backend that will be used by :meth:`PasswordHash.hash` and :meth:`PasswordHash.verify`. :raises passlib.exc.MissingBackendError: in the rare case that *no* backends can be loaded. .. method:: PasswordHash.has_backend(backend) This method can be used to test if a specific backend is available. Returns ``True`` or ``False``. .. method:: PasswordHash.set_backend(backend) This method can be used to select a specific backend. The ``backend`` argument must be one of the backends listed in :attr:`PasswordHash.backends`, or the special value ``"default"``. :raises passlib.exc.MissingBackendError: if the specified backend is not available.