-rw-r--r-- | src/_bcrypt/src/lib.rs | 22 | ||||
-rw-r--r-- | src/bcrypt/__init__.py | 22 |
2 files changed, 13 insertions, 31 deletions
diff --git a/src/_bcrypt/src/lib.rs b/src/_bcrypt/src/lib.rs
index ba54c3a..ac1897f 100644
--- a/src/_bcrypt/src/lib.rs
+++ b/src/_bcrypt/src/lib.rs
@@ -28,13 +28,15 @@ fn hashpass<'p>(
 if raw_parts.len() != 3 {
 return Err(pyo3::exceptions::PyValueError::new_err("Invalid salt"));
 }
- if raw_parts[0] != b"2y"
- && raw_parts[0] != b"2b"
- && raw_parts[0] != b"2a"
- && raw_parts[0] != b"2x"
- {
- return Err(pyo3::exceptions::PyValueError::new_err("Invalid salt"));
- }
+ let version = match raw_parts[0] {
+ b"2y" => bcrypt::Version::TwoY,
+ b"2b" => bcrypt::Version::TwoB,
+ b"2a" => bcrypt::Version::TwoA,
+ b"2x" => bcrypt::Version::TwoX,
+ _ => {
+ return Err(pyo3::exceptions::PyValueError::new_err("Invalid salt"));
+ }
+ };
 let cost = std::str::from_utf8(raw_parts[1])
 .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?
 .parse::<u32>()
@@ -50,7 +52,7 @@ fn hashpass<'p>(
 let hashed = bcrypt::hash_with_salt(password, cost, raw_salt).unwrap();
 Ok(pyo3::types::PyBytes::new(
 py,
- hashed.format_for_version(bcrypt::Version::TwoB).as_bytes(),
+ hashed.format_for_version(version).as_bytes(),
 ))
 }
@@ -62,8 +64,8 @@ fn pbkdf<'p>(
 rounds: u32,
 desired_key_bytes: usize,
 ) -> pyo3::PyResult<&'p pyo3::types::PyBytes> {
- pyo3::types::PyBytes::new_with(py, desired_key_bytes, |mut output| {
- bcrypt_pbkdf::bcrypt_pbkdf(password, salt, rounds, &mut output).unwrap();
+ pyo3::types::PyBytes::new_with(py, desired_key_bytes, |output| {
+ bcrypt_pbkdf::bcrypt_pbkdf(password, salt, rounds, output).unwrap();
 Ok(())
 })
 }
diff --git a/src/bcrypt/__init__.py b/src/bcrypt/__init__.py
index 5b2fd42..be79417 100644
--- a/src/bcrypt/__init__.py
+++ b/src/bcrypt/__init__.py
@@ -18,7 +18,6 @@ from __future__ import division
 import hmac
 import os
-import re
 import warnings
 from .__about__ import (
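Review bot: The new `version` binding in the first `hashpass` hunk has no comment saying that it only selects the prefix written by `format_for_version`; `hash_with_salt(password, cost, raw_salt)` in the next hunk takes no version, so all four prefixes yield the same digest. That is easiest to misread for `2x`, which a reader may expect to reproduce a legacy variant. I would add above the `match`: `// The prefix is echoed back as given; the digest is computed identically for 2a/2b/2x/2y.` A test asserting that each accepted prefix comes back unchanged would pin the behaviour the Python wrapper used to provide. `hashpass` starts and ends outside this hunk.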
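Review bot: Both `.unwrap()` calls this patch leaves in place, `bcrypt::hash_with_salt(...)` in the second `hashpass` hunk and the rewritten `bcrypt_pbkdf::bcrypt_pbkdf(...)` line in `pbkdf`, turn a rejected parameter into a Rust panic. PyO3 surfaces that as a `PanicException` derived from `BaseException`, not the `ValueError` used for every other bad input here, so an `except Exception` around a login check would not catch it. Whether `cost`, `rounds` and `desired_key_bytes` are range-checked beforehand is not visible in these hunks, so the extension functions should not depend on it. In `pbkdf` the closure already returns a `PyResult`, so the call can end in `.map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid parameters"))?;`, and `hashpass` can map its error to `"Invalid salt"` the same way.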
@@ -50,9 +49,6 @@ __all__ = [
 ]
-_normalize_re = re.compile(rb"^\$2y\$")
-
-
 def gensalt(rounds: int = 12, prefix: bytes = b"2b") -> bytes:
 if prefix not in (b"2a", b"2b"):
 raise ValueError("Supported prefixes are b'2a' or b'2b'")
@@ -88,23 +84,7 @@ def hashpw(password: bytes, salt: bytes) -> bytes:
 # on $2a$, so we do it here to preserve compatibility with 2.0.0
 password = password[:72]
- # When the original 8bit bug was found the original library we supported
- # added a new prefix, $2y$, that fixes it. This prefix is exactly the same
- # as the $2b$ prefix added by OpenBSD other than the name. Since the
- # OpenBSD library does not support the $2y$ prefix, if the salt given to us
- # is for the $2y$ prefix, we'll just mugne it so that it's a $2b$ prior to
- # passing it into the C library.
- original_salt, salt = salt, _normalize_re.sub(b"$2b$", salt)
-
- hashed = _bcrypt.hashpass(password, salt)
-
- # Now that we've gotten our hashed password, we want to ensure that the
- # prefix we return is the one that was passed in, so we'll use the prefix
- # from the original salt and concatenate that with the return value (minus
- # the return value's prefix). This will ensure that if someone passed in a
- # salt with a $2y$ prefix, that they get back a hash with a $2y$ prefix
- # even though we munged it to $2b$.
- return original_salt[:4] + hashed[4:]
+ return _bcrypt.hashpass(password, salt)
 def checkpw(password: bytes, hashed_password: bytes) -> bool:
|
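Review bot: With both explanatory comments removed in the last hunk, nothing in `hashpw` says that the returned hash keeps the prefix of the supplied salt. Callers comparing against stored `$2y$` hashes depend on that. A single line above the return would keep the contract visible: `# _bcrypt.hashpass echoes the salt's own prefix ($2a$, $2b$, $2x$ or $2y$) in the result.` `hashpw` starts above this hunk.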