pyca/bcrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: pyca:main
Branches Tags
pyca:main
pyca:fix-alpine
pyca:dependabot/cargo/src/_bcrypt/unicode-ident-1.0.16
pyca:dependabot/cargo/src/_bcrypt/cpufeatures-0.2.17
pyca:testing
pyca:reaperhulk-patch-1
pyca:dependabot/cargo/src/_bcrypt/crypto-common-0.1.5
pyca:3.2.x
pyca:5.0.0
pyca:4.3.0
pyca:4.2.1
pyca:4.2.0
pyca:4.1.3
pyca:4.1.2
pyca:4.1.1
pyca:4.1.0
pyca:4.0.1
pyca:4.0.0
pyca:3.2.2
pyca:3.2.1
pyca:3.2.0
pyca:3.1.7
pyca:3.1.6
pyca:3.1.5
pyca:3.1.4
pyca:3.1.3
pyca:3.1.2
pyca:3.1.1
pyca:3.1.0
pyca:3.0.0
pyca:2.0.0
pyca:v1.1.1
pyca:v1.1.0
pyca:v1.0.2
pyca:v1.0.1
pyca:v1.0.0
..
compare: pyca:dependabot/cargo/src/_bcrypt/crypto-common-0.1.5
Branches Tags
pyca:main
pyca:fix-alpine
pyca:dependabot/cargo/src/_bcrypt/unicode-ident-1.0.16
pyca:dependabot/cargo/src/_bcrypt/cpufeatures-0.2.17
pyca:testing
pyca:reaperhulk-patch-1
pyca:dependabot/cargo/src/_bcrypt/crypto-common-0.1.5
pyca:3.2.x
pyca:5.0.0
pyca:4.3.0
pyca:4.2.1
pyca:4.2.0
pyca:4.1.3
pyca:4.1.2
pyca:4.1.1
pyca:4.1.0
pyca:4.0.1
pyca:4.0.0
pyca:3.2.2
pyca:3.2.1
pyca:3.2.0
pyca:3.1.7
pyca:3.1.6
pyca:3.1.5
pyca:3.1.4
pyca:3.1.3
pyca:3.1.2
pyca:3.1.1
pyca:3.1.0
pyca:3.0.0
pyca:2.0.0
pyca:v1.1.1
pyca:v1.1.0
pyca:v1.0.2
pyca:v1.0.1
pyca:v1.0.0

1 Commits
main ... dependabot

Author SHA1 Message Date
dependabot[bot]
5e0e8cb23b
Bump crypto-common from 0.1.4 to 0.1.5 in /src/_bcrypt 
Bumps [crypto-common](https://github.com/RustCrypto/traits) from 0.1.4 to 0.1.5.
- [Release notes](https://github.com/RustCrypto/traits/releases)
- [Commits](https://github.com/RustCrypto/traits/compare/crypto-common-v0.1.4...crypto-common-v0.1.5)

---
updated-dependencies:
- dependency-name: crypto-common
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-07-11 03:41:37 +00:00
27 changed files with 1154 additions and 1406 deletions
Show Stats Expand all files Collapse all files

33
.circleci/build-wheel.sh Executable file
View File

@ -0,0 +1,33 @@
#!/bin/bash -ex
cd /test
echo "Building for ${PLATFORM}"
PYBIN="/opt/python/${PYTHON}/bin"
mkdir -p /test/wheelhouse.final
"${PYBIN}"/python -m venv .venv
.venv/bin/pip install -U pip wheel setuptools-rust
.venv/bin/python setup.py sdist
cd dist
tar zxf bcrypt*.tar.gz
rm -rf bcrypt*.tar.gz
cd bcrypt*
REGEX="cp3([0-9])*"
if [[ "${PYBIN}" =~ $REGEX ]]; then
PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}"
fi
../../.venv/bin/python setup.py bdist_wheel "$PY_LIMITED_API"
auditwheel repair --plat "${PLATFORM}" -w wheelhouse/ dist/bcrypt*.whl
../../.venv/bin/pip install bcrypt --no-index -f wheelhouse/
../../.venv/bin/python -c "import bcrypt; password = b'super secret password';hashed = bcrypt.hashpw(password, bcrypt.gensalt());bcrypt.checkpw(password, hashed)"
mv wheelhouse/* /test/wheelhouse.final

97
.circleci/config.yml Normal file
View File

@ -0,0 +1,97 @@
version: 2.1
commands:
docker-pull:
parameters:
image:
type: string
steps:
- run: docker pull <<parameters.image>>
docker-run:
parameters:
image:
type: string
command:
type: string
steps:
- run: docker run -e PLATFORM -e PYTHON -v $(pwd):/test <<parameters.image>> /bin/bash -c 'cd /test;<<parameters.command>>'
jobs:
linux-arm64:
machine:
image: ubuntu-2004:current
resource_class: arm.medium
parameters:
image:
type: string
toxenv:
type: string
steps:
- checkout
- docker-pull:
image: <<parameters.image>>
- docker-run:
image: <<parameters.image>>
command: /venv/bin/tox -e <<parameters.toxenv>>
linux-arm64-wheel:
machine:
image: ubuntu-2004:current
resource_class: arm.medium
parameters:
image:
type: string
platform:
type: string
python:
type: string
environment:
PLATFORM: <<parameters.platform>>
PYTHON: <<parameters.python>>
steps:
- checkout
- docker-pull:
image: <<parameters.image>>
- docker-run:
image: <<parameters.image>>
command: /test/.circleci/build-wheel.sh
- store_artifacts:
path: wheelhouse.final
workflows:
ci:
jobs:
- linux-arm64:
# Changing this name should only be done in conjunction with updating
# the required checks on GH
name: linux-arm64-ci
image: ghcr.io/pyca/cryptography-runner-ubuntu-focal:aarch64
toxenv: py38
# This makes sure it runs on all tags in addition to PRs/branches.
# By default CircleCI ignores tags.
filters:
tags:
only: /.*/
- linux-arm64-wheel:
name: manylinux2014_aarch64-wheel
image: ghcr.io/pyca/cryptography-manylinux2014_aarch64:latest
python: cp36-cp36m
platform: manylinux2014_aarch64
filters:
tags:
only: /.*/
- linux-arm64-wheel:
name: manylinux_2_24_aarch64-wheel
image: ghcr.io/pyca/cryptography-manylinux_2_24:aarch64
python: cp36-cp36m
platform: manylinux_2_24_aarch64
filters:
tags:
only: /.*/
- linux-arm64-wheel:
name: musllinux_1_1_aarch64-wheel
image: ghcr.io/pyca/cryptography-musllinux_1_1:aarch64
python: cp36-cp36m
platform: musllinux_1_1_aarch64
filters:
tags:
only: /.*/

14
.github/config/macos-pkg-choices-freethreaded-3.13t.xml vendored
View File

@ -1,14 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>org.python.Python.PythonTFramework-3.13</string>
</dict>
</array>
</plist>

14
.github/config/macos-pkg-choices-freethreaded-3.14t.xml vendored
View File

@ -1,14 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>attributeSetting</key>
<integer>1</integer>
<key>choiceAttribute</key>
<string>selected</string>
<key>choiceIdentifier</key>
<string>org.python.Python.PythonTFramework-3.14</string>
</dict>
</array>
</plist>

2
.github/dependabot.yml vendored
View File

@ -4,7 +4,6 @@ updates:
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 1024
- package-ecosystem: cargo
directory: "/src/_bcrypt/"
schedule:
@ -12,4 +11,3 @@ updates:
allow:
# Also update indirect dependencies
- dependency-type: all
open-pull-requests-limit: 1024

214
.github/workflows/ci.yml vendored
View File

@ -9,191 +9,167 @@ on:
jobs:
macos:
runs-on: ${{ matrix.MACOS }}
runs-on: macos-latest
strategy:
fail-fast: false
matrix:
PYTHON:
- {VERSION: "3.8", NOXSESSION: "tests"}
- {VERSION: "3.14", NOXSESSION: "tests"}
- {VERSION: "3.14t", NOXSESSION: "tests"}
MACOS:
- macos-15-intel
- macos-latest
name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.MACOS }}"
PYTHON:
- {VERSION: "3.6", TOXENV: "py36"}
- {VERSION: "3.10", TOXENV: "py310"}
name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v3.0.2
- name: Setup python
id: setup-python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v4.0.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
- uses: actions/cache@v5.0.5
- uses: actions/cache@v3.0.4
timeout-minutes: 5
with:
path: |
~/Library/Caches/pip/
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/registry/src/
~/.cargo/git/db/
src/_bcrypt/target/
key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- run: pip install nox
- run: nox -v
key: ${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
with:
profile: minimal
toolchain: 'stable'
override: true
default: true
- run: pip install tox
- run: tox
env:
NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
TOXENV: ${{ matrix.PYTHON.TOXENV }}
CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
windows:
runs-on: ${{ matrix.WINDOWS.RUNNER }}
runs-on: windows-latest
strategy:
fail-fast: false
matrix:
WINDOWS:
- {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc', RUNNER: 'windows-latest'}
- {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc', RUNNER: 'windows-latest'}
- {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'}
- {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'}
PYTHON:
- {VERSION: "3.8", NOXSESSION: "tests"}
- {VERSION: "3.14", NOXSESSION: "tests"}
- {VERSION: "3.14t", NOXSESSION: "tests"}
- {VERSION: "3.6", TOXENV: "py36"}
- {VERSION: "3.10", TOXENV: "py310"}
name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v3.0.2
- name: Setup python
id: setup-python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v4.0.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
architecture: ${{ matrix.WINDOWS.ARCH }}
- uses: actions/cache@v5.0.5
- uses: actions/cache@v3.0.4
timeout-minutes: 5
with:
path: |
~/AppData/Local/pip/Cache/
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/registry/src/
~/.cargo/git/db/
src/_bcrypt/target/
key: ${{ runner.os }}-${{ matrix.WINDOWS.ARCH }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
key: ${{ runner.os }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
with:
profile: minimal
toolchain: stable
override: true
default: true
target: ${{ matrix.WINDOWS.RUST_TRIPLE }}
- run: pip install nox
- run: nox -v
- run: pip install tox
- run: tox
env:
NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
TOXENV: ${{ matrix.PYTHON.TOXENV }}
CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
linux:
runs-on: ubuntu-22.04
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
PYTHON:
- {VERSION: "3.13", NOXSESSION: "pep8,packaging"}
- {VERSION: "3.13", NOXSESSION: "mypy"}
- {VERSION: "3.8", NOXSESSION: "tests"}
- {VERSION: "3.9", NOXSESSION: "tests"}
- {VERSION: "3.10", NOXSESSION: "tests"}
- {VERSION: "3.11", NOXSESSION: "tests"}
- {VERSION: "3.12", NOXSESSION: "tests"}
- {VERSION: "3.13", NOXSESSION: "tests"}
- {VERSION: "3.13t", NOXSESSION: "tests"}
- {VERSION: "3.14", NOXSESSION: "tests"}
- {VERSION: "3.14t", NOXSESSION: "tests"}
- {VERSION: "pypy-3.11", NOXSESSION: "tests"}
- {VERSION: "3.9", TOXENV: "pep8,packaging"}
- {VERSION: "3.9", TOXENV: "mypy"}
- {VERSION: "3.6", TOXENV: "py36"}
- {VERSION: "3.7", TOXENV: "py37"}
- {VERSION: "3.8", TOXENV: "py38"}
- {VERSION: "3.9", TOXENV: "py39"}
- {VERSION: "3.10", TOXENV: "py310"}
- {VERSION: "pypy-3.7", TOXENV: "pypy3"}
- {VERSION: "pypy-3.8", TOXENV: "pypy3"}
- {VERSION: "pypy-3.9", TOXENV: "pypy3"}
# MSRV
- {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "1.85"}
- {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "beta"}
- {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "nightly"}
name: "${{ matrix.PYTHON.VERSION }} on linux, Rust ${{ matrix.PYTHON.RUST_VERSION || 'stable' }}"
- {VERSION: "3.10", TOXENV: "py310", RUST_VERSION: "1.56.0"}
- {VERSION: "3.10", TOXENV: "py310", RUST_VERSION: "beta"}
- {VERSION: "3.10", TOXENV: "py310", RUST_VERSION: "nightly"}
name: "${{ matrix.PYTHON.TOXENV }} on linux, Rust ${{ matrix.PYTHON.RUST_VERSION || 'stable' }}"
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v3.0.2
- name: Setup python
id: setup-python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v4.0.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
- uses: actions/cache@v5.0.5
- uses: actions/cache@v3.0.4
timeout-minutes: 5
with:
path: |
~/.cache/pip/
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/registry/src/
~/.cargo/git/db/
src/_bcrypt/target/
key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
- uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
with:
profile: minimal
toolchain: ${{ matrix.PYTHON.RUST_VERSION || 'stable' }}
override: true
default: true
- run: pip install nox
- run: nox -v
- run: pip install tox
- run: tox
env:
NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }}
CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
alpine:
runs-on: ${{ matrix.IMAGE.RUNNER }}
container:
image: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }}
volumes:
- /staticnodehost:/staticnodecontainer:rw,rshared
- /staticnodehost/24:/__e/node24:ro,rshared
strategy:
fail-fast: false
matrix:
IMAGE:
- {IMAGE: "alpine", NOXSESSION: "tests", RUNNER: "ubuntu-latest"}
- {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
name: "${{ matrix.IMAGE.NOXSESSION }} on ${{ matrix.IMAGE.IMAGE }}"
steps:
- name: Ridiculous-er workaround for static node
run: |
cp -R /staticnode/* /staticnodecontainer/
- name: Ridiculous alpine workaround for actions support on arm64
run: |
# This modifies /etc/os-release so the JS actions
# from GH can't detect that it's on alpine:aarch64. It will
# then use a glibc nodejs, which works fine when gcompat
# is installed in the container (which it is)
sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release
if: matrix.IMAGE.IMAGE == 'alpine:aarch64'
- uses: actions/checkout@v6.0.2
with:
persist-credentials: false
- run: /venv/bin/pip install nox
- run: /venv/bin/nox -v
env:
NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }}
RUSTUP_HOME: /root/.rustup
TOXENV: ${{ matrix.PYTHON.TOXENV }}
CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
linux-distros:
runs-on: ${{ matrix.IMAGE.RUNNER }}
runs-on: ubuntu-latest
container: ghcr.io/pyca/cryptography-runner-${{ matrix.IMAGE.IMAGE }}
strategy:
fail-fast: false
matrix:
IMAGE:
- {IMAGE: "ubuntu-rolling:aarch64", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
- {IMAGE: "ubuntu-rolling:armv7l", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
name: "${{ matrix.IMAGE.NOXSESSION }} on ${{ matrix.IMAGE.IMAGE }}"
- {IMAGE: "alpine", TOXENV: "py310"}
name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v3.0.2
with:
persist-credentials: false
- run: /venv/bin/pip install nox
- run: /venv/bin/nox -v
- uses: actions/cache@v3.0.4
timeout-minutes: 5
with:
path: |
~/.cache/pip/
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/registry/src/
~/.cargo/git/db/
src/_bcrypt/target/
key: ${{ runner.os }}-${{ matrix.IMAGE.IMAGE }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- run: '/venv/bin/tox'
env:
NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }}
TOXENV: ${{ matrix.IMAGE.TOXENV }}
RUSTUP_HOME: /root/.rustup
CARGO_TARGET_DIR: ${{ format('{0}/src/_bcrypt/target/', github.workspace) }}
all-green: # This job does nothing and is only used for the branch protection
if: always()
needs:
- macos
- windows
- linux
- alpine
- linux-distros
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
with:
jobs: ${{ toJSON(needs) }}

2
.github/workflows/lock.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
lock:
runs-on: ubuntu-latest
steps:
- uses: dessant/lock-threads@v6
- uses: dessant/lock-threads@v3
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
issue-inactive-days: 90

60
.github/workflows/pypi-publish.yml vendored
View File

@ -1,60 +0,0 @@
name: Publish to PyPI
on:
workflow_dispatch:
inputs:
run_id:
description: The run of wheel-builder to use for finding artifacts.
required: true
environment:
description: Which PyPI environment to upload to
required: true
type: choice
options: ["testpypi", "pypi"]
workflow_run:
workflows: ["Wheel Builder"]
types: [completed]
permissions:
contents: read
jobs:
publish:
runs-on: ubuntu-latest
# We're not actually verifying that the triggering push event was for a
# tag, because github doesn't expose enough information to do so.
# wheel-builder.yml currently only has push events for tags.
if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success')
permissions:
id-token: "write"
attestations: "write"
steps:
- run: echo "$EVENT_CONTEXT"
env:
EVENT_CONTEXT: ${{ toJson(github.event) }}
- run: |
echo "PYPI_URL=https://upload.pypi.org/legacy/" >> $GITHUB_ENV
if: github.event_name == 'workflow_run' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'pypi')
- run: |
echo "PYPI_URL=https://test.pypi.org/legacy/" >> $GITHUB_ENV
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'testpypi'
- uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
with:
path: tmpdist/
run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }}
- run: mkdir dist/
- run: |
find tmpdist/ -type f -name 'bcrypt*' -exec mv {} dist/ \;
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
with:
repository-url: ${{ env.PYPI_URL }}
skip-existing: true
# Do not perform attestation for things for TestPyPI. This is
# because there's nothing that would prevent a malicious PyPI from
# serving a signed TestPyPI asset in place of a release intended for
# PyPI.
attestations: ${{ env.PYPI_URL == 'https://upload.pypi.org/legacy/' }}

224
.github/workflows/wheel-builder.yml vendored
View File

@ -7,111 +7,34 @@ on:
version:
description: The version to build
required: false
# Do not add any non-tag push events without updating pypi-publish.yml. If
# you do, it'll upload wheels to PyPI.
push:
tags:
- '*.*'
- '*.*.*'
pull_request:
paths:
- .github/workflows/wheel-builder.yml
- setup.py
- pyproject.toml
jobs:
sdist:
manylinux:
runs-on: ubuntu-latest
name: sdists
strategy:
matrix:
PYTHON:
- {VERSION: "cp36-cp36m", ABI_VERSION: 'cp36'}
CONTAINER:
- {IMAGE: "cryptography-manylinux2010:x86_64", NAME: "manylinux2010"}
- {IMAGE: "cryptography-manylinux2014:x86_64", NAME: "manylinux2014"}
- {IMAGE: "cryptography-manylinux_2_24:x86_64", NAME: "manylinux_2_24"}
- {IMAGE: "cryptography-musllinux_1_1:x86_64", NAME: "musllinux_1_1"}
name: "${{ matrix.PYTHON.ABI_VERSION }} ${{ matrix.CONTAINER.NAME }}"
container: ghcr.io/pyca/${{ matrix.CONTAINER.IMAGE }}
steps:
- uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2
- uses: actions/checkout@v1 # Need v1 because manylinux2010 can't run node from v2
with:
# The tag to build or the tag received by the tag event
ref: ${{ github.event.inputs.version || github.ref }}
persist-credentials: false
- run: python -m venv .venv
- name: Install Python dependencies
run: .venv/bin/pip install -U pip build
- name: Make sdist
run: .venv/bin/python -m build --sdist
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: "bcrypt-sdist"
path: dist/bcrypt*
manylinux:
needs: [sdist]
runs-on: ${{ matrix.MANYLINUX.RUNNER }}
strategy:
fail-fast: false
matrix:
PYTHON:
- { VERSION: "cp38-cp38", ABI_VERSION: 'cp38' }
- { VERSION: "cp39-cp39", ABI_VERSION: 'cp39' }
- { VERSION: "pp311-pypy311_pp73" }
- { VERSION: "cp313-cp313t" }
- { VERSION: "cp314-cp314t" }
MANYLINUX:
- { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" }
- { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"}
- { NAME: "manylinux_2_34_x86_64", CONTAINER: "cryptography-manylinux_2_34:x86_64", RUNNER: "ubuntu-latest"}
- { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"}
- { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: "ubuntu-24.04-arm" }
- { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: "ubuntu-24.04-arm" }
- { NAME: "manylinux_2_34_aarch64", CONTAINER: "cryptography-manylinux_2_34:aarch64", RUNNER: "ubuntu-24.04-arm" }
- { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: "ubuntu-24.04-arm" }
- { NAME: "manylinux_2_31_armv7l", CONTAINER: "cryptography-manylinux_2_31:armv7l", RUNNER: "ubuntu-24.04-arm" }
exclude:
# There are no readily available musllinux PyPy distributions
- PYTHON: { VERSION: "pp311-pypy311_pp73" }
MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"}
- PYTHON: { VERSION: "pp311-pypy311_pp73" }
MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: "ubuntu-24.04-arm" }
# We also don't build pypy wheels for anything except the latest manylinux
- PYTHON: { VERSION: "pp311-pypy311_pp73" }
MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"}
- PYTHON: { VERSION: "pp311-pypy311_pp73" }
MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: "ubuntu-24.04-arm" }
# No PyPy on armv7l either
- PYTHON: { VERSION: "pp311-pypy311_pp73" }
MANYLINUX: { NAME: "manylinux_2_31_armv7l", CONTAINER: "cryptography-manylinux_2_31:armv7l", RUNNER: "ubuntu-24.04-arm" }
name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}"
container:
image: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }}
volumes:
- /staticnodehost:/staticnodecontainer:rw,rshared
- /staticnodehost/24:/__e/node24:ro,rshared
steps:
- name: Ridiculous-er workaround for static node
run: |
cp -R /staticnode/* /staticnodecontainer/
- name: Ridiculous alpine workaround for actions support on arm64
run: |
# This modifies /etc/os-release so the JS actions
# from GH can't detect that it's on alpine:aarch64. It will
# then use a glibc nodejs, which works fine when gcompat
# is installed in the container (which it is)
sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release
if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64')
- run: /opt/python/${{ matrix.PYTHON.VERSION }}/bin/python -m venv .venv
- name: Install python dependencies
run: .venv/bin/pip install -U pip wheel setuptools-rust
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: bcrypt-sdist
- run: mkdir tmpwheelhouse
- name: Build the wheel
run: |
if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then
PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation"
fi
.venv/bin/python -m pip wheel -v $PY_LIMITED_API bcrypt*.tar.gz -w dist/ && mv dist/bcrypt*.whl tmpwheelhouse
- name: Make sdist
run: .venv/bin/python setup.py sdist
- run: tar zxvf dist/bcrypt*.tar.gz && mkdir tmpwheelhouse
- run: cd bcrypt* && ../.venv/bin/python setup.py bdist_wheel --py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} && mv dist/bcrypt*.whl ../tmpwheelhouse
env:
RUSTUP_HOME: /root/.rustup
- run: auditwheel repair tmpwheelhouse/bcrypt*.whl -w wheelhouse/
@ -121,73 +44,50 @@ jobs:
- run: mkdir bcrypt-wheelhouse
- run: mv wheelhouse/bcrypt*.whl bcrypt-wheelhouse/
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- uses: actions/upload-artifact@v1
with:
name: "bcrypt-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}${{ matrix.PYTHON.ABI_VERSION }}"
name: "bcrypt-${{ github.event.inputs.version }}-${{ matrix.CONTAINER.NAME }} -${{ matrix.PYTHON.ABI_VERSION }}"
path: bcrypt-wheelhouse/
macos:
needs: [sdist]
runs-on: macos-15
runs-on: macos-11
strategy:
fail-fast: false
matrix:
PYTHON:
- VERSION: '3.11'
ABI_VERSION: 'cp38'
DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.9/python-3.11.9-macos11.pkg'
BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3'
- VERSION: '3.11'
ABI_VERSION: 'cp39'
DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.9/python-3.11.9-macos11.pkg'
BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3'
- VERSION: '3.13t'
DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.13.7/python-3.13.7-macos11.pkg'
BIN_PATH: '/Library/Frameworks/PythonT.framework/Versions/3.13/bin/python3.13t'
- VERSION: '3.14t'
DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.14.0/python-3.14.0-macos11.pkg'
BIN_PATH: '/Library/Frameworks/PythonT.framework/Versions/3.14/bin/python3.14t'
name: "Python ${{ matrix.PYTHON.VERSION }} ${{ matrix.PYTHON.ABI_VERSION }} on macOS"
- VERSION: '3.10'
ABI_VERSION: 'cp36'
DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.10.1/python-3.10.1-macos11.pkg'
BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.10/bin/python3'
name: "Python ${{ matrix.PYTHON.VERSION }} for ABI ${{ matrix.PYTHON.ABI_VERSION }} on macOS"
steps:
- uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2
- uses: actions/checkout@v2.4.0
with:
# The tag to build or the tag received by the tag event
ref: ${{ github.event.inputs.version || github.ref }}
sparse-checkout: |
.github/config/macos-pkg-choices-freethreaded-3.13t.xml
.github/config/macos-pkg-choices-freethreaded-3.14t.xml
persist-credentials: false
- name: Install Python
if: ${{ !endsWith(matrix.PYTHON.VERSION, 't') }}
run: |
- run: |
curl "${{ matrix.PYTHON.DOWNLOAD_URL }}" -o python.pkg
sudo installer -pkg python.pkg -target /
- name: Install Python (free-threaded)
if: ${{ endsWith(matrix.PYTHON.VERSION, 't') }}
run: |
curl "${{ matrix.PYTHON.DOWNLOAD_URL }}" -o python.pkg
sudo installer -pkg python.pkg -applyChoiceChangesXML .github/config/macos-pkg-choices-freethreaded-${{ matrix.PYTHON.VERSION }}.xml -target /
- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
- uses: actions-rs/toolchain@v1.0.7
with:
profile: minimal
toolchain: stable
# Add the x86-64 target in addition to the native arch (arm64)
target: x86_64-apple-darwin
override: true
default: true
# Add the arm64 target in addition to the native arch (x86_64)
target: aarch64-apple-darwin
- run: ${{ matrix.PYTHON.BIN_PATH }} -m venv venv
- run: venv/bin/pip install -U pip wheel setuptools-rust
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: bcrypt-sdist
- run: mkdir wheelhouse
- name: Make sdist
run: venv/bin/python setup.py sdist
- run: tar zxvf dist/bcrypt*.tar.gz && mkdir wheelhouse
- name: Build the wheel
run: |
if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then
PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation"
fi
venv/bin/python -m pip wheel -v $PY_LIMITED_API bcrypt*.tar.gz -w dist/ && mv dist/bcrypt*.whl wheelhouse
run: cd bcrypt* && ../venv/bin/python setup.py bdist_wheel --py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} && mv dist/bcrypt*.whl ../wheelhouse
env:
PYTHON_VERSION: ${{ matrix.PYTHON.ABI_VERSION }}
MACOSX_DEPLOYMENT_TARGET: '10.12'
MACOSX_DEPLOYMENT_TARGET: '10.10'
CFLAGS: '-arch arm64 -arch x86_64'
ARCHFLAGS: '-arch arm64 -arch x86_64'
_PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2'
- run: venv/bin/pip install -f wheelhouse --no-index bcrypt
@ -196,50 +96,46 @@ jobs:
- run: mkdir bcrypt-wheelhouse
- run: mv wheelhouse/bcrypt*.whl bcrypt-wheelhouse/
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- uses: actions/upload-artifact@v1
with:
name: "bcrypt-${{ github.event.inputs.version }}-macOS-${{ matrix.PYTHON.VERSION }}${{ matrix.PYTHON.ABI_VERSION }}"
name: "bcrypt-${{ github.event.inputs.version }}-macOS-${{ matrix.PYTHON.ABI_VERSION }}"
path: bcrypt-wheelhouse/
windows:
needs: [sdist]
runs-on: ${{ matrix.WINDOWS.RUNNER }}
runs-on: windows-latest
strategy:
fail-fast: false
matrix:
WINDOWS:
- {ARCH: 'x86', RUST_TRIPLE: 'i686-pc-windows-msvc', RUNNER: 'windows-latest'}
- {ARCH: 'x64', RUST_TRIPLE: 'x86_64-pc-windows-msvc', RUNNER: 'windows-latest'}
- {ARCH: 'x86', RUST_TRIPLE: 'i686-pc-windows-msvc'}
- {ARCH: 'x64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'}
PYTHON:
- {VERSION: "3.11", ABI_VERSION: "cp38"}
- {VERSION: "3.11", ABI_VERSION: "cp39"}
- {VERSION: "3.13t"}
- {VERSION: "3.14t"}
- {VERSION: "3.6", ABI_VERSION: "cp36"}
name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.PYTHON.ABI_VERSION }} ${{ matrix.WINDOWS.ARCH }}"
steps:
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- uses: actions/checkout@v2.4.0
with:
name: bcrypt-sdist
# The tag to build or the tag received by the tag event
ref: ${{ github.event.inputs.version || github.ref }}
persist-credentials: false
- name: Setup python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v4.0.0
with:
python-version: ${{ matrix.PYTHON.VERSION }}
architecture: ${{ matrix.WINDOWS.ARCH }}
- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
- uses: actions-rs/toolchain@v1.0.7
with:
profile: minimal
toolchain: stable
override: true
default: true
target: ${{ matrix.WINDOWS.RUST_TRIPLE }}
- run: python -m pip install -U pip wheel setuptools-rust
- run: mkdir wheelhouse
shell: bash
- name: Build the wheel
run: |
if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then
PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation"
fi
python -m pip wheel -v $PY_LIMITED_API bcrypt*.tar.gz -w dist/ && mv dist/bcrypt*.whl wheelhouse
- name: Make sdist
run: python setup.py sdist
- run: tar zxvf dist/bcrypt*.tar.gz && mkdir wheelhouse
shell: bash
- run: cd bcrypt* && python setup.py bdist_wheel --py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} && mv dist/bcrypt*.whl ../wheelhouse
- run: pip install -f wheelhouse --no-index bcrypt
- run: |
python -c "import bcrypt; password = b'super secret password';hashed = bcrypt.hashpw(password, bcrypt.gensalt());bcrypt.checkpw(password, hashed)"
@ -247,7 +143,7 @@ jobs:
# TODO: can we setup another python and test in the same job? this would catch bad linking problems (e.g. build and test on py36, but then install py38 and see if it works
- run: mkdir bcrypt-wheelhouse
- run: move wheelhouse\bcrypt*.whl bcrypt-wheelhouse\
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- uses: actions/upload-artifact@v1
with:
name: "bcrypt-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.ARCH }}-${{ matrix.PYTHON.VERSION }}${{ matrix.PYTHON.ABI_VERSION }}"
name: "bcrypt-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.ARCH }}-${{ matrix.PYTHON.ABI_VERSION }}"
path: bcrypt-wheelhouse\

167
CHANGELOG.rst
View File

@ -1,167 +0,0 @@
Changelog
=========
Unreleased
----------
* Bumped MSRV to 1.85.
5.0.0
-----
* Bumped MSRV to 1.74.
* Added support for Python 3.14 and free-threaded Python 3.14.
* Added support for Windows on ARM.
* Passing ``hashpw`` a password longer than 72 bytes now raises a
``ValueError``. Previously the password was silently truncated, following the
behavior of the original OpenBSD ``bcrypt`` implementation.
4.3.0
-----
* Dropped support for Python 3.7.
* We now support free-threaded Python 3.13.
* We now support PyPy 3.11.
* We now publish wheels for free-threaded Python 3.13, for PyPy 3.11 on
``manylinux``, and for ARMv7l on ``manylinux``.
4.2.1
-----
* Bump Rust dependency versions - this should resolve crashes on Python 3.13
free-threaded builds.
* We no longer build ``manylinux`` wheels for PyPy 3.9.
4.2.0
-----
* Bump Rust dependency versions
* Removed the ``BCRYPT_ALLOW_RUST_163`` environment variable.
4.1.3
-----
* Bump Rust dependency versions
4.1.2
-----
* Publish both ``py37`` and ``py39`` wheels. This should resolve some errors
relating to initializing a module multiple times per process.
4.1.1
-----
* Fixed the type signature on the ``kdf`` method.
* Fixed packaging bug on Windows.
* Fixed incompatibility with passlib package detection assumptions.
4.1.0
-----
* Dropped support for Python 3.6.
* Bumped MSRV to 1.64. (Note: Rust 1.63 can be used by setting the ``BCRYPT_ALLOW_RUST_163`` environment variable)
4.0.1
-----
* We now build PyPy ``manylinux`` wheels.
* Fixed a bug where passing an invalid ``salt`` to ``checkpw`` could result in
a ``pyo3_runtime.PanicException``. It now correctly raises a ``ValueError``.
4.0.0
-----
* ``bcrypt`` is now implemented in Rust. Users building from source will need
to have a Rust compiler available. Nothing will change for users downloading
wheels.
* We no longer ship ``manylinux2010`` wheels. Users should upgrade to the latest
``pip`` to ensure this doesnt cause issues downloading wheels on their
platform. We now ship ``manylinux_2_28`` wheels for users on new enough platforms.
* ``NUL`` bytes are now allowed in inputs.
3.2.2
-----
* Fixed packaging of ``py.typed`` files in wheels so that ``mypy`` works.
3.2.1
-----
* Added support for compilation on z/OS
* The next release of ``bcrypt`` with be 4.0 and it will require Rust at
compile time, for users building from source. There will be no additional
requirement for users who are installing from wheels. Users on most
platforms will be able to obtain a wheel by making sure they have an up to
date ``pip``. The minimum supported Rust version will be 1.56.0.
* This will be the final release for which we ship ``manylinux2010`` wheels.
Going forward the minimum supported manylinux ABI for our wheels will be
``manylinux2014``. The vast majority of users will continue to receive
``manylinux`` wheels provided they have an up to date ``pip``.
3.2.0
-----
* Added typehints for library functions.
* Dropped support for Python versions less than 3.6 (2.7, 3.4, 3.5).
* Shipped ``abi3`` Windows wheels (requires pip >= 20).
3.1.7
-----
* Set a ``setuptools`` lower bound for PEP517 wheel building.
* We no longer distribute 32-bit ``manylinux1`` wheels. Continuing to produce
them was a maintenance burden.
3.1.6
-----
* Added support for compilation on Haiku.
3.1.5
-----
* Added support for compilation on AIX.
* Dropped Python 2.6 and 3.3 support.
* Switched to using ``abi3`` wheels for Python 3. If you are not getting a
wheel on a compatible platform please upgrade your ``pip`` version.
3.1.4
-----
* Fixed compilation with mingw and on illumos.
3.1.3
-----
* Fixed a compilation issue on Solaris.
* Added a warning when using too few rounds with ``kdf``.
3.1.2
-----
* Fixed a compile issue affecting big endian platforms.
* Fixed invalid escape sequence warnings on Python 3.6.
* Fixed building in non-UTF8 environments on Python 2.
3.1.1
-----
* Resolved a ``UserWarning`` when used with ``cffi`` 1.8.3.
3.1.0
-----
* Added support for ``checkpw``, a convenience method for verifying a password.
* Ensure that you get a ``$2y$`` hash when you input a ``$2y$`` salt.
* Fixed a regression where ``$2a`` hashes were vulnerable to a wraparound bug.
* Fixed compilation under Alpine Linux.
3.0.0
-----
* Switched the C backend to code obtained from the OpenBSD project rather than
openwall.
* Added support for ``bcrypt_pbkdf`` via the ``kdf`` function.
2.0.0
-----
* Added support for an adjustible prefix when calling ``gensalt``.
* Switched to CFFI 1.0+

5
MANIFEST.in
View File

@ -1,8 +1,8 @@
include LICENSE README.rst CHANGELOG.rst
include LICENSE README.rst
include pyproject.toml
include noxfile.py .coveragerc
include tox.ini .coveragerc
recursive-include src py.typed *.pyi
recursive-include src/_bcrypt Cargo.toml Cargo.lock *.rs
@ -11,6 +11,7 @@ recursive-include tests *.py
exclude requirements.txt release.py mypy.ini
recursive-exclude .github *
recursive-exclude .circleci *
exclude src/_bcrypt/target
recursive-exclude src/_bcrypt/target *

119
README.rst
View File

@ -8,8 +8,7 @@ bcrypt
.. image:: https://github.com/pyca/bcrypt/workflows/CI/badge.svg?branch=main
:target: https://github.com/pyca/bcrypt/actions?query=workflow%3ACI+branch%3Amain
Acceptable password hashing for your software and your servers (but you should
really use argon2id or scrypt)
Acceptable password hashing for your software and your servers
Installation
@ -17,28 +16,28 @@ Installation
To install bcrypt, simply:
.. code:: console
.. code:: bash
$ pip install bcrypt
Note that bcrypt should build very easily on Linux provided you have a C
compiler and a Rust compiler (the minimum supported Rust version is 1.74.0).
compiler and a Rust compiler (the minimum supported Rust version is 1.56.0).
For Debian and Ubuntu, the following command will ensure that the required dependencies are installed:
.. code:: console
.. code:: bash
$ sudo apt-get install build-essential cargo
For Fedora and RHEL-derivatives, the following command will ensure that the required dependencies are installed:
.. code:: console
.. code:: bash
$ sudo yum install gcc cargo
For Alpine, the following command will ensure that the required dependencies are installed:
.. code:: console
.. code:: bash
$ apk add --update musl-dev gcc cargo
@ -51,10 +50,100 @@ While bcrypt remains an acceptable choice for password storage, depending on you
Changelog
=========
The changelog is maintained in `CHANGELOG.rst <https://github.com/pyca/bcrypt/blob/main/CHANGELOG.rst>`_
UNRELEASED
----------
* ``bcrypt`` is now implemented in Rust. Users building from source will need
to have a Rust compiler available. Nothing will change for users downloading
wheels.
3.2.2
-----
* Fixed packaging of ``py.typed`` files in wheels so that ``mypy`` works.
3.2.1
-----
* Added support for compilation on z/OS
* The next release of ``bcrypt`` with be 4.0 and it will require Rust at
compile time, for users building from source. There will be no additional
requirement for users who are installing from wheels. Users on most
platforms will be able to obtain a wheel by making sure they have an up to
date ``pip``. The minimum supported Rust version will be 1.56.0.
* This will be the final release for which we ship ``manylinux2010`` wheels.
Going forward the minimum supported manylinux ABI for our wheels will be
``manylinux2014``. The vast majority of users will continue to receive
``manylinux`` wheels provided they have an up to date ``pip``.
3.2.0
-----
* Added typehints for library functions.
* Dropped support for Python versions less than 3.6 (2.7, 3.4, 3.5).
* Shipped ``abi3`` Windows wheels (requires pip >= 20).
3.1.7
-----
* Set a ``setuptools`` lower bound for PEP517 wheel building.
* We no longer distribute 32-bit ``manylinux1`` wheels. Continuing to produce
them was a maintenance burden.
3.1.6
-----
* Added support for compilation on Haiku.
3.1.5
-----
* Added support for compilation on AIX.
* Dropped Python 2.6 and 3.3 support.
* Switched to using ``abi3`` wheels for Python 3. If you are not getting a
wheel on a compatible platform please upgrade your ``pip`` version.
3.1.4
-----
* Fixed compilation with mingw and on illumos.
3.1.3
-----
* Fixed a compilation issue on Solaris.
* Added a warning when using too few rounds with ``kdf``.
3.1.2
-----
* Fixed a compile issue affecting big endian platforms.
* Fixed invalid escape sequence warnings on Python 3.6.
* Fixed building in non-UTF8 environments on Python 2.
3.1.1
-----
* Resolved a ``UserWarning`` when used with ``cffi`` 1.8.3.
3.1.0
-----
* Added support for ``checkpw``, a convenience method for verifying a password.
* Ensure that you get a ``$2y$`` hash when you input a ``$2y$`` salt.
* Fixed a regression where ``$2a`` hashes were vulnerable to a wraparound bug.
* Fixed compilation under Alpine Linux.
3.0.0
-----
* Switched the C backend to code obtained from the OpenBSD project rather than
openwall.
* Added support for ``bcrypt_pbkdf`` via the ``kdf`` function.
2.0.0
-----
* Added support for an adjustible prefix when calling ``gensalt``.
* Switched to CFFI 1.0+
Usage
=====
-----
Password Hashing
~~~~~~~~~~~~~~~~
@ -123,9 +212,8 @@ As of 3.0.0 the ``$2y$`` prefix is still supported in ``hashpw`` but deprecated.
Maximum Password Length
~~~~~~~~~~~~~~~~~~~~~~~
Passing ``hashpw`` a password longer than 72 bytes now raises a ``ValueError``.
Previously the password was silently truncated, following the behavior of the
original OpenBSD ``bcrypt`` implementation. To work around this, a common approach is to hash a
The bcrypt algorithm only handles passwords up to 72 characters, any characters
beyond that are ignored. To work around this, a common approach is to hash a
password with a cryptographic hash (such as ``sha256``) and then base64
encode it to prevent NULL byte problems before hashing the result with
``bcrypt``:
@ -142,7 +230,12 @@ Compatibility
-------------
This library should be compatible with py-bcrypt and it will run on Python
3.8+ (including free-threaded builds), and PyPy 3.
3.6+, and PyPy 3.
C Code
------
This library uses code from OpenBSD.
Security
--------

36
mypy.ini Normal file
View File

@ -0,0 +1,36 @@
[mypy]
show_column_numbers=True
pretty=True
disallow_any_unimported=True
# _bcrypt usage will result in any exprs
disallow_any_expr=False
disallow_any_decorated=True
disallow_any_explicit=True
disallow_any_generics=True
disallow_subclassing_any=True
disallow_untyped_calls=True
disallow_untyped_defs=True
disallow_incomplete_defs=True
check_untyped_defs=True
disallow_untyped_decorators=True
no_implicit_optional=True
strict_optional=True
warn_redundant_casts=True
warn_unused_ignores=True
warn_no_return=True
# _bcrypt is untyped so all calls involving it will be Any
warn_return_any=False
# keep backwards compatibility for users not using static type checking
warn_unreachable=False
strict_equality=True
ignore_missing_imports=False
[mypy-bcrypt._bcrypt]
ignore_missing_imports = True
disallow_any_explicit = False

42
noxfile.py
View File

@ -1,42 +0,0 @@
import nox
nox.options.reuse_existing_virtualenvs = True
nox.options.default_venv_backend = "uv|virtualenv"
@nox.session
def tests(session: nox.Session) -> None:
session.install("coverage")
session.install(".[tests]")
session.run(
"coverage", "run", "-m", "pytest", "--strict-markers", *session.posargs
)
session.run("coverage", "combine")
session.run("coverage", "report", "-m", "--fail-under", "100")
@nox.session
def pep8(session: nox.Session) -> None:
session.install("ruff")
session.run("ruff", "check", ".")
session.run("ruff", "format", "--check", ".")
@nox.session
def mypy(session: nox.Session) -> None:
session.install("mypy")
session.install(".[tests]")
session.run("mypy", "tests/")
@nox.session
def packaging(session: nox.Session) -> None:
session.install("setuptools-rust", "check-manifest", "readme_renderer")
session.run("check-manifest")
session.run(
"python3", "-m", "readme_renderer", "README.rst", "-o", "/dev/null"
)

76
pyproject.toml
View File

@ -1,80 +1,14 @@
[build-system]
# Must be kept in sync with `setup_requirements` in `setup.py`
requires = [
"setuptools>=42.0.0",
"setuptools>=40.8.0",
"wheel",
"setuptools-rust>=1.7.0",
"setuptools-rust",
]
# Point to the setuptools' PEP517 build backend explicitly to
# disable Pip's fallback guessing
build-backend = "setuptools.build_meta"
[project]
name = "bcrypt"
# When updating this, also update lib.rs
version = "5.0.0"
authors = [
{name = "The Python Cryptographic Authority developers", email = "cryptography-dev@python.org"}
]
description = "Modern password hashing for your software and your servers"
license = {text = "Apache-2.0"}
classifiers = [
"Development Status :: 5 - Production/Stable",
"License :: OSI Approved :: Apache Software License",
"Programming Language :: Python :: Implementation :: CPython",
"Programming Language :: Python :: Implementation :: PyPy",
"Programming Language :: Python :: 3",
"Programming Language :: Python :: 3 :: Only",
"Programming Language :: Python :: 3.8",
"Programming Language :: Python :: 3.9",
"Programming Language :: Python :: 3.10",
"Programming Language :: Python :: 3.11",
"Programming Language :: Python :: 3.12",
"Programming Language :: Python :: 3.13",
"Programming Language :: Python :: 3.14",
"Programming Language :: Python :: Free Threading :: 3 - Stable",
]
requires-python = ">= 3.8"
dynamic = ["readme"]
[project.urls]
homepage = "https://github.com/pyca/bcrypt/"
changelog = "https://github.com/pyca/bcrypt/blob/main/CHANGELOG.rst"
[tool.setuptools]
zip-safe = false
package-dir = {"" = "src"}
packages = ["bcrypt"]
[tool.setuptools.dynamic]
readme = {file = "README.rst", content-type = "text/x-rst"}
[project.optional-dependencies]
tests = ["pytest>=3.2.1,!=3.3.0"]
typecheck = ["mypy"]
[[tool.setuptools-rust.ext-modules]]
target = "bcrypt._bcrypt"
path = "src/_bcrypt/Cargo.toml"
py-limited-api = "auto"
rust-version = ">=1.64.0"
[tool.ruff]
[tool.black]
line-length = 79
lint.ignore = ['N818']
lint.select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF']
[tool.ruff.lint.isort]
known-first-party = ["bcrypt", "tests"]
[tool.mypy]
show_error_codes = true
check_untyped_defs = true
no_implicit_reexport = true
warn_redundant_casts = true
warn_unused_ignores = true
warn_unused_configs = true
strict_equality = true
[tool.check-manifest]
ignore = ["tests/reference/*"]
target-version = ["py36"]

134
release.py
View File

@ -1,33 +1,139 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.
from __future__ import absolute_import, division, print_function
import getpass
import glob
import io
import json
import os
import subprocess
import time
import zipfile
import click
import requests
def run(*args, **kwargs):
print(f"[running] {list(args)}")
print("[running] {0}".format(list(args)))
subprocess.check_call(list(args), **kwargs)
def wait_for_build_complete_github_actions(session, token, run_url):
while True:
response = session.get(
run_url,
headers={
"Content-Type": "application/json",
"Authorization": "token {}".format(token),
},
)
response.raise_for_status()
if response.json()["conclusion"] is not None:
break
time.sleep(3)
def download_artifacts_github_actions(session, token, run_url):
response = session.get(
run_url,
headers={
"Content-Type": "application/json",
"Authorization": "token {}".format(token),
},
)
response.raise_for_status()
response = session.get(
response.json()["artifacts_url"],
headers={
"Content-Type": "application/json",
"Authorization": "token {}".format(token),
},
)
response.raise_for_status()
paths = []
for artifact in response.json()["artifacts"]:
response = session.get(
artifact["archive_download_url"],
headers={
"Content-Type": "application/json",
"Authorization": "token {}".format(token),
},
)
with zipfile.ZipFile(io.BytesIO(response.content)) as z:
for name in z.namelist():
if not name.endswith(".whl"):
continue
p = z.open(name)
out_path = os.path.join(
os.path.dirname(__file__),
"dist",
os.path.basename(name),
)
with open(out_path, "wb") as f:
f.write(p.read())
paths.append(out_path)
return paths
def build_github_actions_wheels(token, version):
session = requests.Session()
response = session.post(
"https://api.github.com/repos/pyca/bcrypt/actions/workflows/"
"wheel-builder.yml/dispatches",
headers={
"Content-Type": "application/json",
"Accept": "application/vnd.github.v3+json",
"Authorization": "token {}".format(token),
},
data=json.dumps({"ref": "main", "inputs": {"version": version}}),
)
response.raise_for_status()
# Give it a few seconds for the run to kick off.
time.sleep(5)
response = session.get(
(
"https://api.github.com/repos/pyca/bcrypt/actions/workflows/"
"wheel-builder.yml/runs?event=workflow_dispatch"
),
headers={
"Content-Type": "application/json",
"Authorization": "token {}".format(token),
},
)
response.raise_for_status()
run_url = response.json()["workflow_runs"][0]["url"]
wait_for_build_complete_github_actions(session, token, run_url)
return download_artifacts_github_actions(session, token, run_url)
@click.command()
@click.argument("version")
def release(version):
"""
``version`` should be a string like '0.4' or '1.0'.
"""
run("git", "tag", "-s", version, "-m", f"{version} release")
run("git", "push", "--tags", "git@github.com:pyca/bcrypt.git")
github_token = getpass.getpass("Github person access token: ")
run("git", "tag", "-s", version, "-m", "{0} release".format(version))
run("git", "push", "--tags")
run("python", "setup.py", "sdist")
packages = glob.glob("dist/bcrypt-{0}*".format(version))
github_actions_wheel_paths = build_github_actions_wheels(
github_token, version
)
run("twine", "upload", "-s", *packages)
run("twine", "upload", *github_actions_wheel_paths)
if __name__ == "__main__":

39
setup.cfg Normal file
View File

@ -0,0 +1,39 @@
[metadata]
name = bcrypt
version = attr: bcrypt.__about__.__version__
description = Modern password hashing for your software and your servers
long_description = file: README.rst
long_description_content_type = text/x-rst
license = Apache License, Version 2.0
license_file = LICENSE
url = https://github.com/pyca/bcrypt/
author = The Python Cryptographic Authority developers
author_email = cryptography-dev@python.org
classifiers =
Development Status :: 5 - Production/Stable
License :: OSI Approved :: Apache Software License
Programming Language :: Python :: Implementation :: CPython
Programming Language :: Python :: Implementation :: PyPy
Programming Language :: Python :: 3
Programming Language :: Python :: 3 :: Only
Programming Language :: Python :: 3.6
Programming Language :: Python :: 3.7
Programming Language :: Python :: 3.8
Programming Language :: Python :: 3.9
Programming Language :: Python :: 3.10
[options]
python_requires = >=3.6
include_package_data = True
zip_safe = False
package_dir =
=src
packages =
bcrypt
ext_package = bcrypt
[options.extras_require]
tests =
pytest>=3.2.1,!=3.3.0
typecheck =
mypy

32
setup.py Normal file
View File

@ -0,0 +1,32 @@
#!/usr/bin/env python
import platform
import sys
from setuptools import setup
from setuptools_rust import RustExtension
if platform.python_implementation() == "PyPy":
if sys.pypy_version_info < (2, 6):
raise RuntimeError(
"bcrypt is not compatible with PyPy < 2.6. Please upgrade PyPy to "
"use this library."
)
setup(
rust_extensions=[
RustExtension(
"_bcrypt",
"src/_bcrypt/Cargo.toml",
py_limited_api=True,
# Enable abi3 mode if we're not using PyPy.
features=(
[]
if platform.python_implementation() == "PyPy"
else ["pyo3/abi3-py36"]
),
rust_version=">=1.56.0",
),
],
)

610
src/_bcrypt/Cargo.lock generated
View File

@ -1,37 +1,36 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 4
version = 3
[[package]]
name = "anyhow"
version = "1.0.102"
name = "autocfg"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
[[package]]
name = "base64"
version = "0.22.1"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd"
[[package]]
name = "bcrypt"
version = "0.19.1"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "24ae5479c93d3720e4c1dbd6b945b97457c50cb672781104768190371df1a905"
checksum = "a7e7c93a3fb23b2fdde989b2c9ec4dd153063ec81f408507f84c090cd91c6641"
dependencies = [
"base64",
"blowfish",
"getrandom",
"subtle",
"zeroize",
]
[[package]]
name = "bcrypt-pbkdf"
version = "0.11.0"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "144e573728da132683b9488acd528274c790e07fc06ff81ee29f9d8f8b1041e0"
checksum = "f4ef233ffa9cb9c7820b2b0e9efd0821ed180e866c9120ec9f45518659742074"
dependencies = [
"blowfish",
"pbkdf2",
@ -45,31 +44,29 @@ dependencies = [
"base64",
"bcrypt",
"bcrypt-pbkdf",
"getrandom",
"pyo3",
"subtle",
]
[[package]]
name = "bitflags"
version = "2.11.1"
version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
[[package]]
name = "block-buffer"
version = "0.12.0"
version = "0.10.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cdd35008169921d80bc60d3d0ab416eecb028c4cd653352907921d95084790be"
checksum = "0bf7fe51849ea569fd452f37822f606a5cabb684dc918707a0193fd4664ff324"
dependencies = [
"hybrid-array",
"generic-array",
]
[[package]]
name = "blowfish"
version = "0.10.0"
version = "0.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "62ce3946557b35e71d1bbe07ec385073ce9eda05043f95de134eb578fcf1a298"
checksum = "e412e2cd0f2b2d93e02543ceae7917b3c70331573df19ee046bcbc35e45e87d7"
dependencies = [
"byteorder",
"cipher",
@ -77,262 +74,239 @@ dependencies = [
[[package]]
name = "byteorder"
version = "1.5.0"
version = "1.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
[[package]]
name = "cfg-if"
version = "1.0.4"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "cipher"
version = "0.5.1"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e34d8227fe1ba289043aeb13792056ff80fd6de1a9f49137a5f499de8e8c78ea"
checksum = "d1873270f8f7942c191139cb8a40fd228da6c3fd2fc376d7e92d47aa14aeb59e"
dependencies = [
"crypto-common",
"inout",
]
[[package]]
name = "cmov"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3f88a43d011fc4a6876cb7344703e297c71dda42494fee094d5f7c76bf13f746"
[[package]]
name = "cpufeatures"
version = "0.3.0"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
checksum = "59a6001667ab124aebae2a495118e11d30984c3a653e99d86d58971708cf5e4b"
dependencies = [
"libc",
]
[[package]]
name = "crypto-common"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77727bb15fa921304124b128af125e7e3b968275d1b108b379190264f4423710"
dependencies = [
"hybrid-array",
]
[[package]]
name = "ctutils"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7d5515a3834141de9eafb9717ad39eea8247b5674e6066c404e8c4b365d2a29e"
dependencies = [
"cmov",
]
[[package]]
name = "digest"
version = "0.11.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f1dd6dbb5841937940781866fa1281a1ff7bd3bf827091440879f9994983d5c2"
dependencies = [
"block-buffer",
"crypto-common",
"ctutils",
]
[[package]]
name = "equivalent"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
[[package]]
name = "foldhash"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
[[package]]
name = "getrandom"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
dependencies = [
"cfg-if",
"libc",
"r-efi",
"wasip2",
"wasip3",
]
[[package]]
name = "hashbrown"
version = "0.15.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
dependencies = [
"foldhash",
]
[[package]]
name = "hashbrown"
version = "0.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51"
[[package]]
name = "heck"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
[[package]]
name = "hybrid-array"
version = "0.4.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9155a582abd142abc056962c29e3ce5ff2ad5469f4246b537ed42c5deba857da"
checksum = "2ccfd8c0ee4cce11e45b3fd6f9d5e69e0cc62912aa6a0cb1bf4617b0eba5a12f"
dependencies = [
"generic-array",
"typenum",
]
[[package]]
name = "id-arena"
version = "2.3.0"
name = "digest"
version = "0.10.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
checksum = "f2fb860ca6fafa5552fb6d0e816a69c8e49f0908bf524e30a90d97c85892d506"
dependencies = [
"block-buffer",
"crypto-common",
"subtle",
]
[[package]]
name = "indexmap"
version = "2.14.0"
name = "generic-array"
version = "0.14.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
checksum = "fd48d33ec7f05fbfa152300fdad764757cbded343c1aa1cff2fbaf4134851803"
dependencies = [
"equivalent",
"hashbrown 0.17.0",
"serde",
"serde_core",
"typenum",
"version_check",
]
[[package]]
name = "getrandom"
version = "0.2.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6"
dependencies = [
"cfg-if",
"libc",
"wasi",
]
[[package]]
name = "indoc"
version = "0.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "47741a8bc60fb26eb8d6e0238bbb26d8575ff623fdc97b1a2c00c050b9684ed8"
dependencies = [
"indoc-impl",
"proc-macro-hack",
]
[[package]]
name = "indoc-impl"
version = "0.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ce046d161f000fffde5f432a0d034d0341dc152643b2598ed5bfce44c4f3a8f0"
dependencies = [
"proc-macro-hack",
"proc-macro2",
"quote",
"syn",
"unindent",
]
[[package]]
name = "inout"
version = "0.2.2"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4250ce6452e92010fdf7268ccc5d14faa80bb12fc741938534c58f16804e03c7"
checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
dependencies = [
"hybrid-array",
"generic-array",
]
[[package]]
name = "itoa"
version = "1.0.18"
name = "instant"
version = "0.1.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
[[package]]
name = "leb128fmt"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
dependencies = [
"cfg-if",
]
[[package]]
name = "libc"
version = "0.2.186"
version = "0.2.126"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
checksum = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836"
[[package]]
name = "log"
version = "0.4.29"
name = "lock_api"
version = "0.4.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
[[package]]
name = "memchr"
version = "2.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
checksum = "327fa5b6a6940e4699ec49a9beae1ea4845c6bab9314e4f84ac68742139d8c53"
dependencies = [
"autocfg",
"scopeguard",
]
[[package]]
name = "once_cell"
version = "1.21.4"
version = "1.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
checksum = "18a6dbe30758c9f83eb00cbea4ac95966305f5a7772f3f42ebfc7fc7eddbd8e1"
[[package]]
name = "parking_lot"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7d17b78036a60663b797adeaee46f5c9dfebb86948d1255007a1d6be0271ff99"
dependencies = [
"instant",
"lock_api",
"parking_lot_core",
]
[[package]]
name = "parking_lot_core"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d76e8e1493bcac0d2766c42737f34458f1c8c50c0d23bcb24ea953affb273216"
dependencies = [
"cfg-if",
"instant",
"libc",
"redox_syscall",
"smallvec",
"winapi",
]
[[package]]
name = "paste"
version = "0.1.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "45ca20c77d80be666aef2b45486da86238fabe33e38306bd3118fe4af33fa880"
dependencies = [
"paste-impl",
"proc-macro-hack",
]
[[package]]
name = "paste-impl"
version = "0.1.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d95a7db200b97ef370c8e6de0088252f7e0dfff7d047a28528e47456c0fc98b6"
dependencies = [
"proc-macro-hack",
]
[[package]]
name = "pbkdf2"
version = "0.13.0"
version = "0.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "112d82ceb8c5bf524d9af484d4e4970c9fd5a0cc15ba14ad93dccd28873b0629"
checksum = "271779f35b581956db91a3e55737327a03aa051e90b1c47aeb189508533adfd7"
dependencies = [
"digest",
]
[[package]]
name = "portable-atomic"
version = "1.13.1"
name = "proc-macro-hack"
version = "0.5.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
[[package]]
name = "prettyplease"
version = "0.2.37"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
dependencies = [
"proc-macro2",
"syn",
]
checksum = "dbf0c48bc1d91375ae5c3cd81e3722dff1abcf81a30960240640d223f59fe0e5"
[[package]]
name = "proc-macro2"
version = "1.0.106"
version = "1.0.40"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
checksum = "dd96a1e8ed2596c337f8eae5f24924ec83f5ad5ab21ea8e455d3566c69fbcaf7"
dependencies = [
"unicode-ident",
]
[[package]]
name = "pyo3"
version = "0.28.3"
version = "0.15.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "91fd8e38a3b50ed1167fb981cd6fd60147e091784c427b8f7183a7ee32c31c12"
checksum = "d41d50a7271e08c7c8a54cd24af5d62f73ee3a6f6a314215281ebdec421d5752"
dependencies = [
"cfg-if",
"indoc",
"libc",
"once_cell",
"portable-atomic",
"parking_lot",
"paste",
"pyo3-build-config",
"pyo3-ffi",
"pyo3-macros",
"unindent",
]
[[package]]
name = "pyo3-build-config"
version = "0.28.3"
version = "0.15.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e368e7ddfdeb98c9bca7f8383be1648fd84ab466bf2bc015e94008db6d35611e"
checksum = "779239fc40b8e18bc8416d3a37d280ca9b9fb04bda54b98037bb6748595c2410"
dependencies = [
"target-lexicon",
]
[[package]]
name = "pyo3-ffi"
version = "0.28.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f29e10af80b1f7ccaf7f69eace800a03ecd13e883acfacc1e5d0988605f651e"
dependencies = [
"libc",
"pyo3-build-config",
"once_cell",
]
[[package]]
name = "pyo3-macros"
version = "0.28.3"
version = "0.15.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df6e520eff47c45997d2fc7dd8214b25dd1310918bbb2642156ef66a67f29813"
checksum = "00b247e8c664be87998d8628e86f282c25066165f1f8dda66100c48202fdb93a"
dependencies = [
"proc-macro2",
"pyo3-macros-backend",
"quote",
"syn",
@ -340,11 +314,10 @@ dependencies = [
[[package]]
name = "pyo3-macros-backend"
version = "0.28.3"
version = "0.15.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c4cdc218d835738f81c2338f822078af45b4afdf8b2e33cbb5916f108b813acb"
checksum = "5a8c2812c412e00e641d99eeb79dd478317d981d938aa60325dfa7157b607095"
dependencies = [
"heck",
"proc-macro2",
"pyo3-build-config",
"quote",
@ -353,72 +326,33 @@ dependencies = [
[[package]]
name = "quote"
version = "1.0.45"
version = "1.0.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
checksum = "3bcdf212e9776fbcb2d23ab029360416bb1706b1aea2d1a5ba002727cbcab804"
dependencies = [
"proc-macro2",
]
[[package]]
name = "r-efi"
version = "6.0.0"
name = "redox_syscall"
version = "0.2.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
[[package]]
name = "semver"
version = "1.0.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
[[package]]
name = "serde"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
checksum = "62f25bc4c7e55e0b0b7a1d43fb893f4fa1361d0abe38b9ce4f323c2adfe6ef42"
dependencies = [
"serde_core",
"bitflags",
]
[[package]]
name = "serde_core"
version = "1.0.228"
name = "scopeguard"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "serde_json"
version = "1.0.149"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
dependencies = [
"itoa",
"memchr",
"serde",
"serde_core",
"zmij",
]
checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
[[package]]
name = "sha2"
version = "0.11.0"
version = "0.10.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "446ba717509524cb3f22f17ecc096f10f4822d76ab5c0b9822c5f9c284e825f4"
checksum = "55deaec60f81eefe3cce0dc50bda92d6d8e88f2a27df7c5033b42afeb1ed2676"
dependencies = [
"cfg-if",
"cpufeatures",
@ -426,200 +360,82 @@ dependencies = [
]
[[package]]
name = "subtle"
version = "2.6.1"
name = "smallvec"
version = "1.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
checksum = "2fd0db749597d91ff862fd1d55ea87f7855a744a8425a64695b6fca237d1dad1"
[[package]]
name = "subtle"
version = "2.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
[[package]]
name = "syn"
version = "2.0.117"
version = "1.0.98"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
checksum = "c50aef8a904de4c23c788f104b7dddc7d6f79c647c7c8ce4cc8f73eb0ca773dd"
dependencies = [
"proc-macro2",
"quote",
"unicode-ident",
]
[[package]]
name = "target-lexicon"
version = "0.13.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "adb6935a6f5c20170eeceb1a3835a49e12e19d792f6dd344ccc76a985ca5a6ca"
[[package]]
name = "typenum"
version = "1.20.0"
version = "1.15.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de"
checksum = "dcf81ac59edc17cc8697ff311e8f5ef2d99fcbd9817b34cec66f90b6c3dfd987"
[[package]]
name = "unicode-ident"
version = "1.0.24"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c"
[[package]]
name = "unicode-xid"
version = "0.2.6"
name = "unindent"
version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
checksum = "52fee519a3e570f7df377a06a1a7775cdbfb7aa460be7e08de2b1f0e69973a44"
[[package]]
name = "wasip2"
version = "1.0.1+wasi-0.2.4"
name = "version_check"
version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0562428422c63773dad2c345a1882263bbf4d65cf3f42e90921f787ef5ad58e7"
checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
[[package]]
name = "wasi"
version = "0.11.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
"wit-bindgen 0.46.0",
"winapi-i686-pc-windows-gnu",
"winapi-x86_64-pc-windows-gnu",
]
[[package]]
name = "wasip3"
version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
dependencies = [
"wit-bindgen 0.51.0",
]
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]]
name = "wasm-encoder"
version = "0.244.0"
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
dependencies = [
"leb128fmt",
"wasmparser",
]
[[package]]
name = "wasm-metadata"
version = "0.244.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
dependencies = [
"anyhow",
"indexmap",
"wasm-encoder",
"wasmparser",
]
[[package]]
name = "wasmparser"
version = "0.244.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
dependencies = [
"bitflags",
"hashbrown 0.15.5",
"indexmap",
"semver",
]
[[package]]
name = "wit-bindgen"
version = "0.46.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f17a85883d4e6d00e8a97c586de764dabcc06133f7f1d55dce5cdc070ad7fe59"
[[package]]
name = "wit-bindgen"
version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
dependencies = [
"wit-bindgen-rust-macro",
]
[[package]]
name = "wit-bindgen-core"
version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
dependencies = [
"anyhow",
"heck",
"wit-parser",
]
[[package]]
name = "wit-bindgen-rust"
version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
dependencies = [
"anyhow",
"heck",
"indexmap",
"prettyplease",
"syn",
"wasm-metadata",
"wit-bindgen-core",
"wit-component",
]
[[package]]
name = "wit-bindgen-rust-macro"
version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
dependencies = [
"anyhow",
"prettyplease",
"proc-macro2",
"quote",
"syn",
"wit-bindgen-core",
"wit-bindgen-rust",
]
[[package]]
name = "wit-component"
version = "0.244.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
dependencies = [
"anyhow",
"bitflags",
"indexmap",
"log",
"serde",
"serde_derive",
"serde_json",
"wasm-encoder",
"wasm-metadata",
"wasmparser",
"wit-parser",
]
[[package]]
name = "wit-parser"
version = "0.244.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
dependencies = [
"anyhow",
"id-arena",
"indexmap",
"log",
"semver",
"serde",
"serde_derive",
"serde_json",
"unicode-xid",
"wasmparser",
]
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "zeroize"
version = "1.8.2"
version = "1.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
[[package]]
name = "zmij"
version = "1.0.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
checksum = "20b578acffd8516a6c3f2a1bdefc1ec37e547bb4e0fb8b6b01a4cafc886b4442"

14
src/_bcrypt/Cargo.toml
View File

@ -2,18 +2,14 @@
name = "bcrypt-rust"
version = "0.1.0"
authors = ["The bcrypt developers <cryptography-dev@python.org>"]
edition = "2024"
# This specifies the MSRV
rust-version = "1.85"
edition = "2018"
publish = false
[dependencies]
pyo3 = { version = "0.28", features = ["abi3"] }
bcrypt = "0.19.1"
bcrypt-pbkdf = "0.11.0"
base64 = "0.22.1"
subtle = "2.6"
getrandom = "0.4"
pyo3 = { version = "0.15.2" }
bcrypt = "0.13"
bcrypt-pbkdf = "0.8.1"
base64 = "0.13.0"
[features]
extension-module = ["pyo3/extension-module"]

206
src/_bcrypt/src/lib.rs
View File

@ -1,106 +1,34 @@
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// This file is dual licensed under the terms of the Apache License, Version
// 2.0, and the BSD License. See the LICENSE file in the root of this repository
// for complete details.
#![deny(rust_2018_idioms)]
use base64::Engine;
use pyo3::types::PyBytesMethods;
use pyo3::PyTypeInfo;
use std::convert::TryInto;
use std::ffi::CString;
use std::io::Write;
use subtle::ConstantTimeEq;
pub const BASE64_ENGINE: base64::engine::GeneralPurpose = base64::engine::GeneralPurpose::new(
&base64::alphabet::BCRYPT,
base64::engine::general_purpose::NO_PAD,
);
#[pyo3::pyfunction]
#[pyo3(signature = (rounds=12, prefix=None), text_signature = "(rounds=12, prefix=b'2b')")]
fn gensalt<'p>(
py: pyo3::Python<'p>,
rounds: u16,
prefix: Option<&[u8]>,
) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
let prefix = prefix.unwrap_or(b"2b");
if prefix != b"2a" && prefix != b"2b" {
return Err(pyo3::exceptions::PyValueError::new_err(
"Supported prefixes are b'2a' or b'2b'",
));
}
if !(4..=31).contains(&rounds) {
return Err(pyo3::exceptions::PyValueError::new_err("Invalid rounds"));
}
let mut salt = [0; 16];
getrandom::fill(&mut salt).unwrap();
let encoded_salt = BASE64_ENGINE.encode(salt);
pyo3::types::PyBytes::new_with(
py,
1 + prefix.len() + 1 + 2 + 1 + encoded_salt.len(),
|mut b| {
write!(b, "$").unwrap();
b.write_all(prefix).unwrap();
write!(b, "$").unwrap();
write!(b, "{:02.2}", rounds).unwrap();
write!(b, "$").unwrap();
b.write_all(encoded_salt.as_bytes()).unwrap();
Ok(())
},
)
#[pyo3::prelude::pyfunction]
fn encode_base64<'p>(py: pyo3::Python<'p>, data: &[u8]) -> &'p pyo3::types::PyBytes {
let output = base64::encode_config(data, base64::BCRYPT);
pyo3::types::PyBytes::new(py, output.as_bytes())
}
#[pyo3::pyfunction]
fn hashpw<'p>(
#[pyo3::prelude::pyfunction]
fn hashpass<'p>(
py: pyo3::Python<'p>,
password: &[u8],
salt: &[u8],
) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
// bcrypt originally suffered from a wraparound bug:
// http://www.openwall.com/lists/oss-security/2012/01/02/4
// This bug was corrected in the OpenBSD source by truncating inputs to 72
// bytes on the updated prefix $2b$, but leaving $2a$ unchanged for
// compatibility. However, pyca/bcrypt 2.0.0 *did* correctly truncate inputs
// on $2a$, so we do it here to preserve compatibility with 2.0.0
// Silent truncation is _probably_ not the best idea, even if the "original"
// OpenBSD implementation did/does this.
// We prefer to raise a ValueError in this case - if the user _wants_ to truncate,
// they can always do so manually by passing s[:72] instead of s into hashpw().
if password.len() > 72 {
return Err(pyo3::exceptions::PyValueError::new_err(
"password cannot be longer than 72 bytes, truncate manually if necessary (e.g. my_password[:72])",
));
}
) -> pyo3::PyResult<&'p pyo3::types::PyBytes> {
// salt here is not just the salt bytes, but rather an encoded value
// containing a version number, number of rounds, and the salt.
// Should be [prefix, cost, hash]. This logic is copied from `bcrypt`
let invalid_salt = || pyo3::exceptions::PyValueError::new_err("Invalid salt");
let mut parts = salt.split(|&b| b == b'$').filter(|s| !s.is_empty());
let raw_version = parts.next().ok_or_else(invalid_salt)?;
let raw_cost = parts.next().ok_or_else(invalid_salt)?;
let remainder = parts.next().ok_or_else(invalid_salt)?;
if parts.next().is_some() {
return Err(invalid_salt());
let raw_parts: Vec<_> = salt
.split(|&b| b == b'$')
.filter(|s| !s.is_empty())
.collect();
if raw_parts.len() != 3 {
return Err(pyo3::exceptions::PyValueError::new_err("Invalid salt"));
}
let version = match raw_version {
let version = match raw_parts[0] {
b"2y" => bcrypt::Version::TwoY,
b"2b" => bcrypt::Version::TwoB,
b"2a" => bcrypt::Version::TwoA,
@ -109,118 +37,46 @@ fn hashpw<'p>(
return Err(pyo3::exceptions::PyValueError::new_err("Invalid salt"));
}
};
let cost = std::str::from_utf8(raw_cost)
let cost = std::str::from_utf8(raw_parts[1])
.map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?
.parse::<u32>()
.map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?;
if remainder.len() < 22 {
return Err(pyo3::exceptions::PyValueError::new_err("Invalid salt"));
}
// The last component can contain either just the salt, or the salt and
// the result hash, depending on if the `salt` value come from `hashpw` or
// `gensalt`.
let raw_salt = BASE64_ENGINE
.decode(&remainder[..22])
let raw_salt = base64::decode_config(&raw_parts[2][..22], base64::BCRYPT)
.map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?
.try_into()
.map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?;
let hashed = py
.detach(|| bcrypt::hash_with_salt(password, cost, raw_salt))
.map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?;
let hashed = py.allow_threads(|| bcrypt::hash_with_salt(password, cost, raw_salt).unwrap());
Ok(pyo3::types::PyBytes::new(
py,
hashed.format_for_version(version).as_bytes(),
))
}
#[pyo3::pyfunction]
fn checkpw(py: pyo3::Python<'_>, password: &[u8], hashed_password: &[u8]) -> pyo3::PyResult<bool> {
Ok(hashpw(py, password, hashed_password)?
.as_bytes()
.ct_eq(hashed_password)
.into())
}
#[pyo3::pyfunction]
#[pyo3(signature = (password, salt, desired_key_bytes, rounds, ignore_few_rounds=false))]
fn kdf<'p>(
#[pyo3::prelude::pyfunction]
fn pbkdf<'p>(
py: pyo3::Python<'p>,
password: &[u8],
salt: &[u8],
desired_key_bytes: usize,
rounds: u32,
ignore_few_rounds: bool,
) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
if password.is_empty() || salt.is_empty() {
return Err(pyo3::exceptions::PyValueError::new_err(
"password and salt must not be empty",
));
}
if desired_key_bytes == 0 || desired_key_bytes > 512 {
return Err(pyo3::exceptions::PyValueError::new_err(
"desired_key_bytes must be 1-512",
));
}
if rounds < 1 {
return Err(pyo3::exceptions::PyValueError::new_err(
"rounds must be 1 or more",
));
}
if rounds < 50 && !ignore_few_rounds {
// They probably think bcrypt.kdf()'s rounds parameter is logarithmic,
// expecting this value to be slow enough (it probably would be if this
// were bcrypt). Emit a warning.
pyo3::PyErr::warn(
py,
&pyo3::exceptions::PyUserWarning::type_object(py),
&CString::new(format!("Warning: bcrypt.kdf() called with only {rounds} round(s). This few is not secure: the parameter is linear, like PBKDF2.")).unwrap(),
3
)?;
}
desired_key_bytes: usize,
) -> pyo3::PyResult<&'p pyo3::types::PyBytes> {
pyo3::types::PyBytes::new_with(py, desired_key_bytes, |output| {
py.detach(|| {
py.allow_threads(|| {
bcrypt_pbkdf::bcrypt_pbkdf(password, salt, rounds, output).unwrap();
});
Ok(())
})
}
#[pyo3::pymodule(gil_used = false)]
mod _bcrypt {
use pyo3::types::PyModuleMethods;
#[pyo3::prelude::pymodule]
fn _bcrypt(_py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> {
m.add_function(pyo3::wrap_pyfunction!(encode_base64, m)?)?;
m.add_function(pyo3::wrap_pyfunction!(hashpass, m)?)?;
m.add_function(pyo3::wrap_pyfunction!(pbkdf, m)?)?;
#[pymodule_export]
use super::{checkpw, gensalt, hashpw, kdf};
// Not yet possible to add constants declaratively.
#[pymodule_init]
fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> {
m.add("__title__", "bcrypt")?;
m.add(
"__summary__",
"Modern(-ish) password hashing for your software and your servers",
)?;
m.add("__uri__", "https://github.com/pyca/bcrypt/")?;
// When updating this, also update pyproject.toml
// This isn't named __version__ because passlib treats the existence of
// that attribute as proof that we're a different module
m.add("__version_ex__", "5.0.0")?;
let author = "The Python Cryptographic Authority developers";
m.add("__author__", author)?;
m.add("__email__", "cryptography-dev@python.org")?;
m.add("__license__", "Apache License, Version 2.0")?;
m.add("__copyright__", format!("Copyright 2013-2025 {author}"))?;
Ok(())
}
Ok(())
}

41
src/bcrypt/__about__.py Normal file
View File

@ -0,0 +1,41 @@
# Author:: Donald Stufft (<donald@stufft.io>)
# Copyright:: Copyright (c) 2013 Donald Stufft
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
__all__ = [
"__title__",
"__summary__",
"__uri__",
"__version__",
"__author__",
"__email__",
"__license__",
"__copyright__",
]
__title__ = "bcrypt"
__summary__ = "Modern password hashing for your software and your servers"
__uri__ = "https://github.com/pyca/bcrypt/"
__version__ = "4.0.0.dev1"
__author__ = "The Python Cryptographic Authority developers"
__email__ = "cryptography-dev@python.org"
__license__ = "Apache License, Version 2.0"
__copyright__ = "Copyright 2013-2022 {0}".format(__author__)

120
src/bcrypt/__init__.py
View File

@ -1,3 +1,7 @@
# Author:: Donald Stufft (<donald@stufft.io>)
# Copyright:: Copyright (c) 2013 Donald Stufft
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
@ -9,8 +13,14 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from __future__ import absolute_import
from __future__ import division
from ._bcrypt import (
import hmac
import os
import warnings
from .__about__ import (
__author__,
__copyright__,
__email__,
@ -18,26 +28,108 @@ from ._bcrypt import (
__summary__,
__title__,
__uri__,
checkpw,
gensalt,
hashpw,
kdf,
)
from ._bcrypt import (
__version_ex__ as __version__,
__version__,
)
from . import _bcrypt # noqa: I100
__all__ = [
"__author__",
"__copyright__",
"__email__",
"__license__",
"__summary__",
"__title__",
"__summary__",
"__uri__",
"__version__",
"checkpw",
"__author__",
"__email__",
"__license__",
"__copyright__",
"gensalt",
"hashpw",
"kdf",
"checkpw",
]
def gensalt(rounds: int = 12, prefix: bytes = b"2b") -> bytes:
if prefix not in (b"2a", b"2b"):
raise ValueError("Supported prefixes are b'2a' or b'2b'")
if rounds < 4 or rounds > 31:
raise ValueError("Invalid rounds")
salt = os.urandom(16)
output = _bcrypt.encode_base64(salt)
return (
b"$"
+ prefix
+ b"$"
+ ("%2.2u" % rounds).encode("ascii")
+ b"$"
+ output
)
def hashpw(password: bytes, salt: bytes) -> bytes:
if isinstance(password, str) or isinstance(salt, str):
raise TypeError("Strings must be encoded before hashing")
if b"\x00" in password:
raise ValueError("password may not contain NUL bytes")
# bcrypt originally suffered from a wraparound bug:
# http://www.openwall.com/lists/oss-security/2012/01/02/4
# This bug was corrected in the OpenBSD source by truncating inputs to 72
# bytes on the updated prefix $2b$, but leaving $2a$ unchanged for
# compatibility. However, pyca/bcrypt 2.0.0 *did* correctly truncate inputs
# on $2a$, so we do it here to preserve compatibility with 2.0.0
password = password[:72]
return _bcrypt.hashpass(password, salt)
def checkpw(password: bytes, hashed_password: bytes) -> bool:
if isinstance(password, str) or isinstance(hashed_password, str):
raise TypeError("Strings must be encoded before checking")
if b"\x00" in password or b"\x00" in hashed_password:
raise ValueError(
"password and hashed_password may not contain NUL bytes"
)
ret = hashpw(password, hashed_password)
return hmac.compare_digest(ret, hashed_password)
def kdf(
password: bytes,
salt: bytes,
desired_key_bytes: int,
rounds: int,
ignore_few_rounds: bool = False,
) -> bytes:
if isinstance(password, str) or isinstance(salt, str):
raise TypeError("Strings must be encoded before hashing")
if len(password) == 0 or len(salt) == 0:
raise ValueError("password and salt must not be empty")
if desired_key_bytes <= 0 or desired_key_bytes > 512:
raise ValueError("desired_key_bytes must be 1-512")
if rounds < 1:
raise ValueError("rounds must be 1 or more")
if rounds < 50 and not ignore_few_rounds:
# They probably think bcrypt.kdf()'s rounds parameter is logarithmic,
# expecting this value to be slow enough (it probably would be if this
# were bcrypt). Emit a warning.
warnings.warn(
(
"Warning: bcrypt.kdf() called with only {0} round(s). "
"This few is not secure: the parameter is linear, like PBKDF2."
).format(rounds),
UserWarning,
stacklevel=2,
)
return _bcrypt.pbkdf(password, salt, rounds, desired_key_bytes)

10
src/bcrypt/__init__.pyi
View File

@ -1,10 +0,0 @@
def gensalt(rounds: int = 12, prefix: bytes = b"2b") -> bytes: ...
def hashpw(password: bytes, salt: bytes) -> bytes: ...
def checkpw(password: bytes, hashed_password: bytes) -> bool: ...
def kdf(
password: bytes,
salt: bytes,
desired_key_bytes: int,
rounds: int,
ignore_few_rounds: bool = False,
) -> bytes: ...

7
src/bcrypt/_bcrypt.pyi Normal file
View File

@ -0,0 +1,7 @@
import typing
def encode_base64(data: bytes) -> bytes: ...
def hashpass(password: bytes, salt: bytes) -> bytes: ...
def pbkdf(
password: bytes, salt: bytes, rounds: int, desired_key_bytes: int
) -> bytes: ...

198
tests/test_bcrypt.py
View File

@ -1,10 +1,10 @@
import uuid
from concurrent.futures import ThreadPoolExecutor
import os
import pytest
import bcrypt
_test_vectors = [
(
b"Kk4DQuMMfZL9o",
@ -121,25 +121,29 @@ _test_vectors = [
b"$2a$05$XXXXXXXXXXXXXXXXXXXXXO",
b"$2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a",
),
(
b"0123456789abcdefghijklmnopqrstuvwxyz"
b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
b"chars after 72 are ignored",
b"$2a$05$abcdefghijklmnopqrstuu",
b"$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui",
),
(
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"chars after 72 are ignored as usual",
b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.",
b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6",
),
(
b"\xa3",
b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.",
b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq",
),
(
b"}>\xb3\xfe\xf1\x8b\xa0\xe6(\xa2Lzq\xc3P\x7f\xcc\xc8b{\xf9\x14\xf6"
b"\xf6`\x81G5\xec\x1d\x87\x10\xbf\xa7\xe1}I7 \x96\xdfc\xf2\xbf\xb3Vh"
b"\xdfM\x88q\xf7\xff\x1b\x82~z\x13\xdd\xe9\x84\x00\xdd4",
b"$2b$10$keO.ZZs22YtygVF6BLfhGO",
b"$2b$10$keO.ZZs22YtygVF6BLfhGOI/JjshJYPp8DZsUtym6mJV2Eha2Hdd.",
),
(
b"g7\r\x01\xf3\xd4\xd0\xa9JB^\x18\x007P\xb2N\xc7\x1c\xee\x87&\x83C"
b"\x8b\xe8\x18\xc5>\x86\x14/\xd6\xcc\x1cJ\xde\xd7ix\xeb\xdeO\xef"
b"\xe1i\xac\xcb\x03\x96v1' \xd6@.m\xa5!\xa0\xef\xc0(",
b"$2a$04$tecY.9ylRInW/rAAzXCXPO",
b"$2a$04$tecY.9ylRInW/rAAzXCXPOOlyYeCNzmNTzPDNSIFztFMKbvs/s5XG",
),
]
_2y_test_vectors = [
@ -156,41 +160,40 @@ _2y_test_vectors = [
]
def test_gensalt_basic():
salt = bcrypt.gensalt()
assert salt.startswith(b"$2b$12$")
def test_gensalt_basic(monkeypatch):
monkeypatch.setattr(os, "urandom", lambda n: b"0000000000000000")
assert bcrypt.gensalt() == b"$2b$12$KB.uKB.uKB.uKB.uKB.uK."
@pytest.mark.parametrize(
("rounds", "expected_prefix"),
("rounds", "expected"),
[
(4, b"$2b$04$"),
(5, b"$2b$05$"),
(6, b"$2b$06$"),
(7, b"$2b$07$"),
(8, b"$2b$08$"),
(9, b"$2b$09$"),
(10, b"$2b$10$"),
(11, b"$2b$11$"),
(12, b"$2b$12$"),
(13, b"$2b$13$"),
(14, b"$2b$14$"),
(15, b"$2b$15$"),
(16, b"$2b$16$"),
(17, b"$2b$17$"),
(18, b"$2b$18$"),
(19, b"$2b$19$"),
(20, b"$2b$20$"),
(21, b"$2b$21$"),
(22, b"$2b$22$"),
(23, b"$2b$23$"),
(24, b"$2b$24$"),
(4, b"$2b$04$KB.uKB.uKB.uKB.uKB.uK."),
(5, b"$2b$05$KB.uKB.uKB.uKB.uKB.uK."),
(6, b"$2b$06$KB.uKB.uKB.uKB.uKB.uK."),
(7, b"$2b$07$KB.uKB.uKB.uKB.uKB.uK."),
(8, b"$2b$08$KB.uKB.uKB.uKB.uKB.uK."),
(9, b"$2b$09$KB.uKB.uKB.uKB.uKB.uK."),
(10, b"$2b$10$KB.uKB.uKB.uKB.uKB.uK."),
(11, b"$2b$11$KB.uKB.uKB.uKB.uKB.uK."),
(12, b"$2b$12$KB.uKB.uKB.uKB.uKB.uK."),
(13, b"$2b$13$KB.uKB.uKB.uKB.uKB.uK."),
(14, b"$2b$14$KB.uKB.uKB.uKB.uKB.uK."),
(15, b"$2b$15$KB.uKB.uKB.uKB.uKB.uK."),
(16, b"$2b$16$KB.uKB.uKB.uKB.uKB.uK."),
(17, b"$2b$17$KB.uKB.uKB.uKB.uKB.uK."),
(18, b"$2b$18$KB.uKB.uKB.uKB.uKB.uK."),
(19, b"$2b$19$KB.uKB.uKB.uKB.uKB.uK."),
(20, b"$2b$20$KB.uKB.uKB.uKB.uKB.uK."),
(21, b"$2b$21$KB.uKB.uKB.uKB.uKB.uK."),
(22, b"$2b$22$KB.uKB.uKB.uKB.uKB.uK."),
(23, b"$2b$23$KB.uKB.uKB.uKB.uKB.uK."),
(24, b"$2b$24$KB.uKB.uKB.uKB.uKB.uK."),
],
)
def test_gensalt_rounds_valid(rounds, expected_prefix):
salt = bcrypt.gensalt(rounds)
assert salt.startswith(expected_prefix)
def test_gensalt_rounds_valid(rounds, expected, monkeypatch):
monkeypatch.setattr(os, "urandom", lambda n: b"0000000000000000")
assert bcrypt.gensalt(rounds) == expected
@pytest.mark.parametrize("rounds", list(range(1, 4)))
@ -201,12 +204,12 @@ def test_gensalt_rounds_invalid(rounds):
def test_gensalt_bad_prefix():
with pytest.raises(ValueError):
bcrypt.gensalt(prefix=b"bad")
bcrypt.gensalt(prefix="bad")
def test_gensalt_2a_prefix():
salt = bcrypt.gensalt(prefix=b"2a")
assert salt.startswith(b"$2a$12$")
def test_gensalt_2a_prefix(monkeypatch):
monkeypatch.setattr(os, "urandom", lambda n: b"0000000000000000")
assert bcrypt.gensalt(prefix=b"2a") == b"$2a$12$KB.uKB.uKB.uKB.uKB.uK."
@pytest.mark.parametrize(("password", "salt", "hashed"), _test_vectors)
@ -234,25 +237,6 @@ def test_checkpw_2y_prefix(password, hashed, expected):
assert bcrypt.checkpw(password, hashed) is True
@pytest.mark.parametrize(
("pw_length", "should_raise"),
[
(71, False),
(72, False),
(73, True),
],
)
def test_hashpw_raises_correctly_for_long_passwords(pw_length, should_raise):
password = b"\xaa" * pw_length
salt = b"$2b$04$xnFVhJsTzsFBTeP3PpgbMe"
if should_raise:
with pytest.raises(ValueError):
bcrypt.hashpw(password, salt)
else:
bcrypt.hashpw(password, salt)
def test_hashpw_invalid():
with pytest.raises(ValueError):
bcrypt.hashpw(b"password", b"$2z$04$cVWp4XaNU8a4v1uMRum2SO")
@ -274,40 +258,34 @@ def test_checkpw_bad_salt():
b"badpass",
b"$2b$04$?Siw3Nv3Q/gTOIPetAyPr.GNj3aO0lb1E5E9UumYGKjP9BYqlNWJe",
)
with pytest.raises(ValueError):
bcrypt.checkpw(
b"password",
b"$2b$3$mdEQPMOtfPX.WGZNXgF66OhmBlOGKEd66SQ7DyJPGucYYmvTJYviy",
)
with pytest.raises(ValueError):
bcrypt.checkpw(b"password", b"$2b$12$incorrect")
def test_checkpw_str_password():
with pytest.raises(TypeError):
bcrypt.checkpw("password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO") # type: ignore[arg-type]
bcrypt.checkpw("password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO")
def test_checkpw_str_salt():
with pytest.raises(TypeError):
bcrypt.checkpw(b"password", "$2b$04$cVWp4XaNU8a4v1uMRum2SO") # type: ignore[arg-type]
bcrypt.checkpw(b"password", "$2b$04$cVWp4XaNU8a4v1uMRum2SO")
def test_hashpw_str_password():
with pytest.raises(TypeError):
bcrypt.hashpw("password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO") # type: ignore[arg-type]
bcrypt.hashpw("password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO")
def test_hashpw_str_salt():
with pytest.raises(TypeError):
bcrypt.hashpw(b"password", "$2b$04$cVWp4XaNU8a4v1uMRum2SO") # type: ignore[arg-type]
bcrypt.hashpw(b"password", "$2b$04$cVWp4XaNU8a4v1uMRum2SO")
def test_checkpw_nul_byte():
bcrypt.checkpw(
b"abc\0def",
b"$2b$04$2Siw3Nv3Q/gTOIPetAyPr.GNj3aO0lb1E5E9UumYGKjP9BYqlNWJe",
)
with pytest.raises(ValueError):
bcrypt.checkpw(
b"abc\0def",
b"$2b$04$2Siw3Nv3Q/gTOIPetAyPr.GNj3aO0lb1E5E9UumYGKjP9BYqlNWJe",
)
with pytest.raises(ValueError):
bcrypt.checkpw(
@ -318,13 +296,8 @@ def test_checkpw_nul_byte():
def test_hashpw_nul_byte():
salt = bcrypt.gensalt(4)
hashed = bcrypt.hashpw(b"abc\0def", salt)
assert bcrypt.checkpw(b"abc\0def", hashed)
# assert that we are sensitive to changes in the password after the first
# null byte:
assert not bcrypt.checkpw(b"abc\0deg", hashed)
assert not bcrypt.checkpw(b"abc\0def\0", hashed)
assert not bcrypt.checkpw(b"abc\0def\0\0", hashed)
with pytest.raises(ValueError):
bcrypt.hashpw(b"abc\0def", salt)
def test_checkpw_extra_data():
@ -398,13 +371,13 @@ def test_checkpw_extra_data():
[
# longer password
8,
b"Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do"
b" eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut "
b"Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do "
b"eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut "
b"enim ad minim veniam, quis nostrud exercitation ullamco laboris "
b"nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor "
b"in reprehenderit in voluptate velit esse cillum dolore eu fugiat"
b" nulla pariatur. Excepteur sint occaecat cupidatat non proident,"
b" sunt in culpa qui officia deserunt mollit anim id est laborum.",
b"in reprehenderit in voluptate velit esse cillum dolore eu fugiat "
b"nulla pariatur. Excepteur sint occaecat cupidatat non proident, "
b"sunt in culpa qui officia deserunt mollit anim id est laborum.",
b"salis\x00",
b"\x10\x97\x8b\x07\x25\x3d\xf5\x7f\x71\xa1\x62\xeb\x0e\x8a\xd3\x0a",
],
@ -440,7 +413,8 @@ def test_checkpw_extra_data():
[
# UTF-8 Greek characters "odysseus" / "telemachos"
8,
b"\xe1\xbd\x88\xce\xb4\xcf\x85\xcf\x83\xcf\x83\xce\xb5\xcf\x8d\xcf\x82",
b"\xe1\xbd\x88\xce\xb4\xcf\x85\xcf\x83\xcf\x83\xce\xb5\xcf\x8d\xcf"
b"\x82",
b"\xce\xa4\xce\xb7\xce\xbb\xce\xad\xce\xbc\xce\xb1\xcf\x87\xce\xbf"
b"\xcf\x82",
b"\x43\x66\x6c\x9b\x09\xef\x33\xed\x8c\x27\xe8\xe8\xf3\xe2\xd8\xe6",
@ -456,12 +430,12 @@ def test_kdf(rounds, password, salt, expected):
def test_kdf_str_password():
with pytest.raises(TypeError):
bcrypt.kdf("password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO", 10, 10) # type: ignore[arg-type]
bcrypt.kdf("password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO", 10, 10)
def test_kdf_str_salt():
with pytest.raises(TypeError):
bcrypt.kdf(b"password", "salt", 10, 10) # type: ignore[arg-type]
bcrypt.kdf(b"password", "salt", 10, 10)
def test_kdf_no_warn_rounds():
@ -481,7 +455,7 @@ def test_kdf_warn_rounds():
(b"", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO", 10, 10, ValueError),
(b"password", b"", 10, 10, ValueError),
(b"password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO", 0, 10, ValueError),
(b"password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO", -3, 10, OverflowError),
(b"password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO", -3, 10, ValueError),
(b"password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO", 513, 10, ValueError),
(b"password", b"$2b$04$cVWp4XaNU8a4v1uMRum2SO", 20, 0, ValueError),
],
@ -491,22 +465,10 @@ def test_invalid_params(password, salt, desired_key_bytes, rounds, error):
bcrypt.kdf(password, salt, desired_key_bytes, rounds)
def test_multithreading():
def create_user(pw):
salt = bcrypt.gensalt(4)
hash_ = bcrypt.hashpw(pw, salt)
key = bcrypt.kdf(pw, salt, 32, 50)
assert bcrypt.checkpw(pw, hash_)
return (salt, hash_, key)
user_creator = ThreadPoolExecutor(max_workers=4)
pws = [uuid.uuid4().bytes for _ in range(50)]
futures = [user_creator.submit(create_user, pw) for pw in pws]
users = [future.result() for future in futures]
for pw, (salt, hash_, key) in zip(pws, users):
assert bcrypt.hashpw(pw, salt) == hash_
assert bcrypt.checkpw(pw, hash_)
assert bcrypt.kdf(pw, salt, 32, 50) == key
def test_2a_wraparound_bug():
assert (
bcrypt.hashpw(
(b"0123456789" * 26)[:255], b"$2a$04$R1lJ2gkNaoPGdafE.H.16."
)
== b"$2a$04$R1lJ2gkNaoPGdafE.H.16.1MKHPvmKwryeulRe225LKProWYwt9Oi"
)

44
tox.ini Normal file
View File

@ -0,0 +1,44 @@
[tox]
isolated_build = True
[testenv]
extras =
tests
deps =
coverage
commands =
coverage run -m pytest --strict-markers {posargs}
coverage combine
coverage report -m --fail-under 100
[testenv:pep8]
deps =
black
flake8
flake8-import-order
pep8-naming
commands =
flake8 .
black --check .
[testenv:mypy]
deps =
mypy
commands =
mypy src/bcrypt
[testenv:packaging]
deps =
setuptools-rust
check-manifest
readme_renderer
commands =
check-manifest
python setup.py check --metadata --restructuredtext --strict
[flake8]
ignore = E203,E211,E501,W503,W504
exclude = .tox,*.egg
select = E,W,F,N,I
application-import-names = bcrypt,tests