B hAZ#@s0dZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddlmZmZmZmZmZmZmZdZd Zed jZeed dZe Zed d ejjejj gDZ!ddZ"e"Z#eddfddZ$e%edZ&eddfddZ'ddZ(ddZ)ddZ*d#ddZ+dd Z,d!d"Z-dS)$z werkzeug.security ~~~~~~~~~~~~~~~~~ Security related helpers such as secure password hashing tools. :copyright: (c) 2014 by the Werkzeug Team, see AUTHORS for more details. :license: BSD, see LICENSE for more details. N)Struct) SystemRandom)xor)starmap) range_typePY2 text_typeizipto_bytes string_types to_nativeZ>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789iPz>IZcompare_digestccs|]}|dkr|VqdS))N/N).0seprr0lib/python3.7/site-packages/werkzeug/security.py srcCsJttdd}|dkrd}i}x(|D] }tt|d}|dk r"|||<q"W|S)NZ algorithms)Zmd5Zsha1Zsha224sha256Zsha384Zsha512)getattrhashlib)ZalgosrvZalgofuncrrr_find_hashlib_algorithms$s    rcCs t|||||}tt|dS)a)Like :func:`pbkdf2_bin`, but returns a hex-encoded string. .. versionadded:: 0.9 :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided, the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function, or a function from the hashlib module. Defaults to sha256. hex_codec) pbkdf2_binr codecsencode)datasalt iterationskeylenhashfuncrrrr pbkdf2_hex1sr" pbkdf2_hmacc Cst|trt|}n |stj}t|}t|}tr`|}t|dr`|jtkr`t |j||||St |d|}|sx|j }|fdd}t }xttd| |j  dD]X} ||t| } } x4t|dD]$} |t| } t ttt| | } qW|| qWt|d|S)aReturns a binary digest for the PBKDF2 hash algorithm of `data` with the given `salt`. It iterates `iterations` times and produces a key of `keylen` bytes. By default, SHA-256 is used as hash function; a different hashlib `hashfunc` can be provided. .. versionadded:: 0.9 :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function or a function from the hashlib module. Defaults to sha256. nameNcSs|}||t|S)N)copyupdate bytearrayZdigest)xmachrrr _pseudorandomns z!pbkdf2_bin.._pseudorandom) isinstancer _hash_funcsrrr _has_native_pbkdf2hasattrr$r#hmacHMACZ digest_sizer'r _pack_intbytesrrr extend) rrrr r!Z _test_hashr)r+ZbufblockruirrrrGs2      rcCst|tr|d}t|tr(|d}tdk r:t||St|t|krNdSd}trxPt||D]\}}|t|t|AO}qbWn$x"t||D]\}}|||AO}qW|dkS)zThis function compares strings in somewhat constant time. This requires that the length of at least one string is known in advance. Returns `True` if the two strings are equal, or `False` if they are not. .. versionadded:: 0.7 zutf-8NFr)r-rr_builtin_safe_str_cmplenrr ord)abrr(yrrr safe_str_cmp|s     r?cCs(|dkrtddddt|DS)zAGenerate a random string of SALT_CHARS with specified ``length``.rzSalt length must be positivecss|]}ttVqdS)N)_sys_rngZchoice SALT_CHARS)r_rrrrszgen_salt..) ValueErrorjoinr)lengthrrrgen_saltsrGc Cs|dkr||fSt|tr$|d}|dr|ddd}t|dkrTtd|d }|rrt|d pnd ptt }d }d ||f}nd }|}t |}|dkrt d ||r|stdt ||||d}nD|rt|tr|d}t|||}n|} | || }||fS)zInternal password hash helper. Supports plaintext without salt, unsalted and salted passwords. In case salted passwords are used hmac is used. plainzutf-8zpbkdf2:N:)r,z&Invalid number of arguments for PBKDF2rTz pbkdf2:%s:%dFzinvalid method %rzSalt is required for PBKDF2)r!)r-rr startswithsplitr:rDpopintDEFAULT_PBKDF2_ITERATIONSr.get TypeErrorr"r1r2Z hexdigestr&) methodrpasswordargsrZ is_pbkdf2 actual_methodZ hash_funcrr*rrr_hash_internals<           rW pbkdf2:sha256cCs2|dkrt|pd}t|||\}}d|||fS)aHash a password with the given method and salt with a string of the given length. The format of the string returned includes the method that was used so that :func:`check_password_hash` can check the hash. The format for the hashed string looks like this:: method$salt$hash This method can **not** generate unsalted passwords but it is possible to set param method='plain' in order to enforce plaintext passwords. If a salt is used, hmac is used internally to salt the password. If PBKDF2 is wanted it can be enabled by setting the method to ``pbkdf2:method:iterations`` where iterations is optional:: pbkdf2:sha256:80000$salt$hash pbkdf2:sha256$salt$hash :param password: the password to hash. :param method: the hash method to use (one that hashlib supports). Can optionally be in the format ``pbkdf2:[:iterations]`` to enable PBKDF2. :param salt_length: the length of the salt in letters. rHr@z%s$%s$%s)rGrW)rTrSZ salt_lengthrr*rVrrrgenerate_password_hashsrZcCs:|ddkrdS|dd\}}}tt|||d|S)acheck a password against a given salted and hashed password value. In order to support unsalted legacy passwords this method supports plain text passwords, md5 and sha1 hashes (both salted and unsalted). Returns `True` if the password matched, `False` otherwise. :param pwhash: a hashed string like returned by :func:`generate_password_hash`. :param password: the plaintext password to compare against the hash. $rKFr)countrMr?rW)ZpwhashrTrSrZhashvalrrrcheck_password_hashs r]cGsv|g}xd|D]\}|dkr"t|}xtD]}||kr(dSq(Wtj|sZ|dksZ|dr^dS||q Wtj|S)zSafely join `directory` and one or more untrusted `pathnames`. If this cannot be done, this function returns ``None``. :param directory: the base directory. :param pathnames: the untrusted pathnames relative to that directory. r@Nz..z../) posixpathnormpath _os_alt_sepsospathisabsrLappendrE)Z directoryZ pathnamespartsfilenamerrrr safe_joins     rg)rXrY).__doc__rar1rr^rZstructrZrandomroperatorr itertoolsrZwerkzeug._compatrrrr r r r rBrPZpackr3rr9rAlistrbraltsepr`rr.r"r0r/rr?rGrWrZr]rgrrrr s:    $    4+