An interpreted, interactive, object-oriented programming language
CentOS Sources
2017-08-01 71084d584ff953f5463757ec6536406320560b4d
commit | author | age
f63228 1
CS 2 # HG changeset patch
3 # User Benjamin Peterson <benjamin@python.org>
4 # Date 1401567982 25200
5 # Node ID e4da3ba9dcac4374ca0ccc46a48c32be6f951038
6 # Parent  8fa8c290c165dccd613632b69a816623b51e801e
7 backport hashlib.pbkdf2_hmac per PEP 466 (closes #21304)
8
9 Backport by Alex Gaynor.
10
11 diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst
12 --- a/Doc/library/hashlib.rst
13 +++ b/Doc/library/hashlib.rst
14 @@ -135,6 +135,46 @@ A hash object has the following methods:
15     compute the digests of strings that share a common initial substring.
16  
17  
18 +Key Derivation Function
19 +-----------------------
20 +
21 +Key derivation and key stretching algorithms are designed for secure password
22 +hashing. Naive algorithms such as ``sha1(password)`` are not resistant against
23 +brute-force attacks. A good password hashing function must be tunable, slow, and
24 +include a `salt <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_.
25 +
26 +
27 +.. function:: pbkdf2_hmac(name, password, salt, rounds, dklen=None)
28 +
29 +   The function provides PKCS#5 password-based key derivation function 2. It
30 +   uses HMAC as pseudorandom function.
31 +
32 +   The string *name* is the desired name of the hash digest algorithm for
33 +   HMAC, e.g. 'sha1' or 'sha256'. *password* and *salt* are interpreted as
34 +   buffers of bytes. Applications and libraries should limit *password* to
35 +   a sensible value (e.g. 1024). *salt* should be about 16 or more bytes from
36 +   a proper source, e.g. :func:`os.urandom`.
37 +
38 +   The number of *rounds* should be chosen based on the hash algorithm and
39 +   computing power. As of 2013, at least 100,000 rounds of SHA-256 is suggested.
40 +
41 +   *dklen* is the length of the derived key. If *dklen* is ``None`` then the
42 +   digest size of the hash algorithm *name* is used, e.g. 64 for SHA-512.
43 +
44 +   >>> import hashlib, binascii
45 +   >>> dk = hashlib.pbkdf2_hmac('sha256', b'password', b'salt', 100000)
46 +   >>> binascii.hexlify(dk)
47 +   b'0394a2ede332c9a13eb82e9b24631604c31df978b4e2f0fbd2c549944f9d79a5'
48 +
49 +   .. versionadded:: 2.7.8
50 +
51 +   .. note::
52 +
53 +      A fast implementation of *pbkdf2_hmac* is available with OpenSSL.  The
54 +      Python implementation uses an inline version of :mod:`hmac`. It is about
55 +      three times slower and doesn't release the GIL.
56 +
57 +
58  .. seealso::
59
60     Module :mod:`hmac`
61 diff --git a/Lib/hashlib.py b/Lib/hashlib.py
62 --- a/Lib/hashlib.py
63 +++ b/Lib/hashlib.py
64 @@ -77,7 +77,7 @@ __always_supported = ('md5', 'sha1', 'sh
65  
66  algorithms = __always_supported
67  
68 -__all__ = __always_supported + ('new', 'algorithms')
69 +__all__ = __always_supported + ('new', 'algorithms', 'pbkdf2_hmac')
70  
71  
72  def __get_openssl_constructor(name):
73 @@ -123,6 +123,72 @@ for __func_name in __always_supported:
74          import logging
75          logging.exception('code for hash %s was not found.', __func_name)
76  
77 +try:
78 +    # OpenSSL's PKCS5_PBKDF2_HMAC requires OpenSSL 1.0+ with HMAC and SHA
79 +    from _hashlib import pbkdf2_hmac
80 +except ImportError:
81 +    import binascii
82 +    import struct
83 +
84 +    _trans_5C = b"".join(chr(x ^ 0x5C) for x in range(256))
85 +    _trans_36 = b"".join(chr(x ^ 0x36) for x in range(256))
86 +
87 +    def pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None):
88 +        """Password based key derivation function 2 (PKCS #5 v2.0)
89 +
90 +        This Python implementations based on the hmac module about as fast
91 +        as OpenSSL's PKCS5_PBKDF2_HMAC for short passwords and much faster
92 +        for long passwords.
93 +        """
94 +        if not isinstance(hash_name, str):
95 +            raise TypeError(hash_name)
96 +
97 +        if not isinstance(password, (bytes, bytearray)):
98 +            password = bytes(buffer(password))
99 +        if not isinstance(salt, (bytes, bytearray)):
100 +            salt = bytes(buffer(salt))
101 +
102 +        # Fast inline HMAC implementation
103 +        inner = new(hash_name)
104 +        outer = new(hash_name)
105 +        blocksize = getattr(inner, 'block_size', 64)
106 +        if len(password) > blocksize:
107 +            password = new(hash_name, password).digest()
108 +        password = password + b'\x00' * (blocksize - len(password))
109 +        inner.update(password.translate(_trans_36))
110 +        outer.update(password.translate(_trans_5C))
111 +
112 +        def prf(msg, inner=inner, outer=outer):
113 +            # PBKDF2_HMAC uses the password as key. We can re-use the same
114 +            # digest objects and and just update copies to skip initialization.
115 +            icpy = inner.copy()
116 +            ocpy = outer.copy()
117 +            icpy.update(msg)
118 +            ocpy.update(icpy.digest())
119 +            return ocpy.digest()
120 +
121 +        if iterations < 1:
122 +            raise ValueError(iterations)
123 +        if dklen is None:
124 +            dklen = outer.digest_size
125 +        if dklen < 1:
126 +            raise ValueError(dklen)
127 +
128 +        hex_format_string = "%%0%ix" % (new(hash_name).digest_size * 2)
129 +
130 +        dkey = b''
131 +        loop = 1
132 +        while len(dkey) < dklen:
133 +            prev = prf(salt + struct.pack(b'>I', loop))
134 +            rkey = int(binascii.hexlify(prev), 16)
135 +            for i in xrange(iterations - 1):
136 +                prev = prf(prev)
137 +                rkey ^= int(binascii.hexlify(prev), 16)
138 +            loop += 1
139 +            dkey += binascii.unhexlify(hex_format_string % rkey)
140 +
141 +        return dkey[:dklen]
142 +
143  # Cleanup locals()
144  del __always_supported, __func_name, __get_hash
145  del __hash_new, __get_openssl_constructor
146 diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
147 --- a/Lib/test/test_hashlib.py
148 +++ b/Lib/test/test_hashlib.py
149 @@ -16,6 +16,8 @@ except ImportError:
150      threading = None
151  import unittest
152  import warnings
153 +from binascii import unhexlify
154 +
155  from test import test_support
156  from test.test_support import _4G, precisionbigmemtest
157  
158 @@ -436,8 +438,72 @@ class HashLibTestCase(unittest.TestCase)
159          
160  
161  
162 +class KDFTests(unittest.TestCase):
163 +    pbkdf2_test_vectors = [
164 +        (b'password', b'salt', 1, None),
165 +        (b'password', b'salt', 2, None),
166 +        (b'password', b'salt', 4096, None),
167 +        # too slow, it takes over a minute on a fast CPU.
168 +        #(b'password', b'salt', 16777216, None),
169 +        (b'passwordPASSWORDpassword', b'saltSALTsaltSALTsaltSALTsaltSALTsalt',
170 +         4096, -1),
171 +        (b'pass\0word', b'sa\0lt', 4096, 16),
172 +    ]
173 +
174 +    pbkdf2_results = {
175 +        "sha1": [
176 +            # offical test vectors from RFC 6070
177 +            (unhexlify('0c60c80f961f0e71f3a9b524af6012062fe037a6'), None),
178 +            (unhexlify('ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957'), None),
179 +            (unhexlify('4b007901b765489abead49d926f721d065a429c1'), None),
180 +            #(unhexlify('eefe3d61cd4da4e4e9945b3d6ba2158c2634e984'), None),
181 +            (unhexlify('3d2eec4fe41c849b80c8d83662c0e44a8b291a964c'
182 +                           'f2f07038'), 25),
183 +            (unhexlify('56fa6aa75548099dcc37d7f03425e0c3'), None),],
184 +        "sha256": [
185 +            (unhexlify('120fb6cffcf8b32c43e7225256c4f837'
186 +                           'a86548c92ccc35480805987cb70be17b'), None),
187 +            (unhexlify('ae4d0c95af6b46d32d0adff928f06dd0'
188 +                           '2a303f8ef3c251dfd6e2d85a95474c43'), None),
189 +            (unhexlify('c5e478d59288c841aa530db6845c4c8d'
190 +                           '962893a001ce4e11a4963873aa98134a'), None),
191 +            #(unhexlify('cf81c66fe8cfc04d1f31ecb65dab4089'
192 +            #               'f7f179e89b3b0bcb17ad10e3ac6eba46'), None),
193 +            (unhexlify('348c89dbcbd32b2f32d814b8116e84cf2b17'
194 +                           '347ebc1800181c4e2a1fb8dd53e1c635518c7dac47e9'), 40),
195 +            (unhexlify('89b69d0516f829893c696226650a8687'), None),],
196 +        "sha512": [
197 +            (unhexlify('867f70cf1ade02cff3752599a3a53dc4af34c7a669815ae5'
198 +                           'd513554e1c8cf252c02d470a285a0501bad999bfe943c08f'
199 +                           '050235d7d68b1da55e63f73b60a57fce'), None),
200 +            (unhexlify('e1d9c16aa681708a45f5c7c4e215ceb66e011a2e9f004071'
201 +                           '3f18aefdb866d53cf76cab2868a39b9f7840edce4fef5a82'
202 +                           'be67335c77a6068e04112754f27ccf4e'), None),
203 +            (unhexlify('d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f8'
204 +                           '7f6902e072f457b5143f30602641b3d55cd335988cb36b84'
205 +                           '376060ecd532e039b742a239434af2d5'), None),
206 +            (unhexlify('8c0511f4c6e597c6ac6315d8f0362e225f3c501495ba23b8'
207 +                           '68c005174dc4ee71115b59f9e60cd9532fa33e0f75aefe30'
208 +                           '225c583a186cd82bd4daea9724a3d3b8'), 64),
209 +            (unhexlify('9d9e9c4cd21fe4be24d5b8244c759665'), None),],
210 +    }
211 +
212 +    def test_pbkdf2_hmac(self):
213 +        for digest_name, results in self.pbkdf2_results.items():
214 +            for i, vector in enumerate(self.pbkdf2_test_vectors):
215 +                password, salt, rounds, dklen = vector
216 +                expected, overwrite_dklen = results[i]
217 +                if overwrite_dklen:
218 +                    dklen = overwrite_dklen
219 +                out = hashlib.pbkdf2_hmac(
220 +                    digest_name, password, salt, rounds, dklen)
221 +                self.assertEqual(out, expected,
222 +                                 (digest_name, password, salt, rounds, dklen))
223 +
224 +
225 +
226  def test_main():
227 -    test_support.run_unittest(HashLibTestCase)
228 +    test_support.run_unittest(HashLibTestCase, KDFTests)
229  
230  if __name__ == "__main__":
231      test_main()
232 diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
233 --- a/Modules/_hashopenssl.c
234 +++ b/Modules/_hashopenssl.c
235 @@ -39,6 +39,7 @@
236  #include <openssl/ssl.h>
237  #include <openssl/err.h>
238  #include <openssl/evp.h>
239 +#include <openssl/hmac.h>
240  
241  #define MUNCH_SIZE INT_MAX
242  
243 @@ -563,6 +564,226 @@ EVP_new(PyObject *self, PyObject *args,
244      return ret_obj;
245  }
246  
247 +
248 +
249 +#if (OPENSSL_VERSION_NUMBER >= 0x10000000 && !defined(OPENSSL_NO_HMAC) \
250 +     && !defined(OPENSSL_NO_SHA))
251 +
252 +#define PY_PBKDF2_HMAC 1
253 +
254 +/* Improved implementation of PKCS5_PBKDF2_HMAC()
255 + *
256 + * PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of
257 + * `iter` times. Today (2013) the iteration count is typically 100,000 or
258 + * more. The improved algorithm is not subject to a Denial-of-Service
259 + * vulnerability with overly large passwords.
260 + *
261 + * Also OpenSSL < 1.0 don't provide PKCS5_PBKDF2_HMAC(), only
262 + * PKCS5_PBKDF2_SHA1.
263 + */
264 +static int
265 +PKCS5_PBKDF2_HMAC_fast(const char *pass, int passlen,
266 +                       const unsigned char *salt, int saltlen,
267 +                       int iter, const EVP_MD *digest,
268 +                       int keylen, unsigned char *out)
269 +{
270 +    unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
271 +    int cplen, j, k, tkeylen, mdlen;
272 +    unsigned long i = 1;
273 +    HMAC_CTX hctx_tpl, hctx;
274 +
275 +    mdlen = EVP_MD_size(digest);
276 +    if (mdlen < 0)
277 +        return 0;
278 +
279 +    HMAC_CTX_init(&hctx_tpl);
280 +    HMAC_CTX_init(&hctx);
281 +    p = out;
282 +    tkeylen = keylen;
283 +    if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL)) {
284 +        HMAC_CTX_cleanup(&hctx_tpl);
285 +        return 0;
286 +    }
287 +    while(tkeylen) {
288 +        if(tkeylen > mdlen)
289 +            cplen = mdlen;
290 +        else
291 +            cplen = tkeylen;
292 +        /* We are unlikely to ever use more than 256 blocks (5120 bits!)
293 +         * but just in case...
294 +         */
295 +        itmp[0] = (unsigned char)((i >> 24) & 0xff);
296 +        itmp[1] = (unsigned char)((i >> 16) & 0xff);
297 +        itmp[2] = (unsigned char)((i >> 8) & 0xff);
298 +        itmp[3] = (unsigned char)(i & 0xff);
299 +        if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
300 +            HMAC_CTX_cleanup(&hctx_tpl);
301 +            return 0;
302 +        }
303 +        if (!HMAC_Update(&hctx, salt, saltlen)
304 +                || !HMAC_Update(&hctx, itmp, 4)
305 +                || !HMAC_Final(&hctx, digtmp, NULL)) {
306 +            HMAC_CTX_cleanup(&hctx_tpl);
307 +            HMAC_CTX_cleanup(&hctx);
308 +            return 0;
309 +        }
310 +        HMAC_CTX_cleanup(&hctx);
311 +        memcpy(p, digtmp, cplen);
312 +        for (j = 1; j < iter; j++) {
313 +            if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
314 +                HMAC_CTX_cleanup(&hctx_tpl);
315 +                return 0;
316 +            }
317 +            if (!HMAC_Update(&hctx, digtmp, mdlen)
318 +                    || !HMAC_Final(&hctx, digtmp, NULL)) {
319 +                HMAC_CTX_cleanup(&hctx_tpl);
320 +                HMAC_CTX_cleanup(&hctx);
321 +                return 0;
322 +            }
323 +            HMAC_CTX_cleanup(&hctx);
324 +            for (k = 0; k < cplen; k++) {
325 +                p[k] ^= digtmp[k];
326 +            }
327 +        }
328 +        tkeylen-= cplen;
329 +        i++;
330 +        p+= cplen;
331 +    }
332 +    HMAC_CTX_cleanup(&hctx_tpl);
333 +    return 1;
334 +}
335 +
336 +/* LCOV_EXCL_START */
337 +static PyObject *
338 +_setException(PyObject *exc)
339 +{
340 +    unsigned long errcode;
341 +    const char *lib, *func, *reason;
342 +
343 +    errcode = ERR_peek_last_error();
344 +    if (!errcode) {
345 +        PyErr_SetString(exc, "unknown reasons");
346 +        return NULL;
347 +    }
348 +    ERR_clear_error();
349 +
350 +    lib = ERR_lib_error_string(errcode);
351 +    func = ERR_func_error_string(errcode);
352 +    reason = ERR_reason_error_string(errcode);
353 +
354 +    if (lib && func) {
355 +        PyErr_Format(exc, "[%s: %s] %s", lib, func, reason);
356 +    }
357 +    else if (lib) {
358 +        PyErr_Format(exc, "[%s] %s", lib, reason);
359 +    }
360 +    else {
361 +        PyErr_SetString(exc, reason);
362 +    }
363 +    return NULL;
364 +}
365 +/* LCOV_EXCL_STOP */
366 +
367 +PyDoc_STRVAR(pbkdf2_hmac__doc__,
368 +"pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\
369 +\n\
370 +Password based key derivation function 2 (PKCS #5 v2.0) with HMAC as\n\
371 +pseudorandom function.");
372 +
373 +static PyObject *
374 +pbkdf2_hmac(PyObject *self, PyObject *args, PyObject *kwdict)
375 +{
376 +    static char *kwlist[] = {"hash_name", "password", "salt", "iterations",
377 +                             "dklen", NULL};
378 +    PyObject *key_obj = NULL, *dklen_obj = Py_None;
379 +    char *name, *key;
380 +    Py_buffer password, salt;
381 +    long iterations, dklen;
382 +    int retval;
383 +    const EVP_MD *digest;
384 +
385 +    if (!PyArg_ParseTupleAndKeywords(args, kwdict, "ss*s*l|O:pbkdf2_hmac",
386 +                                     kwlist, &name, &password, &salt,
387 +                                     &iterations, &dklen_obj)) {
388 +        return NULL;
389 +    }
390 +
391 +    digest = EVP_get_digestbyname(name);
392 +    if (digest == NULL) {
393 +        PyErr_SetString(PyExc_ValueError, "unsupported hash type");
394 +        goto end;
395 +    }
396 +
397 +    if (password.len > INT_MAX) {
398 +        PyErr_SetString(PyExc_OverflowError,
399 +                        "password is too long.");
400 +        goto end;
401 +    }
402 +
403 +    if (salt.len > INT_MAX) {
404 +        PyErr_SetString(PyExc_OverflowError,
405 +                        "salt is too long.");
406 +        goto end;
407 +    }
408 +
409 +    if (iterations < 1) {
410 +        PyErr_SetString(PyExc_ValueError,
411 +                        "iteration value must be greater than 0.");
412 +        goto end;
413 +    }
414 +    if (iterations > INT_MAX) {
415 +        PyErr_SetString(PyExc_OverflowError,
416 +                        "iteration value is too great.");
417 +        goto end;
418 +    }
419 +
420 +    if (dklen_obj == Py_None) {
421 +        dklen = EVP_MD_size(digest);
422 +    } else {
423 +        dklen = PyLong_AsLong(dklen_obj);
424 +        if ((dklen == -1) && PyErr_Occurred()) {
425 +            goto end;
426 +        }
427 +    }
428 +    if (dklen < 1) {
429 +        PyErr_SetString(PyExc_ValueError,
430 +                        "key length must be greater than 0.");
431 +        goto end;
432 +    }
433 +    if (dklen > INT_MAX) {
434 +        /* INT_MAX is always smaller than dkLen max (2^32 - 1) * hLen */
435 +        PyErr_SetString(PyExc_OverflowError,
436 +                        "key length is too great.");
437 +        goto end;
438 +    }
439 +
440 +    key_obj = PyBytes_FromStringAndSize(NULL, dklen);
441 +    if (key_obj == NULL) {
442 +        goto end;
443 +    }
444 +    key = PyBytes_AS_STRING(key_obj);
445 +
446 +    Py_BEGIN_ALLOW_THREADS
447 +    retval = PKCS5_PBKDF2_HMAC_fast((char*)password.buf, (int)password.len,
448 +                                    (unsigned char *)salt.buf, (int)salt.len,
449 +                                    iterations, digest, dklen,
450 +                                    (unsigned char *)key);
451 +    Py_END_ALLOW_THREADS
452 +
453 +    if (!retval) {
454 +        Py_CLEAR(key_obj);
455 +        _setException(PyExc_ValueError);
456 +        goto end;
457 +    }
458 +
459 +  end:
460 +    PyBuffer_Release(&password);
461 +    PyBuffer_Release(&salt);
462 +    return key_obj;
463 +}
464 +
465 +#endif
466 +
467  /*
468   *  This macro and function generates a family of constructor function
469   *  definitions for specific hash algorithms.  These constructors are much
470 @@ -690,6 +911,10 @@ static struct PyMethodDef EVP_functions[
471      CONSTRUCTOR_METH_DEF(sha384),
472      CONSTRUCTOR_METH_DEF(sha512),
473  #endif
474 +#ifdef PY_PBKDF2_HMAC
475 +    {"pbkdf2_hmac", (PyCFunction)pbkdf2_hmac, METH_VARARGS|METH_KEYWORDS,
476 +     pbkdf2_hmac__doc__},
477 +#endif
478      {NULL,      NULL}            /* Sentinel */
479  };
480  
481 diff -up Python-2.7.5/Lib/test/test_hmac.py.cod Python-2.7.5/Lib/test/test_hmac.py
482 --- Python-2.7.5/Lib/test/test_hmac.py.cod    2015-02-23 10:37:13.448594606 +0100
483 +++ Python-2.7.5/Lib/test/test_hmac.py    2015-02-23 10:37:27.581717509 +0100
484 @@ -1,3 +1,5 @@
485 +# coding: utf-8
486 +
487  import hmac
488  import hashlib
489  import unittest