k"g$[ddlZddlZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z ddl mZddlmZmZmZmZddlmZddlmZd Zd Zd Zd'd Zd(d Zd(dZd(dZej@dZ!ej@dZ"ee dZ#d'dZ$dZ%d)dZ&dZ'GddZ(Gdde(Z)Gdde)Z*Gdde(Z+Gdd e(Z,Gd!d"e,Z-Gd#d$e(Z.Gd%d&e(Z/y)*N)settings)ImproperlyConfigured)setting_changed)receiver)RANDOM_STRING_CHARSconstant_time_compareget_random_stringpbkdf2) import_string) gettext_noop!(c:|duxs|jt S)zv Return True if this password wasn't generated by User.set_unusable_password(), i.e. make_password(None). N) startswithUNUSABLE_PASSWORD_PREFIX)encodeds T/var/www/html/djangosite/lib/python3.12/site-packages/django/contrib/auth/hashers.pyis_password_usablers" d? N'"4"45M"NNNcd|duxs t| }t|} t|}|rt t t yj|jk7}|xs|j|}|j||}|s|s|r|j||||fS#t$rd}YwxYw)z Return two booleans. The first is whether the raw password matches the three part encoded digest, and the second whether to regenerate the password. NT)FF) r get_hasheridentify_hasher ValueError make_passwordr UNUSABLE_PASSWORD_SUFFIX_LENGTH algorithm must_updateverifyharden_runtime)passwordr preferred fake_runtimehasherhasher_changedr is_corrects rverify_passwordr&$s t#F+=g+F'FL9%I )  '(GHI%%)<)<L  v NrcRtDcic]}|j|c}Scc}wN)r?r)r#s rget_hashers_by_algorithmrBs#3>= AF  f $ AA As$c `|dk(r)tjtjyy)Nr9)r? cache_clearrB)settingkwargss r reset_hashersrGs($$! ,,.%rct|dr|S|dk(r tdSt} ||S#t$rt d|zwxYw)z Return an instance of a loaded password hasher. If algorithm is 'default', return the default hasher. Lazily import hashers specified in the project's settings file if needed. rdefaultrz\Unknown password hashing algorithm '%s'. Did you specify it in the PASSWORD_HASHERS setting?)hasattrr?rBKeyErrorr)rr<s rrrsly+& i }Q+, 9% % &'  s 1A ct|dk(rd|vst|dk(r|jdr d}t|St|dk(r|jdr d}t|S|jdd d }t|S) z Return an instance of a loaded password hasher. Identify hasher algorithm by examining encoded hash, and call get_hasher() to return hasher. Raise ValueError if algorithm cannot be identified, or if hasher is not loaded. $%zmd5$$ unsalted_md5.zsha1$$ unsalted_sha1r)lenrsplitr)rrs rrrs G s'1 G w11':" i  W  2 28 <#  i  MM#q)!, i  rc8|d|}||t||dzz }|S)z Return the given hash, with only the first ``show`` number shown. The rest are masked with ``char`` for security reasons. N)rT)hashshowcharmaskeds r mask_hashr[s. %4[F dSde%%%F Mrcdt|tjttz|kSrA)rTmathlog2r)r6expected_entropys rmust_update_saltr`s& t9tyy%8!9: :=M MMrcReZdZdZdZdZdZdZdZdZ dZ dZ d Z d Z d Zd Zy) BasePasswordHasherz Abstract base class for password hashers When creating your own hasher, you need to override algorithm, verify(), encode() and safe_summary(). PasswordHasher objects are immutable. Ncr|jTt|jttfr|j\}}n |j} t j |}|Std|jjz#t $r*}td|jjd|d}~wwxYw)NzCouldn't load z algorithm library: z-Hasher %r doesn't specify a library attribute) libraryr0tuplelist importlib import_module ImportErrorr __class____name__)selfnamemod_pathmodulees r _load_libraryz BasePasswordHasher._load_librarys << #$,, 6!%h<< "00: M ;dnn>U>U U    ~~..3 s B B6 %B11B6ctj|jtjt t z }t |t S)z Generate a cryptographically secure nonce salt in ASCII with an entropy of at least `salt_entropy` bits. ) allowed_chars)r]ceil salt_entropyr^rTrr )rm char_counts rr6zBasePasswordHasher.salts:YYt00499SAT=U3VVW  ;NOOrctd)z'Check if the given password is correct.z?subclasses of BasePasswordHasher must provide a verify() methodNotImplementedErrorrmr rs rrzBasePasswordHasher.verifys! M  rc@| td|rd|vr tdy)Nzpassword must be provided.rNz+salt must be provided and cannot contain $.)r3rrmr r6s r_check_encode_argsz%BasePasswordHasher._check_encode_argss.  89 9sd{JK K#rctd)z Create an encoded database value. The result is normally formatted as "algorithm$salt$hash" and must be fewer than 128 characters. z@subclasses of BasePasswordHasher must provide an encode() methodryr}s rr7zBasePasswordHasher.encodes" N  rctd)z Return a decoded database value. The result is a dictionary and should contain `algorithm`, `hash`, and `salt`. Extra keys can be algorithm specific like `iterations` or `work_factor`. z@subclasses of BasePasswordHasher must provide a decode() method.ryrmrs rdecodezBasePasswordHasher.decode s" N  rctd)z Return a summary of safe values. The result is a dictionary and will be used where the password field must be displayed to construct a safe representation of the password. zEsubclasses of BasePasswordHasher must provide a safe_summary() methodryrs r safe_summaryzBasePasswordHasher.safe_summarys" S  rcy)NFrs rrzBasePasswordHasher.must_update$src.tjdy)a Bridge the runtime gap between the work factor supplied in `encoded` and the work factor suggested by this hasher. Taking PBKDF2 as an example, if `encoded` contains 20000 iterations and `self.iterations` is 30000, this method should run password through another 10000 iterations of PBKDF2. Similar approaches should exist for any hasher that has a work factor. If not, this method should be defined as a no-op to silence the warning. zIsubclasses of BasePasswordHasher should provide a harden_runtime() methodN)warningswarnr{s rrz!BasePasswordHasher.harden_runtime's  W r)rl __module__r5__doc__rrervrrr6rr~r7rrrrrrrrbrbsGIGL $P L        rrbcVeZdZdZdZdZejZd dZ dZ dZ dZ d Z d Zy) PBKDF2PasswordHashera Secure password hashing using the PBKDF2 algorithm (recommended) Configured to use PBKDF2 + HMAC + SHA256. The result is a 64 byte binary string. Iterations may be changed safely but you must rename the algorithm if you change SHA256. pbkdf2_sha256ipF Nc|j|||xs |j}t||||j}t j |j dj}d|j|||fzS)N)digestasciiz %s$%d$%s$%s) r~ iterationsr rbase64 b64encoderstripr)rmr r6rrWs rr7zPBKDF2PasswordHasher.encodeDsp $/24?? hjE%,,W5;;= D$GGGrcr|jdd\}}}}||jk(sJ||t||dS)NrN)rrWrr6rUrint)rmrrrr6rWs rrzPBKDF2PasswordHasher.decodeKsG,3MM#q,A) :tTDNN***"j/   rcn|j|}|j||d|d}t||SNr6rrr7rrmr rdecoded encoded_2s rrzPBKDF2PasswordHasher.verifyUs8++g&KK'&/7<;PQ $Wi88rc |j|}td|dtd|dtdt|dtdt|diS)Nrrr6rWr_r[rmrrs rrz!PBKDF2PasswordHasher.safe_summaryZsZ++g& kNGK0 lOW\2 fIy1 fIy1   rc|j|}t|d|j}|d|jk7xs|Sr)rr`rvr)rmrr update_salts rrz PBKDF2PasswordHasher.must_updatecs?++g&&wv8I8IJ  %8H[Hrc|j|}|j|dz }|dkDr|j||d|yy)Nrrr6)rrr7)rmr rrextra_iterationss rrz#PBKDF2PasswordHasher.harden_runtimehsF++g&??W\-BB a  KK'&/3C D rrA)rlrr5rrrhashlibsha256rr7rrrrrrrrrr7s= IJ ^^FH 9  I Errc,eZdZdZdZej Zy)PBKDF2SHA1PasswordHasherz Alternate PBKDF2 hasher which uses SHA1, the default PRF recommended by PKCS #5. This is compatible with other implementations of PBKDF2, such as openssl's PKCS5_PBKDF2_HMAC_SHA1(). pbkdf2_sha1N)rlrr5rrrsha1rrrrrrosI \\FrrcNeZdZdZdZdZdZdZdZdZ dZ dZ d Z d Z d Zd Zy )Argon2PasswordHashera Secure password hashing using the argon2 algorithm. This is the winner of the Password Hashing Competition 2013-2015 (https://password-hashing.net). It requires the argon2-cffi library which depends on native C code and might cause portability issues. argon2ic ^|j}|j}|jj|j |j |j |j |j|j|j}|j|jdzS)N) time_cost memory_cost parallelismhash_lenr4r) rrparams low_level hash_secretr7rrrrr4rr)rmr r6rrdatas rr7zArgon2PasswordHasher.encodes##%++ OO  KKM&&****__, ~~ G 444rc |j}|jdd\}}||jk(sJ|jd|z}|jd^}}}} |dt | dzzz }t j |jd} || |j|j| |j||j|d S)NrNrS=latin1) rrWrrr6rvarietyversionr) rrrUrextract_parametersrTr b64decoderrrrr) rmrrrrestrrrb64saltrWr6s rrzArgon2PasswordHasher.decodes##%!--Q/ 4DNN*****3:6%)ZZ_"!Wd33w<-!+,,(//9"!--!--))~~  rc|j}|jdd\}}||jk(sJ |jj d|z|S#|j j $rYywxYw)NrNrSF)rrrUrPasswordHasherr exceptionsVerificationError)rmr rrrrs rrzArgon2PasswordHasher.verifysy##%!--Q/ 4DNN*** ((*11#*hG G  22  s"AA76A7c,|j|}td|dtd|dtd|dtd|dtd|dtd|dtd t|d td t|d iS) Nrrrz memory costrz time costrrr6rWrrs rrz!Argon2PasswordHasher.safe_summarys++g& kNGK0 iL'), iL'), m gm4 kNGK0 m gm4 fIy1 fIy1  rc|j|}|d}|j}|j|_t|d|j}||k7xs|S)Nrr6)rrsalt_lenr`rv)rmrrcurrent_params new_paramsrs rrz Argon2PasswordHasher.must_updates[++g& *[[] -55 &wv8I8IJ *,<??rc|jdd\}}}}}||jk(sJ|||dd|ddt|dS)NrNr)ralgostrchecksumr6 work_factorr)rmrremptyrrrs rrz!BCryptSHA256PasswordHasher.decodesY7>}}S!7L4 5';DNN***"RS "I{+   rc|jdd\}}||jk(sJ|j||jd}t||S)NrNrSr)rUrr7r)rmr rrrrs rrz!BCryptSHA256PasswordHasher.verify sN!--Q/ 4DNN***KK$++g*>? $Wi88rc |j|}td|dtd|dtdt|dtdt|diS)Nr work factorrr6rrrs rrz'BCryptSHA256PasswordHasher.safe_summarys\++g& kNGK0 m gm4 fIy1 jM9WZ%89   rcH|j|}|d|jk7S)Nr)rrrs rrz&BCryptSHA256PasswordHasher.must_updates$++g&}%44rc|jdd\}}|dd}|jdd}d|jt|z zdz }|dkDr-|j||jd|dz}|dkDr,yy)NrNrSrrr)rUrrr7)rmr rrrr6rdiffs rrz)BCryptSHA256PasswordHasher.harden_runtimes--Q'4CRyC#T[[3v;./!3Qh KK$++g"6 7 AIDQhrN)rlrr5rrrrrrerr6r7rrrrrrrrrrsE I ^^F"G F+ @  9  5rrceZdZdZdZdZy)BCryptPasswordHashera Secure password hashing using the bcrypt algorithm This is considered by many to be the most secure algorithm but you must first install the bcrypt library. Please be warned that this library depends on native C code and might cause portability issues. This hasher does not first hash the password which means it is subject to bcrypt's 72 bytes password truncation. Most use cases should prefer the BCryptSHA256PasswordHasher. rN)rlrr5rrrrrrrr)s I FrrcJeZdZdZdZdZdZdZdZddZ d Z d Z d Z d Z d Zy)ScryptPasswordHasherz= Secure password hashing using the Scrypt algorithm. scryptrri@Nc |j|||xs |j}|xs |j}|xs |j}t j |j |j ||||jd}tj|jdj}d|j|||||fzS)N@)r6nrpmaxmemdklenrz%s$%d$%s$%d$%d$%s) r~r block_sizerrrr7rrrrrr)rmr r6rrrhash_s rr7zScryptPasswordHasher.encodeFs $/ !!!  !!! OO ;;   '..w7==?"dnnaq!U%KKKrc|jdd\}}}}}}||jk(sJ|t||t|t||dS)NrN)rrr6rrrWr)rmrrrr6rrrs rrzScryptPasswordHasher.decodeWsaGN}} H D ;j+uDNN***"{+j/{+   rc~|j|}|j||d|d|d|d}t||S)Nr6rrrrrs rrzScryptPasswordHasher.verifyesO++g&KK  FO M " L ! M "  %Wi88rc|j|}td|dtd|dtd|dtd|dtdt|dtdt|diS) Nrrrz block sizerrr6rWrrs rrz!ScryptPasswordHasher.safe_summarypsx++g& kNGK0 m gm4 lOW\2 m gm4 fIy1 fIy1   rc|j|}|d|jk7xs&|d|jk7xs|d|jk7S)Nrrr)rrrrrs rrz ScryptPasswordHasher.must_update{sV++g& M "d&6&6 6 :|$7 :}%)9)99 rcyrArr{s rrz#ScryptPasswordHasher.harden_runtimerr)NNN)rlrr5rrrrrrr7rrrrrrrrrr;sAIJ FKKL"   9    rrc8eZdZdZdZdZdZdZdZdZ dZ y ) MD5PasswordHasherzE The Salted MD5 password hashing algorithm (not recommended) md5c|j||tj||zjj }|j d|d|S)NrN)r~rrr7 hexdigestr)rmr r6rWs rr7zMD5PasswordHasher.encodesG $/{{D8O3356@@B!^^T488rc\|jdd\}}}||jk(sJ|||dS)NrNr)rrWr6)rUr)rmrrr6rWs rrzMD5PasswordHasher.decodes> ' c1 5 4DNN***"  rcf|j|}|j||d}t||SNr6rrs rrzMD5PasswordHasher.verifys1++g&KK'&/: $Wi88rc |j|}td|dtdt|ddtdt|diS)Nrr6r)rXrWrrs rrzMD5PasswordHasher.safe_summarysN++g& kNGK0 fIyq9 fIy1  rcV|j|}t|d|jSr )rr`rvrs rrzMD5PasswordHasher.must_updates'++g&1B1BCCrcyrArr{s rrz MD5PasswordHasher.harden_runtimes rN) rlrr5rrr7rrrrrrrrrrs-I9  9  D rr)rI)NrI)r*)0rr functoolsrrhr]r django.confrdjango.core.exceptionsrdjango.core.signalsrdjango.dispatchrdjango.utils.cryptorrr r django.utils.module_loadingr django.utils.translationr rrrrr&r,r.r lru_cacher?rBrGrrr[r`rbrrrrrrrrrrrs9   7/$ 66 O!#H ),    BB /// 2!,N h h V5E-5Ep 3 c -c LE!3EP5$K -K \' *' r