add support for $2y$

test vectors from openwall crypt-blowfish1.3
pyca · Jun 22, 2016 · 2572abc · 2572abc
1 parent 4c85e42
commit 2572abc
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/README.rst b/README.rst
@@ -97,7 +97,7 @@ Another one of bcrypt's features is an adjustable prefix to let you define what
 libraries you'll remain compatible with. To adjust this, pass either ``2a`` or
 ``2b`` (the default) to ``bcrypt.gensalt(prefix=b"2b")`` as a bytes object.
 
-As of 3.0.0 the supported prefixes are `$2a$` and `$2b$`. **`$2y$` is unsupported.**
+As of 3.0.0 the `$2y$` prefix is still supported in `hashpw` but deprecated.
 
 Maxmimum Password Length
 ~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/src/bcrypt/__init__.py b/src/bcrypt/__init__.py
@@ -17,6 +17,7 @@
 from __future__ import division
 
 import os
+import re
 
 import six
 
@@ -35,6 +36,13 @@
 ]
 
 
+_normalize_re = re.compile(b"^\$2y\$")
+
+
+def _normalize_prefix(salt):
+    return _normalize_re.sub(b"$2b$", salt)
+
+
 def gensalt(rounds=12, prefix=b"2b"):
     if prefix not in (b"2a", b"2b"):
         raise ValueError("Supported prefixes are b'2a' or b'2b'")
@@ -59,6 +67,8 @@ def hashpw(password, salt):
     if b"\x00" in password:
         raise ValueError("password may not contain NUL bytes")
 
+    salt = _normalize_prefix(salt)
+
     hashed = _bcrypt.ffi.new("unsigned char[]", 128)
     retval = _bcrypt.lib.bcrypt_hashpass(password, salt, hashed, len(hashed))
 

diff --git a/tests/test_bcrypt.py b/tests/test_bcrypt.py
@@ -280,6 +280,22 @@ def test_hashpw_existing(password, hashed):
     assert bcrypt.hashpw(password, hashed) == hashed
 
 
+@pytest.mark.parametrize(("password", "hashed", "expected"), [
+    (
+        b"\xa3",
+        b"$2y$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq",
+        b"$2b$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq",
+    ),
+    (
+        b"\xff\xff\xa3",
+        b"$2y$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e",
+        b"$2b$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e",
+    ),
+])
+def test_hashpw_2y_prefix(password, hashed, expected):
+    assert bcrypt.hashpw(password, hashed) == expected
+
+
 def test_hashpw_invalid():
     with pytest.raises(ValueError):
         bcrypt.hashpw(b"password", b"$2z$04$cVWp4XaNU8a4v1uMRum2SO")