Annotations for nacl.pwhash. (#718)

* Correct annotation of STRPREFIX constants These are C strings (i.e. pointers to a null-terminated sequence of bytes), and as such correspond to the `bytes` type in Python 3. (The name `cffi.string` probably made more sense in Python 2, where `str` was `bytes` rather than `unicode`.) This change makes these two entries consistent with other annotations. But for confirmation I checked directly: ```python >>> import nacl.bindings.crypto_pwhash >>> nacl.bindings.crypto_pwhash.crypto_pwhash_argon2i_STRPREFIX b'$argon2i$' ``` * Annotations for `nacl.pwhash` These are applied straight from #692.
pyca · Dec 8, 2021 · 78b5030 · 78b5030
1 parent 910e1bb
commit 78b5030
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 32 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -32,6 +32,7 @@ module = [
     "nacl.bindings",
     "nacl.encoding",
     "nacl.exceptions",
+    "nacl.pwhash",
     "nacl.utils",
 ]
 disallow_any_unimported = true
@@ -68,6 +69,7 @@ module = [
     "nacl.encoding",
     "nacl.exceptions",
     "nacl.utils",
+    "nacl.pwhash",
 ]
 disallow_any_expr = true
 warn_return_any = true

diff --git a/src/nacl/bindings/crypto_pwhash.py b/src/nacl/bindings/crypto_pwhash.py
@@ -99,7 +99,7 @@
 crypto_pwhash_BYTES_MIN: int = lib.crypto_pwhash_bytes_min()
 crypto_pwhash_BYTES_MAX: int = lib.crypto_pwhash_bytes_max()
 
-crypto_pwhash_argon2i_STRPREFIX: str = ffi.string(
+crypto_pwhash_argon2i_STRPREFIX: bytes = ffi.string(
     ffi.cast("char *", lib.crypto_pwhash_argon2i_strprefix())
 )[:]
 crypto_pwhash_argon2i_MEMLIMIT_MIN: int = (
@@ -133,7 +133,7 @@
     lib.crypto_pwhash_argon2i_memlimit_sensitive()
 )
 
-crypto_pwhash_argon2id_STRPREFIX: str = ffi.string(
+crypto_pwhash_argon2id_STRPREFIX: bytes = ffi.string(
     ffi.cast("char *", lib.crypto_pwhash_argon2id_strprefix())
 )[:]
 crypto_pwhash_argon2id_MEMLIMIT_MIN: int = (

diff --git a/src/nacl/pwhash/__init__.py b/src/nacl/pwhash/__init__.py
@@ -54,7 +54,7 @@
 verify_scryptsalsa208sha256 = scrypt.verify
 
 
-def verify(password_hash, password):
+def verify(password_hash: bytes, password: bytes) -> bool:
     """
     Takes a modular crypt encoded stored password hash derived using one
     of the algorithms supported by `libsodium` and checks if the user provided

diff --git a/src/nacl/pwhash/_argon2.py b/src/nacl/pwhash/_argon2.py
@@ -32,7 +32,7 @@
 ALG_ARGON2_DEFAULT = nacl.bindings.crypto_pwhash_ALG_DEFAULT
 
 
-def verify(password_hash, password):
+def verify(password_hash: bytes, password: bytes) -> bool:
     """
     Takes a modular crypt encoded argon2i or argon2id stored password hash
     and checks if the user provided password will hash to the same string

diff --git a/src/nacl/pwhash/argon2i.py b/src/nacl/pwhash/argon2i.py
@@ -47,13 +47,13 @@
 
 
 def kdf(
-    size,
-    password,
-    salt,
-    opslimit=OPSLIMIT_SENSITIVE,
-    memlimit=MEMLIMIT_SENSITIVE,
-    encoder=nacl.encoding.RawEncoder,
-):
+    size: int,
+    password: bytes,
+    salt: bytes,
+    opslimit: int = OPSLIMIT_SENSITIVE,
+    memlimit: int = MEMLIMIT_SENSITIVE,
+    encoder: nacl.encoding.Encoder = nacl.encoding.RawEncoder,
+) -> bytes:
     """
     Derive a ``size`` bytes long key from a caller-supplied
     ``password`` and ``salt`` pair using the argon2i
@@ -107,8 +107,10 @@ def kdf(
 
 
 def str(
-    password, opslimit=OPSLIMIT_INTERACTIVE, memlimit=MEMLIMIT_INTERACTIVE
-):
+    password: bytes,
+    opslimit: int = OPSLIMIT_INTERACTIVE,
+    memlimit: int = MEMLIMIT_INTERACTIVE,
+) -> bytes:
     """
     Hashes a password with a random salt, using the memory-hard
     argon2i construct and returning an ascii string that has all

diff --git a/src/nacl/pwhash/argon2id.py b/src/nacl/pwhash/argon2id.py
@@ -51,13 +51,13 @@
 
 
 def kdf(
-    size,
-    password,
-    salt,
-    opslimit=OPSLIMIT_SENSITIVE,
-    memlimit=MEMLIMIT_SENSITIVE,
-    encoder=nacl.encoding.RawEncoder,
-):
+    size: int,
+    password: bytes,
+    salt: bytes,
+    opslimit: int = OPSLIMIT_SENSITIVE,
+    memlimit: int = MEMLIMIT_SENSITIVE,
+    encoder: nacl.encoding.Encoder = nacl.encoding.RawEncoder,
+) -> bytes:
     """
     Derive a ``size`` bytes long key from a caller-supplied
     ``password`` and ``salt`` pair using the argon2i
@@ -111,8 +111,10 @@ def kdf(
 
 
 def str(
-    password, opslimit=OPSLIMIT_INTERACTIVE, memlimit=MEMLIMIT_INTERACTIVE
-):
+    password: bytes,
+    opslimit: int = OPSLIMIT_INTERACTIVE,
+    memlimit: int = MEMLIMIT_INTERACTIVE,
+) -> bytes:
     """
     Hashes a password with a random salt, using the memory-hard
     argon2id construct and returning an ascii string that has all

diff --git a/src/nacl/pwhash/scrypt.py b/src/nacl/pwhash/scrypt.py
@@ -56,13 +56,13 @@
 
 
 def kdf(
-    size,
-    password,
-    salt,
-    opslimit=OPSLIMIT_SENSITIVE,
-    memlimit=MEMLIMIT_SENSITIVE,
-    encoder=nacl.encoding.RawEncoder,
-):
+    size: int,
+    password: bytes,
+    salt: bytes,
+    opslimit: int = OPSLIMIT_SENSITIVE,
+    memlimit: int = MEMLIMIT_SENSITIVE,
+    encoder: nacl.encoding.Encoder = nacl.encoding.RawEncoder,
+) -> bytes:
     """
     Derive a ``size`` bytes long key from a caller-supplied
     ``password`` and ``salt`` pair using the scryptsalsa208sha256
@@ -138,8 +138,10 @@ def kdf(
 
 
 def str(
-    password, opslimit=OPSLIMIT_INTERACTIVE, memlimit=MEMLIMIT_INTERACTIVE
-):
+    password: bytes,
+    opslimit: int = OPSLIMIT_INTERACTIVE,
+    memlimit: int = MEMLIMIT_INTERACTIVE,
+) -> bytes:
     """
     Hashes a password with a random salt, using the memory-hard
     scryptsalsa208sha256 construct and returning an ascii string
@@ -168,7 +170,7 @@ def str(
     )
 
 
-def verify(password_hash, password):
+def verify(password_hash: bytes, password: bytes) -> bool:
     """
     Takes the output of scryptsalsa208sha256 and compares it against
     a user provided password to see if they are the same