search

pyca / bcrypt

Modern(-ish) password hashing for your software and your servers
Apache License 2.0
1.25k stars 168 forks source link

I use `bcrypt` with `passlib` #678

Closed guilhermeyoshida closed 11 months ago

guilhermeyoshida commented 11 months ago 
          I use `bcrypt` with `passlib`

I updated bcrypt to 4.1.0 today and it has broken my service

I run my service in a docker container from docker image python:3.11-slim With these dependencies:

passlib==1.7.4
bcrypt==4.0.1

The following code works:

from passlib.context import CryptContext

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
pwd_context.verify('123', pwd_context.hash('123'))  # True

but with such dependencies

passlib==1.7.4
bcrypt==4.1.0

it crashes and traceback is:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/venv/lib/python3.11/site-packages/passlib/context.py", line 2258, in hash
    return record.hash(secret, **kwds)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 779, in hash
    self.checksum = self._calc_checksum(secret)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 591, in _calc_checksum
    self._stub_requires_backend()
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2254, in _stub_requires_backend
    cls.set_backend()
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2156, in set_backend
    return owner.set_backend(name, dryrun=dryrun)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2163, in set_backend
    return cls.set_backend(name, dryrun=dryrun)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2188, in set_backend
    cls._set_backend(name, dryrun)
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2311, in _set_backend
    super(SubclassBackendMixin, cls)._set_backend(name, dryrun)
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2224, in _set_backend
    ok = loader(**kwds)
         ^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 745, in _load_backend_mixin
    return mixin_cls._finalize_backend_mixin(name, dryrun)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 403, in _finalize_backend_mixin
    result = safe_verify("test", test_hash_20)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 303, in safe_verify
    return verify(secret, hash)
           ^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 792, in verify
    return consteq(self._calc_checksum(secret), chk)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 762, in _calc_checksum_raw
    hash = _pybcrypt.hashpw(secret, config)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument 'salt': 'str' object cannot be converted to 'PyBytes'

Originally posted by @joein in https://github.com/pyca/bcrypt/issues/677#issuecomment-1828159442

alex commented 11 months ago

Going to close this now that we've yanked the release. See https://github.com/pyca/bcrypt/issues/677#issuecomment-1828210130 for details

reaperhulk commented 11 months ago

Thanks for the reproducer here though, this was helpful in diagnosing the issue!