bcrypt: New release results in bcrypt break

Hello,

Our system sadly relies on tip of bcrypt and in this case the new release breaks when you do import bcrypt. Can anyone fix this? I don’t know what this package does except that it is used in some dependable packages.

About this issue

  • State: open
  • Created 7 months ago
  • Comments: 22 (5 by maintainers)

Most upvoted comments

I use bcrypt with passlib. I updated bcrypt to 4.1.0 today and it has broken my service.

I run my service in a Docker container from the Docker image python:3.11-slim with these dependencies:

passlib==1.7.4
bcrypt==4.0.1

The following code works:

from passlib.context import CryptContext

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
pwd_context.verify('123', pwd_context.hash('123'))  # True

But with these dependencies:

passlib==1.7.4
bcrypt==4.1.0

it crashes, and the traceback is:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/venv/lib/python3.11/site-packages/passlib/context.py", line 2258, in hash
    return record.hash(secret, **kwds)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 779, in hash
    self.checksum = self._calc_checksum(secret)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 591, in _calc_checksum
    self._stub_requires_backend()
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2254, in _stub_requires_backend
    cls.set_backend()
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2156, in set_backend
    return owner.set_backend(name, dryrun=dryrun)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2163, in set_backend
    return cls.set_backend(name, dryrun=dryrun)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2188, in set_backend
    cls._set_backend(name, dryrun)
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2311, in _set_backend
    super(SubclassBackendMixin, cls)._set_backend(name, dryrun)
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 2224, in _set_backend
    ok = loader(**kwds)
         ^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 745, in _load_backend_mixin
    return mixin_cls._finalize_backend_mixin(name, dryrun)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 403, in _finalize_backend_mixin
    result = safe_verify("test", test_hash_20)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 303, in safe_verify
    return verify(secret, hash)
           ^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/utils/handlers.py", line 792, in verify
    return consteq(self._calc_checksum(secret), chk)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 762, in _calc_checksum_raw
    hash = _pybcrypt.hashpw(secret, config)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument 'salt': 'str' object cannot be converted to 'PyBytes'

Same error using the test script below. passlib’s self-test logic appears to choke on the salt parameter having changed expected types in between 4.0.1 and 4.1.0.

from passlib.handlers.bcrypt import bcrypt

settings = {'ident': '2b', 'rounds': 12, 'salt': 'Aejoo1theicoquo9waeT6O'}

# using() takes the settings as keyword arguments, so unpack the dict
hasher = bcrypt.using(**settings)

print(hasher.hash('passw0rd'))

Resulting stack trace:

Traceback (most recent call last):
  File "/Users/quatrava/Dev/ops/go-epfl/go-ops/ansible-deps-cache/python-libs/lib/python/site-packages/passlib/utils/handlers.py", line 2163, in set_backend
    return cls.set_backend(name, dryrun=dryrun)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/quatrava/Dev/ops/go-epfl/go-ops/ansible-deps-cache/python-libs/lib/python/site-packages/passlib/utils/handlers.py", line 2188, in set_backend
    cls._set_backend(name, dryrun)
  File "/Users/quatrava/Dev/ops/go-epfl/go-ops/ansible-deps-cache/python-libs/lib/python/site-packages/passlib/utils/handlers.py", line 2311, in _set_backend
    super(SubclassBackendMixin, cls)._set_backend(name, dryrun)
  File "/Users/quatrava/Dev/ops/go-epfl/go-ops/ansible-deps-cache/python-libs/lib/python/site-packages/passlib/utils/handlers.py", line 2224, in _set_backend
    ok = loader(**kwds)
         ^^^^^^^^^^^^^^
  File "/Users/quatrava/Dev/ops/go-epfl/go-ops/ansible-deps-cache/python-libs/lib/python/site-packages/passlib/handlers/bcrypt.py", line 745, in _load_backend_mixin
    return mixin_cls._finalize_backend_mixin(name, dryrun)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/quatrava/Dev/ops/go-epfl/go-ops/ansible-deps-cache/python-libs/lib/python/site-packages/passlib/handlers/bcrypt.py", line 403, in _finalize_backend_mixin
    result = safe_verify("test", test_hash_20)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/quatrava/Dev/ops/go-epfl/go-ops/ansible-deps-cache/python-libs/lib/python/site-packages/passlib/handlers/bcrypt.py", line 303, in safe_verify
    return verify(secret, hash)
           ^^^^^^^^^^^^^^^^^^^^
  File "/Users/quatrava/Dev/ops/go-epfl/go-ops/ansible-deps-cache/python-libs/lib/python/site-packages/passlib/utils/handlers.py", line 792, in verify
    return consteq(self._calc_checksum(secret), chk)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/quatrava/Dev/ops/go-epfl/go-ops/ansible-deps-cache/python-libs/lib/python/site-packages/passlib/handlers/bcrypt.py", line 764, in _calc_checksum_raw
    hash = _pybcrypt.hashpw(secret, config)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument 'salt': 'str' object cannot be converted to 'PyBytes'

Thanks for scrubbing this release from PyPI.

We have yanked the 4.1.0 release so people experiencing issues should pip install -U bcrypt and it will re-install 4.0.1. If you have a local wheel cache and just type pip install bcrypt it may still install 4.1.0, so make sure you use -U to have it hit PyPI.

We’re looking at the Windows bug, but the passlib issue is actually an issue with passlib’s heuristic detection failing because we added __version__ to the shared object. We’ll work around this in 4.1.1 since while it isn’t our bug it certainly is our problem 😄
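The failure mode described in the comment above, as an added example that is not part of the original thread and is not passlib's or bcrypt's code: a simplified model of a wrapper that guesses which backend it has by sniffing for `__version__` on the extension module, beside a check based on the declared distribution name. The stand-in module, the function names, the salt value and the `py-bcrypt` distribution name are assumptions made for illustration.

```python
import importlib.metadata
import types

SALT = "$2b$04$" + "." * 22  # constructed salt string, illustrative only

def make_modern_pkg(ext_has_version):
    """Stand-in for a bytes-only `bcrypt` package (constructed, not the real module)."""
    pkg = types.ModuleType("bcrypt")
    pkg._bcrypt = types.ModuleType("bcrypt._bcrypt")  # models the compiled shared object
    if ext_has_version:
        pkg._bcrypt.__version__ = "constructed"
    def hashpw(secret, salt):
        if not isinstance(salt, bytes):
            raise TypeError("argument 'salt': 'str' object cannot be converted to 'PyBytes'")
        return b"hash-of:" + secret
    pkg.hashpw = hashpw
    return pkg

def sniff_is_legacy(pkg):
    """Brittle heuristic: an extension exposing __version__ is taken for a different, str-based package."""
    return hasattr(getattr(pkg, "_bcrypt", None), "__version__")

def dist_is_legacy(dist_names):
    """Sturdier check: decide from the declared distribution name(s) providing the package."""
    return "py-bcrypt" in dist_names  # assumed name of the other distribution

def installed_dist_names(top_level="bcrypt"):
    """Distribution names providing a top-level package in this environment (Python 3.10+)."""
    return importlib.metadata.packages_distributions().get(top_level, [])

def hash_via_wrapper(pkg, secret, salt, is_legacy):
    """The wrapper chooses argument types from the detection result."""
    if is_legacy:
        return pkg.hashpw(secret, salt)  # legacy path passes str
    return pkg.hashpw(secret.encode(), salt.encode())  # modern path passes bytes

def run_model():
    """Outcome of the sniffing wrapper for both extension-module layouts."""
    outcomes = {}
    for label, has_version in (("4.0.1-like", False), ("4.1.0-like", True)):
        pkg = make_modern_pkg(has_version)
        try:
            hash_via_wrapper(pkg, "test", SALT, sniff_is_legacy(pkg))
            outcomes[label] = "ok"
        except TypeError:
            outcomes[label] = "TypeError"
    return outcomes

if __name__ == "__main__":
    print(run_model())
```

In a real environment, `dist_is_legacy(installed_dist_names())` makes the decision from package metadata, which an added module attribute in a new release does not change.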

I’ve gone ahead and done so.

(It was a bit fraught, because the only way to do so was to un-yank for a second. Hopefully this didn’t disturb anyone!)