expose the function in hashlib

blink1073 · blink1073 · commit b51a39769eaf · 2026-04-17T11:02:37.000-05:00
diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst
@@ -371,6 +371,64 @@ include a `salt <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_.
    .. versionadded:: 3.6
 
 
+.. _hashlib-saslprep:
+
+String preparation
+------------------
+
+.. function:: saslprep(data, *, allow_unassigned_code_points)
+
+   Prepare a Unicode string according to :rfc:`4013` (SASLprep), which is a
+   profile of the :rfc:`3454` *stringprep* algorithm.  SASLprep is used to
+   normalise usernames and passwords before they are transmitted in
+   authentication protocols such as SASL (e.g. SMTP, IMAP, LDAP).
+
+   *data* may be a :class:`str` or :class:`bytes`.  Byte strings are returned
+   unchanged.  Unicode strings are processed in four steps:
+
+   1. **Map** — non-ASCII space characters (table C.1.2) are replaced with
+      ``U+0020``; characters commonly mapped to nothing (table B.1) are
+      removed.
+   2. **Normalise** — the string is normalised using Unicode NFKC.
+   3. **Prohibit** — a :exc:`ValueError` is raised if the string contains
+      any character from the RFC 4013 prohibited-output tables (control
+      characters, private-use characters, non-characters, and others).
+   4. **Bidi check** — a :exc:`ValueError` is raised if the string mixes
+      right-to-left and left-to-right text in a way that violates
+      :rfc:`3454` section 6.
+
+   *allow_unassigned_code_points* must be supplied as a keyword argument.
+   Pass ``False`` for *stored strings* such as passwords stored in a
+   database (unassigned code points are prohibited, per :rfc:`3454`
+   section 7).  Pass ``True`` for *queries* such as a password typed at a
+   prompt (unassigned code points are permitted).  Always pass this
+   explicitly; there is no default.
+
+   Returns the prepared :class:`str`, or the original *data* unchanged if
+   it is a :class:`bytes` object.
+
+   >>> from hashlib import saslprep
+   >>> saslprep("I\u00ADX", allow_unassigned_code_points=False)  # soft hyphen removed
+   'IX'
+   >>> saslprep("\u2168", allow_unassigned_code_points=False)     # Roman numeral IX
+   'IX'
+   >>> saslprep(b"user", allow_unassigned_code_points=False)      # bytes unchanged
+   b'user'
+
+   .. versionadded:: 3.15
+
+   .. seealso::
+
+      :rfc:`4013`
+         SASLprep: Stringprep Profile for User Names and Passwords.
+
+      :rfc:`3454`
+         Preparation of Internationalized Strings ("stringprep").
+
+      :mod:`stringprep`
+         The underlying Unicode character tables used by this function.
+
+
 .. _hashlib-blake2:
 
 BLAKE2
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
@@ -65,7 +65,8 @@
 algorithms_available = set(__always_supported)
 
 __all__ = __always_supported + ('new', 'algorithms_guaranteed',
-                                'algorithms_available', 'file_digest')
+                                'algorithms_available', 'file_digest',
+                                'saslprep')
 
 
 __builtin_constructor_cache = {}
@@ -197,6 +198,8 @@ def __hash_new(name, *args, **kwargs):
     new = __py_new
     __get_hash = __get_builtin_constructor
 
+from _saslprep import saslprep
+
 try:
     # OpenSSL's PKCS5_PBKDF2_HMAC requires OpenSSL 1.0+ with HMAC and SHA
     from _hashlib import pbkdf2_hmac
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
@@ -51,7 +51,7 @@
 import datetime
 import sys
 from email.base64mime import body_encode as encode_base64
-from _saslprep import saslprep
+from hashlib import saslprep
 
 __all__ = ["SMTPException", "SMTPNotSupportedError", "SMTPServerDisconnected", "SMTPResponseException",
            "SMTPSenderRefused", "SMTPRecipientsRefused", "SMTPDataError",
diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py
@@ -3,7 +3,7 @@
 from email.message import EmailMessage
 from email.base64mime import body_encode as encode_base64
 import email.utils
-from _saslprep import saslprep
+from hashlib import saslprep
 import hashlib
 import hmac
 import socket
diff --git a/Misc/NEWS.d/next/Library/2026-04-07-00-00-00.gh-issue-73936.wrxC5G.rst b/Misc/NEWS.d/next/Library/2026-04-07-00-00-00.gh-issue-73936.wrxC5G.rst
@@ -1,3 +1,4 @@
-Add SASLprep (RFC 4013) support in :mod:`smtplib` to allow Unicode usernames
-and passwords in SMTP authentication. SASLprep implementation contributed by
-MongoDB, Inc.
+Add :func:`hashlib.saslprep`, an implementation of the RFC 4013 SASLprep
+string-preparation algorithm, and use it in :mod:`smtplib` to support Unicode
+usernames and passwords in SMTP authentication. SASLprep implementation
+contributed by MongoDB, Inc.
