pbkdf2: removed support for M2Crypto backend -- was only useful for sha1

(a border case anyways), and hashlib or fastpbkdf2 are much better choices
for this use case.

7 files changed, 9 insertions, 71 deletions

diff --git a/CHANGES b/CHANGES
index 9bb282b..dac93e9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -89,6 +89,9 @@ Minor Internal Changes
     * :func:`~passlib.utils.consteq` is now an alias for stdlib's :func:`hmac.compare_digest`
       under python 3.3 and up.
 
+    * M2Crypto no longer used to accelerate pbkdf2-hmac-sha1; applications which need this
+      should use the `fastpbkdf2 <https://pypi.python.org/pypi/fastpbkdf2>`_ backend instead.
+
 Deprecations
 ------------
     Passlib 1.7 has undergone a large number of deprecations, as part of a long range plan
diff --git a/admin/bench_pbkdf2.py b/admin/bench_pbkdf2.py
index 18c98fd..53a4d47 100644
--- a/admin/bench_pbkdf2.py
+++ b/admin/bench_pbkdf2.py
@@ -120,21 +120,6 @@ def main():
         na("hashlib")
 
     #--------------------------------------------------------------
-    # test m2crypto
-    #--------------------------------------------------------------
-    try:
-        from M2Crypto.EVP import pbkdf2
-    except ImportError:
-        pbkdf2 = None
-    if pbkdf2:
-        benchmark("m2crypto",
-                  "from M2Crypto.EVP import pbkdf2",
-                  "assert {alg!r} == 'sha1'; pbkdf2({secret!r}, {salt!r}, {rounds}, 20)",
-                  supported=["sha1"])
-    else:
-        na("m2crypto")
-
-    #--------------------------------------------------------------
     # test passlib backends
     #--------------------------------------------------------------
 
diff --git a/docs/install.rst b/docs/install.rst
index 138234c..d4cc195 100644
--- a/docs/install.rst
+++ b/docs/install.rst
@@ -59,12 +59,6 @@ Optional Libraries
    If installed, will be used to greatly speed up :func:`~passlib.crypto.digest.pbkdf2_hmac`,
    and any pbkdf2-based hashes.
 
-* `M2Crypto <http://chandlerproject.org/bin/view/Projects/MeTooCrypto>`_
-
-   If installed, M2Crypto will be used to accelerate some internal
-   functions used by some PBKDF2-based hashes, but it is not required
-   even in that case.
-
 * `SCrypt <https://pypi.python.org/pypi/scrypt>`_
 
    If installed, this will be used to provider support for the :class:`~passlib.hash.scrypt`
@@ -73,6 +67,7 @@ Optional Libraries
 .. versiochanged:: 1.7
 
     Added fastpbkdf2, cryptography, argon2_cffi, argon2pure, and scrypt support.
+    Removed M2Crypto support.
 
 Installation Instructions
 =========================
diff --git a/passlib/crypto/digest.py b/passlib/crypto/digest.py
index 1fbd073..b02fdbc 100644
--- a/passlib/crypto/digest.py
+++ b/passlib/crypto/digest.py
@@ -25,10 +25,6 @@ from struct import Struct
 from warnings import warn
 # site
 try:
-    from M2Crypto.EVP import pbkdf2 as _m2crypto_pbkdf2_hmac_sha1
-except ImportError:
-    _m2crypto_pbkdf2_hmac_sha1 = None
-try:
     # https://pypi.python.org/pypi/fastpbkdf2/
     from fastpbkdf2 import pbkdf2_hmac as _fast_pbkdf2_hmac
 except ImportError:
@@ -685,14 +681,6 @@ def pbkdf2_hmac(digest, secret, salt, rounds, keylen=None):
     if digest_info.supported_by_hashlib_pbkdf2:
         return _stdlib_pbkdf2_hmac(digest_info.name, secret, salt, rounds, keylen)
 
-    # m2crypto's pbkdf2-hmac-sha1 is faster than ours, so use it if available.
-    # NOTE: as of 2012-4-4, m2crypto has buffer overflow issue which frequently
-    #       causes segfaults if keylen > 32 (EVP_MAX_KEY_LENGTH).
-    #       therefore we're avoiding m2crypto for large keys until that's fixed.
-    #       (https://bugzilla.osafoundation.org/show_bug.cgi?id=13052)
-    if digest == "sha1" and _m2crypto_pbkdf2_hmac_sha1 and keylen < 32:
-        return _m2crypto_pbkdf2_hmac_sha1(secret, salt, rounds, keylen)
-
     #
     # otherwise use our own implementation
     #
@@ -872,15 +860,14 @@ else:
 
     _builtin_backend = "hexlify"
 
-# helper for benchmark script -- disable hashlib, fastpbkdf2 & m2crypto support if builtin requested
+# helper for benchmark script -- disable hashlib, fastpbkdf2 support if builtin requested
 if _force_backend == _builtin_backend:
-    _fast_pbkdf2_hmac = _m2crypto_pbkdf2_hmac_sha1 = _stdlib_pbkdf2_hmac = None
+    _fast_pbkdf2_hmac = _stdlib_pbkdf2_hmac = None
 
 # expose info about what backends are active
 PBKDF2_BACKENDS = [b for b in [
     "fastpbkdf2" if _fast_pbkdf2_hmac else None,
     "hashlib-ssl" if _stdlib_pbkdf2_hmac else None,
-    "m2crypto-sha1" if _m2crypto_pbkdf2_hmac_sha1 else None,
     "builtin-" + _builtin_backend
 ] if b]
 
diff --git a/passlib/tests/test_crypto_digest.py b/passlib/tests/test_crypto_digest.py
index 347c485..37318a5 100644
--- a/passlib/tests/test_crypto_digest.py
+++ b/passlib/tests/test_crypto_digest.py
@@ -230,8 +230,10 @@ class Pbkdf1_Test(TestCase):
 # import the test subject
 from passlib.crypto.digest import pbkdf2_hmac, PBKDF2_BACKENDS
 
-class _Common_Pbkdf2_Test(TestCase):
+# NOTE: relying on tox to verify this works under all the various backends.
+class Pbkdf2Test(TestCase):
     """test pbkdf2() support"""
+    descriptionPrefix = "passlib.crypto.digest.pbkdf2_hmac() <backends: %s>" % ", ".join(PBKDF2_BACKENDS)
 
     pbkdf2_test_vectors = [
         # (result, secret, salt, rounds, keylen, digest="sha1")
@@ -507,33 +509,6 @@ class _Common_Pbkdf2_Test(TestCase):
         self.assertEqual(len(helper(digest='sha1')), 20)
         self.assertEqual(len(helper(digest='sha256')), 32)
 
-#------------------------------------------------------------------------
-# create subclasses to test with- and without- m2crypto
-#------------------------------------------------------------------------
-
-def has_m2crypto():
-    try:
-        import M2Crypto
-        return True
-    except ImportError:
-        return False
-
-@skipUnless(has_m2crypto(), "M2Crypto not found")
-class Pbkdf2_M2Crypto_Test(_Common_Pbkdf2_Test):
-    descriptionPrefix = "passlib.crypto.digest.pbkdf2_hmac() <m2crypto backend>"
-
-@skipUnless(TEST_MODE("full") or not has_m2crypto(), "skipped under current test mode")
-class Pbkdf2_Builtin_Test(_Common_Pbkdf2_Test):
-    descriptionPrefix = "passlib.crypto.digest.pbkdf2_hmac() <backends: %s>" % ", ".join(PBKDF2_BACKENDS)
-
-    def setUp(self):
-        super(Pbkdf2_Builtin_Test, self).setUp()
-        # make sure m2crypto support is disabled, to force pure-python backend
-        import passlib.crypto.digest as mod
-        self.addCleanup(setattr, mod, "_m2crypto_pbkdf2_hmac_sha1",
-                        mod._m2crypto_pbkdf2_hmac_sha1)
-        mod._m2crypto_pbkdf2_hmac_sha1 = None
-
 #=============================================================================
 # eof
 #=============================================================================
diff --git a/passlib/utils/pbkdf2.py b/passlib/utils/pbkdf2.py
index 2e08a09..3a6aff9 100644
--- a/passlib/utils/pbkdf2.py
+++ b/passlib/utils/pbkdf2.py
@@ -89,10 +89,6 @@ def get_prf(name):
         32
         >>> digest = hmac_sha256('password', 'message')
 
-    This function will attempt to return the fastest implementation
-    it can find. Primarily, if M2Crypto is present, and supports the specified PRF,
-    :func:`M2Crypto.EVP.hmac` will be used behind the scenes.
-
     .. deprecated:: 1.7
 
         This function is deprecated, and will be removed in Passlib 2.0.
diff --git a/tox.ini b/tox.ini
index 9e9d3d2..9416e14 100644
--- a/tox.ini
+++ b/tox.ini
@@ -55,7 +55,6 @@ envlist =
     #       'unpack' used for py2
     ## pdbkf2-fastpbkdf2-py{2,3}, # tested by default config
     pbkdf2-hashlib-py{3,py3},
-    pbkdf2-m2crypto-py{2,3},
     pbkdf2-unpack-py{26,27,py},
     pbkdf2-frombytes-py{33,py3},
 
@@ -142,9 +141,7 @@ deps =
 
     # pbkdf2 backend tests
     # NOTE: fastpbkdf2 requires python-dev, libffi-dev, libssl-dev
-    # NOTE: m2crypto requires python-dev, swig, libssl-dev
     default,pbkdf2-fastpbkdf2: fastpbkdf2
-    pbkdf2-m2crypto: M2Crypto
     # pbkdf2-{hashlib,unpack,from_bytes} -- no deps
 
     # bcrypt backend tests