author | Eli Collins <elic@assurancetechnologies.com> | 2016-06-20 12:18:10 -0400 |
---|---|---|
committer | Eli Collins <elic@assurancetechnologies.com> | 2016-06-20 12:18:10 -0400 |
commit | 0adeaeee12a34b6dfada9869673f5b20f1a054fc (patch) | |
tree | a7c0fc3466c2ae294dbe1908a93c87e755013665 | |
parent | c4d0b23abf6b32c0ce15883cfebf0f6c492dc38c (diff) | |
download | passlib-0adeaeee12a34b6dfada9869673f5b20f1a054fc.tar.gz |
pbkdf2: removed support for M2Crypto backend -- was only useful for sha1
(a border case anyways), and hashlib or fastpbkdf2 are much better choices
for this use case.
-rw-r--r-- | CHANGES | 3 | ||||
-rw-r--r-- | admin/bench_pbkdf2.py | 15 | ||||
-rw-r--r-- | docs/install.rst | 7 | ||||
-rw-r--r-- | passlib/crypto/digest.py | 17 | ||||
-rw-r--r-- | passlib/tests/test_crypto_digest.py | 31 | ||||
-rw-r--r-- | passlib/utils/pbkdf2.py | 4 | ||||
-rw-r--r-- | tox.ini | 3 |
7 files changed, 9 insertions, 71 deletions
@@ -89,6 +89,9 @@ Minor Internal Changes * :func:`~passlib.utils.consteq` is now an alias for stdlib's :func:`hmac.compare_digest` under python 3.3 and up. + * M2Crypto no longer used to accelerate pbkdf2-hmac-sha1; applications which need this + should use the `fastpbkdf2 <https://pypi.python.org/pypi/fastpbkdf2>`_ backend instead. + Deprecations ------------ Passlib 1.7 has undergone a large number of deprecations, as part of a long range plan diff --git a/admin/bench_pbkdf2.py b/admin/bench_pbkdf2.py index 18c98fd..53a4d47 100644 --- a/admin/bench_pbkdf2.py +++ b/admin/bench_pbkdf2.py @@ -120,21 +120,6 @@ def main(): na("hashlib") #-------------------------------------------------------------- - # test m2crypto - #-------------------------------------------------------------- - try: - from M2Crypto.EVP import pbkdf2 - except ImportError: - pbkdf2 = None - if pbkdf2: - benchmark("m2crypto", - "from M2Crypto.EVP import pbkdf2", - "assert {alg!r} == 'sha1'; pbkdf2({secret!r}, {salt!r}, {rounds}, 20)", - supported=["sha1"]) - else: - na("m2crypto") - - #-------------------------------------------------------------- # test passlib backends #-------------------------------------------------------------- diff --git a/docs/install.rst b/docs/install.rst index 138234c..d4cc195 100644 --- a/docs/install.rst +++ b/docs/install.rst @@ -59,12 +59,6 @@ Optional Libraries If installed, will be used to greatly speed up :func:`~passlib.crypto.digest.pbkdf2_hmac`, and any pbkdf2-based hashes. -* `M2Crypto <http://chandlerproject.org/bin/view/Projects/MeTooCrypto>`_ - - If installed, M2Crypto will be used to accelerate some internal - functions used by some PBKDF2-based hashes, but it is not required - even in that case. - * `SCrypt <https://pypi.python.org/pypi/scrypt>`_ If installed, this will be used to provider support for the :class:`~passlib.hash.scrypt` 
@@ -73,6 +67,7 @@ Optional Libraries .. versiochanged:: 1.7 Added fastpbkdf2, cryptography, argon2_cffi, argon2pure, and scrypt support. + Removed M2Crypto support. Installation Instructions ========================= diff --git a/passlib/crypto/digest.py b/passlib/crypto/digest.py index 1fbd073..b02fdbc 100644 --- a/passlib/crypto/digest.py +++ b/passlib/crypto/digest.py @@ -25,10 +25,6 @@ from struct import Struct from warnings import warn # site try: - from M2Crypto.EVP import pbkdf2 as _m2crypto_pbkdf2_hmac_sha1 -except ImportError: - _m2crypto_pbkdf2_hmac_sha1 = None -try: # https://pypi.python.org/pypi/fastpbkdf2/ from fastpbkdf2 import pbkdf2_hmac as _fast_pbkdf2_hmac except ImportError: @@ -685,14 +681,6 @@ def pbkdf2_hmac(digest, secret, salt, rounds, keylen=None): if digest_info.supported_by_hashlib_pbkdf2: return _stdlib_pbkdf2_hmac(digest_info.name, secret, salt, rounds, keylen) - # m2crypto's pbkdf2-hmac-sha1 is faster than ours, so use it if available. - # NOTE: as of 2012-4-4, m2crypto has buffer overflow issue which frequently - # causes segfaults if keylen > 32 (EVP_MAX_KEY_LENGTH). - # therefore we're avoiding m2crypto for large keys until that's fixed. - # (https://bugzilla.osafoundation.org/show_bug.cgi?id=13052) - if digest == "sha1" and _m2crypto_pbkdf2_hmac_sha1 and keylen < 32: - return _m2crypto_pbkdf2_hmac_sha1(secret, salt, rounds, keylen) - # # otherwise use our own implementation # 
@@ -872,15 +860,14 @@ else: _builtin_backend = "hexlify" -# helper for benchmark script -- disable hashlib, fastpbkdf2 & m2crypto support if builtin requested +# helper for benchmark script -- disable hashlib, fastpbkdf2 support if builtin requested if _force_backend == _builtin_backend: - _fast_pbkdf2_hmac = _m2crypto_pbkdf2_hmac_sha1 = _stdlib_pbkdf2_hmac = None + _fast_pbkdf2_hmac = _stdlib_pbkdf2_hmac = None # expose info about what backends are active PBKDF2_BACKENDS = [b for b in [ "fastpbkdf2" if _fast_pbkdf2_hmac else None, "hashlib-ssl" if _stdlib_pbkdf2_hmac else None, - "m2crypto-sha1" if _m2crypto_pbkdf2_hmac_sha1 else None, "builtin-" + _builtin_backend ] if b] diff --git a/passlib/tests/test_crypto_digest.py b/passlib/tests/test_crypto_digest.py index 347c485..37318a5 100644 --- a/passlib/tests/test_crypto_digest.py +++ b/passlib/tests/test_crypto_digest.py @@ -230,8 +230,10 @@ class Pbkdf1_Test(TestCase): # import the test subject from passlib.crypto.digest import pbkdf2_hmac, PBKDF2_BACKENDS -class _Common_Pbkdf2_Test(TestCase): +# NOTE: relying on tox to verify this works under all the various backends. +class Pbkdf2Test(TestCase): """test pbkdf2() support""" + descriptionPrefix = "passlib.crypto.digest.pbkdf2_hmac() <backends: %s>" % ", ".join(PBKDF2_BACKENDS) pbkdf2_test_vectors = [ # (result, secret, salt, rounds, keylen, digest="sha1") 
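Review bot: The reworded comment above `if _force_backend == _builtin_backend:` in the digest.py hunk still calls this a benchmark helper without stating what it costs. With `_fast_pbkdf2_hmac` and `_stdlib_pbkdf2_hmac` both set to None, `pbkdf2_hmac()` presumably falls through to the pure-python implementation for every digest. Where `_force_backend` is read from is outside the hunk, so if it can be set from the environment I would say so, for example `# NOTE: benchmark/test aid only -- forces the slow builtin backend, not intended for production use`. The wording itself would read better as `disable hashlib & fastpbkdf2 support`. `PBKDF2_BACKENDS` also no longer reports `"m2crypto-sha1"`, so any code outside this file that matches on that string needs the same cleanup.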
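Review bot: `Pbkdf2Test` in the test_crypto_digest.py hunk now runs only against whichever backend was selected at import time, because the `Pbkdf2_Builtin_Test` subclass is removed later in this file. A run outside tox therefore never exercises the fallback implementation of `pbkdf2_hmac()`, and the new NOTE does not say which tox environments cover it. I would name them in the comment, using the envlist entries this commit leaves in tox.ini: `# NOTE: relying on tox (pbkdf2-hashlib, pbkdf2-unpack, pbkdf2-frombytes envs) to verify this works under all the various backends.` The docstring `"""test pbkdf2() support"""` also names a different function from the imported test subject and could become `"""test pbkdf2_hmac() support"""`. The class body continues outside the hunk.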
@@ -507,33 +509,6 @@ class _Common_Pbkdf2_Test(TestCase): self.assertEqual(len(helper(digest='sha1')), 20) self.assertEqual(len(helper(digest='sha256')), 32) -#------------------------------------------------------------------------ -# create subclasses to test with- and without- m2crypto -#------------------------------------------------------------------------ - -def has_m2crypto(): - try: - import M2Crypto - return True - except ImportError: - return False - -@skipUnless(has_m2crypto(), "M2Crypto not found") -class Pbkdf2_M2Crypto_Test(_Common_Pbkdf2_Test): - descriptionPrefix = "passlib.crypto.digest.pbkdf2_hmac() <m2crypto backend>" - -@skipUnless(TEST_MODE("full") or not has_m2crypto(), "skipped under current test mode") -class Pbkdf2_Builtin_Test(_Common_Pbkdf2_Test): - descriptionPrefix = "passlib.crypto.digest.pbkdf2_hmac() <backends: %s>" % ", ".join(PBKDF2_BACKENDS) - - def setUp(self): - super(Pbkdf2_Builtin_Test, self).setUp() - # make sure m2crypto support is disabled, to force pure-python backend - import passlib.crypto.digest as mod - self.addCleanup(setattr, mod, "_m2crypto_pbkdf2_hmac_sha1", - mod._m2crypto_pbkdf2_hmac_sha1) - mod._m2crypto_pbkdf2_hmac_sha1 = None - #============================================================================= # eof #============================================================================= diff --git a/passlib/utils/pbkdf2.py b/passlib/utils/pbkdf2.py index 2e08a09..3a6aff9 100644 --- a/passlib/utils/pbkdf2.py +++ b/passlib/utils/pbkdf2.py @@ -89,10 +89,6 @@ def get_prf(name): 32 >>> digest = hmac_sha256('password', 'message') - This function will attempt to return the fastest implementation - it can find. Primarily, if M2Crypto is present, and supports the specified PRF, - :func:`M2Crypto.EVP.hmac` will be used behind the scenes. - .. deprecated:: 1.7 This function is deprecated, and will be removed in Passlib 2.0. 
@@ -55,7 +55,6 @@ envlist = # 'unpack' used for py2 ## pdbkf2-fastpbkdf2-py{2,3}, # tested by default config pbkdf2-hashlib-py{3,py3}, - pbkdf2-m2crypto-py{2,3}, pbkdf2-unpack-py{26,27,py}, pbkdf2-frombytes-py{33,py3}, @@ -142,9 +141,7 @@ deps = # pbkdf2 backend tests # NOTE: fastpbkdf2 requires python-dev, libffi-dev, libssl-dev - # NOTE: m2crypto requires python-dev, swig, libssl-dev default,pbkdf2-fastpbkdf2: fastpbkdf2 - pbkdf2-m2crypto: M2Crypto # pbkdf2-{hashlib,unpack,from_bytes} -- no deps # bcrypt backend tests |