authorEli Collins <elic@assurancetechnologies.com>2015-07-25 14:33:41 -0400
committerEli Collins <elic@assurancetechnologies.com>2015-07-25 14:33:41 -0400
commita16500cdb9cc27c68a4c8f349f5f67a2f4ee355f (patch)
treebf6f07d9e69b02409f1723d74ea1655aea934301
parentafea4e0e507cca61676911e9f2712703cd135ee4 (diff)
parent80f093c922b64dfaedd00194a2fe16648fe2a8d0 (diff)
downloadpasslib-a16500cdb9cc27c68a4c8f349f5f67a2f4ee355f.tar.gz
Merge from stable
-rw-r--r--CHANGES8
-rwxr-xr-xadmin/upload.sh51
-rw-r--r--docs/conf.py2
-rw-r--r--docs/lib/passlib.hash.bcrypt.rst4
-rw-r--r--docs/lib/passlib.hash.cisco_pix.rst6
-rw-r--r--docs/password_hash_api.rst4
-rw-r--r--passlib/__init__.py2
-rw-r--r--passlib/apps.py8
-rw-r--r--passlib/handlers/django.py4
-rw-r--r--passlib/handlers/fshp.py4
-rw-r--r--passlib/handlers/pbkdf2.py6
-rw-r--r--passlib/handlers/phpass.py4
-rw-r--r--passlib/handlers/scram.py4
-rw-r--r--passlib/handlers/sha1_crypt.py4
-rw-r--r--passlib/handlers/sha2_crypt.py8
-rw-r--r--passlib/handlers/sun_md5_crypt.py4
-rw-r--r--setup.py7
17 files changed, 47 insertions, 83 deletions
diff --git a/CHANGES b/CHANGES
index 9df7cac..624f529 100644
--- a/CHANGES
+++ b/CHANGES
@@ -113,8 +113,8 @@ Todo
* Thread safety audit and tests for CryptContext, HasManyBackends, and lazy-init subclasses.
-**1.6.3** (NOT YET RELEASED)
-============================
+**1.6.4** (2015-07-25)
+======================
This release rolls up assorted bug & compatibility fixes since 1.6.2.
@@ -161,6 +161,10 @@ Other Changes
* Passlib releases are now published as wheels instead of eggs.
+.. note::
+
+ '1.6.3' was skipped due to upload issues.
+
**1.6.2** (2013-12-26)
======================
diff --git a/admin/upload.sh b/admin/upload.sh
index 4044f1f..d8f6e71 100755
--- a/admin/upload.sh
+++ b/admin/upload.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# helper script to build & upload passlib to pypi & google code
+# helper script to build & upload passlib to pypi
#
SEP1="====================================================="
@@ -10,17 +10,6 @@ SEP2="-----------------------------------------------------"
# init config
#
-if [ -z "$GC_USER" ]; then
- echo "GC_USER not set"
- exit 1
-fi
-
-if [ -z "$GC_PASSWORD" ]; then
- echo "GC_PASSWORD not set"
- exit 1
-fi
-
-GC_CMD="googlecode_upload.py -p passlib -u $GC_USER -w $GC_PASSWORD"
if [ -z "$DRY_RUN" ]; then
echo "DRY_RUN not set"
exit 1
@@ -28,7 +17,6 @@ elif [ "$DRY_RUN" -eq 1 ]; then
echo "dry run"
UPLOAD_ARG=""
UPLOAD_DOCS_ARG=""
- GC_CMD="echo >>> $GC_CMD"
else
echo "real run"
UPLOAD_ARG="upload"
@@ -40,8 +28,6 @@ VTAIL="Release-${VSTR}"
echo "$SEP1"
echo "DRY_RUN=$DRY_RUN"
-echo "GC_USER=$GC_USER"
-echo "GC_PASSWORD=$GC_PASSWORD"
echo "VERSION=$VSTR"
#
@@ -55,43 +41,12 @@ if [ -z "$SKIP_PYPI" ]; then
# upload source
echo "\n$SEP1\nbuilding and uploading source to pypi\n$SEP2"
- python setup.py --for-release sdist $UPLOAD_ARG
+ python setup.py --for-release sdist bdist_wheel $UPLOAD_ARG
# upload docs
echo "\n$SEP1\nbuilding and uploading docs to pypi\n$SEP2"
PASSLIB_DOCS="for-pypi" python setup.py --for-release build_sphinx $UPLOAD_DOCS_ARG
fi
-#
-# upload to google code
-#
-if [ -z "$SKIP_GC" ]; then
-
- # build & sign docdist for google code
- echo "\n$SEP1\nbuilding and signing docs.zip\n$SEP2"
- python setup.py --for-release docdist
- gpg --detach-sign -a dist/passlib-docs*.zip
-
- # move into dist for google code
- cd dist
-
- # upload source to gc
- echo "\n$SEP1\nuploading source to google code\n$SEP2"
- SDIST="passlib-${VSTR}.tar.gz"
- DZIP="passlib-docs-${VSTR}.zip"
- if [ ! -f "$SDIST" -o ! -f "$SDIST.asc" -o ! -f "$DZIP" -o ! -f "$DZIP.asc" ]; then
- echo "error: release file(s) not found"
- exit 1
- fi
- $GC_CMD -l Featured,Type-Source,OpSys-All,$VTAIL -s "Passlib ${VSTR} source distribution" $SDIST
- $GC_CMD -l Type-Signature-Source,$VTAIL -s "Passlib ${VSTR} source distribution - PGP signature" passlib-${VSTR}.tar.gz.asc
-
- echo "\n$SEP1\nuploading docs to google code\n$SEP2"
- $GC_CMD -l Type-Docs,OpSys-All,$VTAIL -s "Passlib ${VSTR} standalone documentation" passlib-docs-${VSTR}.zip
- $GC_CMD -l Type-Signature-Docs,$VTAIL -s "Passlib ${VSTR} standalone documentation - PGP signature" passlib-docs-${VSTR}.zip.asc
-
- # move back again
- cd ..
-fi
-echo "\n$SEP1\ndone." \ No newline at end of file
+echo "\n$SEP1\ndone."
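Review bot: The PyPI step `python setup.py --for-release sdist bdist_wheel $UPLOAD_ARG` now publishes a wheel too, but nothing visible in these hunks signs the artifacts or stops the script if the build fails before the docs upload runs. The removed Google Code branch was the only visible place that checked for `.asc` signature files, and the visible assignment is `UPLOAD_ARG="upload"`, so if signed releases are still intended, make that explicit, e.g. `UPLOAD_ARG="upload --sign"`. Adding `set -e` near the top of the script would stop a failed build from continuing into the upload steps; the script header is only partly visible here, so confirm it is absent first.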
diff --git a/docs/conf.py b/docs/conf.py
index 4902f5e..40f1910 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -152,7 +152,7 @@ modindex_common_prefix = ["passlib."]
#=============================================================================
todo_include_todos = True
keep_warnings = True
-issue_tracker_url = "gc:passlib"
+issue_tracker_url = "bb:ecollins/passlib"
#=============================================================================
# Options for HTML output
diff --git a/docs/lib/passlib.hash.bcrypt.rst b/docs/lib/passlib.hash.bcrypt.rst
index 55566fa..53a841a 100644
--- a/docs/lib/passlib.hash.bcrypt.rst
+++ b/docs/lib/passlib.hash.bcrypt.rst
@@ -179,8 +179,8 @@ This implementation of bcrypt differs from others in a few ways:
.. versionchanged:: 1.6.3
- Passlib will now detect, and refuse to use, any backend which is vulnerable
- to this bug.
+ Passlib will now throw a :exc:`~passlib.exc.PasslibSecurityError` if an attempt is
+ made to use any backend which is vulnerable to this bug.
* The 'BSD wraparound' bug
diff --git a/docs/lib/passlib.hash.cisco_pix.rst b/docs/lib/passlib.hash.cisco_pix.rst
index 7c53217..bb29d68 100644
--- a/docs/lib/passlib.hash.cisco_pix.rst
+++ b/docs/lib/passlib.hash.cisco_pix.rst
@@ -19,6 +19,12 @@
In the mean time, there are no guarantees that its behavior correctly replicates
the official implementation. *caveat emptor*.
+.. warning::
+
+ This class does not correctly handle hashes generated by
+ Pix/ASA 7.0 (2005) or newer; particularly for passwords 13 characters or more
+ (:issue:`51`). A new :class:`!cisco_asa` will be added in Passlib 1.7 to support these hashes.
+
.. currentmodule:: passlib.hash
The :class:`cisco_pix` class implements the password hash algorithm commonly found on older Cisco
diff --git a/docs/password_hash_api.rst b/docs/password_hash_api.rst
index 8d20dbf..4e78932 100644
--- a/docs/password_hash_api.rst
+++ b/docs/password_hash_api.rst
@@ -740,5 +740,5 @@ However, some older algorithms (e.g. :class:`~passlib.hash.bsdi_crypt`) are weak
a tradeoff must be made, choosing "secure but intolerably slow" over "fast but unacceptably insecure".
For this reason, it is strongly recommended to not use a value much lower than Passlib's default.
-.. [#avgsys] For Passlib 1.6.2, all hashes were retuned to take ~300ms on a
- system with a 2.5 ghz 64 bit CPU.
+.. [#avgsys] For Passlib 1.6.3, all hashes were retuned to take ~300ms on a
+ system with a 3.0 ghz 64 bit CPU.
diff --git a/passlib/__init__.py b/passlib/__init__.py
index 3e435c2..2d79dfe 100644
--- a/passlib/__init__.py
+++ b/passlib/__init__.py
@@ -1,3 +1,3 @@
-"""passlib - suite of password hashing & generation routinges"""
+"""passlib - suite of password hashing & generation routines"""
__version__ = '1.7.dev0'
diff --git a/passlib/apps.py b/passlib/apps.py
index da5f2b0..ceb5e1f 100644
--- a/passlib/apps.py
+++ b/passlib/apps.py
@@ -77,12 +77,12 @@ custom_app_context = LazyCryptContext(
all__vary_rounds = 0.1,
# set a good starting point for rounds selection
- sha512_crypt__min_rounds = 60000,
- sha256_crypt__min_rounds = 80000,
+ sha512_crypt__min_rounds = 535000,
+ sha256_crypt__min_rounds = 535000,
# if the admin user category is selected, make a much stronger hash,
- admin__sha512_crypt__min_rounds = 120000,
- admin__sha256_crypt__min_rounds = 160000,
+ admin__sha512_crypt__min_rounds = 1024000,
+ admin__sha256_crypt__min_rounds = 1024000,
)
#=============================================================================
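Review bot: `sha256_crypt__min_rounds = 535000` now equals the new `sha256_crypt` default set elsewhere in this commit, so with `all__vary_rounds = 0.1` the lower half of the variation range falls below the floor and would presumably be clamped to 535000. The old floors (60000/80000) sat well under the handler defaults and left room for the variation. If the clamping is intended, a comment such as `# floor == handler default; vary_rounds can only vary upward for sha256_crypt` would make it explicit; otherwise set the floor somewhat below the default. `sha512_crypt__min_rounds` also uses 535000 while that handler's default becomes 656000, so the two floors no longer relate to their handlers in the same way. The `LazyCryptContext(` call starts above the hunk.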
diff --git a/passlib/handlers/django.py b/passlib/handlers/django.py
index 0413f7b..72693a0 100644
--- a/passlib/handlers/django.py
+++ b/passlib/handlers/django.py
@@ -268,7 +268,7 @@ class django_pbkdf2_sha256(DjangoVariableHash):
:type rounds: int
:param rounds:
Optional number of rounds to use.
- Defaults to 20000, but must be within ``range(1,1<<32)``.
+ Defaults to 29000, but must be within ``range(1,1<<32)``.
:type relaxed: bool
:param relaxed:
@@ -321,7 +321,7 @@ class django_pbkdf2_sha1(django_pbkdf2_sha256):
:type rounds: int
:param rounds:
Optional number of rounds to use.
- Defaults to 60000, but must be within ``range(1,1<<32)``.
+ Defaults to 131000, but must be within ``range(1,1<<32)``.
:type relaxed: bool
:param relaxed:
diff --git a/passlib/handlers/fshp.py b/passlib/handlers/fshp.py
index 821aaec..5d47518 100644
--- a/passlib/handlers/fshp.py
+++ b/passlib/handlers/fshp.py
@@ -39,7 +39,7 @@ class fshp(uh.HasRounds, uh.HasRawSalt, uh.HasRawChecksum, uh.GenericHandler):
:param rounds:
Optional number of rounds to use.
- Defaults to 100000, must be between 1 and 4294967295, inclusive.
+ Defaults to 480000, must be between 1 and 4294967295, inclusive.
:param variant:
Optionally specifies variant of FSHP to use.
@@ -78,7 +78,7 @@ class fshp(uh.HasRounds, uh.HasRawSalt, uh.HasRawChecksum, uh.GenericHandler):
#--HasRounds--
# FIXME: should probably use different default rounds
# based on the variant. setting for default variant (sha256) for now.
- default_rounds = 100000 # current passlib default, FSHP uses 4096
+ default_rounds = 480000 # current passlib default, FSHP uses 4096
min_rounds = 1 # set by FSHP
max_rounds = 4294967295 # 32-bit integer limit - not set by FSHP
rounds_cost = "linear"
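Review bot: `default_rounds` rises to 480000 but `min_rounds = 1` remains the floor, so a cost of one round is presumably still accepted by the handler. The same holds for the `min_rounds = 1` lines in the scram and sha1_crypt hunks (the latter carries the comment `# really, this should be higher.`) and for `min_rounds = 0` in sun_md5_crypt. If the handler floor has to stay at the algorithm's limit for compatibility, say so beside it, e.g. `min_rounds = 1 # algorithm limit, not a recommendation; enforce policy via CryptContext min_rounds`. The existing FIXME about per-variant defaults is also still open, since 480000 is applied to every variant. The class body continues outside the hunk.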
diff --git a/passlib/handlers/pbkdf2.py b/passlib/handlers/pbkdf2.py
index 76f594a..c14c24b 100644
--- a/passlib/handlers/pbkdf2.py
+++ b/passlib/handlers/pbkdf2.py
@@ -133,9 +133,9 @@ def create_pbkdf2_hash(hash_name, digest_size, rounds=12000, ident=None, module=
#------------------------------------------------------------------------
# derived handlers
#------------------------------------------------------------------------
-pbkdf2_sha1 = create_pbkdf2_hash("sha1", 20, 60000, ident=u("$pbkdf2$"))
-pbkdf2_sha256 = create_pbkdf2_hash("sha256", 32, 20000)
-pbkdf2_sha512 = create_pbkdf2_hash("sha512", 64, 19000)
+pbkdf2_sha1 = create_pbkdf2_hash("sha1", 20, 131000, ident=u("$pbkdf2$"))
+pbkdf2_sha256 = create_pbkdf2_hash("sha256", 32, 29000)
+pbkdf2_sha512 = create_pbkdf2_hash("sha512", 64, 25000)
ldap_pbkdf2_sha1 = uh.PrefixWrapper("ldap_pbkdf2_sha1", pbkdf2_sha1, "{PBKDF2}", "$pbkdf2$", ident=True)
ldap_pbkdf2_sha256 = uh.PrefixWrapper("ldap_pbkdf2_sha256", pbkdf2_sha256, "{PBKDF2-SHA256}", "$pbkdf2-sha256$", ident=True)
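Review bot: The factory signature in the hunk header still reads `create_pbkdf2_hash(hash_name, digest_size, rounds=12000, ...)`, so any handler built without an explicit `rounds` gets 12000 while the three derived handlers here move to 131000/29000/25000. The three calls changed here all pass a value, so either raise the factory default in line with the new numbers or make the argument required so the choice is always explicit. A short comment on how the three values were chosen would help the next retune; the docs footnote in this commit mentions ~300ms on a 3.0 GHz CPU. The function body is outside the hunk.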
diff --git a/passlib/handlers/phpass.py b/passlib/handlers/phpass.py
index 058471d..3dc955d 100644
--- a/passlib/handlers/phpass.py
+++ b/passlib/handlers/phpass.py
@@ -40,7 +40,7 @@ class phpass(uh.HasManyIdents, uh.HasRounds, uh.HasSalt, uh.GenericHandler):
:type rounds: int
:param rounds:
Optional number of rounds to use.
- Defaults to 17, must be between 7 and 30, inclusive.
+ Defaults to 19, must be between 7 and 30, inclusive.
This value is logarithmic, the actual number of iterations used will be :samp:`2**{rounds}`.
:type ident: str
@@ -73,7 +73,7 @@ class phpass(uh.HasManyIdents, uh.HasRounds, uh.HasSalt, uh.GenericHandler):
salt_chars = uh.HASH64_CHARS
#--HasRounds--
- default_rounds = 17
+ default_rounds = 19
min_rounds = 7
max_rounds = 30
rounds_cost = "log2"
diff --git a/passlib/handlers/scram.py b/passlib/handlers/scram.py
index 9da3f89..a4ba68a 100644
--- a/passlib/handlers/scram.py
+++ b/passlib/handlers/scram.py
@@ -42,7 +42,7 @@ class scram(uh.HasRounds, uh.HasRawSalt, uh.HasRawChecksum, uh.GenericHandler):
:type rounds: int
:param rounds:
Optional number of rounds to use.
- Defaults to 20000, but must be within ``range(1,1<<32)``.
+ Defaults to 100000, but must be within ``range(1,1<<32)``.
:type algs: list of strings
:param algs:
@@ -95,7 +95,7 @@ class scram(uh.HasRounds, uh.HasRawSalt, uh.HasRawChecksum, uh.GenericHandler):
max_salt_size = 1024
#--HasRounds--
- default_rounds = 20000
+ default_rounds = 100000
min_rounds = 1
max_rounds = 2**32-1
rounds_cost = "linear"
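Review bot: Raising `default_rounds` to 100000 affects more than server-side verification for this handler: in SCRAM the client derives the salted password using the iteration count the server advertises, so slow or embedded clients pay the 5x increase on every authentication. The docstring hunk above also lists an `algs` parameter, which suggests one digest is derived per algorithm and the cost multiplies accordingly (not confirmable from these lines). A comment beside the value, e.g. `# applies per algorithm in algs; clients must also perform this many iterations`, would record that. The class body continues outside the hunk.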
diff --git a/passlib/handlers/sha1_crypt.py b/passlib/handlers/sha1_crypt.py
index 3d81ddb..0717d66 100644
--- a/passlib/handlers/sha1_crypt.py
+++ b/passlib/handlers/sha1_crypt.py
@@ -42,7 +42,7 @@ class sha1_crypt(uh.HasManyBackends, uh.HasRounds, uh.HasSalt, uh.GenericHandler
:type rounds: int
:param rounds:
Optional number of rounds to use.
- Defaults to 64000, must be between 1 and 4294967295, inclusive.
+ Defaults to 480000, must be between 1 and 4294967295, inclusive.
:type relaxed: bool
:param relaxed:
@@ -72,7 +72,7 @@ class sha1_crypt(uh.HasManyBackends, uh.HasRounds, uh.HasSalt, uh.GenericHandler
salt_chars = uh.HASH64_CHARS
#--HasRounds--
- default_rounds = 64000 # current passlib default
+ default_rounds = 480000 # current passlib default
min_rounds = 1 # really, this should be higher.
max_rounds = 4294967295 # 32-bit integer limit
rounds_cost = "linear"
diff --git a/passlib/handlers/sha2_crypt.py b/passlib/handlers/sha2_crypt.py
index 61ed5f5..88bc2a7 100644
--- a/passlib/handlers/sha2_crypt.py
+++ b/passlib/handlers/sha2_crypt.py
@@ -405,7 +405,7 @@ class sha256_crypt(_SHA2_Common):
:type rounds: int
:param rounds:
Optional number of rounds to use.
- Defaults to 110000, must be between 1000 and 999999999, inclusive.
+ Defaults to 535000, must be between 1000 and 999999999, inclusive.
:type implicit_rounds: bool
:param implicit_rounds:
@@ -433,7 +433,7 @@ class sha256_crypt(_SHA2_Common):
ident = u("$5$")
checksum_size = 43
# NOTE: using 25/75 weighting of builtin & os_crypt backends
- default_rounds = 110000
+ default_rounds = 535000
#===================================================================
# backends
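Review bot: The comment `# NOTE: using 25/75 weighting of builtin & os_crypt backends` says the 535000 default (and 656000 in the sha512_crypt hunk below) is tuned against a blend of backends, so a host that falls back to the builtin backend will presumably run well above the intended verify time. On a login path that is a resource-exhaustion consideration, because every attempt costs the full round count. Consider recording the timing target and reference hardware beside the value, e.g. `# tuned for ~300ms on a 3.0 GHz 64-bit CPU (see docs/password_hash_api.rst)`, so deployments on slower or builtin-only hosts know to override it. The class body continues outside the hunk.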
@@ -464,7 +464,7 @@ class sha512_crypt(_SHA2_Common):
:type rounds: int
:param rounds:
Optional number of rounds to use.
- Defaults to 100000, must be between 1000 and 999999999, inclusive.
+ Defaults to 656000, must be between 1000 and 999999999, inclusive.
:type implicit_rounds: bool
:param implicit_rounds:
@@ -494,7 +494,7 @@ class sha512_crypt(_SHA2_Common):
checksum_size = 86
_cdb_use_512 = True
# NOTE: using 25/75 weighting of builtin & os_crypt backends
- default_rounds = 100000
+ default_rounds = 656000
#===================================================================
# backend
diff --git a/passlib/handlers/sun_md5_crypt.py b/passlib/handlers/sun_md5_crypt.py
index 72f97bf..499f1f8 100644
--- a/passlib/handlers/sun_md5_crypt.py
+++ b/passlib/handlers/sun_md5_crypt.py
@@ -193,7 +193,7 @@ class sun_md5_crypt(uh.HasRounds, uh.HasSalt, uh.GenericHandler):
:type rounds: int
:param rounds:
Optional number of rounds to use.
- Defaults to 5500, must be between 0 and 4294963199, inclusive.
+ Defaults to 34000, must be between 0 and 4294963199, inclusive.
:type bare_salt: bool
:param bare_salt:
@@ -231,7 +231,7 @@ class sun_md5_crypt(uh.HasRounds, uh.HasSalt, uh.GenericHandler):
max_salt_size = None
salt_chars = uh.HASH64_CHARS
- default_rounds = 5500 # current passlib default
+ default_rounds = 34000 # current passlib default
min_rounds = 0
max_rounds = 4294963199 ##2**32-1-4096
# XXX: ^ not sure what it does if past this bound... does 32 int roll over?
diff --git a/setup.py b/setup.py
index 8b395c7..084055a 100644
--- a/setup.py
+++ b/setup.py
@@ -85,8 +85,8 @@ providing full-strength password hashing for multi-user applications.
* See the `documentation <http://packages.python.org/passlib>`_
for details, installation instructions, and examples.
-* See the `homepage <http://passlib.googlecode.com>`_
- for the latest news, more information, and additional downloads.
+* See the `homepage <https://bitbucket.org/ecollins/passlib>`_
+ for the latest news and more information.
* See the `changelog <http://packages.python.org/passlib/history.html>`_
for a description of what's new in Passlib.
@@ -151,9 +151,8 @@ setup(
author_email = "elic@assurancetechnologies.com",
license = "BSD",
- url = "http://passlib.googlecode.com",
+ url = "https://bitbucket.org/ecollins/passlib",
download_url =
-# ("http://passlib.googlecode.com/files/passlib-" + VERSION + ".tar.gz")
("http://pypi.python.org/packages/source/p/passlib/passlib-" + VERSION + ".tar.gz")
if is_release else None,
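Review bot: `download_url` still points at `http://pypi.python.org/...` over plain HTTP even though this hunk moves `url` to HTTPS, so a tool that follows it fetches the release tarball without transport integrity. Change the scheme to `https://` on that line, and likewise for the `http://packages.python.org/passlib` documentation and changelog links left as context in the first setup.py hunk. The `setup(` call begins and ends outside the hunk.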