author | Eli Collins <elic@assurancetechnologies.com> | 2020-05-02 14:14:25 -0400 |
---|---|---|
committer | Eli Collins <elic@assurancetechnologies.com> | 2020-05-02 14:14:25 -0400 |
commit | 18aa5a99271908054b8fc65d79c91c8404d486af (patch) | |
tree | 9750869367a4290a26857c7500f2ca271deda112 /docs | |
parent | 61f4f3ba5d520dc5b35415be7c9dae49911429db (diff) | |
download | passlib-18aa5a99271908054b8fc65d79c91c8404d486af.tar.gz |
reworked lookup_hash() and create_hex_digest() internals to work better
on FIPS systems (issue 116).
* lookup_hash():
- moved all hash constructor error checks / handling into HashInfo object,
which simplifies lookup_hash() internals
- [minor] added "required" kwd, inverse of the now-deprecated "return_unknown" kwd
- [minor] now caches unknown/unsupported HashInfo records.
* HashInfo:
- now catches ValueErrors thrown by hash constructor,
and special-cased detection of "disabled for fips" errors.
- stub instances now have constructor that throws UnknownHashError,
instead of being None. calling code should detect stub instances via
the new "not info.supported" instead of testing for "info.const is None".
* create_hex_digest() now defaults to creating handlers w/ mock hash func
when it's not present (e.g. due to FIPS). this should let them be imported;
and defer the errors until they're actually used.
* added _set_mock_fips_mode() and some helps to make lookup_hash()
fake a FIPS mode system (per traceback provided in issue comments).
used this to make some preliminary UTs for the digest & hasher changes above.
Diffstat (limited to 'docs')
-rw-r--r-- | docs/history/1.7.rst | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/docs/history/1.7.rst b/docs/history/1.7.rst index 0d25fb2..3cee9a9 100644 --- a/docs/history/1.7.rst +++ b/docs/history/1.7.rst @@ -26,6 +26,25 @@ Bugfixes * :mod:`passlib.ext.django`: fixed lru_cache import (django 3 compatibility) +Other Changes +------------- + +* Modified some internals to help run on FIPS systems (:issue:`116`): + + In particular, when MD5 hash is not available, :class:`~passlib.hash.hex_md5` + will now return a dummy hasher which throws an error if used; rather than throwing + an uncaught :exc:`!ValueError` when an application attempts to import it. (Similar behavior + added for the other unsalted digest hashes). + + .. py:currentmodule:: passlib.crypto.digest + + Also, :func:`lookup_hash`'s ``required=False`` kwd was modified to report unsupported hashes + via the :attr:`HashInfo.supported` attribute; rather than letting ValueErrors through uncaught. + + This should allow CryptContext instances to be created on FIPS systems without having + a load-time error (though they will still receive an error if an attempt is made to actually + *use* a FIPS-disabled hash). + **1.7.2** (2019-11-22) ====================== |
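Review bot: In the first paragraph of the new "Other Changes" entry, "will now return a dummy hasher which throws an error if used" does not name the exception, so an application that wants to handle a FIPS-disabled digest cannot tell from the changelog what to catch. The commit message says stub constructors throw UnknownHashError; the entry should name that exception, or whichever one the hasher actually surfaces if it differs. The lookup_hash paragraph documents ``required=False`` but does not mention that the commit message describes ``return_unknown`` as now-deprecated; a one-line deprecation note would tell callers which keyword to move to. The ``.. py:currentmodule:: passlib.crypto.digest`` directive is also placed in the middle of the bullet and is not reset afterwards, so it is worth checking that references later in this file still resolve as intended.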