authorEli Collins <elic@assurancetechnologies.com>2011-03-23 13:26:40 -0400
committerEli Collins <elic@assurancetechnologies.com>2011-03-23 13:26:40 -0400
commit6a96a86a1d16f47b20b65a751f480429dd215cbf (patch)
treea6284fadcca22dba55267f8a12818a12b558bcc1 /passlib/context.py
parentaf21684ed1d296d522af7e5c806a28fea99bf3d7 (diff)
downloadpasslib-6a96a86a1d16f47b20b65a751f480429dd215cbf.tar.gz
various CryptContext improvements
================================= * tweaked vary_rounds code to not "bunch up" when it hits min/max rounds * updated default policy settings * issues warning if min verify time is exceeded
Diffstat (limited to 'passlib/context.py')
-rw-r--r--passlib/context.py21
1 files changed, 20 insertions, 1 deletions
diff --git a/passlib/context.py b/passlib/context.py
index 0658c33..ccced9a 100644
--- a/passlib/context.py
+++ b/passlib/context.py
@@ -612,7 +612,13 @@ class CryptContext(object):
vr = int(logb(vr*.01*(2**df),2)+.5)
else:
vr = int(df*vr/100)
- rounds = rng.randint(df-vr,df+vr)
+ lower = df-vr
+ if mn and lower < mn:
+ lower = mn
+ upper = df+vr
+ if mx and upper > mx:
+ upper = mx
+ rounds = rng.randint(lower, upper)
else:
rounds = df
if rounds is not None:
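Review bot: Nothing after the two clamps guarantees `lower <= upper` before `rng.randint(lower, upper)`, and `randint` raises ValueError on an empty range. That case is reached when `df` lies outside the `mn`..`mx` window by more than `vr` (for example `df+vr < mn`), unless the policy is validated somewhere this hunk does not show. Because `rounds` is the hash work factor, the fallback should stay inside the configured bounds: clamp the default before the window is derived, with `if mn and df < mn: df = mn` and `if mx and df > mx: df = mx`, which keeps `lower <= df <= upper`. The enclosing method starts and ends outside the hunk, so where `df` is first read has to be checked there.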
@@ -789,9 +795,22 @@ class CryptContext(object):
delta = mvt + start - end
if delta > 0:
time.sleep(delta)
+ elif delta < 0:
+ #warn app they aren't being protected against timing attacks...
+ warn("CryptContext: verify exceeded min_verify_time: scheme=%r min_verify_time=%r elapsed=%r", handler.name, mvt, end-start)
return result
+ #TODO: check this works properly, and expose it to ease requirements for apps to use migration features
+ ##def verify_and_update(self, secret, hash, scheme=None, category=None, **kwds):
+ ## ok = self.verify(secret, hash, scheme=scheme, category=category, **kwds)
+ ## if not ok:
+ ## return False, None
+ ## if self.hash_needs_update(secret, hash, category=category):
+ ## return True, self.encrypt(secret, **kwds)
+ ## else:
+ ## return True, None
+
#=========================================================
#eoc
#=========================================================
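Review bot: The new `warn(...)` call in the `elif delta < 0:` branch passes the format arguments as extra positional parameters, logging-style, so they are never interpolated into the message. If `warn` is `warnings.warn` (the import is outside the hunk), `handler.name` lands in the `category` slot and the call raises TypeError, so a verify that runs past `min_verify_time` would fail instead of returning `result`. Format the message first: `warn("CryptContext: verify exceeded min_verify_time: scheme=%r min_verify_time=%r elapsed=%r" % (handler.name, mvt, end-start))`. A test that sets a very small `min_verify_time` would exercise this branch.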