diff options
| author | Eli Collins <elic@assurancetechnologies.com> | 2011-03-23 13:26:40 -0400 |
|---|---|---|
| committer | Eli Collins <elic@assurancetechnologies.com> | 2011-03-23 13:26:40 -0400 |
| commit | 6a96a86a1d16f47b20b65a751f480429dd215cbf (patch) | |
| tree | a6284fadcca22dba55267f8a12818a12b558bcc1 /passlib | |
| parent | af21684ed1d296d522af7e5c806a28fea99bf3d7 (diff) | |
| download | passlib-6a96a86a1d16f47b20b65a751f480429dd215cbf.tar.gz | |
various CryptContext improvements
=================================
* tweaked vary_rounds code to not "bunch up" when it hits min/max rounds
* updated default policy settings
* issues warning if min verify time is exceeded
Diffstat (limited to 'passlib')
| -rw-r--r-- | passlib/context.py | 21 | ||||
| -rw-r--r-- | passlib/default.cfg | 16 |
2 files changed, 28 insertions, 9 deletions
diff --git a/passlib/context.py b/passlib/context.py index 0658c33..ccced9a 100644 --- a/passlib/context.py +++ b/passlib/context.py @@ -612,7 +612,13 @@ class CryptContext(object): vr = int(logb(vr*.01*(2**df),2)+.5) else: vr = int(df*vr/100) - rounds = rng.randint(df-vr,df+vr) + lower = df-vr + if mn and lower < mn: + lower = mn + upper = df+vr + if mx and upper > mx: + upper = mx + rounds = rng.randint(lower, upper) else: rounds = df if rounds is not None: @@ -789,9 +795,22 @@ class CryptContext(object): delta = mvt + start - end if delta > 0: time.sleep(delta) + elif delta < 0: + #warn app they aren't being protected against timing attacks... + warn("CryptContext: verify exceeded min_verify_time: scheme=%r min_verify_time=%r elapsed=%r", handler.name, mvt, end-start) return result + #TODO: check this works properly, and expose it to ease requirements for apps to use migration features + ##def verify_and_update(self, secret, hash, scheme=None, category=None, **kwds): + ## ok = self.verify(secret, hash, scheme=scheme, category=category, **kwds) + ## if not ok: + ## return False, None + ## if self.hash_needs_update(secret, hash, category=category): + ## return True, self.encrypt(secret, **kwds) + ## else: + ## return True, None + #========================================================= #eoc #========================================================= diff --git a/passlib/default.cfg b/passlib/default.cfg index c120660..c68f518 100644 --- a/passlib/default.cfg +++ b/passlib/default.cfg @@ -8,12 +8,12 @@ #TODO: need to generate min rounds for specific cpu speed & verify time limitations -bsdi_crypt.min_rounds = 30000 -phpass.min_rounds = 10 -bcrypt.min_rounds = 10 -sha256_crypt.min_rounds = 30000 -sha512_crypt.min_rounds = 30000 -sun_md5_crypt.min_rounds = 30000 -sha1_crypt.min_rounds = 30000 +all.vary_rounds = 10% -#TODO: specify default configuration for unix systems (mainly, deprecating des-crypt, ext-des-crypt) +bsdi_crypt.default_rounds = 30000 +phpass.default_rounds = 10 +bcrypt.default_rounds = 10 +sha1_crypt.default_rounds = 30000 +sun_md5_crypt.default_rounds = 30000 +sha256_crypt.default_rounds = 30000 +sha512_crypt.default_rounds = 30000 |