* scrypt kdf code
- relocated scrypt kdf code to passlib.crypto.scrypt
- py3 compat fixes
- split UTs out into separate file
- removed "non-power of 2" support, not needed.
- added wrapper which can toggle between builtin backend, and external scrypt package.
- factored out n/r/p validation code so it can be used independently of calling kdf itself.
* passlib.handlers.scrypt: added scrypt handler which wraps the kdf.
- added some custom test strings, as well as adapted some reference values
from the scrypt whitepaper.
- added documentation page
- integrated scrypt kdf wrapper w/ hash's HasManyBackends api

as a fallback for 'default_rounds', 'min_rounds', and 'max_rounds'.
this makes it easier to specify a django-style policy of "deprecate all hashes
which have a differing rounds value".
* removed special handling from 'rounds' from CryptContext parser
* tweaked affected CryptContext serialization tests
* added test for new behavior

only legitimate use was for 'vary_rounds' option, which is being phased out,
and other uses like 'min_rounds' were a security issue.
* fixed CryptContext() tests to stop using "all" kwds
* issue dep warning if "all" scheme is used
* issue config warning if anything but "vary_rounds" is used,
since config needs to be changed (regardless of passlib version)

and not worth the amount of code it requires to support it.
* stripped out vary_rounds from all internal presets
* added deprecation warning if it's ever used

.encrypt()
----------
hash.encrypt() & context.encrypt() have been renamed to .hash().
this should take care of the long-standing issue 21 (the poor naming of .encrypt).
per docs, legacy aliases will remain in place until passlib 2.0.
.genhash() / .genconfig()
-------------------------
taking advantage of this reorganization to also deprecate .genconfig()
and .genhash() -- they're not really useful in a modern system,
nor as needed for historical support as initially thought:
.genconfig() will be retired completely in passlib 2.0;
.genhash() is rolled into the new .hash() method along with .encrypt().

* split generate() into genword() & genphrase() --
APIs are just too different to keep combined.
* renamed internal calc funcs to better reflect their purpose.
* commented out PhraseGenerator's min_chars code, can't confirm
it's doing correct thing.
* commented out password strength estimator, too half-baked.
* tried to simplify SequenceGenerator attributes.
* genword(): defined some base charsets to work with
* genphrase(): wordsets now stored uncompressed (not really that big,
and .whl will compress everything for transport).
* fleshed out UTs for genword() & genphrase()
* updated docs

and moved them to a separate passlib.crypto subpackage.
along with this move, made a few api cleanups:
* unified all code that's looking up hashes
to use new passlib.crypto.lookup_hash() wrapper, which takes
care of hash name normalization, loading fallback implementations,
and alg metadata inspection, all hidden behind a memoized function.
* deprecated pbkdf2() in favor of pbkdf2_hmac() -- only real use,
and new signature matches stdlib function. additionally,
this version is a bit faster, due to some assumptions that
can be made due to the PRF always being HMAC based.
* added compile_hmac() helper which does an even more efficient
job of pre-compiling a keyed HMAC function; this helped speed up pbkdf2 a bit more.

announcement
motivation is that django hashers framework has matured greatly
as of django 1.8, and dropping all prior versions not only eases support burden,
but opens up opportunity for integration via less invasive method in a
future passlib release, using django 1.8 as a common base.

(grafted from 147ca054691e1cc798faec622d8509502d7c37f9)

(grafted from da9beaf8d08dc0139430124ea1cf494242f14f5c)

the context,
and they will only be passed on for the hashes that support them (fixes issue 63).

* split cisco ASA 7.0 code out into separate 'cisco_asa' class,
some minor reformatting of the internals (no alg changes).
* updated documentation to reflect the two different classes,
added to changelog.
* added some reference vectors generated by current implementation --
vectors chosen to verify thresholds around various if/thens in the ASA alg.
added note that these still need to be verified by official implementation.

bcrypt
------
* added support & UT for $2b$ hash format.
not making it the default yet, for backward compat.
* large refactor of how bcrypt backends are loaded:
instead of per-backend workarounds within each _calc_checksum_<backend>()
function: now using runtime detection of specific capabilities & workarounds,
that runs whenever set_backend() is called, combined with consolidated
workaround code within _calc_checksum(), controlled by the flags
set by set_backend().
this detection now looks for:
- the 8bit bug: throws a PasslibSecurityError
- the wraparound bug: issues warning, sets flag enabling a workaround.
- support for 2/2y/2b: if backend lacks support for particular variants,
sets flag enabling workaround to add support.
* os_crypt backend now just issues error if it can't handle a password encoding;
rather than trying fallbacks first -- edge case anyways, and likely
to not have any fallbacks when it does happen. simplifies backend code.
* added UTs to make sure wraparound-vulnerable passwords are hashed correctly
(as a 72char string, not a 1-3 char string that's repeated).
* internal blowfish code's ident parsing clarified.
other
-----
* added exc.PasslibSecurityError for fatal runtime errors.
* test framework: os_crypt backends no longer expected to use
*any* backend as fallback, just ones with lower priority than os_crypt.
* test framework: crypt_stub() wrapper now subclasses the handler,
so it can use an independent backend, instead of changing global
backend for duration of call (made parallel testing hard)
docs
----
* added entry to bcrypt page, writing down wraparound bug details,
and how passlib is handling it.
* all versions of pybcrypt & bcryptor seem to be vulnerable to wraparound bug.
starting process of deprecating these backends: marked bcrypt backend
as 'preferred' throughout the documentation.

issue 55);
also added default_scheme="portable" to ease transition to passlib 1.7's new default behavior.

now requiring django >= 1.4

support;
as well as PyPy 1.x and Jython 2.5.
shims removed
-------------
* b() shim replaced with b'' (py25)
* 'bytes' alias no longer needed (py25)
* callable() shim no longer needed (py30,31)
* PY_MIN_32 flag replaced with PY3 flag (py30,31)
* removed 'abc' module stub used by passlib.ifc (py25)
* removed chain_from_iterable() backport (py25)
* tests: removed catch_warnings() backport,
replaced refs with real warnings.catch_warnings() (py25)
* tests: removed unittest2 backports (py25, py30, py31) --
now throw hard error if unittest2 not present under py26
(the only release remaining which lacks the unittest2 features)
* removed SUPPORTS_DIR_METHOD conditional (py25, pypy 1.x)
* some other minor workarounds
other
-----
* added check in passlib.compat which now throws error telling user
version isn't supported (to prevent spurious errors later)

TOTP module reworked drastically. Should have committed this a long time ago.
Now have what is (hopefully) the final API for the TOTP module.
* Supports TOTP & HOTP
* Supports URI rendering & parsing
* Highlevel methods to handle state management, client clock skew estimation, etc.
* Unittests mostly complete (a few edge cases)
* Persistent serialization supports encrypting secrets with a password,
to mitigate exposure of storage medium.
* Basic API documentation.
Should be suitable for following use-cases:
* lowlevel methods for implementing HOTP/TOTP on server
* highlevel methods for implementing HOTP/TOTP on server,
and letting them handle details of tracking client state.
* methods for implementing an HOTP / TOTP client.

des_crypt code