| Commit message | Author | Age | Files | Lines |
.set_backend() return value.
as a fallback for 'default_rounds', 'min_rounds', and 'max_rounds'.
this makes it easier to specify a django-style policy of "deprecate all hashes
which have a differing rounds value".
* removed special handling from 'rounds' from CryptContext parser
* tweaked affected CryptContext serialization tests
* added test for new behavior
implementation
these all derived directly from PasswordHash, and lacked a working .using().
* added UT to check for a working .using() method
* factored out GenericHandler's .using() into another base class
which these three hashes could inherit from.
and not worth the amount of code it requires to support it.
* stripped out vary_rounds from all internal presets
* added deprecation warning if it's ever used
default salt size, added UTs.
prevents some spurious test failures when under erratic system load
* HasRounds: now parses vary_rounds="0.x" format correctly
* PrefixWrapper: now exposes "vary_rounds" attr
* handler tests: split HasRounds.using() into multiple tests, one for each property
(max_rounds, min_rounds, etc)
* context tests: added checks that custom handler is being configured correctly,
since actual behavior is now being checked by handler tests.
.encrypt()
----------
hash.encrypt() & context.encrypt() have been renamed to .hash().
this should take care of the long-standing issue 21 (the poor naming of .encrypt).
per docs, legacy aliases will remain in place until passlib 2.0.
.genhash() / .genconfig()
-------------------------
taking advantage of this reorganization to also deprecate .genconfig()
and .genhash() -- they're not really useful in a modern system,
nor as needed for historical support as initially thought:
.genconfig() will be retired completely in passlib 2.0;
.genhash() is rolled into the new .hash() method along with .encrypt().
don't use 0, even if "allowed" by hash, causes spurious failures.
which abstracts out job of parsing rounds value from hash.
under py25
(fixes issue 58)
* test_handlers: fix py3 u() compat issue
* test_totp: clean norm_hash_name() caches so warnings repeat per-test,
added/fixed some warnings checks.
* HandlerCase: HasRounds.using() test: hack so bsdi_crypt can pass
(the 'odd rounds only' was playing havoc w/ the test's expectations)
* HandlerCase: effective_rounds() / effective_ident() helpers
now unwrap PrefixWrappers first; wrappers aren't callable like classes.
* HandlerCase: HasRounds.using() test: don't check min_rounds-1
if min_rounds is 0.
* HandlerCase: multithreaded fuzz test -- detect & log errors if stalled thread,
rather than main thread stalling forever. reduced thread count down to 10.
* reset_warning_filter() context manager -- simplified __exit__() cleanup code
* tests: assertWarningList() wasn't running under some python versions
* tests: create_backend_case() had typo from recent refactor
* tests: multi-threading fuzz testing now TEST_MODE=full only
* tests: fixed effective_ident() helper
* added UTs for basic min/max/default options.
still needs vary_rounds & alias tests
* clarified error/warning conditions for some cases,
handled implicit min/max policy settings.
* All HasRounds.using() options now accept values as strings,
to help CryptContext.
* Replaced some dup code in _norm_rounds w/ a call to _clip_to_valid_rounds
* departing from previous CryptContext behavior,
passing an explicit rounds value to encrypt() will now override
the policy limits (w/ a warning)
* moved utils.patchAttr() function to TestCase.patchAttr(),
redid a bunch of manual monkeypatches to use .patchAttr() method.
* temporary_backend() hack replaced by subcls.using(), so temporary
backend use will be threadsafe (needed for concurrent tests).
* HandlerCase.create_backend_cases() replaced with HandlerCase.create_backend_case(),
all calls split out to make individual calls for each backend.
Easier to read in diffs going forward when backends added/removed.
* moved os_crypt specific code w/in create_backend_case() to OsCryptMixin,
which just subclasses the method it needs to modify. allowed
removing find_crypt_replacement() method entirely; decision to skip backend
now directly uses OsCryptMixin's own logic.
* fuzz_verifier_crypt() cleanups
- moved to OsCryptMixin; removing .using_patched_crypt ref from HandlerCase
- has_crypt_support() helper rolled into method, was only caller.
- os_supports_ident() refactored into crypt_supports_variant().
fuzz_verified_crypt() is (now) the only caller.
* bcrypt's crypt_supports_variant() now uses actual test of crypt()
rather than hardcoded list of supported values.
* fuzz verifier now handles hashes throwing SkipTest.
* utils.has_crypt_support() rolled into
able to handle non-utf8 passwords. only coming up now because bcrypt's
os_crypt fallback can now fail for such inputs.
bcrypt
------
* added support & UT for $2b$ hash format.
not making it the default yet, for backward compat.
* large refactor of how bcrypt backends are loaded:
instead of per-backend workarounds within each _calc_checksum_<backend>()
function: now using runtime detection of specific capabilities & workarounds,
that runs whenever set_backend() is called, combined with consolidated
workaround code within _calc_checksum(), controlled by the flags
set by set_backend().
this detection now looks for:
- the 8bit bug: throws a PasslibSecurityError
- the wraparound bug: issues warning, sets flag enabling a workaround.
- support for 2/2y/2b: if backend lacks support for particular variants,
sets flag enabling workaround to add support.
* os_crypt backend now just issues error if it can't handle a password encoding;
rather than trying fallbacks first -- edge case anyways, and likely
to not have any fallbacks when it does happen. simplifies backend code.
* added UTs to make sure wraparound-vulnerable passwords are hashed correctly
(as a 72char string, not a 1-3 char string that's repeated).
* internal blowfish code's ident parsing clarified.
other
-----
* added exc.PasslibSecurityError for fatal runtime errors.
* test framework: os_crypt backends no longer expected to use
*any* backend as fallback, just ones with lower priority than os_crypt.
* test framework: crypt_stub() wrapper now subclasses the handler,
so it can use an independent backend, instead of changing global
backend for duration of call (made parallel testing hard)
docs
----
* added entry to bcrypt page, writing down wraparound bug details,
and how passlib is handling it.
* all versions of pybcrypt & bcryptor seem to be vulnerable to wraparound bug.
starting process of deprecating these backends: marked bcrypt backend
as 'preferred' throughout the documentation.
clarity.
* removed exc_err() compat helper, can now use "Exception as err"
* next_method_attr replaced by nextgetter(), which seems a little cleaner
* removed py30/31 alias for SafeConfigParser
* put some PY26 features behind PY26 compat flag
* removed PY25 from setup classifiers
_load_backend() entirely,
was causing problems with new _load_backend() framework.
support;
as well as PyPy 1.x and Jython 2.5.
shims removed
-------------
* b() shim replaced with b'' (py25)
* 'bytes' alias no longer needed (py25)
* callable() shim no longer needed (py30,31)
* PY_MIN_32 flag replaced with PY3 flag (py30,31)
* removed 'abc' module stub used by passlib.ifc (py25)
* removed chain_from_iterable() backport (py25)
* tests: removed catch_warnings() backport,
replaced refs with real warnings.catch_warnings() (py25)
* tests: removed unittest2 backports (py25, py30, py31) --
now throw hard error if unittest2 not present under py26
(the only release remaining which lacks the unittest2 features)
* removed SUPPORTS_DIR_METHOD conditional (py25, pypy 1.x)
* some other minor workarounds
other
-----
* added check in passlib.compat which now throws error telling user
version isn't supported (to prevent spurious errors later)
des_crypt code
* simplified get_handler_case() a little
* has_active_backend() now returns a less confusing default string
("builtin" was ambiguous since it's a common backend name)
* probabilistic getrandstr() test fails 1/600 times, upped to 1/430,000 :)
* not too much trouble, and definitely needed.
after considering options, decided to use sha256 + base64.
* added note re: bcrypt password truncation
* HasBackend mixin -- changed to use _calc_checksum_backend()
as the attribute it patches, instead of _calc_checksum().
makes it easier to consolidate code common to all backends (e.g. bcrypt)
* test_60_secret_size: changed hardcoded exception list to a class flag
* added registry test to make sure all hashes are being tested
(with a few known exceptions)
* clarified names inside builtin bcrypt backend
* updated changelog
* added implementation of django 1.6's bcrypt_sha256 hasher, and UTs
* added django16 premade context to passlib.apps, made it default django_context
* test_ext_django now makes use of django16_context
* passlib.ext.django.utils.get_preset_config() now uses django16_context
* tox 'django' and 'django-py3' now test bcrypt integration
passlib.ext.django & its tests have gotten out of sync with django,
leading to a number of UT failures, as reported in issue 50.
tests now pass on django 1.2 through 1.6
passlib.ext.django
------------------
mimic changes in django's hasher logic:
* handle unsalted_sha1 hasher (django 1.4.6+)
* check_password(): empty hashes return False, rather than throw error (django 1.5+)
* allow empty passwords (django 1.6+)
* generate unusable password suffixes (django 1.6+)
passlib.hash
------------
* django_des_crypt: added "use_duplicate_salt" class attr,
allowing tests to enable django 1.4+ style hashes which omit 1st salt.
* django_disabled: added support for django 1.6+ random suffixes
passlib.tests
-------------
* test_ext_django: lots of changes to verify django 1.5/1.6 behavior
* test_handlers_django: split django tests out of test_handlers
to make it easier to run django-related tests.
* added workaround for encoding glitch in salted_md5 / salted_sha1 hashers (django 1.5+)
* added multi-thread fuzz testing to shared PasswordHash test suite
* added code to detect pybcrypt <0.3, issue warning, and implement
thread-lock to workaround its fatal concurrency issue.
* TODO: audit rest of passlib for threading issues (shouldn't be any major ones)
for FreeBSD 8.3+ supporting SHA512-Crypt
* bcrypt fuzz fix: detect $2$ hashes w/ passwords like 'abc' 'abcabc' and regenerate,
since $2$ would hash them the same. one in a million chance, but I hit it.
* django_bcrypt: skip multi-ident testing entirely, only one prefix is used.
* get_fuzz_settings() now handles passwords too, so handlers can alter them
* get_fuzz_ident() now checks os_supports_ident() directly, so bcrypt test doesn't have to
* test_14_salt_chars now cleans up salt, so bcrypt test doesn't have to
* glitch in fuzz skip code
* add tox.ini to sdist
* timer issues under windows
* id() issues under jython
* mtime issues under jython & darwin
* corrected expectations of test_ext_django's patch checker
* added darwin flags to platform_os_crypt info
* fixed regression in os_crypt backend test mocking
* split ut2 backports into separate module to keep them distinct from customizations
* added backport of skip() / skipIf(), simplified a bunch of code
* "PASSLIB_TESTS" env var renamed to "PASSLIB_TEST_MODE",
has one of three values (quick,default,full)
* assertWarningList() can now be used as context manager
* added TestCase.mktemp(), and some capability tests via TestCase.require_xxx()
* HandlerCase
- subclasses can now modify do_xxx() settings and context using unified interface.
- defaults to lower number of rounds for all hashes, to speed up UTs
- create_backend_case() is now classmethod that yields multiple backends
- added test to ensure os_crypt hashes forbid NULL chars
- EncodingHandlerMixin for common tests of 'encoding' keyword
- updated salt handling of the existing django hashes, in a way which should be backwards compatible w/ django 1.0
- UTs now test Django hasher output against passlib handlers (reverse was already being done)
- refactor of fuzz testing to reuse some of the methods.
issue w/ os_crypt proxying builtin bcrypt