CHANGES
Release History

1.5.3 (2011-10-08)

Bugfix release -- fixes BCrypt padding/verification issue

This release fixes a single issue with Passlib's BCrypt support: Many BCrypt hashes generated by Passlib (<= 1.5.2) will not successfully verify under some of the other BCrypt implementations, such as OpenBSD's /etc/master.passwd.

In detail:

BCrypt hashes contain 4 "padding" bits in the encoded salt, and Passlib (<= 1.5.2) generated salts in a manner which frequently set some of the padding bits to 1. While Passlib ignores these bits, many BCrypt implementations perform password verification in a way that will reject all passwords if any of the padding bits are set. Thus Passlib's BCrypt salt generation needed to be corrected to ensure compatibility, and a route provided to fix existing hashes already out in the wild [issue 25].

Changes in this release:

.. currentmodule:: passlib.context

  • BCrypt hashes generated by Passlib now have all padding bits cleared.
  • Passlib will continue to accept BCrypt hashes that have padding bits set, but when it encounters them, it will issue a :exc:`UserWarning` recommending that the hash should be fixed (see below).
  • Applications which use :meth:`CryptContext.verify_and_update` will have any such hashes automatically re-encoded the next time the user logs in.

To fix existing hashes:

If you have BCrypt hashes which might have their padding bits set, you can import :class:`!passlib.hash.bcrypt`, and call ``clean_hash = bcrypt.normhash(hash)``. This function will clear the padding bits of any BCrypt hashes, and should leave all other strings alone.
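As an added illustration of the padding-bit problem (example code written for this changelog, not Passlib's own ``normhash``): the 22-character bcrypt salt field carries 132 bits but the salt itself is only 128 bits, so the low 4 bits of the last salt character are padding, and a clean hash always ends its salt with one of ``.``, ``O``, ``e`` or ``u``. The checksum stays valid after clearing them, because it was computed from the 128-bit salt alone.

```python
import re

# bcrypt's own base64 alphabet (not the RFC 4648 ordering)
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $2$ / $2a$ / $2b$ / $2x$ / $2y$, 2-digit cost, 22 salt chars, 31 checksum chars
_BCRYPT_RE = re.compile(
    r"^(?P<prefix>\$2[abxy]?\$\d\d\$)"
    r"(?P<salt>[./A-Za-z0-9]{22})"
    r"(?P<digest>[./A-Za-z0-9]{31})$"
)


def padding_bits(hash_str):
    """Return the value of the 4 padding bits in a bcrypt hash's salt
    (0 means clean), or None if the string is not a bcrypt hash."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        return None
    # 21 chars * 6 bits = 126 bits; only the top 2 bits of the 22nd
    # char belong to the 128-bit salt, the low 4 bits are padding.
    last = BCRYPT_B64.index(m.group("salt")[-1])
    return last & 0x0F


def clear_padding_bits(hash_str):
    """Return the hash with its salt padding bits cleared; any string
    that is not a bcrypt hash is returned unchanged."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        return hash_str
    salt = m.group("salt")
    last = BCRYPT_B64.index(salt[-1])
    # keep the 2 real salt bits (0x30), drop the 4 padding bits (0x0F)
    fixed_salt = salt[:-1] + BCRYPT_B64[last & 0x30]
    return m.group("prefix") + fixed_salt + m.group("digest")


if __name__ == "__main__":
    # constructed sample, not a real hash: salt ends in 'Z' (index 27,
    # low 4 bits = 11), so other bcrypt implementations would reject it
    dirty = "$2a$12$" + "a" * 21 + "Z" + "b" * 31
    print(padding_bits(dirty), clear_padding_bits(dirty))
```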

1.5.2 (2011-09-19)

Minor bugfix release -- mainly Django-related fixes

Hashes

.. currentmodule:: passlib.hash

CryptContext

.. currentmodule:: passlib.context

1.5.1 (2011-08-17)

Minor bugfix release -- now compatible with Google App Engine.

  • bugfix: make passlib.hash.__loader__ attribute writable - needed by Google App Engine (GAE) [issue 19].
  • bugfix: provide fallback for loading passlib/default.cfg if :mod:`pkg_resources` is not present, such as for GAE [issue 19].
  • bugfix: fixed error thrown by CryptContext.verify when issuing min_verify_time warning [issue 17].
  • removed min_verify_time setting from custom_app_context; min_verify_time is too host & load dependent to be hardcoded [issue 17].
  • under GAE, disable all unittests which require writing to filesystem.
  • more unittest coverage for :mod:`passlib.apps` and :mod:`passlib.hosts`.
  • improved version datestamps in build script.

1.5 (2011-07-11)

"20% more unicode than the leading breakfast cereal"

The main new feature in this release is that Passlib now supports Python 3 (via the 2to3 tool). Everything has been recoded to have better separation between unicode and bytes, and to use unicode internally where possible. When run under Python 2, Passlib 1.5 attempts to provide the same behavior as Passlib 1.4; but when run under Python 3, most functions will return unicode instead of ASCII bytes.

Besides this major change, there have been some other additions:

Hashes

  • added support for Cryptacular's PBKDF2 format.
  • added support for the FSHP family of hashes.
  • added support for using BCryptor as BCrypt backend.
  • added support for all of Django's hash formats.

CryptContext

.. currentmodule:: passlib.context

Documentation

Internals

Other

  • Builtin tests now use :mod:`!unittest2` if available.
  • Setup script no longer requires distribute or setuptools.
  • added (undocumented, experimental) Django app for overriding Django's default hash format, see docs/lib/passlib.ext.django.rst for more.

1.4 (2011-05-04)

This release contains a large number of changes, both large and small. It adds a number of PBKDF2-based schemes, better support for LDAP-format hashes, improved documentation, and faster load times. In detail...

Hashes

  • added LDAP {CRYPT} support for all hashes known to be supported by OS crypt()
  • added 3 custom PBKDF2 schemes for general use, as well as 3 LDAP-compatible versions.
  • added support for Dwayne Litzenberger's PBKDF2 scheme.
  • added support for Grub2's PBKDF2 hash scheme.
  • added support for Atlassian's PBKDF2 password hash
  • added support for all hashes used by the Roundup Issue Tracker
  • bsdi_crypt, sha1_crypt now check for OS crypt() support
  • salt_size keyword added to encrypt() method of all the hashes which support variable-length salts.
  • security fix: disabled unix_fallback's "wildcard password" support unless explicitly enabled by user.

CryptContext

  • host_context now dynamically detects which formats OS crypt() supports, instead of guessing based on sys.platform.
  • added predefined context for Roundup Issue Tracker database.
  • added CryptContext.verify_and_update() convenience method, to make it easier to perform both operations at once.
  • bugfix: fixed NameError in category+min_verify_time border case
  • apps & hosts modules now use new :class:`LazyCryptContext` wrapper class - this should speed up initial import, and reduce memory by not loading unneeded hashes.

Documentation

  • greatly expanded documentation on how to use CryptContexts.
  • roughly documented framework for writing & testing custom password handlers.
  • various minor improvements.

Internals

  • added generate_password() convenience method
  • refactored framework for building hash handlers, using new mixin-based system.
  • deprecated old handler framework - will remove in 1.5
  • deprecated list_to_bytes & bytes_to_list - not used, will remove in 1.5

Other

  • password hash api - as part of cleaning up optional attributes specification, renamed a number of them to reduce ambiguity:

    • renamed {xxx}_salt_chars attributes -> xxx_salt_size
    • renamed salt_charset -> salt_chars
    • old attributes still present, but deprecated - will remove in 1.5

  • password hash api - tightened specifications for salt & rounds parameters, added support for hashes w/ no max salt size.
  • improved password hash api conformance tests
  • PyPy compatibility

1.3.1 (2011-03-28)

Minor bugfix release.

  • bugfix: replaced "sys.maxsize" reference that was failing under py25
  • bugfix: fixed default_rounds>max_rounds border case that could cause ValueError during CryptContext.encrypt()
  • minor documentation changes
  • added instructions for building html documentation from source

1.3 (2011-03-25)

First public release.

  • documentation completed
  • 99% unittest coverage
  • some refactoring and lots of bugfixes
  • added support for a number of additional password schemes: bigcrypt, crypt16, sun md5 crypt, nthash, lmhash, oracle10 & 11, phpass, sha1, generic hex digests, ldap digests.

1.2 (2011-01-06)

Note

For this and all previous versions, PassLib did not exist independently, but as a subpackage of BPS, a private & unreleased toolkit library.

  • many bugfixes
  • global registry added
  • transitional release for applications using BPS library.
  • first truly functional release since splitting from BPS library (see below).

1.0 (2009-12-11)

  • CryptContext & CryptHandler framework
  • added support for: des-crypt, bcrypt (via pybcrypt), postgres, mysql
  • added unit tests

0.5 (2008-05-10)

  • initial production version
  • consolidated from code scattered across multiple applications
  • MD5-Crypt, SHA256-Crypt, SHA512-Crypt support