[Python-modules-commits] [python-passlib] 01/04: Import python-passlib_1.7.1.orig.tar.gz
Barry Warsaw
barry at moszumanska.debian.org
Tue Jan 31 16:47:38 UTC 2017
This is an automated email from the git hooks/post-receive script.
barry pushed a commit to branch master
in repository python-passlib.
commit bb7fe6848e106c697364f39d5c6eabdf44eb7bb4
Author: Barry Warsaw <barry at debian.org>
Date: Tue Jan 31 10:55:35 2017 -0500
Import python-passlib_1.7.1.orig.tar.gz
---
LICENSE | 2 +-
PKG-INFO | 9 +-
docs/_fragments/asa_verify_callout.rst | 15 ++
docs/conf.py | 8 +-
docs/history/1.5.rst | 10 +-
docs/history/1.6.rst | 10 +-
docs/history/1.7.rst | 64 +++--
docs/history/ancient.rst | 6 +-
docs/history/index.rst | 35 ++-
docs/index.rst | 11 +-
docs/install.rst | 25 +-
docs/lib/passlib.apache.rst | 2 +-
docs/lib/passlib.apps.rst | 8 +-
docs/lib/passlib.context.rst | 36 +--
docs/lib/passlib.hash.argon2.rst | 2 +-
docs/lib/passlib.hash.bcrypt.rst | 9 +-
docs/lib/passlib.hash.bcrypt_sha256.rst | 2 +-
docs/lib/passlib.hash.bsdi_crypt.rst | 4 +-
docs/lib/passlib.hash.cisco_asa.rst | 12 +-
docs/lib/passlib.hash.cisco_pix.rst | 133 ++++++----
docs/lib/passlib.hash.des_crypt.rst | 2 +-
docs/lib/passlib.hash.django_std.rst | 4 +-
docs/lib/passlib.hash.fshp.rst | 2 +-
docs/lib/passlib.hash.hex_digests.rst | 2 +-
docs/lib/passlib.hash.ldap_crypt.rst | 2 +-
docs/lib/passlib.hash.ldap_std.rst | 2 +-
docs/lib/passlib.hash.lmhash.rst | 2 +-
docs/lib/passlib.hash.md5_crypt.rst | 4 +-
docs/lib/passlib.hash.msdcc.rst | 2 +-
docs/lib/passlib.hash.msdcc2.rst | 2 +-
docs/lib/passlib.hash.mssql2000.rst | 2 +-
docs/lib/passlib.hash.mssql2005.rst | 2 +-
docs/lib/passlib.hash.mysql323.rst | 2 +-
docs/lib/passlib.hash.nthash.rst | 2 +-
docs/lib/passlib.hash.oracle10.rst | 2 +-
docs/lib/passlib.hash.oracle11.rst | 2 +-
docs/lib/passlib.hash.pbkdf2_digest.rst | 2 +-
docs/lib/passlib.hash.postgres_md5.rst | 2 +-
docs/lib/passlib.hash.rst | 69 ++++-
docs/lib/passlib.hash.scram.rst | 2 +-
docs/lib/passlib.hash.scrypt.rst | 4 +-
docs/lib/passlib.hash.sha256_crypt.rst | 2 +-
docs/lib/passlib.hash.unix_disabled.rst | 2 +-
docs/lib/passlib.hosts.rst | 8 +-
docs/lib/passlib.ifc.rst | 2 +-
docs/narr/context-tutorial.rst | 10 +-
docs/narr/hash-tutorial.rst | 95 ++++---
docs/narr/overview.rst | 10 +-
docs/narr/quickstart.rst | 10 +-
passlib.egg-info/PKG-INFO | 9 +-
passlib.egg-info/SOURCES.txt | 3 +-
passlib/__init__.py | 2 +-
passlib/_setup/docdist.py | 87 ------
passlib/_setup/stamp.py | 112 +++++++-
passlib/apache.py | 12 +-
passlib/context.py | 223 +++++-----------
passlib/crypto/digest.py | 2 +-
passlib/crypto/scrypt/__init__.py | 90 ++++---
passlib/exc.py | 8 +-
passlib/handlers/bcrypt.py | 4 +-
passlib/handlers/cisco.py | 224 ++++++++++++----
passlib/handlers/md5_crypt.py | 2 +-
passlib/handlers/misc.py | 4 +-
passlib/handlers/sha2_crypt.py | 2 +-
passlib/ifc.py | 30 ++-
passlib/pwd.py | 64 +++--
passlib/tests/test_context.py | 141 +++-------
passlib/tests/test_crypto_scrypt.py | 3 +-
passlib/tests/test_ext_django.py | 5 +-
passlib/tests/test_ext_django_source.py | 5 +-
passlib/tests/test_handlers.py | 241 +----------------
passlib/tests/test_handlers_cisco.py | 457 ++++++++++++++++++++++++++++++++
passlib/tests/test_handlers_pbkdf2.py | 10 +-
passlib/tests/test_handlers_scrypt.py | 7 +-
passlib/tests/test_pwd.py | 8 +
passlib/tests/test_totp.py | 57 +++-
passlib/tests/test_utils_handlers.py | 6 +-
passlib/tests/utils.py | 299 +++++++++++++++------
passlib/totp.py | 4 +-
passlib/utils/__init__.py | 9 +-
passlib/utils/handlers.py | 31 ++-
setup.cfg | 1 -
setup.py | 204 +++++++-------
tox.ini | 39 +--
84 files changed, 1846 insertions(+), 1216 deletions(-)
diff --git a/LICENSE b/LICENSE
index 8b37500..ba416e5 100644
--- a/LICENSE
+++ b/LICENSE
@@ -17,7 +17,7 @@ Passlib is (c) `Assurance Technologies <http://www.assurancetechnologies.com>`_,
and is released under the `BSD license <http://www.opensource.org/licenses/bsd-license.php>`_::
Passlib
- Copyright (c) 2008-2016 Assurance Technologies, LLC.
+ Copyright (c) 2008-2017 Assurance Technologies, LLC.
All rights reserved.
Redistribution and use in source and binary forms, with or without
diff --git a/PKG-INFO b/PKG-INFO
index 5aa3da5..107066a 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,12 +1,12 @@
Metadata-Version: 1.1
Name: passlib
-Version: 1.7.0
+Version: 1.7.1
Summary: comprehensive password hashing framework supporting over 30 schemes
Home-page: https://bitbucket.org/ecollins/passlib
Author: Eli Collins
Author-email: elic at assurancetechnologies.com
License: BSD
-Download-URL: https://pypi.python.org/packages/source/p/passlib/passlib-1.7.0.tar.gz
+Download-URL: https://pypi.python.org/packages/source/p/passlib/passlib-1.7.1.tar.gz
Description: Passlib is a password hashing library for Python 2 & 3, which provides
cross-platform implementations of over 30 password hashing algorithms, as well
as a framework for managing existing password hashes. It's designed to be useful
@@ -35,9 +35,14 @@ Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: BSD License
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.6
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.3
+Classifier: Programming Language :: Python :: 3.4
+Classifier: Programming Language :: Python :: 3.5
+Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: Jython
Classifier: Programming Language :: Python :: Implementation :: PyPy
diff --git a/docs/_fragments/asa_verify_callout.rst b/docs/_fragments/asa_verify_callout.rst
new file mode 100644
index 0000000..46cfdb7
--- /dev/null
+++ b/docs/_fragments/asa_verify_callout.rst
@@ -0,0 +1,15 @@
+.. rst-class:: float-right without-title
+
+.. todo::
+
+ **Caveat Emptor**
+
+ Passlib's implementations of :class:`cisco_pix` and :class:`cisco_asa` both need verification.
+ For those with access to Cisco PIX and ASA systems, verifying Passlib's reference vectors
+ would be a great help (see :issue:`51`). In the mean time, there are no guarantees
+ that passlib correctly replicates the official implementation.
+
+ .. versionchanged:: 1.7.1
+
+ A number of :ref:`bugs <passlib-asa96-bug>` were fixed after expanding
+ the reference vectors, and testing against an ASA 9.6 system.
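Review bot: The callout body and its ``versionchanged`` note pull in different directions: the body says both :class:`cisco_pix` and :class:`cisco_asa` "need verification" and carry "no guarantees", while the note says the vectors were expanded and tested against an ASA 9.6 system. State what remains unverified after that testing (the PIX variant, older ASA releases, or both) so readers can weigh the caveat. Also, "In the mean time" should be "In the meantime".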
diff --git a/docs/conf.py b/docs/conf.py
index fed98d3..6883743 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -63,7 +63,7 @@ extensions = [
'cloud_sptheme.ext.index_styling',
# inserts toc into right hand nav bar (ala old style python docs)
- 'cloud_sptheme.ext.relbar_toc',
+ 'cloud_sptheme.ext.relbar_links',
# add "issue" role
'cloud_sptheme.ext.issue_tracker',
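Review bot: The comment above the changed entry still reads "inserts toc into right hand nav bar" although the extension is now ``cloud_sptheme.ext.relbar_links``. Update the comment to describe what ``relbar_links`` does, or drop it.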
@@ -107,8 +107,10 @@ copyright = "2008-%d, %s. Last Updated %s" % (datetime.date.today().year, author
# version: The short X.Y version.
from passlib import __version__ as release
version = csp.get_version(release)
-tags.add("devcopy")
-devcopy = '.dev' in release
+if ".dev" in release:
+ tags.add("devcopy")
+if 'for-pypi' in options:
+ tags.add("pypi")
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
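Review bot: ``options`` in ``if 'for-pypi' in options:`` is not defined anywhere in the lines shown; confirm it is bound earlier in conf.py, otherwise every documentation build fails with a NameError. The removed ``devcopy = '.dev' in release`` assignment needs a matching check that nothing else in conf.py or the templates still reads ``devcopy``. The two new conditions also mix double and single quotes.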
diff --git a/docs/history/1.5.rst b/docs/history/1.5.rst
index 575e81b..9d084c2 100644
--- a/docs/history/1.5.rst
+++ b/docs/history/1.5.rst
@@ -1,6 +1,6 @@
-==========
-1.5 Series
-==========
+===========
+Passlib 1.5
+===========
.. _bcrypt-padding-issue:
@@ -99,8 +99,8 @@
* improved version datestamps in build script.
-**1.5** (2011-07-11)
-====================
+**1.5.0** (2011-07-11)
+======================
*"20% more unicode than the leading breakfast cereal"*
diff --git a/docs/history/1.6.rst b/docs/history/1.6.rst
index 6b88c4b..05b3d40 100644
--- a/docs/history/1.6.rst
+++ b/docs/history/1.6.rst
@@ -1,6 +1,6 @@
-==========
-1.6 Series
-==========
+===========
+Passlib 1.6
+===========
**1.6.5** (2015-08-04)
======================
@@ -115,8 +115,8 @@ Other Changes
* Various documentation updates and corrections.
-**1.6** (2012-05-01)
-====================
+**1.6.0** (2012-05-01)
+======================
Overview
--------
diff --git a/docs/history/1.7.rst b/docs/history/1.7.rst
index ba9b926..4900428 100644
--- a/docs/history/1.7.rst
+++ b/docs/history/1.7.rst
@@ -1,13 +1,49 @@
.. _whats-new:
-==========
-1.7 Series
-==========
+===========
+Passlib 1.7
+===========
-.. seealso::
+**1.7.1** (2017-1-30)
+=====================
- The `Roadmap <https://bitbucket.org/ecollins/passlib/wiki/Roadmap>`_
- for a list of future changes that may impact applications.
+This release rolls up assorted bug & compatibility fixes since 1.7.0.
+
+Bugfixes
+--------
+* .. py:currentmodule:: passlib.hash
+
+ :class:`cisco_asa` and :class:`cisco_pix`: Fixed a number of issues
+ which under :ref:`certain conditions <passlib-asa96-bug>`
+ caused prior releases to generate hashes that were unverifiable
+ on Cisco systems.
+
+* .. py:currentmodule:: passlib.ifc
+
+ :meth:`PasswordHash.hash` will now warn if passed any settings
+ keywords. This usage was deprecated in 1.7.0, but warning wasn't properly enabled.
+ See :ref:`hash-configuring` for the preferred way to pass settings.
+
+* **setup.py**: Don't append timestamp when run from an sdist.
+ This should fix some downstream build issues.
+
+* :mod:`!passlib.tests.test_totp`: Test suite now traps additional errors that :func:`datetime.utcfromtimestamp`
+ may throw under python 3, which should fix some test failures on architectures with rarer ILP sizes.
+ It also works around Python 3.6 bug `29100 <https://bugs.python.org/issue29100>`_.
+
+Deprecations
+------------
+
+* :class:`~passlib.context.CryptContext`: The ``harden_verify`` flag has been turned into a NOOP and deprecated.
+ It will be removed in passlib 1.8 along with the already-deprecated ``min_verify_time`` (:issue:`83`).
+
+Other Changes
+-------------
+
+* :mod:`!passlib.tests.utils`: General truncation policy details were hammered out,
+ and additional hasher tests were added to enforce them.
+
+* **documentation**: Various updates & corrections.
.. rst-class:: emphasize-children toc-always-open
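Review bot: The Deprecations entry says only that ``harden_verify`` "has been turned into a NOOP"; an application that enabled it under 1.7.0 no longer gets the verification-time padding, and the entry gives neither the reason nor a recommended replacement. Add a sentence explaining why it was neutralised and what such applications should do, or make clear that :issue:`83` carries that explanation. Separately, the heading date ``2017-1-30`` is not zero-padded, unlike ``2015-08-04`` in the 1.6 notes.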
@@ -83,12 +119,6 @@ New Features
methods for dealing with hashes representing
:ref:`disabled accounts <context-disabled-hashes>` (:issue:`45`).
- * The :class:`~passlib.context.CryptContext` object now supports
- a :ref:`harden_verify <context-harden-verify-option>` option,
- allowing applications to introduce a delay in verification
- to help prevent attackers discovering weak or missing hashes
- through timing attacks.
-
* All hashers which truncate passwords (e.g. :class:`~passlib.hash.bcrypt`
and :class:`~passlib.hash.des_crypt`) can now be configured to raise
a :exc:`~passlib.exc.PasswordTruncateError` when a overly-large password is provided.
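Review bot: Deleting the ``harden_verify`` bullet from the 1.7.0 "New Features" list rewrites the record of what 1.7.0 shipped, so someone reading these notes to understand an existing 1.7.0 deployment will not learn the option existed. Keep the bullet and append a short pointer to the 1.7.1 deprecation instead.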
@@ -175,7 +205,8 @@ Deprecations
As part of a long-range plan to restructure and simplify both the API and the internals of Passlib,
a number of methods have been deprecated & replaced. The eventually goal is a large cleanup
and overhaul as part of Passlib 2.0. There will be at least one more 1.x version
-before Passlib 2.0, to provide a final transitional release.
+before Passlib 2.0, to provide a final transitional release
+(see the `Passlib Roadmap <https://bitbucket.org/ecollins/passlib/wiki/Roadmap>`_).
Password Hash API Deprecations
..............................
@@ -201,11 +232,12 @@ Password Hash API Deprecations
To provide settings such as ``rounds`` and ``salt_size``, callers
should use the new :meth:`PasswordHash.using`
method, which generates a new hasher with a customized configuration.
+ For example, instead of::
- >>> # for example, instead of this:
>>> sha256_crypt.encrypt("secret", rounds=12345)
- >>> # callers should now use:
+ ... applications should now use::
+
>>> sha256_crypt.using(rounds=12345).hash("secret")
Support for the old syntax will be removed in Passlib 2.0.
@@ -293,8 +325,6 @@ Scheduled removal of features:
* **[minor]** :mod:`passlib.context`: The :ref:`min_verify_time <context-min-verify-time-option>` keyword
that was deprecated in release 1.6, is now completely ignored.
Support will be removed entirely in release 1.8.
- See the new :ref:`harden_verify <context-harden-verify-option>` keyword
- that replaces it.
* **[trivial]** :mod:`passlib.hash`: The internal :meth:`!PasswordHash.parse_rounds` method, deprecated in 1.6, has been removed.
diff --git a/docs/history/ancient.rst b/docs/history/ancient.rst
index 797f584..f8a34ed 100644
--- a/docs/history/ancient.rst
+++ b/docs/history/ancient.rst
@@ -1,6 +1,6 @@
-=============
-1.4 & Earlier
-=============
+=====================
+Passlib 1.4 & Earlier
+=====================
**1.4** (2011-05-04)
====================
diff --git a/docs/history/index.rst b/docs/history/index.rst
index c4a6689..219b713 100644
--- a/docs/history/index.rst
+++ b/docs/history/index.rst
@@ -4,19 +4,36 @@
Release History
===============
-.. centered:: This is the documentation for the :ref:`1.7.0 Release <whats-new>` of Passlib.
-
-.. rst-class:: float-right
+.. rst-class:: float-center without-title
.. seealso::
- The `Roadmap <https://bitbucket.org/ecollins/passlib/wiki/Roadmap>`_
- for a list of future changes that may impact applications.
+ **For the latest release:** see :ref:`What's New <whats-new>` in Passlib 1.7
+
+.. toctree::
+ :maxdepth: 2
+
+ 1.7 Series <1.7>
+
+.. toctree::
+ :maxdepth: 2
+
+ 1.6 Series <1.6>
.. toctree::
:maxdepth: 2
- 1.7
- 1.6
- 1.5
- ancient
+ 1.5 Series <1.5>
+
+.. toctree::
+ :maxdepth: 2
+
+ 1.4 & Earlier <ancient>
+
+.. rst-class:: float-center without-title
+
+.. seealso::
+
+ See the `Project Roadmap <https://bitbucket.org/ecollins/passlib/wiki/Roadmap>`_
+ for a list of future changes that may impact applications.
+
diff --git a/docs/index.rst b/docs/index.rst
index d21f9ee..8409ef9 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -2,7 +2,8 @@
:align: center
:class: show-for-small
-.. rst-class:: float-right without-title
+
+.. rst-class:: float-right
.. seealso:: :ref:`What's new in Passlib 1.7 <whats-new>`
@@ -18,6 +19,14 @@ Passlib |release| documentation
For documentation of the latest stable version,
see `<https://passlib.readthedocs.io>`_.
+.. only:: pypi
+
+ .. warning::
+
+ The official Passlib documentation have moved to `<https://passlib.readthedocs.io>`_.
+ Documentation at this location is still being maintained,
+ but will be updated much less frequently.
+
Welcome
=======
Passlib is a password hashing library for Python 2 & 3, which provides
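Review bot: In the new ``.. only:: pypi`` warning, "The official Passlib documentation have moved" should read "has moved". The same warning says documentation "at this location" is still maintained; naming the location would keep the sentence meaningful if the text is ever rendered elsewhere.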
diff --git a/docs/install.rst b/docs/install.rst
index 6ee3d7f..be11d5d 100644
--- a/docs/install.rst
+++ b/docs/install.rst
@@ -104,21 +104,30 @@ Testing
Passlib contains a comprehensive set of unittests (about 38% of the total code),
which provide nearly complete coverage, and verification of the hash
algorithms using multiple external sources (if detected at runtime).
+
All unit tests are contained within the :mod:`passlib.tests` subpackage,
and are designed to be run using the
`Nose <http://somethingaboutorange.com/mrl/projects/nose>`_ unit testing library
(as well as the ``unittest2`` library under Python 2.6).
-Once Passlib and Nose have been installed, the main suite of tests may be run from the source directory::
+Once Passlib and Nose have been installed, the main suite of tests may be run using::
+
+ nosetests --tests passlib.tests
+
+By default, this runs the main battery of tests, but omits some additional ones
+(such as internal cross-checks, and mock-testing of features not provided natively by the host OS).
+To run these tests as well, set the following environmental variable::
- nosetests --tests passlib/tests
+ PASSLIB_TEST_MODE="full" nosetests --tests passlib.tests
-To run the full test suite, which includes internal cross-checks and mock-testing
-of features not provided natively by the host OS::
+To run a quick check to confirm just basic functionality, with a pared-down set of tests::
- PASSLIB_TEST_MODE="full" nosetests --tests passlib/tests
+ PASSLIB_TEST_MODE="quick" nosetests --tests passlib.tests
Tests may also be run via ``setup.py test`` or the included ``tox.ini`` file.
+The ``tox.ini`` file is used to test passlib before each release,
+and contains a number different environment setups.
+These tests require `tox <https://pypi.python.org/pypi/tox>`_ 2.5 or later.
.. rst-class:: html-toggle
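Review bot: Two wording slips in the added Testing text: "contains a number different environment setups" is missing "of", and "environmental variable" should be "environment variable". The new requirement "tox 2.5 or later" would be easier to act on if it said what fails with an older tox.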
@@ -129,11 +138,9 @@ online at `<https://passlib.readthedocs.io>`_.
If you wish to generate your own copy of the documentation,
you will need to:
-1. Install `Sphinx <http://sphinx.pocoo.org/>`_ (1.3 or newer)
-2. Install the `Cloud Sphinx Theme <http://packages.python.org/cloud_sptheme>`_ (1.8 or newer).
+1. Install `Sphinx <http://sphinx.pocoo.org/>`_ (1.4 or newer)
+2. Install the `Cloud Sphinx Theme <http://packages.python.org/cloud_sptheme>`_ (1.8.2 or newer).
3. Download the Passlib source
4. From the Passlib source directory, run :samp:`python setup.py build_sphinx`.
5. Once Sphinx completes its run, point a web browser to the file at :samp:`{SOURCE}/build/sphinx/html/index.html`
to access the Passlib documentation in html format.
-6. Alternately, steps 4 & 5 can be replaced by running :samp:`python setup.py docdist`,
- which will build a zip file of the documentation in :samp:`{SOURCE}/dist`.
diff --git a/docs/lib/passlib.apache.rst b/docs/lib/passlib.apache.rst
index 6274159..b87eb63 100644
--- a/docs/lib/passlib.apache.rst
+++ b/docs/lib/passlib.apache.rst
@@ -16,7 +16,7 @@ htpasswd and htdigest files; though the use of two helper classes.
.. versionchanged:: 1.7
- These classes will now preserve blank lines & "#" comments when updating
+ These classes will now preserve blank lines and "#" comments when updating
htpasswd files; previous releases would throw a parse error.
.. index:: Apache; htpasswd
diff --git a/docs/lib/passlib.apps.rst b/docs/lib/passlib.apps.rst
index e89b804..7e5559f 100644
--- a/docs/lib/passlib.apps.rst
+++ b/docs/lib/passlib.apps.rst
@@ -3,7 +3,7 @@
==================================================================
.. module:: passlib.apps
- :synopsis: encrypting & verifying passwords used in sql servers and other applications
+ :synopsis: hashing & verifying passwords used in sql servers and other applications
.. _predefined-context-example:
@@ -23,7 +23,7 @@ Each of the objects in this module can be imported directly::
>>> # a helper to let new applications *quickly* add password hashing.
>>> from passlib.apps import custom_app_context
-Encrypting a password is simple (and salt generation is handled automatically)::
+Hashing a password is simple (and salt generation is handled automatically)::
>>> hash = custom_app_context.hash("toomanysecrets")
>>> hash
@@ -185,11 +185,11 @@ PostgreSQL
This object should recognize password hashes stores in PostgreSQL's ``pg_shadow`` table;
which are all assumed to follow the :class:`~passlib.hash.postgres_md5` format.
- Note that the username must be provided whenever encrypting or verifying a postgres hash::
+ Note that the username must be provided whenever hashing or verifying a postgres hash::
>>> from passlib.apps import postgres_context
- >>> # encrypting a password...
+ >>> # hashing a password...
>>> postgres_context.hash("somepass", user="dbadmin")
'md578ed0f0ab2be0386645c1b74282917e7'
diff --git a/docs/lib/passlib.context.rst b/docs/lib/passlib.context.rst
index 2c95a74..5ed7413 100644
--- a/docs/lib/passlib.context.rst
+++ b/docs/lib/passlib.context.rst
@@ -23,7 +23,7 @@ The CryptContext Class
======================
.. class:: CryptContext(schemes=None, \*\*kwds)
- Helper for encrypting passwords using different algorithms.
+ Helper for hashing passwords using different algorithms.
At its base, this is a proxy object that makes it easy to use
multiple :class:`~passlib.ifc.PasswordHash` objects at the same time.
@@ -104,7 +104,7 @@ Options which directly affect the behavior of the CryptContext instance:
Specifies the name of the default scheme.
This option controls which of the configured
- schemes will be used as the default when encrypting
+ schemes will be used as the default when creating
new hashes. This parameter is optional; if omitted,
the first non-deprecated algorithm in ``schemes`` will be used.
You can use the :meth:`~CryptContext.default_scheme` method
@@ -180,37 +180,21 @@ Options which directly affect the behavior of the CryptContext instance:
and will be removed in version 1.8.
.. versionchanged:: 1.7
- Per deprecation roadmap above, this option is now ignored.
- See ``harden_verify`` below for a replacement.
+ Per deprecation roadmap above, this option is now ignored.
.. _context-harden-verify-option:
``harden_verify``
- If set to ``true``, CryptContext will pause the first time :meth:`verify`
- is called, in order to calculate the "average" time it would take
- to verify a hash created using the default settings.
-
- Subsequent :meth:`verify` calls using will have their time padded
- to this minimum time, in order to make it harder for an attacker
- to guess which accounts have weak hashes.
-
- Applications may also wish to call :meth:`~CryptContext.dummy_verify` for login
- attempts where the user does not exist, in order to mask which
- users accounts have valid hashes.
+ Companion to ``min_verify_time``, currently ignored.
- This option can be set to ``True`` or ``False`` (the default).
-
- The default (may) be changed in a later 2.x release.
-
- .. warning::
+ .. versionadded:: 1.7
- This feature is new, and adjustments may need to be made
- to when (and how) the code calculates what the "minimum verification time"
- is supposed to be.
+ .. deprecated:: 1.7.1
- .. versionadded:: 1.7
+ This option is ignored by 1.7.1, and will be removed in 1.8
+ along with ``min_verify_time``.
.. _context-algorithm-options:
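Review bot: The rewritten ``harden_verify`` entry drops the paragraph recommending :meth:`~CryptContext.dummy_verify` for login attempts where the user does not exist. That advice is about masking which accounts have valid hashes, not about the padding option itself, so if ``dummy_verify`` remains supported the recommendation should move to its own place in the docs rather than vanish with this hunk. "Companion to ``min_verify_time``, currently ignored" also gives no reason; a one-line rationale or a link to the issue would help readers who set the flag.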
@@ -400,7 +384,7 @@ For example, a CryptContext could be set up as follows::
... sha256_crypt__default_rounds=77000,
... staff__sha256_crypt__default_rounds=88000)
- >>> # In this case, calling encrypt with ``category=None`` would result
+ >>> # In this case, calling hash() with ``category=None`` would result
>>> # in a hash that used 77000 sha256-crypt rounds:
>>> myctx.hash("password", category=None)
'$5$rounds=77000$sj3XI0AbKlEydAKt$BhFvyh4.IoxaUeNlW6rvQ.O0w8BtgLQMYorkCOMzf84'
@@ -442,7 +426,7 @@ style methods provided by all the :class:`~passlib.ifc.PasswordHash` objects:
Hash Migration
--------------
-Applications which want to detect and re-encrypt deprecated
+Applications which want to detect and regenerate deprecated
hashes will want to use one of the following methods:
.. automethod:: CryptContext.verify_and_update
diff --git a/docs/lib/passlib.hash.argon2.rst b/docs/lib/passlib.hash.argon2.rst
index 0eb1ad6..fcc9508 100644
--- a/docs/lib/passlib.hash.argon2.rst
+++ b/docs/lib/passlib.hash.argon2.rst
@@ -17,7 +17,7 @@ for new applications. This class can be used directly as follows::
>>> from passlib.hash import argon2
- >>> # generate new salt, encrypt password
+ >>> # generate new salt, hash password
>>> h = argon2.hash("password")
>>> h
'$argon2i$v=19$m=512,t=2,p=2$aI2R0hpDyLm3ltLa+1/rvQ$LqPKjd6n8yniKtAithoR7A'
diff --git a/docs/lib/passlib.hash.bcrypt.rst b/docs/lib/passlib.hash.bcrypt.rst
index 946c5ff..c7c5951 100644
--- a/docs/lib/passlib.hash.bcrypt.rst
+++ b/docs/lib/passlib.hash.bcrypt.rst
@@ -13,7 +13,7 @@ for new applications. This class can be used directly as follows::
>>> from passlib.hash import bcrypt
- >>> # generate new salt, encrypt password
+ >>> # generate new salt, hash password
>>> h = bcrypt.hash("password")
>>> h
'$2a$12$NT0I31Sa7ihGEWpka9ASYrEFkhuTNeBQ2xfZskIiiJeyFXhRgS.Sy'
@@ -169,7 +169,7 @@ This implementation of bcrypt differs from others in a few ways:
generated with the buggy algorithm. Passlib 1.6 recognizes (but does not
currently support generating or verifying) these hashes.
- ``$2y$``, the default for crypt_blowfish 1.1 and newer, indicates
+ ``$2y$``, the default for crypt_blowfish 1.1-1.2, indicates
the hash was generated with the canonical OpenBSD-compatible algorithm,
and should match *correctly* generated ``$2a$`` hashes.
Passlib 1.6 can generate and verify these hashes.
@@ -180,6 +180,8 @@ This implementation of bcrypt differs from others in a few ways:
does not support this algorithmic variant either, though it should
be *very* rarely encountered in practice.
+ (crypt_blowfish 1.3 switched to the ``$2b$`` standard as the default)
+
.. versionchanged:: 1.6.3
Passlib will now throw a :exc:`~passlib.exc.PasslibSecurityError` if an attempt is
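Review bot: The added parenthetical about crypt_blowfish 1.3 lands after the paragraph ending "rarely encountered in practice", but it qualifies the ``$2y$`` paragraph, which the previous hunk changed to "crypt_blowfish 1.1-1.2". Move it next to that paragraph, and write it as a full sentence with a capital and a closing period to match the surrounding text.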
@@ -223,4 +225,5 @@ This implementation of bcrypt differs from others in a few ways:
`CVE-2011-2483 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2483>`_
.. [#wraparound] The wraparound flaw is described here -
- `<http://www.openwall.com/lists/oss-security/2012/01/02/4>`_
\ No newline at end of file
+ `<http://www.openwall.com/lists/oss-security/2012/01/02/4>`_
+
diff --git a/docs/lib/passlib.hash.bcrypt_sha256.rst b/docs/lib/passlib.hash.bcrypt_sha256.rst
index a7470c0..c9d2870 100644
--- a/docs/lib/passlib.hash.bcrypt_sha256.rst
+++ b/docs/lib/passlib.hash.bcrypt_sha256.rst
@@ -15,7 +15,7 @@ This class can be used directly as follows::
>>> from passlib.hash import bcrypt_sha256
- >>> # generate new salt, encrypt password
+ >>> # generate new salt, hash password
>>> h = bcrypt_sha256.hash("password")
>>> h
'$bcrypt-sha256$2a,12$LrmaIX5x4TRtAwEfwJZa1.$2ehnw6LvuIUTM0iz4iz9hTxv21B6KFO'
diff --git a/docs/lib/passlib.hash.bsdi_crypt.rst b/docs/lib/passlib.hash.bsdi_crypt.rst
index cb82797..605f190 100644
--- a/docs/lib/passlib.hash.bsdi_crypt.rst
+++ b/docs/lib/passlib.hash.bsdi_crypt.rst
@@ -14,7 +14,7 @@ It class can be used directly as follows::
>>> from passlib.hash import bsdi_crypt
- >>> # generate new salt, encrypt password
+ >>> # generate new salt, hash password
>>> hash = bsdi_crypt.hash("password")
>>> hash
'_7C/.Bf/4gZk10RYRs4Y'
@@ -48,7 +48,7 @@ Interface
Format
======
An example hash (of the string ``password``) is ``_EQ0.jzhSVeUyoSqLupI``.
-A bsdi_crypt hash string consists of a 21 character string of the form :samp:`_{rounds}{salt}{checksum}`.
+A bsdi_crypt hash string consists of a 20 character string of the form :samp:`_{rounds}{salt}{checksum}`.
All characters except the underscore prefix are drawn from ``[./0-9A-Za-z]``.
* ``_`` - the underscore is used to distinguish this scheme from others, such as des-crypt.
diff --git a/docs/lib/passlib.hash.cisco_asa.rst b/docs/lib/passlib.hash.cisco_asa.rst
index 3b9e757..5875214 100644
--- a/docs/lib/passlib.hash.cisco_asa.rst
+++ b/docs/lib/passlib.hash.cisco_asa.rst
@@ -1,7 +1,7 @@
.. index:: Cisco; ASA hash
==================================================================
-:class:`passlib.hash.cisco_asa` - Cisco ASA hash
+:class:`passlib.hash.cisco_asa` - Cisco ASA MD5 hash
==================================================================
.. include:: ../_fragments/insecure_hash_warning.rst
@@ -10,9 +10,11 @@
.. versionadded:: 1.7
-The :class:`!cisco_asa` handler provides support for the 2005 revision of the older :class:`!cisco_pix` hash.
-The usage, functionality, and format is the same as for :class:`!cisco_pix`,
+.. include:: ../_fragments/asa_verify_callout.rst
-.. seealso::
+The :class:`!cisco_asa` class provides support for Cisco ASA "encrypted" hash format.
+This is a revision of the older :class:`!cisco_pix` hash;
+and the usage and format is the same.
- :doc:`cisco_pix <passlib.hash.cisco_pix>` documentation page.
+**See the** :doc:`cisco_pix <passlib.hash.cisco_pix>` **documentation page**
+for combined details of both these classes.
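Review bot: Grammar in the new intro: "provides support for Cisco ASA "encrypted" hash format" needs "the" before "Cisco ASA", and "the usage and format is the same" should be "are the same". The sentence joining them with "; and" reads better split in two.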
diff --git a/docs/lib/passlib.hash.cisco_pix.rst b/docs/lib/passlib.hash.cisco_pix.rst
index d879748..f9978f2 100644
--- a/docs/lib/passlib.hash.cisco_pix.rst
+++ b/docs/lib/passlib.hash.cisco_pix.rst
@@ -1,57 +1,57 @@
.. index:: Cisco; PIX hash
==================================================================
-:class:`passlib.hash.cisco_pix` - Cisco PIX hash
+:class:`passlib.hash.cisco_pix` - Cisco PIX MD5 hash
==================================================================
+.. currentmodule:: passlib.hash
+
.. include:: ../_fragments/insecure_hash_warning.rst
.. versionadded:: 1.6
-.. todo::
-
- Passlib currently lack a thorough set of test cases for the :class:`cisco_asa` hash
- For people with access to such a system, verifying passlib's reference vectors
- would be a great help (see :issue:`51`).
- In the mean time, there are no guarantees that its behavior correctly replicates
- the official implementation. *caveat emptor*.
-
-.. warning::
-
- This class does not correctly handle hashes generated by
- Pix/ASA 7.0 (2005) or newer; particularly for passwords 13 characters or more
- (:issue:`51`). A new :class:`!cisco_asa` will be added in Passlib 1.7 to support these hashes.
+Overview
+========
+.. include:: ../_fragments/asa_verify_callout.rst
-.. currentmodule:: passlib.hash
+The :class:`cisco_asa` class implements the "encrypted" password hash algorithm commonly found on Cisco
+ASA systems. The companion :class:`cisco_pix` class
+implements the older variant found on Cisco PIX.
+Aside from internal differences, and slightly different limitations,
+the two hashes have the same format, and in some cases the same output.
-The :class:`cisco_pix` class implements the password hash algorithm commonly found on older Cisco
-PIX firewalls. The :class:`cisco_asa` class implements a newer variant found Cisco ASA 7.0 and
-newer systems. They can be used directly as follows::
+These classes can be used directly to generate or verify a hash for a specific
+user. Specifying the user account name is required for this hash::
- >>> from passlib.hash import cisco_pix as pix
+ >>> from passlib.hash import cisco_asa
- >>> # encrypt password using specified username
- >>> hash = pix.hash("password", user="user")
+ >>> # hash password using specified username
+ >>> hash = cisco_asa.hash("password", user="user")
>>> hash
'A5XOy94YKDPXCo7U'
>>> # verify correct password
- >>> pix.verify("password", hash, user="user")
+ >>> cisco_asa.verify("password", hash, user="user")
True
+
>>> # verify correct password w/ wrong username
- >>> pm.verify("password", hash, user="other")
+ >>> cisco_asa.verify("password", hash, user="other")
False
+
>>> # verify incorrect password
- >>> pm.verify("letmein", hash, user="user")
+ >>> cisco_asa.verify("letmein", hash, user="user")
False
- >>> # encrypt password without associate user account
- >>> hash2 = pix.hash("password")
+The main "enable" password can be hashes / verified just by omitting
+the ``user`` parameter, or setting ``user=""``::
+
+ >>> # hash password without associated user account
+ >>> hash2 = cisco_asa.hash("password")
>>> hash2
'NuLKvvWGg.x9HEKO'
>>> # verify password without associated user account
- >>> pix.verify("password", hash2)
+ >>> cisco_asa.verify("password", hash2)
True
.. seealso:: the generic :ref:`PasswordHash usage examples <password-hash-examples>`
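Review bot: "The main "enable" password can be hashes / verified" should read "hashed / verified". Every example on this page now uses ``cisco_asa``, leaving the ``cisco_pix`` page without a single ``cisco_pix`` call; keep at least one. The expected outputs ``'A5XOy94YKDPXCo7U'`` and ``'NuLKvvWGg.x9HEKO'`` are unchanged from the old ``pix`` examples, so confirm they were regenerated with ``cisco_asa`` rather than carried over.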
@@ -66,8 +66,8 @@ Interface
.. note::
These hash algorithms have a context-sensitive peculiarity.
- It takes in an optional username, used to salt the hash,
- but with specific restrictions...
+ They take in an optional username to salt the hash,
+ but have specific restrictions...
* The username *must* be provided in order to correctly hash passwords
associated with a user account on the Cisco device.
@@ -80,15 +80,19 @@ Interface
Format & Algorithm
==================
-Cisco PIX / ASA hashes consist of a 12 byte digest, encoded as a 16 character
+Cisco PIX & ASA hashes consist of a 12 byte digest, encoded as a 16 character
:data:`HASH64 <passlib.utils.binary.h64>`-encoded string. An example
-hash (of ``"password"``) is ``"NuLKvvWGg.x9HEKO"``.
+hash (of ``"password"``, with user ``""``) is ``"NuLKvvWGg.x9HEKO"``.
The PIX / ASA digests are calculated as follows:
-1. The password is encoded using an ``ASCII``-compatible encoding
- (all known references are strict 7-bit ascii, and Passlib uses ``UTF-8``
- to provide unicode support).
+1. The password is encoded using ``UTF-8`` (though entering non-ASCII
+ characters is subject to interface-specific issues, and may lead
+ to problems such as double-encoding).
+
+ If the result is greater than 16 bytes (for PIX), or 32 bytes (for ASA),
+ the password is not allowed -- it will be rejected when set,
+ and simplify not verify during authentication.
2. If the hash is associated with a user account,
append the first four bytes of the user account name
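Review bot: in the paragraph added under step 1, "and simplify not verify during authentication" should read "and will simply not verify". The paragraph also says what the Cisco device does with a password over 16 bytes (PIX) or 32 bytes (ASA) but not what Passlib does with one. Step 3 truncates to the pad size, so state here whether hash() and verify() reject an over-length password or let it hash the same as its truncated prefix.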
@@ -96,14 +100,18 @@ The PIX / ASA digests are calculated as follows:
with a user account (e.g. it's the "enable" password),
this step should be omitted.
+ If the user account is 1-3 bytes, it is repeated until all 4 bytes are filled
+ up (e.g. "usr" becomes "usru").
+
For :class:`!cisco_asa`,
this step is omitted if the password is 28 bytes or more.
-3. The password should be truncated to 16 bytes, or the right side NULL
- padded to 16 bytes, as appropriate.
+3. The password+user string is truncated, or right-padded with NULLs,
+ until it's 16 bytes in size.
For :class:`!cisco_asa`,
- if the password is 13 or more bytes, the truncate/padding size is increased to 32 bytes.
+ if the password+user string is 16 or more bytes,
+ a padding size of 32 is used instead.
4. Run the result of step 3 through MD5.
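Review bot: the boundary in the new ASA rule in step 3, "if the password+user string is 16 or more bytes, a padding size of 32 is used instead", needs confirming. At exactly 16 bytes (a 12-byte password plus the 4-byte user, or a 16-byte enable password) padding to 16 and padding to 32 feed different input to MD5 in step 4, so "16 or more" and "more than 16" produce different hashes, while the bugfix note further down only mentions password lengths 13-15. Check the wording against the reference vectors and spell out the exact comparison.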
@@ -112,6 +120,10 @@ The PIX / ASA digests are calculated as follows:
6. Encode the 12-byte result using :data:`HASH64 <passlib.utils.binary.h64>`.
+.. versionchanged:: 1.7.1
+
+ Updated to reflect current understanding of the algorithm.
+
Security Issues
===============
This algorithm is not suitable for *any* use besides manipulating existing
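Review bot: the added ``versionchanged:: 1.7.1`` text, "Updated to reflect current understanding of the algorithm", does not tell the reader that computed hashes changed. Point it at the ``passlib-asa96-bug`` target added under Deviations, or say here that hashes produced by earlier releases may not verify on a Cisco system in the cases listed there.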
@@ -138,22 +150,44 @@ Cisco PIX hashes, due to the following flaws:
Deviations
==========
-This implementation differs from the standard in one main way:
+This implementation tries to adhere to the canonical Cisco implementation,
+but without an official specification, there may be other unknown deviations.
+The following are known issues:
* Unicode Policy:
- The official Cisco PIX algorithm is primarily used with ``ascii`` passwords,
- how it handles other characters is not known.
+ ASA documentation [#charset]_ indicates it uses UTF-8 encoding,
+ and Passlib does as well. However, some ASA interfaces
+ have issues such as: ASDM may double-encode unicode characters,
+ and SSH connections may drop non-ASCII characters entirely.
+
+* How usernames are added is not entirely pinned down. Under ASA, 3-character
+ usernames have their last character repeated to make a string of length 4.
+ It is currently assumed that a similar repetition would be applied to
+ usernames of 1-2 characters, and that this applies to PIX as well;
+ though neither assumption has been confirmed.
+
+* .. _passlib-asa96-bug:
- In order to provide support for unicode strings,
- Passlib will encode unicode passwords using ``utf-8``
- before running them through this algorithm. If a different
- encoding is desired by an application, the password should be encoded
- before handing it to Passlib.
+ **Passlib 1.7.1 Bugfix**: Prior releases of Passlib had a number of issues
+ with their implementation of the PIX & ASA algorithms. As of 1.7.1,
+ the reference vectors were greatly expanded, and then tested against
+ an ASA 9.6 system. This revealed a number of errors in passlib's implementation,
+ which under the following conditions would create hashes that were
+ unverifiable on a Cisco system:
-* While this implementation agrees with all known references,
- the actual algorithm has not been published by Cisco, so there may be other
- unknown deviations.
+ - PIX and ASA: Usernames containing 1-3 characters were not appended correctly (step 2, above).
+
+ - ASA omits the user entirely (step 2, above) for passwords with >= 28 characters,
+ not >= 27. Non-enable passwords of exactly 27 characters were previous hashed
+ incorrectly.
+
+ - ASA's padding size decision (step 3, above) is made after the user
+ has been appended, not before. This caused prior releases to
+ incorrectly hash non-enable passwords of length 13-15.
+
+ Anyone relying on cisco_asa or cisco_pix should upgrade to Passlib 1.7.1 or newer
+ to avoid these issues.
.. rubric:: Footnotes
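Review bot: the new username bullet says 3-character usernames "have their last character repeated", which contradicts the example added to step 2 ("usr" becomes "usru", where the first character is the one repeated); make the two descriptions agree. In the bugfix item, "were previous hashed" should be "were previously hashed". The closing upgrade advice should also say that hashes already generated by older releases under the three listed conditions have to be regenerated, because upgrading the library does not repair stored values.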
@@ -166,3 +200,6 @@ This implementation differs from the standard in one main way:
.. [#] Partial description of ASA algorithm -
`<https://github.com/stekershaw/asa-password-encrypt/blob/master/README.md>`_
+
+.. [#charset] Character set used by ASA 8.4 -
+ `<http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_cli.html#Supported_Character_Sets>`_
diff --git a/docs/lib/passlib.hash.des_crypt.rst b/docs/lib/passlib.hash.des_crypt.rst
index 7aa6528..c282d5e 100644
--- a/docs/lib/passlib.hash.des_crypt.rst
+++ b/docs/lib/passlib.hash.des_crypt.rst
@@ -13,7 +13,7 @@ It can used directly as follows::
>>> from passlib.hash import des_crypt
- >>> # generate new salt, encrypt password
+ >>> # generate new salt, hash password
>>> hash = des_crypt.hash("password")
'JQMuyS6H.AGMo'
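Review bot: in the example this hunk touches, the output 'JQMuyS6H.AGMo' follows the assignment ``hash = des_crypt.hash("password")`` directly, which an interactive session would not print. Add a ``>>> hash`` line before the output, as the cisco_asa example does. The sentence quoted in the hunk header, "It can used directly as follows", is also missing "be".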
diff --git a/docs/lib/passlib.hash.django_std.rst b/docs/lib/passlib.hash.django_std.rst
index 02116c6..5135f4f 100644
--- a/docs/lib/passlib.hash.django_std.rst
+++ b/docs/lib/passlib.hash.django_std.rst
@@ -96,7 +96,7 @@ These classes can be used directly as follows::
>>> from passlib.hash import django_pbkdf2_sha256 as handler
- >>> # encrypt password
+ >>> # hash password
>>> h = handler.hash("password")
>>> h
'pbkdf2_sha256$10000$s1w0UXDd00XB$+4ORmyvVWAQvoAEWlDgN34vlaJx1ZTZpa1pCSRey2Yk='
@@ -176,7 +176,7 @@ These classes can be used directly as follows::
>>> from passlib.hash import django_salted_sha1 as handler
- >>> # encrypt password
+ >>> # hash password
>>> h = handler.hash("password")
>>> h
'sha1$c6218$161d1ac8ab38979c5a31cbaba4a67378e7e60845'
diff --git a/docs/lib/passlib.hash.fshp.rst b/docs/lib/passlib.hash.fshp.rst
index 6ffefd0..ef959d3 100644
--- a/docs/lib/passlib.hash.fshp.rst
+++ b/docs/lib/passlib.hash.fshp.rst
@@ -23,7 +23,7 @@ It can be used directly as follows::
... 4231 lines suppressed ...
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-passlib.git