authorEli Collins <elic@assurancetechnologies.com>2017-01-22 13:57:19 -0500
committerEli Collins <elic@assurancetechnologies.com>2017-01-22 13:57:19 -0500
commit6b3c7bc41519db039098b6f769734e34a388423c (patch)
treeb83980ea03765d099c6a3c2e6e5354490237a474
parenta8a6d594f15458b4e81fa0054d2c49b57dd72fb5 (diff)
parent51f21eb091243fe4abf0915a4c391c548e24e9a9 (diff)
downloadpasslib-6b3c7bc41519db039098b6f769734e34a388423c.tar.gz
Merge with stable
-rw-r--r--docs/history/1.5.rst4
-rw-r--r--docs/history/1.6.rst4
-rw-r--r--docs/history/1.7.rst5
-rw-r--r--docs/lib/passlib.hash.bcrypt.rst7
-rw-r--r--passlib/_setup/stamp.py12
-rw-r--r--passlib/crypto/digest.py2
-rw-r--r--passlib/handlers/bcrypt.py4
-rw-r--r--passlib/ifc.py2
-rw-r--r--passlib/tests/test_totp.py48
-rw-r--r--passlib/tests/utils.py8
-rw-r--r--passlib/totp.py4
-rw-r--r--passlib/utils/handlers.py3
12 files changed, 69 insertions, 34 deletions
diff --git a/docs/history/1.5.rst b/docs/history/1.5.rst
index 9d4135c..9d084c2 100644
--- a/docs/history/1.5.rst
+++ b/docs/history/1.5.rst
@@ -99,8 +99,8 @@ Passlib 1.5
* improved version datestamps in build script.
-**1.5** (2011-07-11)
-====================
+**1.5.0** (2011-07-11)
+======================
*"20% more unicode than the leading breakfast cereal"*
diff --git a/docs/history/1.6.rst b/docs/history/1.6.rst
index 466343f..45ae322 100644
--- a/docs/history/1.6.rst
+++ b/docs/history/1.6.rst
@@ -115,8 +115,8 @@ Other Changes
* Various documentation updates and corrections.
-**1.6** (2012-05-01)
-====================
+**1.6.0** (2012-05-01)
+======================
Overview
--------
diff --git a/docs/history/1.7.rst b/docs/history/1.7.rst
index 449ee56..60319dd 100644
--- a/docs/history/1.7.rst
+++ b/docs/history/1.7.rst
@@ -13,6 +13,11 @@ Passlib 1.7
* bugfix: setup.py: prevent erroneous version strings when run from an sdist.
+* bugfix: TOTP tests: test setup now traps additional errors utcfromtimestamp()
+ may throw under python 3.
+
+* various documentation updates
+
.. rst-class:: emphasize-children toc-always-open
**1.7.0** (2016-11-22)
diff --git a/docs/lib/passlib.hash.bcrypt.rst b/docs/lib/passlib.hash.bcrypt.rst
index 4683690..c7c5951 100644
--- a/docs/lib/passlib.hash.bcrypt.rst
+++ b/docs/lib/passlib.hash.bcrypt.rst
@@ -169,7 +169,7 @@ This implementation of bcrypt differs from others in a few ways:
generated with the buggy algorithm. Passlib 1.6 recognizes (but does not
currently support generating or verifying) these hashes.
- ``$2y$``, the default for crypt_blowfish 1.1 and newer, indicates
+ ``$2y$``, the default for crypt_blowfish 1.1-1.2, indicates
the hash was generated with the canonical OpenBSD-compatible algorithm,
and should match *correctly* generated ``$2a$`` hashes.
Passlib 1.6 can generate and verify these hashes.
@@ -180,6 +180,8 @@ This implementation of bcrypt differs from others in a few ways:
does not support this algorithmic variant either, though it should
be *very* rarely encountered in practice.
+ (crypt_blowfish 1.3 switched to the ``$2b$`` standard as the default)
+
.. versionchanged:: 1.6.3
Passlib will now throw a :exc:`~passlib.exc.PasslibSecurityError` if an attempt is
@@ -223,4 +225,5 @@ This implementation of bcrypt differs from others in a few ways:
`CVE-2011-2483 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2483>`_
.. [#wraparound] The wraparound flaw is described here -
- `<http://www.openwall.com/lists/oss-security/2012/01/02/4>`_ \ No newline at end of file
+ `<http://www.openwall.com/lists/oss-security/2012/01/02/4>`_
+
diff --git a/passlib/_setup/stamp.py b/passlib/_setup/stamp.py
index 2ce3eb3..5806479 100644
--- a/passlib/_setup/stamp.py
+++ b/passlib/_setup/stamp.py
@@ -24,14 +24,10 @@ def get_command_class(opts, name):
return opts['cmdclass'].get(name) or Distribution().get_command_class(name)
def get_command_options(opts, command):
- return opts.setdefault("command_options", {}).setdefault(command, {})
-
-def set_command_options(opts, command, _source_="setup.py", **kwds):
- target = get_command_options(opts, command)
- target.update(
- (key, (_source_, value))
- for key, value in kwds.items()
- )
+ return opts.setdefault("options", {}).setdefault(command, {})
+
+def set_command_options(opts, command, **kwds):
+ get_command_options(opts, command).update(kwds)
def _get_file(path):
with open(path, "r") as fh:
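Review bot: `set_command_options()` no longer names `_source_` as a parameter, so any caller that still passes `_source_="..."` would have it swallowed by `**kwds` and written out as a command option called `_source_`. Callers are not visible in this hunk, so it is worth grepping for them before merging. The two helpers would also benefit from a short comment explaining the new storage format, for example `# stored under setup()'s "options" keyword; distutils tags the source itself, so values are plain, not (source, value) tuples`. Because this module stamps the version into built artifacts, a silently ignored or misrouted option here is hard to spot after the fact. The body of `_get_file` continues outside the hunk.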
diff --git a/passlib/crypto/digest.py b/passlib/crypto/digest.py
index 18dce85..d26f892 100644
--- a/passlib/crypto/digest.py
+++ b/passlib/crypto/digest.py
@@ -124,7 +124,7 @@ def _get_hash_aliases(name):
return result
# try to clean name up some more
- m = re.match("(?i)^(?P<name>[a-z]+)-?(?P<rev>\d)?-?(?P<size>\d{3,4})?$", name)
+ m = re.match(r"(?i)^(?P<name>[a-z]+)-?(?P<rev>\d)?-?(?P<size>\d{3,4})?$", name)
if m:
# roughly follows "SHA2-256" style format, normalize representation,
# and checked table.
diff --git a/passlib/handlers/bcrypt.py b/passlib/handlers/bcrypt.py
index 117bc64..e5fbfe0 100644
--- a/passlib/handlers/bcrypt.py
+++ b/passlib/handlers/bcrypt.py
@@ -775,13 +775,13 @@ class bcrypt(_NoBackend, _BcryptCommon):
:type ident: str
:param ident:
Specifies which version of the BCrypt algorithm will be used when creating a new hash.
- Typically this option is not needed, as the default (``"2a"``) is usually the correct choice.
+ Typically this option is not needed, as the default (``"2b"``) is usually the correct choice.
If specified, it must be one of the following:
* ``"2"`` - the first revision of BCrypt, which suffers from a minor security flaw and is generally not used anymore.
* ``"2a"`` - some implementations suffered from rare security flaws, replaced by 2b.
* ``"2y"`` - format specific to the *crypt_blowfish* BCrypt implementation,
- identical to ``"2a"`` in all but name.
+ identical to ``"2b"`` in all but name.
* ``"2b"`` - latest revision of the official BCrypt algorithm, current default.
:param bool truncate_error:
diff --git a/passlib/ifc.py b/passlib/ifc.py
index 606fd05..7adf665 100644
--- a/passlib/ifc.py
+++ b/passlib/ifc.py
@@ -91,7 +91,7 @@ class PasswordHash(object):
@abstractmethod
def hash(cls, secret, # *
**setting_and_context_kwds): # pragma: no cover -- abstract method
- """
+ r"""
Hash secret, returning result.
Should handle generating salt, etc, and should return string
containing identifier, salt & other configuration, as well as digest.
diff --git a/passlib/tests/test_totp.py b/passlib/tests/test_totp.py
index 9af4d15..54a9d91 100644
--- a/passlib/tests/test_totp.py
+++ b/passlib/tests/test_totp.py
@@ -53,15 +53,45 @@ KEY4_RAW = b'Hello!\xde\xad\xbe\xef'
assert sys.float_info.radix == 2, "unexpected float_info.radix"
assert sys.float_info.mant_dig >= 44, "double precision unexpectedly small"
-# work out maximum value acceptable by hosts's time_t
-# this is frequently 2**37, though smaller on some systems.
-max_time_t = 30
-while True:
- try:
- datetime.datetime.utcfromtimestamp(max_time_t << 1)
- max_time_t <<= 1
- except ValueError:
- break
+def _get_max_time_t():
+ """
+ helper to calc max_time_t constant (see below)
+ """
+ value = 1 << 30 # even for 32 bit systems will handle this
+ year = 0
+ while True:
+ next_value = value << 1
+ try:
+ next_year = datetime.datetime.utcfromtimestamp(next_value-1).year
+ except (ValueError, OSError, OverflowError):
+ # utcfromtimestamp() may throw any of the following:
+ #
+ # * year out of range for datetime:
+ # py < 3.6 throws ValueError.
+ # (py 3.6.0 returns odd value instead, see workaround below)
+ #
+ # * int out of range for host's gmtime/localtime:
+ # py2 throws ValueError, py3 throws OSError.
+ #
+ # * int out of range for host's time_t:
+ # py2 throws ValueError, py3 throws OverflowError.
+ #
+ return value-1
+
+ # Workaround for python 3.6.0 issue --
+ # Instead of throwing ValueError if year out of range for datetime,
+ # Python 3.6 will do some weird behavior that masks high bits
+ # e.g. (1<<40) -> year 36812, but (1<<41) -> year 6118.
+ # (Filed as bug -- http://bugs.python.org/issue29346)
+ # This check stops at largest non-wrapping bit size.
+ if next_year < year:
+ return value-1
+
+ value = next_value
+
+#: Rough approximation of max value acceptable by hosts's time_t.
+#: This is frequently ~2**37 on 64 bit, and ~2**31 on 32 bit systems.
+max_time_t = _get_max_time_t()
def to_b32_size(raw_size):
return (raw_size * 8 + 4) // 5
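Review bot: In `_get_max_time_t()`, `year` is initialised to 0 and never reassigned, so the `if next_year < year:` guard for the Python 3.6.0 wraparound can never be true. The loop therefore only stops once `utcfromtimestamp()` raises. On an interpreter with the masking behaviour the comment describes, the function would presumably return a `max_time_t` well beyond the largest non-wrapping value. Any test that uses the constant as an upper bound (none are visible in this hunk) would then exercise timestamps the host converts incorrectly. Carrying the year forward with the value at the end of the loop makes the check effective: `value, year = next_value, next_year`.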
diff --git a/passlib/tests/utils.py b/passlib/tests/utils.py
index 62f3ab3..e1b7b0e 100644
--- a/passlib/tests/utils.py
+++ b/passlib/tests/utils.py
@@ -246,7 +246,7 @@ def hb(source):
usage: ``hb("deadbeef23")``
"""
- return unhexlify(re.sub("\s", "", source))
+ return unhexlify(re.sub(r"\s", "", source))
def limit(value, lower, upper):
if value < lower:
@@ -261,7 +261,7 @@ def quicksleep(delay):
while tick()-start < delay:
pass
-def time_call(func, setup=None, maxtime=1, bestof=3):
+def time_call(func, setup=None, maxtime=1, bestof=10):
"""
timeit() wrapper which tries to get as accurate a measurement as possible w/in maxtime seconds.
@@ -366,8 +366,8 @@ class TestCase(_TestCase):
# ignore warnings about PasswordHash features deprecated in 1.7
# TODO: should be cleaned in 2.0, when support will be dropped.
# should be kept until then, so we test the legacy paths.
- warnings.filterwarnings("ignore", "the method .*\.(encrypt|genconfig|genhash)\(\) is deprecated")
- warnings.filterwarnings("ignore", "the 'vary_rounds' option is deprecated")
+ warnings.filterwarnings("ignore", r"the method .*\.(encrypt|genconfig|genhash)\(\) is deprecated")
+ warnings.filterwarnings("ignore", r"the 'vary_rounds' option is deprecated")
#---------------------------------------------------------------
# tweak message formatting so longMessage mode is only enabled
diff --git a/passlib/totp.py b/passlib/totp.py
index f0edf36..c2e8891 100644
--- a/passlib/totp.py
+++ b/passlib/totp.py
@@ -83,7 +83,7 @@ if sys.version_info < (2,7,4):
#-----------------------------------------------------------------------------
#: regex used to clean whitespace from tokens & keys
-_clean_re = re.compile(u("\s|[-=]"), re.U)
+_clean_re = re.compile(u(r"\s|[-=]"), re.U)
_chunk_sizes = [4,6,5]
@@ -1140,7 +1140,7 @@ class TOTP(object):
@classmethod
def verify(cls, token, source, **kwds):
- """
+ r"""
Convenience wrapper around :meth:`TOTP.from_source` and :meth:`TOTP.match`.
This parses a TOTP key & configuration from the specified source,
diff --git a/passlib/utils/handlers.py b/passlib/utils/handlers.py
index ef553ab..76613bf 100644
--- a/passlib/utils/handlers.py
+++ b/passlib/utils/handlers.py
@@ -654,7 +654,8 @@ class GenericHandler(MinimalHandler):
@classmethod
def from_string(cls, hash, **context): # pragma: no cover
- """return parsed instance from hash/configuration string
+ r"""
+ return parsed instance from hash/configuration string
:param \*\*context:
context keywords to pass to constructor (if applicable).