From 945c3c4f90c0b755a0f607dcceecc9095f165e4f Mon Sep 17 00:00:00 2001
From: Eli Collins
Date: Sat, 10 Mar 2012 18:37:57 -0500
Subject: added some notes

---
 docs/notes.txt | 18 ------------------
 passlib/exc.py | 9 ++++++---
 passlib/handlers/des_crypt.py | 6 ++++++
 passlib/tests/test_handlers.py | 1 +
 passlib/utils/__init__.py | 6 +++++-
 5 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/docs/notes.txt b/docs/notes.txt
index 078843f..ebafa5f 100644
--- a/docs/notes.txt
+++ b/docs/notes.txt
@@ -5,7 +5,6 @@ Todo
 Internal Changes
 ----------------
 * C extensions to speed up some implementations
-* py3k support
 
 Other Hash Formats
 ------------------
@@ -18,23 +17,6 @@ Other Hash Formats
 Notes on various hash formats
 =============================
 
-Cisco PIX
---------- 
-sample hashes found
- http://www.freerainbowtables.com/phpBB3/viewtopic.php?f=2&t=1441
-
- 8Ry2YjIyt7RRXU24 ''
- 2KFQnbNIdI.2KYOU 'cisco'
- hN7LzeyYjw12FSIU 'john'/'cisco'
- 7DrfeZ7cyOj/PslD 'jack'/'cisco'
-
-alg
- secret+user
- truncate/pad-right-null to 16 bytes
- md5().digest()
- h64 encode
-
-todo: get some samples w/ passwords longer than 16 chars to verify
-
 Mac OSX
 -------
 Summary of info from http://www.dribin.org/dave/blog/archives/2006/04/28/os_x_passwords_2/
diff --git a/passlib/exc.py b/passlib/exc.py
index 29813cd..0192951 100644
--- a/passlib/exc.py
+++ b/passlib/exc.py
@@ -49,9 +49,12 @@ class PasslibHashWarning(PasslibWarning):
 """
 
 class PasslibRuntimeWarning(PasslibWarning):
- """Warning issued when something strange but correctable happens during
- runtime. These are generally ok, but the developers would love to hear
- the conditions under which it occurred."""
+ """Warning issued when something unexpected happens during runtime.
+
+ The fact that it's a warning instead of an error means Passlib
+ was able to correct for the issue, but that it's anonmalous enough
+ that the developers would love to hear under what conditions it occurred.
+ """
 
 #==========================================================================
 # eof
diff --git a/passlib/handlers/des_crypt.py b/passlib/handlers/des_crypt.py
index 3eea448..5e3cb4c 100644
--- a/passlib/handlers/des_crypt.py
+++ b/passlib/handlers/des_crypt.py
@@ -231,6 +231,12 @@ class des_crypt(uh.HasManyBackends, uh.HasSalt, uh.GenericHandler):
 #handler
 #=========================================================
 
+#FIXME: phpass code notes that even rounds values should be avoided for BSDI-Crypt,
+# so as not to reveal weak des keys. given the random salt, this shouldn't be
+# a very likely issue anyways, but should do something about default rounds generation anyways.
+# http://wiki.call-cc.org/eggref/4/crypt sez even rounds of DES may reveal weak keys.
+# list of semi-weak keys - http://dolphinburger.com/cgi-bin/bsdi-man?proto=1.1&query=bdes&msection=1&apropos=0
+
 class bsdi_crypt(uh.HasManyBackends, uh.HasRounds, uh.HasSalt, uh.GenericHandler):
 """This class implements the BSDi-Crypt password hash, and follows the
 :ref:`password-hash-api`.
diff --git a/passlib/tests/test_handlers.py b/passlib/tests/test_handlers.py
index dbb410e..4547e56 100644
--- a/passlib/tests/test_handlers.py
+++ b/passlib/tests/test_handlers.py
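Review bot: The fourth line of the new PasslibRuntimeWarning docstring misspells "anomalous" as "anonmalous", and this text is rendered into the public API docs. Change it to `was able to correct for the issue, but that it's anomalous enough`. The class body is complete within the hunk and nothing else about it changes.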
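Review bot: The new FIXME above bsdi_crypt records that an even rounds value can expose weak or semi-weak DES keys, but the hunk leaves rounds generation untouched, so the handler can still emit or accept an even count; the class body continues outside the hunk, so the fix belongs where rounds are generated and parsed. Wherever a rounds value is produced, force it odd, e.g. `if not rounds & 1:` / `    rounds += 1`, and make sure the default rounds constant is itself odd rather than relying on the correction. The comment's reassurance that "given the random salt, this shouldn't be a very likely issue" should not be relied on: as far as I know the crypt salt perturbs the E expansion of each round rather than the key schedule, so it does not change whether a password-derived key is weak, and with all subkeys equal the cipher is an involution whatever the salt, so an even iteration count collapses to the identity. I would reword that sentence to say the salt does not mitigate this, and keep the two reference URLs.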
@@ -1074,6 +1074,7 @@ class msdcc2_test(UserHandlerMixin, HandlerCase):
 class mssql2000_test(HandlerCase):
 handler = hash.mssql2000
 secret_case_insensitive = "verify-only"
+ # FIXME: fix UT framework - this hash is sensitive to password case, but verify() is not
 
 known_correct_hashes = [
 #
diff --git a/passlib/utils/__init__.py b/passlib/utils/__init__.py
index 051c93a..3edfaca 100644
--- a/passlib/utils/__init__.py
+++ b/passlib/utils/__init__.py
@@ -90,7 +90,8 @@ unix_crypt_schemes = [
 "sha512_crypt", "sha256_crypt",
 "sha1_crypt", "bcrypt",
 "md5_crypt",
- "bsdi_crypt", "des_crypt"
+ # "bsd_nthash",
+ "bsdi_crypt", "des_crypt",
 ]
 
 # list of rounds_cost constants
@@ -1445,6 +1446,9 @@ def getrandbytes(rng, count):
 
 def getrandstr(rng, charset, count):
 """return string containing *count* number of chars/bytes, whose elements are drawn from specified charset, using specified rng"""
+ # NOTE: tests determined this is 4x faster than rng.sample(),
+ # which is why that's not being used here.
+
 #check alphabet & count
 if count < 0:
 raise ValueError("count must be >= 0")
-- 
cgit v1.2.1
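Review bot: The added FIXME in mssql2000_test describes a user-visible security property — verify() accepts a password that differs from the stored one only in case — as if it were only a unit-test framework problem. That property should be stated in the mssql2000 handler's docstring (outside this hunk, so I cannot check whether it already is) and pinned by an explicit test, e.g. `h = self.handler.encrypt("password")` / `self.assertTrue(self.handler.verify("PASSWORD", h))`, so a later change to verify() cannot silently widen or narrow what is accepted. The line above it, `secret_case_insensitive = "verify-only"`, already encodes the same fact for the framework, so the comment should also say concretely what the framework gets wrong rather than just "fix UT framework". The class body and its known_correct_hashes list continue past the hunk.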
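Review bot: The new `# "bsd_nthash",` entry in unix_crypt_schemes is commented-out code with no reason given, so the next reader cannot tell whether it is pending inclusion or deliberately excluded. If it is excluded because, as its name suggests, it wraps an unsalted NT digest that does not belong in a strength-ordered list of salted crypt schemes, say so: `# "bsd_nthash",  # deliberately omitted: unsalted NT digest, not comparable to the schemes above`; if it is pending, turn it into a TODO with the blocker, or drop the line. The trailing comma added to `"bsdi_crypt", "des_crypt",` is fine.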
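Review bot: The NOTE added to getrandstr justifies avoiding rng.sample() on speed alone, but speed is not the reason it must not be used: random.sample draws without replacement, so no character could ever repeat in the output, count greater than len(charset) would raise, and a salt or token built that way would carry less entropy than its length suggests. I would replace the two added lines with `# NOTE: rng.sample() is unsuitable here regardless of speed: it samples without` / `# replacement, so characters could never repeat and count > len(charset) would` / `# raise; for salt/token generation that would silently discard entropy.` Since this helper is used for salt generation, the docstring could also state that callers must pass a cryptographically secure rng (e.g. random.SystemRandom) — the default rng this file wires in is outside the hunk, so I cannot confirm what is passed today. The function body continues past the hunk.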