From 8583409d34d9491553f6c8e545653842518f311c Mon Sep 17 00:00:00 2001 From: Eli Collins Date: Tue, 17 Apr 2012 19:37:20 -0400 Subject: retuned default_rounds for a few hashes based on benchmarks --- passlib/handlers/pbkdf2.py | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) (limited to 'passlib/handlers/pbkdf2.py') diff --git a/passlib/handlers/pbkdf2.py b/passlib/handlers/pbkdf2.py index 662bdcd..20824b2 100644 --- a/passlib/handlers/pbkdf2.py +++ b/passlib/handlers/pbkdf2.py @@ -44,7 +44,7 @@ class Pbkdf2DigestHandler(uh.HasRounds, uh.HasRawSalt, uh.HasRawChecksum, uh.Gen max_salt_size = 1024 #--HasRounds-- - default_rounds = 6400 + default_rounds = None # set by subclass min_rounds = 1 max_rounds = 2**32-1 rounds_cost = "linear" @@ -84,7 +84,7 @@ class Pbkdf2DigestHandler(uh.HasRounds, uh.HasRawSalt, uh.HasRawChecksum, uh.Gen secret = secret.encode("utf-8") return pbkdf2(secret, self.salt, self.rounds, self.checksum_size, self._prf) -def create_pbkdf2_hash(hash_name, digest_size, ident=None): +def create_pbkdf2_hash(hash_name, digest_size, rounds=6400, ident=None): "create new Pbkdf2DigestHandler subclass for a specific hash" name = 'pbkdf2_' + hash_name if ident is None: @@ -95,6 +95,7 @@ def create_pbkdf2_hash(hash_name, digest_size, ident=None): name=name, ident=ident, _prf = prf, + default_rounds=rounds, checksum_size=digest_size, encoded_checksum_size=(digest_size*4+2)//3, __doc__="""This class implements a generic ``PBKDF2-%(prf)s``-based password hash, and follows the :ref:`password-hash-api`. @@ -121,9 +122,9 @@ def create_pbkdf2_hash(hash_name, digest_size, ident=None): #--------------------------------------------------------- #derived handlers #--------------------------------------------------------- -pbkdf2_sha1 = create_pbkdf2_hash("sha1", 20, ident=u("$pbkdf2$")) -pbkdf2_sha256 = create_pbkdf2_hash("sha256", 32) -pbkdf2_sha512 = create_pbkdf2_hash("sha512", 64) +pbkdf2_sha1 = create_pbkdf2_hash("sha1", 20, 32000, ident=u("$pbkdf2$")) +pbkdf2_sha256 = create_pbkdf2_hash("sha256", 32, 4000) +pbkdf2_sha512 = create_pbkdf2_hash("sha512", 64, 3200) ldap_pbkdf2_sha1 = uh.PrefixWrapper("ldap_pbkdf2_sha1", pbkdf2_sha1, "{PBKDF2}", "$pbkdf2$") ldap_pbkdf2_sha256 = uh.PrefixWrapper("ldap_pbkdf2_sha256", pbkdf2_sha256, "{PBKDF2-SHA256}", "$pbkdf2-sha256$") @@ -173,8 +174,8 @@ class cta_pbkdf2_sha1(uh.HasRounds, uh.HasRawSalt, uh.HasRawChecksum, uh.Generic min_salt_size = 0 max_salt_size = 1024 - #--HasROunds-- - default_rounds = 10000 + #--HasRounds-- + default_rounds = 20000 min_rounds = 1 max_rounds = 2**32-1 rounds_cost = "linear" @@ -260,8 +261,8 @@ class dlitz_pbkdf2_sha1(uh.HasRounds, uh.HasSalt, uh.GenericHandler): max_salt_size = 1024 salt_chars = uh.HASH64_CHARS - #--HasROunds-- - default_rounds = 10000 + #--HasRounds-- + default_rounds = 20000 min_rounds = 1 max_rounds = 2**32-1 rounds_cost = "linear" -- cgit v1.2.1 From ceb7a00ddae502624d609bc63a9048f0de9f1b23 Mon Sep 17 00:00:00 2001 From: Eli Collins Date: Tue, 17 Apr 2012 21:55:38 -0400 Subject: a bunch of bugfixes found during unittesting * bsdi_crypt apparently available on openbsd 4.9 * typo fixes * ConfigParser apparently only uses OrderedDict for >= PY27, adjusted CryptContext test accordingly * fixed test that depended on sha256_crypt.default_rounds * handle os_crypt backend w/ no fallback (bcrypt) * let _norm_rounds accept longs --- passlib/handlers/pbkdf2.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'passlib/handlers/pbkdf2.py') diff --git a/passlib/handlers/pbkdf2.py b/passlib/handlers/pbkdf2.py index 20824b2..9980518 100644 --- a/passlib/handlers/pbkdf2.py +++ b/passlib/handlers/pbkdf2.py @@ -116,7 +116,7 @@ def create_pbkdf2_hash(hash_name, digest_size, rounds=6400, ident=None): :param rounds: Optional number of rounds to use. Defaults to %(dr)d, but must be within ``range(1,1<<32)``. - """ % dict(prf=prf.upper(), dsc=base.default_salt_size, dr=base.default_rounds) + """ % dict(prf=prf.upper(), dsc=base.default_salt_size, dr=rounds) )) #--------------------------------------------------------- -- cgit v1.2.1