comparison roundup/password.py @ 8239:6bd11a73f2ed
issue2551253. default hash is PBKDF2-SHA512.
The default password hashing algorithm has been upgraded to
PBKDF2-SHA512 from PBKDF2-SHA1. The default pbkdf2 rounds in the
config file has been changed to 250000.
Doc updated.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 30 Dec 2024 02:57:46 -0500 |
| parents | 1b326a3d76b4 |
| children | 98011edc6c60 |
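--- a/roundup/password.py
+++ b/roundup/password.py
@@ -329,11 +329,11 @@
 """ Password dummy instance intended for journal operation.
 We do not store passwords in the journal any longer. The dummy
 version only reads the encryption scheme from the given
 encrypted password.
 """
-default_scheme = 'PBKDF2' # new encryptions use this scheme
+default_scheme = 'PBKDF2S5' # new encryptions use this scheme
 pwre = re.compile(r'{(\w+)}(.+)')
 
 def __init__(self, encrypted=''):
 if isinstance(encrypted, self.__class__):
 self.scheme = encrypted.scheme or self.default_scheme
@@ -392,16 +392,16 @@
 1
 >>> 'not sekrit' != p
 1
 """
 
-deprecated_schemes = ["SSHA", "SHA", "MD5", "plaintext"]
+deprecated_schemes = ["PBKDF2", "SSHA", "SHA", "MD5", "plaintext"]
 if crypt:
 # place just before plaintext if crypt is available
 deprecated_schemes.insert(-1, "crypt")
-experimental_schemes = ["PBKDF2S5"]
-known_schemes = ["PBKDF2"] + experimental_schemes + \
+experimental_schemes = []
+known_schemes = ["PBKDF2S5"] + experimental_schemes + \
 deprecated_schemes
 
 def __init__(self, plaintext=None, scheme=None, encrypted=None,
 strict=False, config=None):
 """Call setPassword if plaintext is not None."""
@@ -440,10 +440,23 @@
 else:
 # for testing
 new_rounds = 1000
 if rounds < int(new_rounds):
 return True
+
+if (self.scheme == "PBKDF2S5"):
+new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
+if ("pytest" in sys.modules and
+"PYTEST_CURRENT_TEST" in os.environ):
+if ("PYTEST_USE_CONFIG" in os.environ):
+new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
+else:
+# for testing
+new_rounds = 1000
+if rounds < int(new_rounds):
+return True
+
 return False
 
 def unpack(self, encrypted, scheme=None, strict=False, config=None):
 """Set the password info from the scheme:<encrypted info> string
 (the inverse of __str__)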
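Review bot: The added `PBKDF2S5` branch repeats the pytest detection that lowers the rehash threshold to 1000 rounds, so a test-only relaxation of a password-hash strength check now sits in two places in production code (its first copy ends just above, at `if rounds < int(new_rounds): return True`). Because this commit also moves `"PBKDF2"` into `deprecated_schemes`, the older copy may have become unreachable if the enclosing method returns early for deprecated schemes; the method starts outside the visible context, so that should be confirmed there. I would keep a single copy guarded by `if self.scheme in ("PBKDF2", "PBKDF2S5"):`, or drop the PBKDF2 one if it is dead. The inner if/else could also shrink to `if "PYTEST_USE_CONFIG" not in os.environ: new_rounds = 1000`, since the `PYTEST_USE_CONFIG` arm only re-assigns the value already set two lines earlier. A comment such as `# test-only: use 1000 rounds under pytest unless PYTEST_USE_CONFIG is set` would state the intent next to the check.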
