Message4272
Attached is a patch which addresses points (a) and (b) raised by Joseph.
This patch adds support for a new encrypt format based on PBKDF2, and
makes it the default for new passwords; as well as some other cleanups I
made in an attempt to move some parts of the password parsing out of
roundup proper, and into password.py.
The new hash has the following:
* It uses the format "{PBKDF2}<rounds>$<salt>$<digest>", with an encoding
format adapted from what Linux's SHA512-Crypt uses, for simplicity.
* It defaults to 10000 rounds (I would like to make this configurable via
config.ini, but can't quite figure out how to get a hold of a config
instance from inside encryptPassword).
* For new passwords, it generates a random 20-byte salt (which can be
easily increased in the future).
* It uses a 20-byte digest to match the underlying HMAC-SHA1 prf used by
the PBKDF2 implementation.
* For the backend, it uses M2Crypto.EVP.pbkdf2 if available, else falls
back to a pure-python implementation built into password.py.
If this looks useful, I'm willing to take a stab at writing code to migrate
existing hashes (though I may have some questions for roundup-devel in
that case).
- Eli

Date | User | Action | Args
2011-04-13 22:28:49 | elic | set | messageid: <1302733729.71.0.430685872757.issue2550688@psf.upfronthosting.co.za>
2011-04-13 22:28:49 | elic | set | recipients: + elic, ber, joseph_myers
2011-04-13 22:28:49 | elic | link | issue2550688 messages
2011-04-13 22:28:49 | elic | create |
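
The "{PBKDF2}<rounds>$<salt>$<digest>" format described in the message, as an added example that is neither the attached patch nor Roundup's code. It uses `hashlib.pbkdf2_hmac` instead of M2Crypto; the function names and the field encoding (base64 with a "./" alphabet tail and no padding) are assumptions, since the message does not spell the encoding out.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{PBKDF2}"
ROUNDS = 10000    # default stated in the message
SALT_LEN = 20     # random salt size stated in the message
DIGEST_LEN = 20   # HMAC-SHA1 output size

def _enc(raw):
    # Assumed encoding: base64 with "./" alphabet tail and no "=" padding,
    # so the "$" field separator can never occur inside a field.
    return base64.b64encode(raw, b"./").decode("ascii").rstrip("=")

def _dec(text):
    # Restore the stripped padding; validate=True rejects stray characters.
    return base64.b64decode(text + "=" * (-len(text) % 4), b"./", validate=True)

def encrypt_password(password, salt=None, rounds=ROUNDS):
    # A fresh random salt is generated unless one is supplied (e.g. for tests).
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds, DIGEST_LEN)
    return "%s%d$%s$%s" % (PREFIX, rounds, _enc(salt), _enc(digest))

def parse_hash(stored):
    # Raises ValueError on a wrong prefix, field count, rounds value or encoding.
    if not stored.startswith(PREFIX):
        raise ValueError("not a {PBKDF2} hash")
    rounds, salt, digest = stored[len(PREFIX):].split("$")
    rounds = int(rounds)
    if rounds < 1:
        raise ValueError("rounds must be positive")
    return rounds, _dec(salt), _dec(digest)

def verify_password(password, stored):
    # Re-derive with the stored rounds and salt, then compare in constant time.
    rounds, salt, digest = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds, len(digest))
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    stored = encrypt_password("correct horse")  # constructed sample password
    print(stored)
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
```

Because the round count and salt travel inside the stored string, raising the default later does not invalidate hashes already written with 10000 rounds.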