===========
Passlib 1.5
===========

.. _bcrypt-padding-issue:

**1.5.3** (2011-10-08)
======================

    Bugfix release -- fixes BCrypt padding/verification issue (:issue:`25`)

    This release fixes a single issue with Passlib's BCrypt support: Many
    BCrypt hashes generated by Passlib (<= 1.5.2) will not successfully verify
    under some of the other BCrypt implementations, such as OpenBSD's
    ``/etc/master.passwd``.

    *In detail:*

        BCrypt hashes contain 4 "padding" bits in the encoded salt, and Passlib
        (<= 1.5.2) generated salts in a manner which frequently set some of the
        padding bits to 1. While Passlib ignores these bits, many BCrypt
        implementations perform password verification in a way which rejects
        *all* passwords if any of the padding bits are set. Thus Passlib's
        BCrypt salt generation needed to be fixed to ensure compatibility,
        and a route provided to correct existing hashes already out in the wild
        :issue:`25`.

    *Changes in this release:*

        .. currentmodule:: passlib.context

        * BCrypt hashes generated by Passlib now have all padding bits cleared.

        * Passlib will continue to accept BCrypt hashes that have padding bits
          set, but when it encounters them, it will issue a :exc:`UserWarning`
          recommending that the hash should be fixed (see below).

        * Applications which use :meth:`CryptContext.verify_and_update` will
          have any such hashes automatically re-encoded the next time the user
          logs in.

    *To fix existing hashes:*

        If you have BCrypt hashes which might have their padding bits set,
        you can import :class:`!passlib.hash.bcrypt`, and
        call ``clean_hash = bcrypt.normhash(hash)``.
        This function will clear the padding bits of any BCrypt hashes,
        and should leave all other strings alone.

**1.5.2** (2011-09-19)
======================

    Minor bugfix release -- mainly Django-related fixes

    Hashes

        .. currentmodule:: passlib.hash

        * *bugfix:* :class:`django_des_crypt` now accepts all
          :data:`hash64 <passlib.utils.binary.h64>` characters in its salts;
          previously it accepted only lower-case hexadecimal characters (:issue:`22`).

        * Additional unittests added for all
          standard :doc:`Django hashes </lib/passlib.hash.django_std>`.

        * :class:`django_des_crypt` now rejects hashes where salt and checksum
          contain mismatched salt characters.

    CryptContext

        .. currentmodule:: passlib.context

        * *bugfix:* fixed exception in :meth:`CryptPolicy.iter_config`
          that occurred when iterating over deprecation options.

        * Added documentation for the (mistakenly undocumented)
          :meth:`CryptContext.verify_and_update` method.

**1.5.1** (2011-08-17)
======================

    Minor bugfix release -- now compatible with Google App Engine.

    * *bugfix:* make ``passlib.hash.__loader__`` attribute writable -
      needed by Google App Engine (GAE) :issue:`19`.

    * *bugfix:* provide fallback for loading ``passlib/default.cfg``
      if :mod:`pkg_resources` is not present, such as for GAE :issue:`19`.

    * *bugfix:* fixed error thrown by CryptContext.verify
      when issuing min_verify_time warning :issue:`17`.

    * removed min_verify_time setting from custom_app_context,
      min_verify_time is too host & load dependent to be hardcoded :issue:`17`.

    * under GAE, disable all unittests which require writing to filesystem.

    * more unittest coverage for :mod:`passlib.apps` and :mod:`passlib.hosts`.

    * improved version datestamps in build script.

**1.5.0** (2011-07-11)
======================

*"20% more unicode than the leading breakfast cereal"*

The main new feature in this release is that
Passlib now supports Python 3 (via the 2to3 tool).
Everything has been recoded to have better separation
between unicode and bytes, and to use unicode internally
where possible.
When run under Python 2, Passlib 1.5 attempts
to provide the same behavior as Passlib 1.4;
but when run under Python 3, most functions
will return unicode instead of ascii bytes.

Besides this major change, there have
been some other additions:

Hashes
------

    * added support for Cryptacular's PBKDF2 format.
    * added support for the FSHP family of hashes.
    * added support for using BCryptor as BCrypt backend.
    * added support for all of Django's hash formats.

CryptContext
------------

    .. currentmodule:: passlib.context

    * interpolation deprecation:

      :meth:`CryptPolicy.from_path` and :meth:`CryptPolicy.from_string`
      now use :class:`!SafeConfigParser` instead of :class:`!ConfigParser`.
      This may cause some existing config files containing unescaped ``%``
      to result in errors; Passlib 1.5 will demote these to warnings,
      but any extant config files should be updated,
      as the errors will be fatal in Passlib 1.6.

    * added encoding keyword to :class:`!CryptPolicy`'s
      :meth:`!.from_path()`, :meth:`!.from_string`,
      and :meth:`!.to_string` methods.

    * both classes in :mod:`passlib.apache`
      now support specifying an encoding for the username/realm.

Documentation
-------------

    * Password Hash API expanded to include explicit
      :ref:`unicode vs bytes policy <hash-unicode-behavior>`.
    * Added quickstart guide to documentation.
    * Various minor improvements.

Internal Changes
----------------

    * Added more handler utility functions to reduce code duplication.
    * Expanded kdf helpers in :mod:`!passlib.utils.pbkdf2`.
    * Removed deprecated parts of :mod:`passlib.utils.handlers`.
    * Various minor changes to
      :class:`passlib.utils.handlers.HasManyBackends`;
      main change is that multi-backend handlers now raise
      :exc:`~passlib.exc.MissingBackendError`
      if no backends are available.

    * Builtin tests now use :mod:`!unittest2` if available.
    * Setup script no longer requires distribute or setuptools.
    * added (undocumented, experimental) Django app
      for overriding Django's default hash format,
      see ``docs/lib/passlib.ext.django.rst`` for more.
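
The BCrypt padding-bit issue described under 1.5.3 above, as an added example (not Passlib's own code): a stand-alone check that finds and clears the 4 padding bits in the 22nd salt character, for auditing a stored-hash table before hashes are shared with stricter BCrypt implementations. The function names and the sample hashes are constructed for illustration; it assumes the usual ``$2a$NN$`` layout of 22 salt characters followed by a 31-character digest.

```python
import re

# bcrypt's own base64 alphabet (ordering differs from RFC 4648).
BCRYPT64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# "$2a$NN$" prefix, 22 salt characters, optional 31 digest characters.
_BCRYPT_RE = re.compile(
    r"(\$2[abxy]?\$\d{2}\$)([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})?\Z"
)

# Constructed sample values, not real password hashes.
DIGEST = "0123456789ABCDEFGHIJKLMNOPQRSTU"
DIRTY = "$2a$12$abcdefghijklmnopqrstuv" + DIGEST   # 'v' = 49: padding bits 0001
CLEAN = "$2a$12$abcdefghijklmnopqrstuu" + DIGEST   # 'u' = 48: padding bits 0000


def padding_bits(hash_str):
    """Return the salt's 4 padding bits (0 means clean), or None if not BCrypt."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        return None
    # A 16-byte salt is 128 bits, but 22 characters * 6 bits = 132 bits,
    # so the low 4 bits of the last salt character carry no salt data.
    return BCRYPT64.index(m.group(2)[-1]) & 0x0F


def clear_padding(hash_str):
    """Zero the padding bits of a BCrypt hash; return other strings unchanged."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        return hash_str
    prefix, salt, digest = m.group(1), m.group(2), m.group(3) or ""
    data_bits = BCRYPT64.index(salt[-1]) & 0x30  # keep only the 2 real salt bits
    return prefix + salt[:-1] + BCRYPT64[data_bits] + digest


def audit(hashes):
    """Map every BCrypt hash with padding bits set to its cleaned form."""
    return {h: clear_padding(h) for h in hashes if padding_bits(h)}


if __name__ == "__main__":
    for old, new in audit([DIRTY, CLEAN, "plaintext-not-a-hash"]).items():
        print(old, "->", new)
```

A cleaned salt can only end in ``.``, ``O``, ``e`` or ``u``; the decoded 16-byte salt is identical before and after cleaning, which is why the digest portion is left untouched.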