===========
Passlib 1.5
===========

.. _bcrypt-padding-issue:

**1.5.3** (2011-10-08)
======================

    Bugfix release -- fixes BCrypt padding/verification issue (:issue:`25`)

    This release fixes a single issue with Passlib's BCrypt support: Many
    BCrypt hashes generated by Passlib (<= 1.5.2) will not successfully verify
    under some of the other BCrypt implementations, such as OpenBSD's
    ``/etc/master.passwd``.

    *In detail:*

        BCrypt hashes contain 4 "padding" bits in the encoded salt, and Passlib
        (<= 1.5.2) generated salts in a manner which frequently set some of the
        padding bits to 1.  While Passlib ignores these bits, many BCrypt
        implementations perform password verification in a way which rejects
        *all* passwords if any of the padding bits are set.  Thus Passlib's
        BCrypt salt generation needed to be fixed to ensure compatibility,
        and a route provided to correct existing hashes already out in the wild
        :issue:`25`.

    *Changes in this release:*

    .. currentmodule:: passlib.context

    * BCrypt hashes generated by Passlib now have all padding bits cleared.

    * Passlib will continue to accept BCrypt hashes that have padding bits
      set, but when it encounters them, it will issue a :exc:`UserWarning`
      recommending that the hash should be fixed (see below).

    * Applications which use :meth:`CryptContext.verify_and_update` will
      have any such hashes automatically re-encoded the next time the user
      logs in.

    *To fix existing hashes:*

        If you have BCrypt hashes which might have their padding bits set,
        you can import :class:`!passlib.hash.bcrypt`, and
        call ``clean_hash = bcrypt.normhash(hash)``.
        This function will clear the padding bits of any BCrypt hashes,
        and should leave all other strings alone.
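
An added example (not Passlib's own code) of the padding-bit check and fix described above, working directly on the hash string so stored hashes can be audited before migration. The helper names ``salt_padding_bits``, ``clear_salt_padding``, ``decode_salt`` and ``find_padded_hashes`` are hypothetical, and the sample hash is constructed (its checksum is filler, not a real digest).

```python
import re

# bcrypt's own base64 alphabet (ordering differs from RFC 4648).
BCRYPT64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# ident + 2-digit cost, then 22 salt chars and 31 checksum chars.
_BCRYPT_RE = re.compile(
    r"^(\$2[abxy]?\$\d{2}\$)([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def salt_padding_bits(hash_str):
    """Value of the 4 salt padding bits (0 = clean); None if not bcrypt."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        return None
    # 22 chars * 6 bits = 132 bits for a 128-bit salt: the low 4 bits
    # of the final salt character carry no data.
    return BCRYPT64.index(m.group(2)[-1]) & 0x0F


def clear_salt_padding(hash_str):
    """Zero the salt padding bits; return any other string unchanged."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        return hash_str
    prefix, salt, checksum = m.groups()
    last = BCRYPT64.index(salt[-1]) & 0x30   # keep only the 2 data bits
    return prefix + salt[:-1] + BCRYPT64[last] + checksum


def decode_salt(salt):
    """Decode a 22-char bcrypt salt to its 16 raw bytes, dropping padding."""
    bits = 0
    for ch in salt:
        bits = (bits << 6) | BCRYPT64.index(ch)
    return (bits >> 4).to_bytes(16, "big")


def find_padded_hashes(hashes):
    """Return the bcrypt hashes in `hashes` that have padding bits set."""
    return [h for h in hashes if salt_padding_bits(h)]


# Constructed sample (the checksum is filler, not a real digest).
DIRTY = "$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    clean = clear_salt_padding(DIRTY)
    print(salt_padding_bits(DIRTY), "->", salt_padding_bits(clean))
    print(decode_salt(DIRTY[7:29]) == decode_salt(clean[7:29]))
```

Clearing the bits leaves the decoded 16-byte salt unchanged, so the existing checksum still applies; a clean hash always has ``.``, ``O``, ``e`` or ``u`` as its 22nd salt character.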

**1.5.2** (2011-09-19)
======================

    Minor bugfix release -- mainly Django-related fixes

    Hashes

        .. currentmodule:: passlib.hash

        * *bugfix:* :class:`django_des_crypt` now accepts all
          :data:`hash64 <passlib.utils.binary.h64>` characters in its salts;
          previously it accepted only lower-case hexadecimal characters (:issue:`22`).

        * Additional unittests added for all
          standard :doc:`Django hashes </lib/passlib.hash.django_std>`.

        * :class:`django_des_crypt` now rejects hashes whose salt and checksum
          contain mismatched salt characters.

    CryptContext

        .. currentmodule:: passlib.context

        * *bugfix:* fixed exception in :meth:`CryptPolicy.iter_config`
          that occurred when iterating over deprecation options.

        * Added documentation for the (mistakenly undocumented)
          :meth:`CryptContext.verify_and_update` method.

**1.5.1** (2011-08-17)
======================

    Minor bugfix release -- now compatible with Google App Engine.

    * *bugfix:* make ``passlib.hash.__loader__`` attribute writable -
      needed by Google App Engine (GAE) :issue:`19`.

    * *bugfix:* provide fallback for loading ``passlib/default.cfg``
      if :mod:`pkg_resources` is not present, such as for GAE :issue:`19`.

    * *bugfix:* fixed error thrown by CryptContext.verify
      when issuing min_verify_time warning :issue:`17`.

    * removed min_verify_time setting from custom_app_context,
      min_verify_time is too host & load dependent to be hardcoded :issue:`17`.

    * under GAE, disable all unittests which require writing to filesystem.

    * more unittest coverage for :mod:`passlib.apps` and :mod:`passlib.hosts`.

    * improved version datestamps in build script.

**1.5.0** (2011-07-11)
======================

*"20% more unicode than the leading breakfast cereal"*

The main new feature in this release is that
Passlib now supports Python 3 (via the 2to3 tool).
Everything has been recoded to have better separation
between unicode and bytes, and to use unicode internally
where possible.
When run under Python 2, Passlib 1.5 attempts
to provide the same behavior as Passlib 1.4;
but when run under Python 3, most functions
will return unicode instead of ascii bytes.

Besides this major change, there have
been some other additions:

Hashes
------

    * added support for Cryptacular's PBKDF2 format.
    * added support for the FSHP family of hashes.
    * added support for using BCryptor as BCrypt backend.
    * added support for all of Django's hash formats.

CryptContext
------------

    .. currentmodule:: passlib.context

    * interpolation deprecation:

      :meth:`CryptPolicy.from_path` and :meth:`CryptPolicy.from_string`
      now use :class:`!SafeConfigParser` instead of :class:`!ConfigParser`.
      This may cause some existing config files containing unescaped ``%``
      to result in errors; Passlib 1.5 will demote these to warnings,
      but any extant config files should be updated,
      as the errors will be fatal in Passlib 1.6.

    * added encoding keyword to :class:`!CryptPolicy`'s
      :meth:`!.from_path()`, :meth:`!.from_string`,
      and :meth:`!.to_string` methods.

    * both classes in :mod:`passlib.apache`
      now support specifying an encoding for the username/realm.

Documentation
-------------

    * Password Hash API expanded to include explicit
      :ref:`unicode vs bytes policy <hash-unicode-behavior>`.
    * Added quickstart guide to documentation.
    * Various minor improvements.

Internal Changes
----------------

    * Added more handler utility functions to reduce code duplication.
    * Expanded kdf helpers in :mod:`!passlib.utils.pbkdf2`.
    * Removed deprecated parts of :mod:`passlib.utils.handlers`.
    * Various minor changes to
      :class:`passlib.utils.handlers.HasManyBackends`;
      main change is that multi-backend handlers now raise
      :exc:`~passlib.exc.MissingBackendError`
      if no backends are available.

    * Builtin tests now use :mod:`!unittest2` if available.
    * Setup script no longer requires distribute or setuptools.
    * added (undocumented, experimental) Django app
      for overriding Django's default hash format,
      see ``docs/lib/passlib.ext.django.rst`` for more.