-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace PBKDF2 class by python stdlib implementation #69
Conversation
hashlib.pbkdf2_hmac has been backported to Python 2.7 (see PEP 466). In order to avoid reinventing the wheel and to include less third party code we switch to the stdlib implementation.
@@ -19,6 +19,8 @@ | |||
import sys, binascii, random, logging | |||
from struct import pack | |||
from binascii import b2a_hex, a2b_hex | |||
from base64 import b64encode |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
did you want to remove the local implementation of b64encode()
as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The b64encode()
function was part of the PBKDF2
implementation we included from a third party as well, so I replaced it by using the equivalent stdlib function. It's not used anywhere else in the code.
Right now the only thing left from the borrowed PBKDF2
implementation are the crypt()
and _makesalt()
functions. Maybe I will do some more changes to these functions as well but I will have to think a bit more about it in order to avoid braking stuff.
Thanks! I guess that some day we should move to python3 eventually... Could you maybe have a look at the problem regarding pycrypto https://travis-ci.org/frankmorgner/vsmartcard/jobs/113253979#L3229? It's there since some time due to a change of the travis-ci environment. I was unsuccessful in resolving this so far, https://github.com/frankmorgner/vsmartcard/tree/test... |
BTW, there is a chance that this change breaks the deserialization of cards saved with |
Well, maybe rewriting the python code from scratch is the fastest and easiest way of solving the python issues... Unfortunately I won't have time for that in the near future. I know that |
Unfortunately, the change does indeed break backwards compatibility, see the new tests introduced in commits c8f2776 and 82e9248. I couldn't yet figure out what breaks exactly and how to fix it. Before I spend more time debugging I wanted to ask: do we care? As I see it there are several options (in no order of preference):
I'd vote for options 3. or 1. |
On 03.03.2016 17:45, Frank Morgner wrote:
I concur that rewriting the python code from scratch is currently |
No problem, we continue with the change as is. |
Replace PBKDF2 class by python stdlib implementation
This commit breaks my environment :-( I suggest to keep backwards compatibility for a longer time than on your systems! |
quoted from the Python 2.7.8 Release notes:
I'd advice you to upgrade your system to the latest version (anyway). Here is a description of how to install upgrade Python without breaking things https://renoirboulanger.com/blog/2015/04/upgrade-python-2-7-9-ubuntu-14-04-lts-making-deb-package/ |
I'm pretty sure Ubuntu LTS backports the security fixes so asking all users of a pretty common and supported Linux distribution feels like the wrong way to go. We could do one of the following things:
On 21 March 2016 16:41:42 CET, Frank Morgner [email protected] wrote:
Sent from my Android device with K-9 Mail. Please excuse my brevity. |
Frank, I know that blog entry, but you know I can not use every "fancy newest package" ;-) Why not using both? Can you separate the usage via such Determination?
If nothing helps, I have to wait some days until Ubuntu 16.04 LTS will be released in April and it contains Phyton 2.7.11 |
Could you check whether our test suite works for you with 0415f32 applied? It should be executed with something like this:
|
IMHO that is the least desirable option with regard to simplicity, maintainability and code quality. I would be happy to nuke serialization support or migrate to a different KDF (like bcrypt or scrypt both of which have implementations available in PIP). However, I'm currently travelling and will only be able to do start doing that in 2.5 weeks. On 24 March 2016 10:43:14 CET, Frank Morgner [email protected] wrote:
Sent from my Android device with K-9 Mail. Please excuse my brevity. |
Agreed @d0 , we'll let this be as is for now... |
Hello Frank, your current branch pbkdf2 with mentioned patch
works fine at least for me. |
One of the problems with the pbkdf2 branch is that the hashlib implemenation and the fallback implementation are not interoperable. So if a user creates a serialized card with one implementation it cannot be loaded with the other. I have prepared two branches:
|
@frankmorgner Any feedback on this? |
I agree, we can remove serialization. Sorry for the late response. Will you make a PR? |
I created a PR to remove serialization (#78) |
hashlib.pbkdf2_hmac
has been backported to Python 2.7 (see PEP 466). Inorder to avoid reinventing the wheel and to include less third party
code we should consider switching to the stdlib implementation.