support SASLprep in CryptContext

Issue #24 open
Eli Collins repo owner created an issue

(Imported from Google Code)

Passlib currently takes in whatever unicode sequence is offered, and hashes it. However, there are unicode normalization issues, non-printing code points (eg SHY) that should be discarded, and many other things which might cause problems reproducing the correct hash from differing user input.

SASL has already addressed this problem via the SASL stringprep profile - https://tools.ietf.org/html/rfc4013 - this provides a well-thought-out unicode normalization policy to prepare passwords for hashing.

It would be good to integrate this into passlib, but it would have to be done in a way that wouldn't impact existing hashes and deployments, which may be relying on other policies. One possible way would be to add a 'stringprep' option to CryptContext, and let it take care of preparing passwords before hashing them.
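The following is an added example, not code from the passlib project (passlib ships its own passlib.utils.saslprep(), mentioned in the comment below). It implements the RFC 4013 SASLprep steps in order (map, NFKC normalize, reject prohibited output, bidi check, reject unassigned code points) using only the Python standard library `stringprep` and `unicodedata` modules, then shows why preparing the password before hashing makes differing user input (precomposed vs. decomposed accents, a stray SOFT HYPHEN, a non-ASCII space) reproduce the same hash. The `hash_password`/`verify_password` helpers, the PBKDF2 parameters and the sample salt are constructed for this example and are not passlib's API.

```python
import hashlib
import hmac
import stringprep
import unicodedata


class SASLprepError(ValueError):
    """Raised when the password contains code points RFC 4013 prohibits."""


def saslprep(source: str) -> str:
    """Apply the RFC 4013 SASLprep profile (stored-string mode) to a password.

    Note: Python's stringprep tables are the Unicode 3.2 tables from RFC 3454,
    so code points assigned after Unicode 3.2 (emoji, for instance) are
    rejected as "unassigned" by the final step. This matches the RFC; it is
    not an implementation shortcut.
    """
    # Step 1 (mapping): drop "commonly mapped to nothing" chars (B.1, e.g.
    # U+00AD SOFT HYPHEN) and map non-ASCII spaces (C.1.2) to U+0020.
    mapped = []
    for ch in source:
        if stringprep.in_table_b1(ch):
            continue
        mapped.append(" " if stringprep.in_table_c12(ch) else ch)
    data = "".join(mapped)

    # Step 2 (normalization): NFKC, so "e" + COMBINING ACUTE == U+00E9 and
    # compatibility forms such as the "fi" ligature become plain letters.
    data = unicodedata.normalize("NFKC", data)

    # Step 3 (prohibited output): any of these tables rejects the password.
    prohibited = (
        stringprep.in_table_c12,       # non-ASCII space (should not survive step 1/2)
        stringprep.in_table_c21_c22,   # ASCII and non-ASCII control characters
        stringprep.in_table_c3,        # private use
        stringprep.in_table_c4,        # non-character code points
        stringprep.in_table_c5,        # surrogate code points
        stringprep.in_table_c6,        # inappropriate for plain text
        stringprep.in_table_c7,        # inappropriate for canonical representation
        stringprep.in_table_c8,        # change display properties / deprecated
        stringprep.in_table_c9,        # tagging characters
    )
    for ch in data:
        for check in prohibited:
            if check(ch):
                raise SASLprepError(f"prohibited code point U+{ord(ch):04X}")

    # Step 4 (bidi): a string with RandALCat chars (D.1) may not also contain
    # LCat chars (D.2), and must both start and end with a RandALCat char.
    if any(stringprep.in_table_d1(ch) for ch in data):
        if any(stringprep.in_table_d2(ch) for ch in data):
            raise SASLprepError("mixed right-to-left and left-to-right characters")
        if not (stringprep.in_table_d1(data[0]) and stringprep.in_table_d1(data[-1])):
            raise SASLprepError("right-to-left string must start and end with RandALCat")

    # Step 5 (unassigned): stored strings may not contain unassigned code points.
    for ch in data:
        if stringprep.in_table_a1(ch):
            raise SASLprepError(f"unassigned code point U+{ord(ch):04X}")

    return data


# Constructed helpers showing the "prepare, then hash" ordering. PBKDF2-HMAC-SHA256
# stands in for whatever scheme a CryptContext would actually be configured with.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hash the SASLprep'd, UTF-8 encoded password."""
    prepared = saslprep(password)
    return hashlib.pbkdf2_hmac("sha256", prepared.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Return True if `password` reproduces `expected`; prohibited input never matches."""
    try:
        candidate = hash_password(password, salt, iterations)
    except SASLprepError:
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    salt = b"constructed-salt"                       # constructed sample value
    stored = hash_password("caf\u00e9", salt)        # user enrolled with precomposed "é"
    print(verify_password("cafe\u0301", salt, stored))   # decomposed "e" + U+0301: True
    print(verify_password("caf\u00ad\u00e9", salt, stored))  # stray SOFT HYPHEN: True
    print(verify_password("cafe", salt, stored))     # genuinely different password: False
```

The important design point is the order of operations: normalization happens on the unicode string before it is encoded and fed to the hash, and a password that fails SASLprep is rejected at enrolment rather than silently hashed, so the same rejection happens at verification time and no hash is ever stored for input that cannot be reproduced consistently.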

Comments (3)

  1. Eli Collins reporter
    • changed status to open
    • changed Milestone to 1.7
    (Imported from Google Code)

    I decided the implementation of the feature was half-baked...

    * the config interface was too flexible in useless ways
    * the simple case was hard to enable
    * the whole codebase needs to mess with per-hash 'encoding' kwds, which it doesn't.
    * it would also need to mesh with context-wide encoding policies when/if those are added.

    Given all that, removed the CryptContext integration for saslprep until another release. The passlib.utils.saslprep() function will still be there for applications to use on their own, though.
