Add support of new crypt methods

[serhiy-storchaka]

BPO	31664
Nosy	@gpshead, @vstinner, @tiran, @serhiy-storchaka, @dstufft
PRs	bpo-31664: Add support of Blowfish in crypt. #3854 bpo-31664: Fix test_crypt for the openwall implementation of crypt. #4116 bpo-44309: Add support for yescrypt in crypt. #26526

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2017-10-25.14:41:00.466>
created_at = <Date 2017-10-02.09:24:48.630>
labels = ['3.7', 'type-feature', 'library']
title = 'Add support of new crypt methods'
updated_at = <Date 2021-06-04.10:57:10.268>
user = 'https://github.com/serhiy-storchaka'

bugs.python.org fields:

activity = <Date 2021-06-04.10:57:10.268>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2017-10-25.14:41:00.466>
closer = 'serhiy.storchaka'
components = ['Library (Lib)']
creation = <Date 2017-10-02.09:24:48.630>
creator = 'serhiy.storchaka'
dependencies = []
files = []
hgrepos = []
issue_num = 31664
keywords = ['patch']
message_count = 8.0
messages = ['303516', '303527', '303545', '303761', '304927', '304949', '304985', '304990']
nosy_count = 7.0
nosy_names = ['gregory.p.smith', 'jafo', 'vstinner', 'christian.heimes', 'python-dev', 'serhiy.storchaka', 'dstufft']
pr_nums = ['3854', '4116', '26526']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue31664'
versions = ['Python 3.7']

[serhiy-storchaka]

Proposed PR adds support of three new methods in the crypt module.

1. Blowfish. It is considered as strong as SSH512 for crypt() purpose. There are several variants of this method: '2', '2a', '2b' and '2y'. '2y' looks the same as '2b', other variants have different flaws. All four are supported on FreeBSD. '2b' is the only method available on OpenBSD, hence this change also fixes crypt on OpenBSD (see bpo-25287). Blowfish is not supported in glibc, but it is added in some Linux distributions (not in Ubuntu). The most strong of the available variants is chosen.

2. Extended DES. In contrary to traditional default algorithm it uses salt longer than 2 characters. It is supported on FreeBSD.

3. NT-Hash. It doesn't use salt and is compatible with Microsoft's NT scheme. It is supported on FreeBSD.

mksalt() now takes the log_rounds argument for Blowfish. I'm not sure this is the best solution. And what should be a default value?

[tiran]

-1 on DES and NT Hash

These are very old, very bad algorithms and should no longer be used. We are in the 21th century.

[serhiy-storchaka]

I concur. Initially I implemented all three methods, then removed they except Blowfish, and then re-added they back just for showing they to security experts.

[serhiy-storchaka]

In bpo-31702 I propose related improvement for the SHA-* methods.

[serhiy-storchaka]

New changeset eab3ff7 by Serhiy Storchaka in branch 'master':
bpo-31664: Add support for the Blowfish method in crypt. (bpo-3854)
eab3ff7

[vstinner]

Failure on s390x SLES 3.x:

http://buildbot.python.org/all/#/builders/16/builds/65

======================================================================
FAIL: test_invalid_log_rounds (test.test_crypt.CryptTestCase)
----------------------------------------------------------------------

Traceback (most recent call last):
  File "/home/dje/cpython-buildarea/3.x.edelsohn-sles-z/build/Lib/test/test_crypt.py", line 60, in test_invalid_log_rounds
    self.assertIsNone(crypt.crypt('mypassword', salt))
AssertionError: '*0' is not None

[serhiy-storchaka]

New changeset 0f26158 by Serhiy Storchaka in branch 'master':
bpo-31664: Fix test_crypt for the openwall implementation of crypt. (bpo-4116)
0f26158

[serhiy-storchaka]

Tests on s390x SLES 3.x are passed.