mirror of
				https://github.com/django/django.git
				synced 2025-10-26 07:06:08 +00:00 
			
		
		
		
	Refs #27468 -- Added algorithm parameter to django.utils.crypto.salted_hmac().
This commit is contained in:
		
				
					committed by
					
						 Mariusz Felisiak
						Mariusz Felisiak
					
				
			
			
				
	
			
			
			
						parent
						
							c00b863ac6
						
					
				
				
					commit
					50cf183d21
				
			| @@ -9,10 +9,16 @@ from django.conf import settings | |||||||
| from django.utils.encoding import force_bytes | from django.utils.encoding import force_bytes | ||||||
|  |  | ||||||
|  |  | ||||||
| def salted_hmac(key_salt, value, secret=None): | class InvalidAlgorithm(ValueError): | ||||||
|  |     """Algorithm is not supported by hashlib.""" | ||||||
|  |     pass | ||||||
|  |  | ||||||
|  |  | ||||||
|  | def salted_hmac(key_salt, value, secret=None, *, algorithm='sha1'): | ||||||
|     """ |     """ | ||||||
|     Return the HMAC-SHA1 of 'value', using a key generated from key_salt and a |     Return the HMAC of 'value', using a key generated from key_salt and a | ||||||
|     secret (which defaults to settings.SECRET_KEY). |     secret (which defaults to settings.SECRET_KEY). Default algorithm is SHA1, | ||||||
|  |     but any algorithm name supported by hashlib.new() can be passed. | ||||||
|  |  | ||||||
|     A different key_salt should be passed in for every application of HMAC. |     A different key_salt should be passed in for every application of HMAC. | ||||||
|     """ |     """ | ||||||
| @@ -21,16 +27,21 @@ def salted_hmac(key_salt, value, secret=None): | |||||||
|  |  | ||||||
|     key_salt = force_bytes(key_salt) |     key_salt = force_bytes(key_salt) | ||||||
|     secret = force_bytes(secret) |     secret = force_bytes(secret) | ||||||
|  |     try: | ||||||
|  |         hasher = getattr(hashlib, algorithm) | ||||||
|  |     except AttributeError as e: | ||||||
|  |         raise InvalidAlgorithm( | ||||||
|  |             '%r is not an algorithm accepted by the hashlib module.' | ||||||
|  |             % algorithm | ||||||
|  |         ) from e | ||||||
|     # We need to generate a derived key from our base key.  We can do this by |     # We need to generate a derived key from our base key.  We can do this by | ||||||
|     # passing the key_salt and our base key through a pseudo-random function and |     # passing the key_salt and our base key through a pseudo-random function. | ||||||
|     # SHA1 works nicely. |     key = hasher(key_salt + secret).digest() | ||||||
|     key = hashlib.sha1(key_salt + secret).digest() |  | ||||||
|     # If len(key_salt + secret) > block size of the hash algorithm, the above |     # If len(key_salt + secret) > block size of the hash algorithm, the above | ||||||
|     # line is redundant and could be replaced by key = key_salt + secret, since |     # line is redundant and could be replaced by key = key_salt + secret, since | ||||||
|     # the hmac module does the same thing for keys longer than the block size. |     # the hmac module does the same thing for keys longer than the block size. | ||||||
|     # However, we need to ensure that we *always* do this. |     # However, we need to ensure that we *always* do this. | ||||||
|     return hmac.new(key, msg=force_bytes(value), digestmod=hashlib.sha1) |     return hmac.new(key, msg=force_bytes(value), digestmod=hasher) | ||||||
|  |  | ||||||
|  |  | ||||||
| def get_random_string(length=12, | def get_random_string(length=12, | ||||||
|   | |||||||
| @@ -1,10 +1,13 @@ | |||||||
| import hashlib | import hashlib | ||||||
| import unittest | import unittest | ||||||
|  |  | ||||||
| from django.utils.crypto import constant_time_compare, pbkdf2, salted_hmac | from django.test import SimpleTestCase | ||||||
|  | from django.utils.crypto import ( | ||||||
|  |     InvalidAlgorithm, constant_time_compare, pbkdf2, salted_hmac, | ||||||
|  | ) | ||||||
|  |  | ||||||
|  |  | ||||||
| class TestUtilsCryptoMisc(unittest.TestCase): | class TestUtilsCryptoMisc(SimpleTestCase): | ||||||
|  |  | ||||||
|     def test_constant_time_compare(self): |     def test_constant_time_compare(self): | ||||||
|         # It's hard to test for constant time, just test the result. |         # It's hard to test for constant time, just test the result. | ||||||
| @@ -27,11 +30,31 @@ class TestUtilsCryptoMisc(unittest.TestCase): | |||||||
|                 {'secret': 'x' * hashlib.sha1().block_size}, |                 {'secret': 'x' * hashlib.sha1().block_size}, | ||||||
|                 'bd3749347b412b1b0a9ea65220e55767ac8e96b0', |                 'bd3749347b412b1b0a9ea65220e55767ac8e96b0', | ||||||
|             ), |             ), | ||||||
|  |             ( | ||||||
|  |                 ('salt', 'value'), | ||||||
|  |                 {'algorithm': 'sha256'}, | ||||||
|  |                 'ee0bf789e4e009371a5372c90f73fcf17695a8439c9108b0480f14e347b3f9ec', | ||||||
|  |             ), | ||||||
|  |             ( | ||||||
|  |                 ('salt', 'value'), | ||||||
|  |                 { | ||||||
|  |                     'algorithm': 'blake2b', | ||||||
|  |                     'secret': 'x' * hashlib.blake2b().block_size, | ||||||
|  |                 }, | ||||||
|  |                 'fc6b9800a584d40732a07fa33fb69c35211269441823bca431a143853c32f' | ||||||
|  |                 'e836cf19ab881689528ede647dac412170cd5d3407b44c6d0f44630690c54' | ||||||
|  |                 'ad3d58', | ||||||
|  |             ), | ||||||
|         ] |         ] | ||||||
|         for args, kwargs, digest in tests: |         for args, kwargs, digest in tests: | ||||||
|             with self.subTest(args=args, kwargs=kwargs): |             with self.subTest(args=args, kwargs=kwargs): | ||||||
|                 self.assertEqual(salted_hmac(*args, **kwargs).hexdigest(), digest) |                 self.assertEqual(salted_hmac(*args, **kwargs).hexdigest(), digest) | ||||||
|  |  | ||||||
|  |     def test_invalid_algorithm(self): | ||||||
|  |         msg = "'whatever' is not an algorithm accepted by the hashlib module." | ||||||
|  |         with self.assertRaisesMessage(InvalidAlgorithm, msg): | ||||||
|  |             salted_hmac('salt', 'value', algorithm='whatever') | ||||||
|  |  | ||||||
|  |  | ||||||
| class TestUtilsCryptoPBKDF2(unittest.TestCase): | class TestUtilsCryptoPBKDF2(unittest.TestCase): | ||||||
|  |  | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user