mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #31358 -- Increased salt entropy of password hashers.

Browse Source 
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
This commit is contained in:
Jon Moroney
2020-06-24 19:28:07 -07:00
committed by Mariusz Felisiak
parent 6bd206e1ff
commit 76ae6ccf85
5 changed files with 77 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
tests/auth_tests/test_hashers.py
View File

@@ -74,6 +74,12 @@ class TestUtilsHashPass(SimpleTestCase):
self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded))
# Salt entropy check.
hasher = get_hasher('pbkdf2_sha256')
encoded_weak_salt = make_password('lètmein', 'iodizedsalt', 'pbkdf2_sha256')
encoded_strong_salt = make_password('lètmein', hasher.salt(), 'pbkdf2_sha256')
self.assertIs(hasher.must_update(encoded_weak_salt), True)
self.assertIs(hasher.must_update(encoded_strong_salt), False)
@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'])
def test_sha1(self):
@@ -89,6 +95,12 @@ class TestUtilsHashPass(SimpleTestCase):
self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded))
# Salt entropy check.
hasher = get_hasher('sha1')
encoded_weak_salt = make_password('lètmein', 'iodizedsalt', 'sha1')
encoded_strong_salt = make_password('lètmein', hasher.salt(), 'sha1')
self.assertIs(hasher.must_update(encoded_weak_salt), True)
self.assertIs(hasher.must_update(encoded_strong_salt), False)
@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.MD5PasswordHasher'])
def test_md5(self):
@@ -104,6 +116,12 @@ class TestUtilsHashPass(SimpleTestCase):
self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded))
# Salt entropy check.
hasher = get_hasher('md5')
encoded_weak_salt = make_password('lètmein', 'iodizedsalt', 'md5')
encoded_strong_salt = make_password('lètmein', hasher.salt(), 'md5')
self.assertIs(hasher.must_update(encoded_weak_salt), True)
self.assertIs(hasher.must_update(encoded_strong_salt), False)
@override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.UnsaltedMD5PasswordHasher'])
def test_unsalted_md5(self):
@@ -537,6 +555,12 @@ class TestUtilsHashPassArgon2(SimpleTestCase):
)
self.assertIs(check_password('secret', encoded), True)
self.assertIs(check_password('wrong', encoded), False)
# Salt entropy check.
hasher = get_hasher('argon2')
encoded_weak_salt = make_password('lètmein', 'iodizedsalt', 'argon2')
encoded_strong_salt = make_password('lètmein', hasher.salt(), 'argon2')
self.assertIs(hasher.must_update(encoded_weak_salt), True)
self.assertIs(hasher.must_update(encoded_strong_salt), False)
def test_argon2_decode(self):
salt = 'abcdefghijk'