From c76d51b3ad34bc2ed2155054bfb283ef53beb26a Mon Sep 17 00:00:00 2001
From: Florian Apolloner <florian@apolloner.eu>
Date: Sun, 27 Dec 2020 17:25:22 +0100
Subject: [PATCH] Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher.

Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
---
 django/contrib/auth/hashers.py   |  5 ++++-
 tests/auth_tests/test_hashers.py | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
index 99d3d5ff6a..0e44614fcb 100644
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -344,7 +344,10 @@ class Argon2PasswordHasher(BasePasswordHasher):
         algorithm, rest = encoded.split('$', 1)
         assert algorithm == self.algorithm
         params = argon2.extract_parameters('$' + rest)
-        variety, *_, salt, hash = rest.split('$')
+        variety, *_, b64salt, hash = rest.split('$')
+        # Add padding.
+        b64salt += '=' * (-len(b64salt) % 4)
+        salt = base64.b64decode(b64salt).decode('latin1')
         return {
             'algorithm': algorithm,
             'hash': hash,
diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
index ec056660b7..55c436b993 100644
--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
@@ -526,6 +526,16 @@ class TestUtilsHashPassArgon2(SimpleTestCase):
         self.assertIs(check_password('secret', encoded), True)
         self.assertIs(check_password('wrong', encoded), False)
 
+    def test_argon2_decode(self):
+        salt = 'abcdefghijk'
+        encoded = make_password('lètmein', salt=salt, hasher='argon2')
+        hasher = get_hasher('argon2')
+        decoded = hasher.decode(encoded)
+        self.assertEqual(decoded['memory_cost'], hasher.memory_cost)
+        self.assertEqual(decoded['parallelism'], hasher.parallelism)
+        self.assertEqual(decoded['salt'], salt)
+        self.assertEqual(decoded['time_cost'], hasher.time_cost)
+
     def test_argon2_upgrade(self):
         self._test_argon2_upgrade('time_cost', 'time cost', 1)
         self._test_argon2_upgrade('memory_cost', 'memory cost', 64)