From d0e4dd5cdd743a5c43c4ccc2c8fa29d3982eaa71 Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Tue, 26 Aug 2025 13:37:34 +0200 Subject: [PATCH] Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0. --- django/contrib/auth/__init__.py | 14 +++++++------- django/contrib/auth/hashers.py | 16 ++++++++++------ django/contrib/auth/tokens.py | 5 ++--- django/core/signing.py | 5 ++--- django/middleware/csrf.py | 5 ++--- django/utils/crypto.py | 9 +-------- docs/internals/deprecation.txt | 2 -- docs/releases/6.0.txt | 3 --- tests/utils_tests/test_crypto.py | 17 ++++------------- 9 files changed, 28 insertions(+), 48 deletions(-) diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py index f83007ac94..d752e3172b 100644 --- a/django/contrib/auth/__init__.py +++ b/django/contrib/auth/__init__.py @@ -1,4 +1,3 @@ -import hmac import inspect import re import warnings @@ -7,6 +6,7 @@ from django.apps import apps as django_apps from django.conf import settings from django.core.exceptions import ImproperlyConfigured, PermissionDenied from django.middleware.csrf import rotate_token +from django.utils.crypto import constant_time_compare from django.utils.deprecation import RemovedInDjango61Warning from django.utils.module_loading import import_string from django.views.decorators.debug import sensitive_variables @@ -175,7 +175,7 @@ def login(request, user, backend=None): if SESSION_KEY in request.session: if _get_user_session_key(request) != user.pk or ( session_auth_hash - and not hmac.compare_digest( + and not constant_time_compare( request.session.get(HASH_SESSION_KEY, ""), session_auth_hash ) ): @@ -217,7 +217,7 @@ async def alogin(request, user, backend=None): if await request.session.ahas_key(SESSION_KEY): if await _aget_user_session_key(request) != user.pk or ( session_auth_hash - and not hmac.compare_digest( + and not constant_time_compare( await request.session.aget(HASH_SESSION_KEY, ""), session_auth_hash, ) @@ -323,7 +323,7 @@ def get_user(request): session_hash_verified = False else: session_auth_hash = user.get_session_auth_hash() - session_hash_verified = hmac.compare_digest( + session_hash_verified = constant_time_compare( session_hash, session_auth_hash ) if not session_hash_verified: @@ -331,7 +331,7 @@ def get_user(request): # with the fallback secrets and stop when a matching one is # found. if session_hash and any( - hmac.compare_digest(session_hash, fallback_auth_hash) + constant_time_compare(session_hash, fallback_auth_hash) for fallback_auth_hash in user.get_session_auth_fallback_hash() ): request.session.cycle_key() @@ -364,7 +364,7 @@ async def aget_user(request): session_hash_verified = False else: session_auth_hash = user.get_session_auth_hash() - session_hash_verified = hmac.compare_digest( + session_hash_verified = constant_time_compare( session_hash, session_auth_hash ) if not session_hash_verified: @@ -372,7 +372,7 @@ async def aget_user(request): # with the fallback secrets and stop when a matching one is # found. if session_hash and any( - hmac.compare_digest(session_hash, fallback_auth_hash) + constant_time_compare(session_hash, fallback_auth_hash) for fallback_auth_hash in user.get_session_auth_fallback_hash() ): await request.session.acycle_key() diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py index 4767ad560b..4bb518cb89 100644 --- a/django/contrib/auth/hashers.py +++ b/django/contrib/auth/hashers.py @@ -2,7 +2,6 @@ import base64 import binascii import functools import hashlib -import hmac import importlib import math import warnings @@ -13,7 +12,12 @@ from django.conf import settings from django.core.exceptions import ImproperlyConfigured from django.core.signals import setting_changed from django.dispatch import receiver -from django.utils.crypto import RANDOM_STRING_CHARS, get_random_string, pbkdf2 +from django.utils.crypto import ( + RANDOM_STRING_CHARS, + constant_time_compare, + get_random_string, + pbkdf2, +) from django.utils.encoding import force_bytes, force_str from django.utils.module_loading import import_string from django.utils.translation import gettext_noop as _ @@ -345,7 +349,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher): def verify(self, password, encoded): decoded = self.decode(encoded) encoded_2 = self.encode(password, decoded["salt"], decoded["iterations"]) - return hmac.compare_digest(encoded, encoded_2) + return constant_time_compare(encoded, encoded_2) def safe_summary(self, encoded): decoded = self.decode(encoded) @@ -529,7 +533,7 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher): algorithm, data = encoded.split("$", 1) assert algorithm == self.algorithm encoded_2 = self.encode(password, data.encode("ascii")) - return hmac.compare_digest(encoded, encoded_2) + return constant_time_compare(encoded, encoded_2) def safe_summary(self, encoded): decoded = self.decode(encoded) @@ -624,7 +628,7 @@ class ScryptPasswordHasher(BasePasswordHasher): decoded["block_size"], decoded["parallelism"], ) - return hmac.compare_digest(encoded, encoded_2) + return constant_time_compare(encoded, encoded_2) def safe_summary(self, encoded): decoded = self.decode(encoded) @@ -677,7 +681,7 @@ class MD5PasswordHasher(BasePasswordHasher): def verify(self, password, encoded): decoded = self.decode(encoded) encoded_2 = self.encode(password, decoded["salt"]) - return hmac.compare_digest(encoded, encoded_2) + return constant_time_compare(encoded, encoded_2) def safe_summary(self, encoded): decoded = self.decode(encoded) diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py index 8e5d95cefd..09cc2b5195 100644 --- a/django/contrib/auth/tokens.py +++ b/django/contrib/auth/tokens.py @@ -1,8 +1,7 @@ -import hmac from datetime import datetime from django.conf import settings -from django.utils.crypto import salted_hmac +from django.utils.crypto import constant_time_compare, salted_hmac from django.utils.http import base36_to_int, int_to_base36 @@ -68,7 +67,7 @@ class PasswordResetTokenGenerator: # Check that the timestamp/uid has not been tampered with for secret in [self.secret, *self.secret_fallbacks]: - if hmac.compare_digest( + if constant_time_compare( self._make_token_with_timestamp(user, ts, secret), token, ): diff --git a/django/core/signing.py b/django/core/signing.py index 222710efee..ed56ce0908 100644 --- a/django/core/signing.py +++ b/django/core/signing.py @@ -36,13 +36,12 @@ These functions make use of all of them. import base64 import datetime -import hmac import json import time import zlib from django.conf import settings -from django.utils.crypto import salted_hmac +from django.utils.crypto import constant_time_compare, salted_hmac from django.utils.encoding import force_bytes from django.utils.module_loading import import_string from django.utils.regex_helper import _lazy_re_compile @@ -210,7 +209,7 @@ class Signer: raise BadSignature('No "%s" found in value' % self.sep) value, sig = signed_value.rsplit(self.sep, 1) for key in [self.key, *self.fallback_keys]: - if hmac.compare_digest(sig, self.signature(value, key)): + if constant_time_compare(sig, self.signature(value, key)): return value raise BadSignature('Signature "%s" does not match' % sig) diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index 113db56196..c2800cfad4 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -5,7 +5,6 @@ This module provides a middleware that implements protection against request forgeries from other sites. """ -import hmac import logging import string from collections import defaultdict @@ -16,7 +15,7 @@ from django.core.exceptions import DisallowedHost, ImproperlyConfigured from django.http import HttpHeaders, UnreadablePostError from django.urls import get_callable from django.utils.cache import patch_vary_headers -from django.utils.crypto import get_random_string +from django.utils.crypto import constant_time_compare, get_random_string from django.utils.deprecation import MiddlewareMixin from django.utils.functional import cached_property from django.utils.http import is_same_domain @@ -155,7 +154,7 @@ def _does_token_match(request_csrf_token, csrf_secret): if len(request_csrf_token) == CSRF_TOKEN_LENGTH: request_csrf_token = _unmask_cipher_token(request_csrf_token) assert len(request_csrf_token) == CSRF_SECRET_LENGTH - return hmac.compare_digest(request_csrf_token, csrf_secret) + return constant_time_compare(request_csrf_token, csrf_secret) class RejectRequest(Exception): diff --git a/django/utils/crypto.py b/django/utils/crypto.py index b6145709c3..4b8146695a 100644 --- a/django/utils/crypto.py +++ b/django/utils/crypto.py @@ -5,10 +5,8 @@ Django's standard crypto functions and utilities. import hashlib import hmac import secrets -import warnings from django.conf import settings -from django.utils.deprecation import RemovedInDjango70Warning from django.utils.encoding import force_bytes @@ -66,12 +64,7 @@ def get_random_string(length, allowed_chars=RANDOM_STRING_CHARS): def constant_time_compare(val1, val2): """Return True if the two strings are equal, False otherwise.""" - warnings.warn( - "constant_time_compare() is deprecated. Use hmac.compare_digest() instead.", - RemovedInDjango70Warning, - stacklevel=2, - ) - return hmac.compare_digest(val1, val2) + return secrets.compare_digest(force_bytes(val1), force_bytes(val2)) def pbkdf2(password, salt, iterations, dklen=0, digest=None): diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index 5337800d67..22105090d2 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -53,8 +53,6 @@ details on these changes. * The ``django.core.mail.forbid_multi_line_headers()`` and ``django.core.mail.message.sanitize_address()`` functions will be removed. -* The ``django.utils.crypto.constant_time_compare()`` function will be removed. - .. _deprecation-removed-in-6.1: 6.1 diff --git a/docs/releases/6.0.txt b/docs/releases/6.0.txt index f131ac7c0d..e54b9788ce 100644 --- a/docs/releases/6.0.txt +++ b/docs/releases/6.0.txt @@ -570,9 +570,6 @@ Miscellaneous * The undocumented ``django.core.mail.forbid_multi_line_headers()`` and ``django.core.mail.message.sanitize_address()`` functions are deprecated. -* The ``django.utils.crypto.constant_time_compare()`` function is deprecated - because it is merely an alias of :py:func:`hmac.compare_digest`. - Features removed in 6.0 ======================= diff --git a/tests/utils_tests/test_crypto.py b/tests/utils_tests/test_crypto.py index bbedb3080d..6fb4bfa453 100644 --- a/tests/utils_tests/test_crypto.py +++ b/tests/utils_tests/test_crypto.py @@ -2,34 +2,25 @@ import hashlib import unittest from django.test import SimpleTestCase -from django.test.utils import ignore_warnings from django.utils.crypto import ( InvalidAlgorithm, constant_time_compare, pbkdf2, salted_hmac, ) -from django.utils.deprecation import RemovedInDjango70Warning class TestUtilsCryptoMisc(SimpleTestCase): - # RemovedInDjango70Warning. - @ignore_warnings(category=RemovedInDjango70Warning) def test_constant_time_compare(self): # It's hard to test for constant time, just test the result. self.assertTrue(constant_time_compare(b"spam", b"spam")) self.assertFalse(constant_time_compare(b"spam", b"eggs")) self.assertTrue(constant_time_compare("spam", "spam")) self.assertFalse(constant_time_compare("spam", "eggs")) - - def test_constant_time_compare_deprecated(self): - msg = ( - "constant_time_compare() is deprecated. " - "Use hmac.compare_digest() instead." - ) - with self.assertWarnsMessage(RemovedInDjango70Warning, msg) as ctx: - constant_time_compare(b"spam", b"spam") - self.assertEqual(ctx.filename, __file__) + self.assertTrue(constant_time_compare(b"spam", "spam")) + self.assertFalse(constant_time_compare("spam", b"eggs")) + self.assertTrue(constant_time_compare("ありがとう", "ありがとう")) + self.assertFalse(constant_time_compare("ありがとう", "おはよう")) def test_salted_hmac(self): tests = [