Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

[1.6.x] Force update of the password on iteration count changes.

Backport of 7d0d0db from master.
  • Loading branch information...
commit 823951ec55f17373561b4e97ecbe369c2cac364c 1 parent 37aea82
@apollo13 apollo13 authored
View
9 django/contrib/auth/hashers.py
@@ -56,6 +56,8 @@ def check_password(password, encoded, setter=None, preferred='default'):
hasher = identify_hasher(encoded)
must_update = hasher.algorithm != preferred.algorithm
+ if not must_update:
+ must_update = hasher.must_update(encoded)
is_correct = hasher.verify(password, encoded)
if setter and is_correct and must_update:
setter(password)
@@ -212,6 +214,9 @@ def safe_summary(self, encoded):
"""
raise NotImplementedError()
+ def must_update(self, encoded):
+ return False
+
class PBKDF2PasswordHasher(BasePasswordHasher):
"""
@@ -250,6 +255,10 @@ def safe_summary(self, encoded):
(_('hash'), mask_hash(hash)),
])
+ def must_update(self, encoded):
+ algorithm, iterations, salt, hash = encoded.split('$', 3)
+ return int(iterations) != self.iterations
+
class PBKDF2SHA1PasswordHasher(PBKDF2PasswordHasher):
"""
View
31 django/contrib/auth/tests/test_hashers.py
@@ -244,6 +244,37 @@ def setter():
self.assertFalse(check_password('WRONG', encoded, setter))
self.assertFalse(state['upgraded'])
+ def test_pbkdf2_upgrade(self):
+ self.assertEqual('pbkdf2_sha256', get_hasher('default').algorithm)
+ hasher = get_hasher('default')
+ self.assertNotEqual(hasher.iterations, 1)
+
+ old_iterations = hasher.iterations
+ try:
+ # Generate a password with 1 iteration.
+ hasher.iterations = 1
+ encoded = make_password('letmein')
+ algo, iterations, salt, hash = encoded.split('$', 3)
+ self.assertEqual(iterations, '1')
+
+ state = {'upgraded': False}
+ def setter(password):
+ state['upgraded'] = True
+
+ # Check that no upgrade is triggerd
+ self.assertTrue(check_password('letmein', encoded, setter))
+ self.assertFalse(state['upgraded'])
+
+ # Revert to the old iteration count and ...
+ hasher.iterations = old_iterations
+
+ # ... check if the password would get updated to the new iteration count.
+ self.assertTrue(check_password('letmein', encoded, setter))
+ self.assertTrue(state['upgraded'])
+ finally:
+ hasher.iterations = old_iterations
+
+
def test_load_library_no_algorithm(self):
with self.assertRaises(ValueError) as e:
BasePasswordHasher()._load_library()
Please sign in to comment.
Something went wrong with that request. Please try again.