apollo13
Member

Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode we
now b64decode it and decode from latin1 (for the remote possibility that
someone supplied a custom hash consisting solely of bytes -- this would
require a manual construction of the hash though, Django's interface
does not allow for that).

I ran into this while working on #12553 just now.

@apollo13
Member Author

I have pushed a followup commit which uses decode in must_update like the other hashers do. This will give #12553 access to the needed salt then.

Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
@felixxm felixxm changed the title Properly return salt of argon2 hashes in decode/safe_summary. Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher. Dec 28, 2020
Member

@felixxm felixxm left a comment

@apollo13 Thanks 👍

@felixxm felixxm merged commit c76d51b into django:master Dec 28, 2020
@apollo13 apollo13 deleted the argon2_summary branch May 8, 2022 19:31
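
The salt handling described in the commit message above, as an added example that is not the code from this pull request or from Django. The function names, the assumed stored layout `argon2$<variety>$v=..$<params>$<salt>$<digest>`, and all sample values are constructed for illustration.

```python
import base64
import binascii


def b64_nopad(raw: bytes) -> str:
    """Base64 without trailing '=', as the salt appears in the encoded hash."""
    return base64.b64encode(raw).rstrip(b"=").decode("ascii")


def decode_salt(b64salt: str) -> str:
    """Restore padding, base64-decode, then map each byte to one character via latin1."""
    padded = b64salt + "=" * (-len(b64salt) % 4)
    return base64.b64decode(padded).decode("latin1")


def parse_encoded(encoded: str) -> dict:
    """Split the assumed layout into its fields and return the decoded salt."""
    algorithm, rest = encoded.split("$", 1)
    if algorithm != "argon2":
        raise ValueError("not an argon2 entry")
    # The version field (v=..) is optional, so take salt and digest from the end.
    variety, *middle, b64salt, digest = rest.split("$")
    if not middle:
        raise ValueError("missing parameter field")
    params = dict(item.split("=", 1) for item in middle[-1].split(","))
    return {"variety": variety, "params": params,
            "salt": decode_salt(b64salt), "hash": digest}


def naive_decode_fails(b64salt: str) -> bool:
    """True when decoding the stored salt without re-padding raises."""
    try:
        base64.b64decode(b64salt)
    except binascii.Error:
        return True
    return False


# Constructed sample: parameters are illustrative and the digest is
# placeholder bytes, not real Argon2 output.
SAMPLE = "argon2$argon2id$v=19$m=102400,t=2,p=8$%s$%s" % (
    b64_nopad(b"somesalt"), b64_nopad(bytes(32)))

if __name__ == "__main__":
    fields = parse_encoded(SAMPLE)
    print(fields["salt"], fields["params"])
    print("unpadded decode fails:", naive_decode_fails(b64_nopad(b"somesalt")))
```

A salt whose unpadded base64 length is already a multiple of four decodes either way, so the missing padding only surfaces for some salt lengths.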