[1.6.x] Fixed #21535 -- Fixed password hash iteration upgrade.

Thanks jared_mess for the report. Backport of fddb0131d3 from master
2013-11-29 20:49:56 -05:00 · 2013-11-29 20:49:56 -05:00 · 2f42bbaba7
parent 14ddc1b517
commit 2f42bbaba7
3 changed files with 35 additions and 2 deletions
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@ -57,7 +57,7 @@ def check_password(password, encoded, setter=None, preferred='default'):

    must_update = hasher.algorithm != preferred.algorithm
    if not must_update:
-        must_update = hasher.must_update(encoded)
+        must_update = preferred.must_update(encoded)
    is_correct = hasher.verify(password, encoded)
    if setter and is_correct and must_update:
        setter(password)
--- a/django/contrib/auth/tests/test_hashers.py
+++ b/django/contrib/auth/tests/test_hashers.py
@ -5,6 +5,7 @@ from django.conf.global_settings import PASSWORD_HASHERS as default_hashers
 from django.contrib.auth.hashers import (is_password_usable, BasePasswordHasher,
    check_password, make_password, PBKDF2PasswordHasher, load_hashers, PBKDF2SHA1PasswordHasher,
    get_hasher, identify_hasher, UNUSABLE_PASSWORD_PREFIX, UNUSABLE_PASSWORD_SUFFIX_LENGTH)
+from django.test import SimpleTestCase
 from django.utils import six
 from django.utils import unittest
 from django.utils.unittest import skipUnless
@ -21,7 +22,11 @@ except ImportError:
    bcrypt = None


-class TestUtilsHashPass(unittest.TestCase):
+class PBKDF2SingleIterationHasher(PBKDF2PasswordHasher):
+    iterations = 1
+
+
+class TestUtilsHashPass(SimpleTestCase):

    def setUp(self):
        load_hashers(password_hashers=default_hashers)
@ -274,6 +279,33 @@ class TestUtilsHashPass(unittest.TestCase):
        finally:
            hasher.iterations = old_iterations

+    def test_pbkdf2_upgrade_new_hasher(self):
+        self.assertEqual('pbkdf2_sha256', get_hasher('default').algorithm)
+        hasher = get_hasher('default')
+        self.assertNotEqual(hasher.iterations, 1)
+
+        state = {'upgraded': False}
+
+        def setter(password):
+            state['upgraded'] = True
+
+        with self.settings(PASSWORD_HASHERS=[
+                'django.contrib.auth.tests.test_hashers.PBKDF2SingleIterationHasher']):
+            encoded = make_password('letmein')
+            algo, iterations, salt, hash = encoded.split('$', 3)
+            self.assertEqual(iterations, '1')
+
+            # Check that no upgrade is triggerd
+            self.assertTrue(check_password('letmein', encoded, setter))
+            self.assertFalse(state['upgraded'])
+
+        # Revert to the old iteration count and check if the password would get
+        # updated to the new iteration count.
+        with self.settings(PASSWORD_HASHERS=[
+                'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+                'django.contrib.auth.tests.test_hashers.PBKDF2SingleIterationHasher']):
+            self.assertTrue(check_password('letmein', encoded, setter))
+            self.assertTrue(state['upgraded'])

    def test_load_library_no_algorithm(self):
        with self.assertRaises(ValueError) as e:
--- a/docs/releases/1.6.1.txt
+++ b/docs/releases/1.6.1.txt
@ -40,3 +40,4 @@ Bug fixes
 * Fixed test client ``logout()`` method when using the cookie-based session
  backend (#21448).
 * Fixed a crash when a ``GeometryField`` uses a non-geometric widget (#21496).
+* Fixed password hash upgrade when changing the iteration count (#21535).