Revert "[1.6.x] Ensure that passwords are never long enough for a DoS."

This reverts commit 5ecc0f828e.

This fix is no longer necessary, our pbkdf2 (see next commit) implementation
no longer rehashes the password every iteration.
This commit is contained in:
Florian Apolloner 2013-09-24 21:09:52 +02:00
parent 1a922870ea
commit 50a811a170
3 changed files with 17 additions and 145 deletions

View File

@ -15,9 +15,7 @@ from django.utils.translation import ugettext, ugettext_lazy as _
from django.contrib.auth import authenticate, get_user_model from django.contrib.auth import authenticate, get_user_model
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.contrib.auth.hashers import ( from django.contrib.auth.hashers import UNUSABLE_PASSWORD_PREFIX, identify_hasher
MAXIMUM_PASSWORD_LENGTH, UNUSABLE_PASSWORD_PREFIX, identify_hasher,
)
from django.contrib.auth.tokens import default_token_generator from django.contrib.auth.tokens import default_token_generator
from django.contrib.sites.models import get_current_site from django.contrib.sites.models import get_current_site
@ -83,10 +81,9 @@ class UserCreationForm(forms.ModelForm):
'invalid': _("This value may contain only letters, numbers and " 'invalid': _("This value may contain only letters, numbers and "
"@/./+/-/_ characters.")}) "@/./+/-/_ characters.")})
password1 = forms.CharField(label=_("Password"), password1 = forms.CharField(label=_("Password"),
widget=forms.PasswordInput, max_length=MAXIMUM_PASSWORD_LENGTH) widget=forms.PasswordInput)
password2 = forms.CharField(label=_("Password confirmation"), password2 = forms.CharField(label=_("Password confirmation"),
widget=forms.PasswordInput, widget=forms.PasswordInput,
max_length=MAXIMUM_PASSWORD_LENGTH,
help_text=_("Enter the same password as above, for verification.")) help_text=_("Enter the same password as above, for verification."))
class Meta: class Meta:
@ -160,11 +157,7 @@ class AuthenticationForm(forms.Form):
username/password logins. username/password logins.
""" """
username = forms.CharField(max_length=254) username = forms.CharField(max_length=254)
password = forms.CharField( password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
label=_("Password"),
widget=forms.PasswordInput,
max_length=MAXIMUM_PASSWORD_LENGTH,
)
error_messages = { error_messages = {
'invalid_login': _("Please enter a correct %(username)s and password. " 'invalid_login': _("Please enter a correct %(username)s and password. "
@ -271,16 +264,10 @@ class SetPasswordForm(forms.Form):
error_messages = { error_messages = {
'password_mismatch': _("The two password fields didn't match."), 'password_mismatch': _("The two password fields didn't match."),
} }
new_password1 = forms.CharField( new_password1 = forms.CharField(label=_("New password"),
label=_("New password"), widget=forms.PasswordInput)
widget=forms.PasswordInput, new_password2 = forms.CharField(label=_("New password confirmation"),
max_length=MAXIMUM_PASSWORD_LENGTH, widget=forms.PasswordInput)
)
new_password2 = forms.CharField(
label=_("New password confirmation"),
widget=forms.PasswordInput,
max_length=MAXIMUM_PASSWORD_LENGTH,
)
def __init__(self, user, *args, **kwargs): def __init__(self, user, *args, **kwargs):
self.user = user self.user = user
@ -313,11 +300,8 @@ class PasswordChangeForm(SetPasswordForm):
'password_incorrect': _("Your old password was entered incorrectly. " 'password_incorrect': _("Your old password was entered incorrectly. "
"Please enter it again."), "Please enter it again."),
}) })
old_password = forms.CharField( old_password = forms.CharField(label=_("Old password"),
label=_("Old password"), widget=forms.PasswordInput)
widget=forms.PasswordInput,
max_length=MAXIMUM_PASSWORD_LENGTH,
)
def clean_old_password(self): def clean_old_password(self):
""" """
@ -344,16 +328,10 @@ class AdminPasswordChangeForm(forms.Form):
error_messages = { error_messages = {
'password_mismatch': _("The two password fields didn't match."), 'password_mismatch': _("The two password fields didn't match."),
} }
password1 = forms.CharField( password1 = forms.CharField(label=_("Password"),
label=_("Password"), widget=forms.PasswordInput)
widget=forms.PasswordInput, password2 = forms.CharField(label=_("Password (again)"),
max_length=MAXIMUM_PASSWORD_LENGTH, widget=forms.PasswordInput)
)
password2 = forms.CharField(
label=_("Password (again)"),
widget=forms.PasswordInput,
max_length=MAXIMUM_PASSWORD_LENGTH,
)
def __init__(self, user, *args, **kwargs): def __init__(self, user, *args, **kwargs):
self.user = user self.user = user

View File

@ -2,7 +2,6 @@ from __future__ import unicode_literals
import base64 import base64
import binascii import binascii
import functools
import hashlib import hashlib
from django.dispatch import receiver from django.dispatch import receiver
@ -20,7 +19,6 @@ from django.utils.translation import ugettext_noop as _
UNUSABLE_PASSWORD_PREFIX = '!' # This will never be a valid encoded hash UNUSABLE_PASSWORD_PREFIX = '!' # This will never be a valid encoded hash
UNUSABLE_PASSWORD_SUFFIX_LENGTH = 40 # number of random chars to add after UNUSABLE_PASSWORD_PREFIX UNUSABLE_PASSWORD_SUFFIX_LENGTH = 40 # number of random chars to add after UNUSABLE_PASSWORD_PREFIX
MAXIMUM_PASSWORD_LENGTH = 4096 # The maximum length a password can be to prevent DoS
HASHERS = None # lazily loaded from PASSWORD_HASHERS HASHERS = None # lazily loaded from PASSWORD_HASHERS
PREFERRED_HASHER = None # defaults to first item in PASSWORD_HASHERS PREFERRED_HASHER = None # defaults to first item in PASSWORD_HASHERS
@ -33,18 +31,6 @@ def reset_hashers(**kwargs):
PREFERRED_HASHER = None PREFERRED_HASHER = None
def password_max_length(max_length):
def inner(fn):
@functools.wraps(fn)
def wrapper(self, password, *args, **kwargs):
if len(password) > max_length:
raise ValueError("Invalid password; Must be less than or equal"
" to %d bytes" % max_length)
return fn(self, password, *args, **kwargs)
return wrapper
return inner
def is_password_usable(encoded): def is_password_usable(encoded):
if encoded is None or encoded.startswith(UNUSABLE_PASSWORD_PREFIX): if encoded is None or encoded.startswith(UNUSABLE_PASSWORD_PREFIX):
return False return False
@ -239,7 +225,6 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
iterations = 12000 iterations = 12000
digest = hashlib.sha256 digest = hashlib.sha256
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt, iterations=None): def encode(self, password, salt, iterations=None):
assert password is not None assert password is not None
assert salt and '$' not in salt assert salt and '$' not in salt
@ -249,7 +234,6 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
hash = base64.b64encode(hash).decode('ascii').strip() hash = base64.b64encode(hash).decode('ascii').strip()
return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash) return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded): def verify(self, password, encoded):
algorithm, iterations, salt, hash = encoded.split('$', 3) algorithm, iterations, salt, hash = encoded.split('$', 3)
assert algorithm == self.algorithm assert algorithm == self.algorithm
@ -296,7 +280,6 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher):
bcrypt = self._load_library() bcrypt = self._load_library()
return bcrypt.gensalt(self.rounds) return bcrypt.gensalt(self.rounds)
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt): def encode(self, password, salt):
bcrypt = self._load_library() bcrypt = self._load_library()
# Need to reevaluate the force_bytes call once bcrypt is supported on # Need to reevaluate the force_bytes call once bcrypt is supported on
@ -314,7 +297,6 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher):
data = bcrypt.hashpw(password, salt) data = bcrypt.hashpw(password, salt)
return "%s$%s" % (self.algorithm, force_text(data)) return "%s$%s" % (self.algorithm, force_text(data))
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded): def verify(self, password, encoded):
algorithm, data = encoded.split('$', 1) algorithm, data = encoded.split('$', 1)
assert algorithm == self.algorithm assert algorithm == self.algorithm
@ -371,14 +353,12 @@ class SHA1PasswordHasher(BasePasswordHasher):
""" """
algorithm = "sha1" algorithm = "sha1"
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt): def encode(self, password, salt):
assert password is not None assert password is not None
assert salt and '$' not in salt assert salt and '$' not in salt
hash = hashlib.sha1(force_bytes(salt + password)).hexdigest() hash = hashlib.sha1(force_bytes(salt + password)).hexdigest()
return "%s$%s$%s" % (self.algorithm, salt, hash) return "%s$%s$%s" % (self.algorithm, salt, hash)
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded): def verify(self, password, encoded):
algorithm, salt, hash = encoded.split('$', 2) algorithm, salt, hash = encoded.split('$', 2)
assert algorithm == self.algorithm assert algorithm == self.algorithm
@ -401,14 +381,12 @@ class MD5PasswordHasher(BasePasswordHasher):
""" """
algorithm = "md5" algorithm = "md5"
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt): def encode(self, password, salt):
assert password is not None assert password is not None
assert salt and '$' not in salt assert salt and '$' not in salt
hash = hashlib.md5(force_bytes(salt + password)).hexdigest() hash = hashlib.md5(force_bytes(salt + password)).hexdigest()
return "%s$%s$%s" % (self.algorithm, salt, hash) return "%s$%s$%s" % (self.algorithm, salt, hash)
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded): def verify(self, password, encoded):
algorithm, salt, hash = encoded.split('$', 2) algorithm, salt, hash = encoded.split('$', 2)
assert algorithm == self.algorithm assert algorithm == self.algorithm
@ -439,13 +417,11 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher):
def salt(self): def salt(self):
return '' return ''
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt): def encode(self, password, salt):
assert salt == '' assert salt == ''
hash = hashlib.sha1(force_bytes(password)).hexdigest() hash = hashlib.sha1(force_bytes(password)).hexdigest()
return 'sha1$$%s' % hash return 'sha1$$%s' % hash
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded): def verify(self, password, encoded):
encoded_2 = self.encode(password, '') encoded_2 = self.encode(password, '')
return constant_time_compare(encoded, encoded_2) return constant_time_compare(encoded, encoded_2)
@ -475,12 +451,10 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher):
def salt(self): def salt(self):
return '' return ''
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt): def encode(self, password, salt):
assert salt == '' assert salt == ''
return hashlib.md5(force_bytes(password)).hexdigest() return hashlib.md5(force_bytes(password)).hexdigest()
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded): def verify(self, password, encoded):
if len(encoded) == 37 and encoded.startswith('md5$$'): if len(encoded) == 37 and encoded.startswith('md5$$'):
encoded = encoded[5:] encoded = encoded[5:]
@ -506,7 +480,6 @@ class CryptPasswordHasher(BasePasswordHasher):
def salt(self): def salt(self):
return get_random_string(2) return get_random_string(2)
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def encode(self, password, salt): def encode(self, password, salt):
crypt = self._load_library() crypt = self._load_library()
assert len(salt) == 2 assert len(salt) == 2
@ -514,7 +487,6 @@ class CryptPasswordHasher(BasePasswordHasher):
# we don't need to store the salt, but Django used to do this # we don't need to store the salt, but Django used to do this
return "%s$%s$%s" % (self.algorithm, '', data) return "%s$%s$%s" % (self.algorithm, '', data)
@password_max_length(MAXIMUM_PASSWORD_LENGTH)
def verify(self, password, encoded): def verify(self, password, encoded):
crypt = self._load_library() crypt = self._load_library()
algorithm, salt, data = encoded.split('$', 2) algorithm, salt, data = encoded.split('$', 2)
@ -529,3 +501,4 @@ class CryptPasswordHasher(BasePasswordHasher):
(_('salt'), salt), (_('salt'), salt),
(_('hash'), mask_hash(data, show=3)), (_('hash'), mask_hash(data, show=3)),
]) ])

View File

@ -2,12 +2,9 @@
from __future__ import unicode_literals from __future__ import unicode_literals
from django.conf.global_settings import PASSWORD_HASHERS as default_hashers from django.conf.global_settings import PASSWORD_HASHERS as default_hashers
from django.contrib.auth.hashers import ( from django.contrib.auth.hashers import (is_password_usable, BasePasswordHasher,
is_password_usable, BasePasswordHasher, check_password, make_password, check_password, make_password, PBKDF2PasswordHasher, load_hashers, PBKDF2SHA1PasswordHasher,
PBKDF2PasswordHasher, load_hashers, PBKDF2SHA1PasswordHasher, get_hasher, get_hasher, identify_hasher, UNUSABLE_PASSWORD_PREFIX, UNUSABLE_PASSWORD_SUFFIX_LENGTH)
identify_hasher, UNUSABLE_PASSWORD_PREFIX, UNUSABLE_PASSWORD_SUFFIX_LENGTH,
MAXIMUM_PASSWORD_LENGTH, password_max_length
)
from django.utils import six from django.utils import six
from django.utils import unittest from django.utils import unittest
from django.utils.unittest import skipUnless from django.utils.unittest import skipUnless
@ -41,12 +38,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertTrue(is_password_usable(blank_encoded)) self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded)) self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded))
# Long password
self.assertRaises(
ValueError,
make_password,
b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
)
def test_pkbdf2(self): def test_pkbdf2(self):
encoded = make_password('lètmein', 'seasalt', 'pbkdf2_sha256') encoded = make_password('lètmein', 'seasalt', 'pbkdf2_sha256')
@ -62,14 +53,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertTrue(is_password_usable(blank_encoded)) self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded)) self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded))
# Long password
self.assertRaises(
ValueError,
make_password,
b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
"seasalt",
"pbkdf2_sha256",
)
def test_sha1(self): def test_sha1(self):
encoded = make_password('lètmein', 'seasalt', 'sha1') encoded = make_password('lètmein', 'seasalt', 'sha1')
@ -85,14 +68,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertTrue(is_password_usable(blank_encoded)) self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded)) self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded))
# Long password
self.assertRaises(
ValueError,
make_password,
b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
"seasalt",
"sha1",
)
def test_md5(self): def test_md5(self):
encoded = make_password('lètmein', 'seasalt', 'md5') encoded = make_password('lètmein', 'seasalt', 'md5')
@ -108,14 +83,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertTrue(is_password_usable(blank_encoded)) self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded)) self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded))
# Long password
self.assertRaises(
ValueError,
make_password,
b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
"seasalt",
"md5",
)
def test_unsalted_md5(self): def test_unsalted_md5(self):
encoded = make_password('lètmein', '', 'unsalted_md5') encoded = make_password('lètmein', '', 'unsalted_md5')
@ -134,14 +101,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertTrue(is_password_usable(blank_encoded)) self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded)) self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded))
# Long password
self.assertRaises(
ValueError,
make_password,
b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
"",
"unsalted_md5",
)
def test_unsalted_sha1(self): def test_unsalted_sha1(self):
encoded = make_password('lètmein', '', 'unsalted_sha1') encoded = make_password('lètmein', '', 'unsalted_sha1')
@ -159,14 +118,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertTrue(is_password_usable(blank_encoded)) self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded)) self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded))
# Long password
self.assertRaises(
ValueError,
make_password,
b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
"",
"unslated_sha1",
)
@skipUnless(crypt, "no crypt module to generate password.") @skipUnless(crypt, "no crypt module to generate password.")
def test_crypt(self): def test_crypt(self):
@ -182,14 +133,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertTrue(is_password_usable(blank_encoded)) self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded)) self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded))
# Long password
self.assertRaises(
ValueError,
make_password,
b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
"seasalt",
"crypt",
)
@skipUnless(bcrypt, "bcrypt not installed") @skipUnless(bcrypt, "bcrypt not installed")
def test_bcrypt_sha256(self): def test_bcrypt_sha256(self):
@ -212,13 +155,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertTrue(is_password_usable(blank_encoded)) self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded)) self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded))
# Long password
self.assertRaises(
ValueError,
make_password,
b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
hasher="bcrypt_sha256",
)
@skipUnless(bcrypt, "bcrypt not installed") @skipUnless(bcrypt, "bcrypt not installed")
def test_bcrypt(self): def test_bcrypt(self):
@ -234,13 +170,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertTrue(is_password_usable(blank_encoded)) self.assertTrue(is_password_usable(blank_encoded))
self.assertTrue(check_password('', blank_encoded)) self.assertTrue(check_password('', blank_encoded))
self.assertFalse(check_password(' ', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded))
# Long password
self.assertRaises(
ValueError,
make_password,
b"1" * (MAXIMUM_PASSWORD_LENGTH + 1),
hasher="bcrypt",
)
def test_unusable(self): def test_unusable(self):
encoded = make_password(None) encoded = make_password(None)
@ -273,14 +202,6 @@ class TestUtilsHashPass(unittest.TestCase):
self.assertFalse(is_password_usable('lètmein_badencoded')) self.assertFalse(is_password_usable('lètmein_badencoded'))
self.assertFalse(is_password_usable('')) self.assertFalse(is_password_usable(''))
def test_max_password_length_decorator(self):
@password_max_length(10)
def encode(s, password, salt):
return True
self.assertTrue(encode(None, b"1234", b"1234"))
self.assertRaises(ValueError, encode, None, b"1234567890A", b"1234")
def test_low_level_pkbdf2(self): def test_low_level_pkbdf2(self):
hasher = PBKDF2PasswordHasher() hasher = PBKDF2PasswordHasher()
encoded = hasher.encode('lètmein', 'seasalt2') encoded = hasher.encode('lètmein', 'seasalt2')