Fixed #3604 -- django.contrib.auth password checking now uses hashlib if it's available. Thanks, Rob Hudson

git-svn-id: http://code.djangoproject.com/svn/django/trunk@6318 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-15 19:45:33 +00:00 · 2007-09-15 19:45:33 +00:00 · bcfaa73514
parent 07447a0f56
commit bcfaa73514
1 changed files with 35 additions and 18 deletions
--- a/django/contrib/auth/models.py
+++ b/django/contrib/auth/models.py
@ -15,25 +15,43 @@ try:
 except NameError:
    from sets import Set as set   # Python 2.3 fallback

+def get_hexdigest(algorithm, salt, raw_password):
+    """
+    Returns a string of the hexdigest of the given plaintext password and salt
+    using the given algorithm ('md5', 'sha1' or 'crypt').
+    """
+    raw_password, salt = smart_str(raw_password), smart_str(salt)
+    if algorithm == 'crypt':
+        try:
+            import crypt
+        except ImportError:
+            raise ValueError('"crypt" password algorithm not supported in this environment')
+        return crypt.crypt(raw_password, salt)
+    # The rest of the supported algorithms are supported by hashlib, but
+    # hashlib is only available in Python 2.5.
+    try:
+        import hashlib
+    except ImportError:
+        if algorithm == 'md5':
+            import md5
+            return md5.new(salt + raw_password).hexdigest()
+        elif algorithm == 'sha1':
+            import sha
+            return sha.new(salt + raw_password).hexdigest()
+    else:
+        if algorithm == 'md5':
+            return hashlib.md5(salt + raw_password).hexdigest()
+        elif algorithm == 'sha1':
+            return hashlib.sha1(salt + raw_password).hexdigest()
+    raise ValueError("Got unknown password algorithm type in password.")
+
 def check_password(raw_password, enc_password):
    """
    Returns a boolean of whether the raw_password was correct. Handles
    encryption formats behind the scenes.
    """
    algo, salt, hsh = enc_password.split('$')
-    if algo == 'md5':
-        import md5
-        return hsh == md5.new(smart_str(salt + raw_password)).hexdigest()
-    elif algo == 'sha1':
-        import sha
-        return hsh == sha.new(smart_str(salt + raw_password)).hexdigest()
-    elif algo == 'crypt':
-        try:
-            import crypt
-        except ImportError:
-            raise ValueError, "Crypt password algorithm not supported in this environment."
-        return hsh == crypt.crypt(smart_str(raw_password), smart_str(salt))
-    raise ValueError, "Got unknown password algorithm type in password."
+    return hsh == get_hexdigest(algo, salt, raw_password)

 class SiteProfileNotAvailable(Exception):
    pass
@ -162,10 +180,10 @@ class User(models.Model):
        return full_name.strip()

    def set_password(self, raw_password):
-        import sha, random
+        import random
        algo = 'sha1'
-        salt = sha.new(str(random.random())).hexdigest()[:5]
-        hsh = sha.new(salt + smart_str(raw_password)).hexdigest()
+        salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
+        hsh = get_hexdigest(algo, salt, raw_password)
        self.password = '%s$%s$%s' % (algo, salt, hsh)

    def check_password(self, raw_password):
@ -176,8 +194,7 @@ class User(models.Model):
        # Backwards-compatibility check. Older passwords won't include the
        # algorithm or salt.
        if '$' not in self.password:
-            import md5
-            is_correct = (self.password == md5.new(smart_str(raw_password)).hexdigest())
+            is_correct = (self.password == get_hexdigest('md5', '', raw_password))
            if is_correct:
                # Convert the password to the new, more secure format.
                self.set_password(raw_password)