Commit Graph

58 Commits

Author SHA1 Message Date
django-bot 9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Ade Lee d10c7bfe56 Fixed #28401 -- Allowed hashlib.md5() calls to work with FIPS kernels.
md5 is not an approved algorithm in FIPS mode, and trying to instantiate
a hashlib.md5() will fail when the system is running in FIPS mode.

md5 is allowed when in a non-security context. There is a plan to add a
keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether
or not the instance is being used in a security context.

In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.

Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() has been added.
This encapsulation will pass through the usedforsecurity parameter in
the case where the parameter is supported, and strip it if it is not.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-10-12 08:58:27 +02:00
Mariusz Felisiak be6e468130 Refs #31359 -- Made get_random_string()'s length argument required.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Florian Apolloner 64cc9dcdad Refs #31358 -- Added constant for get_random_string()'s default alphabet. 2021-01-13 20:40:40 +01:00
Francisco Couzo 5ea1621c72
Fixed #31985 -- Corrected salted_hmac()'s docstring about supported algorithms.
salted_hmac() validates supported algorithms by checking hashlib
methods.
2020-09-07 10:59:36 +02:00
Mariusz Felisiak 3c35825009 Fixed typo in django/utils/crypto.py. 2020-03-11 14:38:27 +01:00
Claude Paroz e663f695fb Fixed #31359 -- Deprecated get_random_string() calls without an explicit length. 2020-03-11 13:16:44 +01:00
Claude Paroz 50cf183d21 Refs #27468 -- Added algorithm parameter to django.utils.crypto.salted_hmac(). 2020-01-27 12:42:21 +01:00
Mariusz Felisiak c5e373d48c Fixed obsolete comment in django.utils.crypto.salted_hmac().
Obsolete since 13864703bc.
2020-01-15 12:53:21 +01:00
Nick Pope 1d0bab0bfd Fixed #27635 -- Used secrets module in django.utils.crypto. 2019-05-20 11:21:22 +02:00
Nick Pope 068005a349 Refs #27635 -- Removed fallback when SystemRandom() isn't available that doesn't work.
Fallback was untested and likely never triggered.
2019-05-20 11:21:22 +02:00
Дилян Палаузов d7b2aa24f7 Fixed #28982 -- Simplified code with and/or. 2018-01-03 20:12:23 -05:00
Anton Samarchyan 9718fa2e8a Refs #27656 -- Updated django.utils docstring verbs according to PEP 257. 2017-02-11 16:11:08 -05:00
Tim Graham 500532c95d Refs #23919 -- Removed default 'utf-8' argument for str.encode()/decode(). 2017-02-09 09:03:47 -05:00
Tim Graham d4bb37593e Refs #23919 -- Removed obsolete compare_digest() and pbkdf2() implementations. 2017-01-19 11:55:23 -05:00
Claude Paroz 2b281cc35e Refs #23919 -- Removed most of remaining six usage
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz c716fe8782 Refs #23919 -- Removed six.PY2/PY3 usage
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Ramin Farajpour Cami 0a63ef3f61 Fixed #27463 -- Fixed E741 flake8 warnings. 2016-11-14 17:40:28 -05:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Michael Hall 895dc880eb Fixed #23812 -- Changed django.utils.six.moves.xrange imports to range 2014-12-13 12:45:58 -05:00
Alex Gaynor 6732566967 Bump the default iterations for PBKDF2.
The rate at which we've increased this has not been keeping up with hardware (and software) improvements, and we're now considerably behind where we should be. The delta between our performance and an optimized implementation's performance prevents us from improving that further, but hopefully once Python 2.7.8 and 3.4+ get into more hands we can more aggressively increase this number.
2014-07-11 22:43:26 -07:00
Alex Gaynor 875ce287e2 Note that the stdlib's version of pbkdf2_hmac will also be used in the upcoming Python 2.7.8 release 2014-05-31 13:50:07 -07:00
Florian Apolloner 7e3cf3cfd2 Fixed constant_time_compare on Python 2.7.7
Python 2.7.7 includes compare_digest in the hmac module, but it requires
both arguments to have the same type. This is usually not a problem on
Python 3 since everything is text, but we have mixed unicode and str on
Python 2 -- hence make sure everything is bytes before feeding it into
compare_digest.
2014-05-28 19:51:39 +02:00
Alex Gaynor 58176dee88 Use the stdlib's compare_digest for constant time comparisons when available 2014-04-22 14:45:00 -07:00
Alex Gaynor 21a1fddcc4 Typo fix 2014-04-17 11:04:57 -07:00
Alex Gaynor cb68eb3e6d Use the stdlib's PBKDF2 implementation when available.
This is a bit faster than ours, which is good, because it lets you increase
the iteration counts.

This will be used on Python 3.4+, and, pending the acceptance of PEP466, on
newer Python 2.7s.
2014-04-17 11:02:42 -07:00
MattBlack85 a8ba76c2d3 Fixed #19980: Signer broken for binary keys (with non-ASCII chars).
With this pull request, request #878 should considered closed.

Thanks to nvie for the patch.
2014-02-16 16:50:50 +01:00
Alex Gaynor 8a0489221e Flake8 fixes 2013-11-05 09:17:50 -08:00
Alex Gaynor 8ecba51ea0 Simplify (and very very slightly speed up) the pbkdf2 implementation 2013-11-04 09:45:27 -08:00
Florian Apolloner 1e4f53a6eb Fixed #21253 -- PBKDF2 with cached HMAC key
This gives a 2x speed increase compared to the existing implementation.

Thanks to Steve Thomas for the initial patch and Tim Graham for finishing it.
2013-10-21 19:54:47 +02:00
Alasdair Nicol a800036981 Fixed #21287 -- Fixed E123 pep8 warnings 2013-10-18 10:07:39 +01:00
Florian Apolloner 68540fe4df Fixed #21138 -- Increased the performance of our PBKDF2 implementation.
Thanks go to Michael Gebetsroither for pointing out this issue and help on
the patch.
2013-09-24 21:06:26 +02:00
Paul McMillan a075e2ad0d Increase default PBKDF2 iterations
Increases the default PBKDF2 iterations, since computers have gotten
faster since 2011. In the future, we plan to increment by 10% per
major version.
2013-09-19 18:02:25 +01:00
Simon Charette 11cd7388f7 Fixed #20989 -- Removed useless explicit list comprehensions. 2013-08-30 10:57:51 -04:00
Alex Gaynor 09d0568697 Switched to using some constants the hmac module exposes. 2013-06-02 10:31:38 -07:00
Aymeric Augustin 7cf0f04230 Clarified that constant_time_compare doesn't protect string lengths. 2013-03-18 09:45:44 +01:00
Łukasz Langa 40b9f4fb8b [py3] Always fed hashlib with bytes. 2013-02-27 10:02:07 +01:00
Claude Paroz ebc773ada3 Replaced many smart_bytes by force_bytes
In all those occurrences, we didn't care about preserving the
lazy status of the strings, but we really wanted to obtain a
real bytestring.
2012-08-29 11:20:32 +02:00
Aymeric Augustin e89bc39935 Reverted type check added in 62954ba04c.
Refs #17040.
2012-08-21 09:00:55 +02:00
Aymeric Augustin 62954ba04c [py3] Fixed #17040 -- ported django.utils.crypto.constant_time_compare.
This is a private API; adding a type check is acceptable.
2012-08-20 22:50:49 +02:00
Aymeric Augustin 127b461b11 [py3] Ported django.utils.crypto. 2012-08-07 12:00:23 +02:00
Aymeric Augustin c5ef65bcf3 [py3] Ported django.utils.encoding.
* Renamed smart_unicode to smart_text (but kept the old name under
  Python 2 for backwards compatibility).
* Renamed smart_str to smart_bytes.
* Re-introduced smart_str as an alias for smart_text under Python 3
  and smart_bytes under Python 2 (which is backwards compatible).
  Thus smart_str always returns a str objects.
* Used the new smart_str in a few places where both Python 2 and 3
  want a str.
2012-08-07 12:00:22 +02:00
Claude Paroz 690cabe203 Used a Python 3-compatible syntax for building a translation table 2012-07-22 18:05:53 +02:00
Aymeric Augustin a84d79f572 [py3] Added Python 3 compatibility for xrange. 2012-07-22 09:29:56 +02:00
Aymeric Augustin 56dbe924a6 [py3] Removed longs. 2012-07-22 09:29:53 +02:00
Claude Paroz 4a103086d5 Fixed #18269 -- Applied unicode_literals for Python 3 compatibility.
Thanks Vinay Sajip for the support of his django3 branch and
Jannis Leidel for the review.
2012-06-07 18:08:47 +02:00
Claude Paroz eb286aa22f Delayed encoding of password and salt in password checking.
Applied the rule that string encoding should happen as late as
possible. This is also a preparation for Python 3 compatibility.
2012-06-06 10:53:16 +02:00
Claude Paroz 35e6585568 Imported reduce from functools for forward compatibility.
In Python 3, reduce has to be imported from functools.
2012-05-20 00:25:46 +02:00
Claude Paroz 38408f8007 Marked bytestrings with b prefix. Refs #18269
This is a preparation for unicode literals general usage in
Django (Python 3 compatibility).
2012-05-19 17:43:34 +02:00