summaryrefslogtreecommitdiff
path: root/django/utils/crypto.py
AgeCommit message (Collapse)Author
2012-07-22[py3] Removed longs.Aymeric Augustin
2012-06-07Fixed #18269 -- Applied unicode_literals for Python 3 compatibility.Claude Paroz
Thanks Vinay Sajip for the support of his django3 branch and Jannis Leidel for the review.
2012-06-06Delayed encoding of password and salt in password checking.Claude Paroz
Applied the rule that string encoding should happen as late as possible. This is also a preparation for Python 3 compatibility.
2012-05-20Imported reduce from functools for forward compatibility.Claude Paroz
In Python 3, reduce has to be imported from functools.
2012-05-19Marked bytestrings with b prefix. Refs #18269Claude Paroz
This is a preparation for unicode literals general usage in Django (Python 3 compatibility).
2012-02-23Improved get_random_string().Paul McMillan
Improved the behavior of get_random_string to re-seed itself each time it is called if the system does not have a secure random number generator. This will change the properties of the random string produced, but will be unpredictable to an attacker. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17581 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-23Cleanup to use get_random_string consistently.Paul McMillan
Removes several ad hoc implementations of get_random_string() and removes an innapropriate use of settings.SECRET_KEY. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17580 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-11Fixes #16827. Adds a length check to CSRF tokens before applying the ↵Paul McMillan
santizing regex. Thanks to jedie for the report and zsiciarz for the initial patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17500 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-02Fixed #17481. pbkdf2 hashes no longer ommit leading zeros. Paul McMillan
Some existing user passwords may need to be reset or converted after this change. See the 1.4-beta release notes for more details. Thanks bhuztez for the report and initial patch, claudep for the test. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17418 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-12-23Renovated password hashing. Many thanks to Justine Tunney for help with the ↵Paul McMillan
initial patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17253 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28Removed a bunch more Python 2.4 workarounds now that we don't support that ↵Adrian Holovaty
version. Refs #15702 -- thanks to jonash for the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15927 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-15Fixed Python 2.4 incompatibility introduced in [14218]Luke Plant
sha_constructor was incorrectly used instead of sha_hmac (which only made a difference under 2.4). Thanks to Steffan Kaminski for report and patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14233 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14Fixed #14445 - Use HMAC and constant-time comparison functions where needed.Luke Plant
All adhoc MAC applications have been updated to use HMAC, using SHA1 to generate unique keys for each application based on the SECRET_KEY, which is common practice for this situation. In all cases, backwards compatibility with existing hashes has been maintained, aiming to phase this out as per the normal deprecation process. In this way, under most normal circumstances the old hashes will have expired (e.g. by session expiration etc.) before they become invalid. In the case of the messages framework and the cookie backend, which was already using HMAC, there is the possibility of a backwards incompatibility if the SECRET_KEY is shorter than the default 50 bytes, but the low likelihood and low impact meant compatibility code was not worth it. All known instances where tokens/hashes were compared using simple string equality, which could potentially open timing based attacks, have also been fixed using a constant-time comparison function. There are no known practical attacks against the existing implementations, so these security improvements will not be backported. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37