| author | Jon Moroney <darakian@gmail.com> | 2020-06-24 19:28:07 -0700 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-01-14 11:20:28 +0100 |
| commit | 76ae6ccf859bf677bfcb5b992f4c17f5af80ae9d (patch) | |
| tree | 1f1b7bca42ce69a113c725af7dda4603333287a2 /tests/auth_tests/test_hashers.py | |
| parent | 6bd206e1ffcd6f2e16d6f615b6ba992448a149a8 (diff) | |
Fixed #31358 -- Increased salt entropy of password hashers.
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
Diffstat (limited to 'tests/auth_tests/test_hashers.py')
| -rw-r--r-- | tests/auth_tests/test_hashers.py | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
index 8cd70d6721..8bc61bc8b2 100644
--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
@@ -74,6 +74,12 @@ class TestUtilsHashPass(SimpleTestCase):
 self.assertTrue(is_password_usable(blank_encoded))
 self.assertTrue(check_password('', blank_encoded))
 self.assertFalse(check_password(' ', blank_encoded))
+ # Salt entropy check.
+ hasher = get_hasher('pbkdf2_sha256')
+ encoded_weak_salt = make_password('lètmein', 'iodizedsalt', 'pbkdf2_sha256')
+ encoded_strong_salt = make_password('lètmein', hasher.salt(), 'pbkdf2_sha256')
+ self.assertIs(hasher.must_update(encoded_weak_salt), True)
+ self.assertIs(hasher.must_update(encoded_strong_salt), False)
 @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'])
 def test_sha1(self):
@@ -89,6 +95,12 @@ class TestUtilsHashPass(SimpleTestCase):
 self.assertTrue(is_password_usable(blank_encoded))
 self.assertTrue(check_password('', blank_encoded))
 self.assertFalse(check_password(' ', blank_encoded))
+ # Salt entropy check.
+ hasher = get_hasher('sha1')
+ encoded_weak_salt = make_password('lètmein', 'iodizedsalt', 'sha1')
+ encoded_strong_salt = make_password('lètmein', hasher.salt(), 'sha1')
+ self.assertIs(hasher.must_update(encoded_weak_salt), True)
+ self.assertIs(hasher.must_update(encoded_strong_salt), False)
 @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.MD5PasswordHasher'])
 def test_md5(self):
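Review bot: The new assertions prove that a short fixed salt makes `must_update()` return True, but nothing checks that such a hash still verifies, which is the property that keeps existing users with short-salt hashes able to log in while their hash is scheduled for re-encoding on next login; add `self.assertIs(check_password('lètmein', encoded_weak_salt), True)` after the `encoded_weak_salt` line. The same gap is in the sha1, md5 and argon2 hunks. The cutoff is only exercised with an 11-character salt and a fresh `hasher.salt()`, so a salt one character below whatever threshold `must_update()` applies would pin the boundary rather than a point well inside it. The enclosing test method's `def` is above this hunk.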
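Review bot: The five added lines in this hunk are a verbatim copy of the pbkdf2_sha256 block with only the algorithm name changed, and the md5 and argon2 hunks repeat them a third and fourth time; since the copies land in two different TestCase classes, a module-level helper taking the test case and algorithm keeps one copy of the entropy check, and a future change to the threshold or the weak-salt fixture is then made in one place. Each call site becomes `assert_salt_entropy_checked(self, 'sha1')` and so on. Sketch below.
```python
def assert_salt_entropy_checked(testcase, algorithm):
    """Assert that a short, fixed salt is flagged by must_update() while a
    hasher-generated salt is not."""
    hasher = get_hasher(algorithm)
    encoded_weak_salt = make_password('lètmein', 'iodizedsalt', algorithm)
    encoded_strong_salt = make_password('lètmein', hasher.salt(), algorithm)
    testcase.assertIs(hasher.must_update(encoded_weak_salt), True)
    testcase.assertIs(hasher.must_update(encoded_strong_salt), False)
```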
@@ -104,6 +116,12 @@ class TestUtilsHashPass(SimpleTestCase):
 self.assertTrue(is_password_usable(blank_encoded))
 self.assertTrue(check_password('', blank_encoded))
 self.assertFalse(check_password(' ', blank_encoded))
+ # Salt entropy check.
+ hasher = get_hasher('md5')
+ encoded_weak_salt = make_password('lètmein', 'iodizedsalt', 'md5')
+ encoded_strong_salt = make_password('lètmein', hasher.salt(), 'md5')
+ self.assertIs(hasher.must_update(encoded_weak_salt), True)
+ self.assertIs(hasher.must_update(encoded_strong_salt), False)
 @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.UnsaltedMD5PasswordHasher'])
 def test_unsalted_md5(self):
@@ -537,6 +555,12 @@ class TestUtilsHashPassArgon2(SimpleTestCase):
 )
 self.assertIs(check_password('secret', encoded), True)
 self.assertIs(check_password('wrong', encoded), False)
+ # Salt entropy check.
+ hasher = get_hasher('argon2')
+ encoded_weak_salt = make_password('lètmein', 'iodizedsalt', 'argon2')
+ encoded_strong_salt = make_password('lètmein', hasher.salt(), 'argon2')
+ self.assertIs(hasher.must_update(encoded_weak_salt), True)
+ self.assertIs(hasher.must_update(encoded_strong_salt), False)
 def test_argon2_decode(self):
 salt = 'abcdefghijk' |
