summaryrefslogtreecommitdiff
path: root/django/utils/crypto.py
AgeCommit message (Collapse)Author
2025-08-27Fixed #36572 -- Revert "Fixed #36546 -- Deprecated ↵Sarah Boyce
django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
2025-08-25Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in ↵SaJH
favor of hmac.compare_digest(). Signed-off-by: SaJH <wogur981208@gmail.com>
2025-07-23Removed double spaces after periods and within phrases.Sarah Boyce
2024-01-26Applied Black's 2024 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-01-18Fixed #34233 -- Dropped support for Python 3.8 and 3.9.Mariusz Felisiak
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2021-10-12Fixed #28401 -- Allowed hashlib.md5() calls to work with FIPS kernels.Ade Lee
md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added. This encapsulation will pass through the usedforsecurity parameter in the case where the parameter is supported, and strip it if it is not. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-01-14Refs #31359 -- Made get_random_string()'s length argument required.Mariusz Felisiak
Per deprecation timeline.
2021-01-13Refs #31358 -- Added constant for get_random_string()'s default alphabet.Florian Apolloner
2020-09-07Fixed #31985 -- Corrected salted_hmac()'s docstring about supported algorithms.Francisco Couzo
salted_hmac() validates supported algorithms by checking hashlib methods.
2020-03-11Fixed typo in django/utils/crypto.py.Mariusz Felisiak
2020-03-11Fixed #31359 -- Deprecated get_random_string() calls without an explicit length.Claude Paroz
2020-01-27Refs #27468 -- Added algorithm parameter to django.utils.crypto.salted_hmac().Claude Paroz
2020-01-15Fixed obsolete comment in django.utils.crypto.salted_hmac().Mariusz Felisiak
Obsolete since 13864703bc1d5dd4dac63c96c6a4b42a392bc57f.
2019-05-20Fixed #27635 -- Used secrets module in django.utils.crypto.Nick Pope
2019-05-20Refs #27635 -- Removed fallback when SystemRandom() isn't available that ↵Nick Pope
doesn't work. Fallback was untested and likely never triggered.
2018-01-03Fixed #28982 -- Simplified code with and/or.Дилян Палаузов
2017-02-11Refs #27656 -- Updated django.utils docstring verbs according to PEP 257.Anton Samarchyan
2017-02-09Refs #23919 -- Removed default 'utf-8' argument for str.encode()/decode().Tim Graham
2017-01-19Refs #23919 -- Removed obsolete compare_digest() and pbkdf2() implementations.Tim Graham
2017-01-18Refs #23919 -- Removed most of remaining six usageClaude Paroz
Thanks Tim Graham for the review.
2017-01-18Refs #23919 -- Removed six.PY2/PY3 usageClaude Paroz
Thanks Tim Graham for the review.
2017-01-18Refs #23919 -- Removed encoding preambles and future importsClaude Paroz
2016-11-14Fixed #27463 -- Fixed E741 flake8 warnings.Ramin Farajpour Cami
2015-02-06Sorted imports with isort; refs #23860.Tim Graham
2014-12-13Fixed #23812 -- Changed django.utils.six.moves.xrange imports to rangeMichael Hall
2014-07-11Bump the default iterations for PBKDF2.Alex Gaynor
The rate at which we've increased this has not been keeping up with hardware (and software) improvements, and we're now considerably behind where we should be. The delta between our performance and an optimized implementation's performance prevents us from improving that further, but hopefully once Python 2.7.8 and 3.4+ get into more hands we can more aggressively increase this number.
2014-05-31Note that the stdlib's version of pbkdf2_hmac will also be used in the ↵Alex Gaynor
upcoming Python 2.7.8 release
2014-05-28Fixed constant_time_compare on Python 2.7.7Florian Apolloner
Python 2.7.7 includes compare_digest in the hmac module, but it requires both arguments to have the same type. This is usually not a problem on Python 3 since everything is text, but we have mixed unicode and str on Python 2 -- hence make sure everything is bytes before feeding it into compare_digest.
2014-04-22Use the stdlib's compare_digest for constant time comparisons when availableAlex Gaynor
2014-04-17Typo fixAlex Gaynor
2014-04-17Use the stdlib's PBKDF2 implementation when available.Alex Gaynor
This is a bit faster than ours, which is good, because it lets you increase the iteration counts. This will be used on Python 3.4+, and, pending the acceptance of PEP466, on newer Python 2.7s.
2014-02-16Fixed #19980: Signer broken for binary keys (with non-ASCII chars).MattBlack85
With this pull request, request #878 should considered closed. Thanks to nvie for the patch.
2013-11-05Flake8 fixesAlex Gaynor
2013-11-04Simplify (and very very slightly speed up) the pbkdf2 implementationAlex Gaynor
2013-10-21Fixed #21253 -- PBKDF2 with cached HMAC keyFlorian Apolloner
This gives a 2x speed increase compared to the existing implementation. Thanks to Steve Thomas for the initial patch and Tim Graham for finishing it.
2013-10-18Fixed #21287 -- Fixed E123 pep8 warningsAlasdair Nicol
2013-09-24Fixed #21138 -- Increased the performance of our PBKDF2 implementation.Florian Apolloner
Thanks go to Michael Gebetsroither for pointing out this issue and help on the patch.
2013-09-19Increase default PBKDF2 iterationsPaul McMillan
Increases the default PBKDF2 iterations, since computers have gotten faster since 2011. In the future, we plan to increment by 10% per major version.
2013-08-30Fixed #20989 -- Removed useless explicit list comprehensions.Simon Charette
2013-06-02Switched to using some constants the hmac module exposes.Alex Gaynor
2013-03-18Clarified that constant_time_compare doesn't protect string lengths.Aymeric Augustin
2013-02-27[py3] Always fed hashlib with bytes.Łukasz Langa
2012-08-29Replaced many smart_bytes by force_bytesClaude Paroz
In all those occurrences, we didn't care about preserving the lazy status of the strings, but we really wanted to obtain a real bytestring.
2012-08-21Reverted type check added in 62954ba04c.Aymeric Augustin
Refs #17040.
2012-08-20[py3] Fixed #17040 -- ported django.utils.crypto.constant_time_compare.Aymeric Augustin
This is a private API; adding a type check is acceptable.
2012-08-07[py3] Ported django.utils.crypto.Aymeric Augustin
2012-08-07[py3] Ported django.utils.encoding.Aymeric Augustin
* Renamed smart_unicode to smart_text (but kept the old name under Python 2 for backwards compatibility). * Renamed smart_str to smart_bytes. * Re-introduced smart_str as an alias for smart_text under Python 3 and smart_bytes under Python 2 (which is backwards compatible). Thus smart_str always returns a str objects. * Used the new smart_str in a few places where both Python 2 and 3 want a str.
2012-07-22Used a Python 3-compatible syntax for building a translation tableClaude Paroz
2012-07-22[py3] Added Python 3 compatibility for xrange.Aymeric Augustin
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 02:10:25 +0000