You cannot select more than 25 topics. Topics must start with a letter or number, can include dashes ('-'), and can be up to 35 characters long.

hashers.py 22KB

5 years ago
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637
  1. import base64
  2. import binascii
  3. import functools
  4. import hashlib
  5. import importlib
  6. import warnings
  7. from collections import OrderedDict
  8. from django.conf import settings
  9. from django.core.exceptions import ImproperlyConfigured
  10. from django.core.signals import setting_changed
  11. from django.dispatch import receiver
  12. from django.utils.crypto import (
  13. constant_time_compare, get_random_string, pbkdf2,
  14. )
  15. from django.utils.module_loading import import_string
  16. from django.utils.translation import gettext_noop as _
# Marker placed at the start of a stored value to flag it as an unusable
# password (see make_password() and is_password_usable()).
UNUSABLE_PASSWORD_PREFIX = '!'  # This will never be a valid encoded hash
# Length of the random string make_password(None) appends after the prefix.
UNUSABLE_PASSWORD_SUFFIX_LENGTH = 40  # number of random chars to add after UNUSABLE_PASSWORD_PREFIX
  19. def is_password_usable(encoded):
  20. """
  21. Return True if this password wasn't generated by
  22. User.set_unusable_password(), i.e. make_password(None).
  23. """
  24. return encoded is None or not encoded.startswith(UNUSABLE_PASSWORD_PREFIX)
  25. def check_password(password, encoded, setter=None, preferred='default'):
  26. """
  27. Return a boolean of whether the raw password matches the three
  28. part encoded digest.
  29. If setter is specified, it'll be called when you need to
  30. regenerate the password.
  31. """
  32. if password is None or not is_password_usable(encoded):
  33. return False
  34. preferred = get_hasher(preferred)
  35. try:
  36. hasher = identify_hasher(encoded)
  37. except ValueError:
  38. # encoded is gibberish or uses a hasher that's no longer installed.
  39. return False
  40. hasher_changed = hasher.algorithm != preferred.algorithm
  41. must_update = hasher_changed or preferred.must_update(encoded)
  42. is_correct = hasher.verify(password, encoded)
  43. # If the hasher didn't change (we don't protect against enumeration if it
  44. # does) and the password should get updated, try to close the timing gap
  45. # between the work factor of the current encoded password and the default
  46. # work factor.
  47. if not is_correct and not hasher_changed and must_update:
  48. hasher.harden_runtime(password, encoded)
  49. if setter and is_correct and must_update:
  50. setter(password)
  51. return is_correct
  52. def make_password(password, salt=None, hasher='default'):
  53. """
  54. Turn a plain-text password into a hash for database storage
  55. Same as encode() but generate a new random salt. If password is None then
  56. return a concatenation of UNUSABLE_PASSWORD_PREFIX and a random string,
  57. which disallows logins. Additional random string reduces chances of gaining
  58. access to staff or superuser accounts. See ticket #20079 for more info.
  59. """
  60. if password is None:
  61. return UNUSABLE_PASSWORD_PREFIX + get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH)
  62. hasher = get_hasher(hasher)
  63. salt = salt or hasher.salt()
  64. return hasher.encode(password, salt)
  65. @functools.lru_cache()
  66. def get_hashers():
  67. hashers = []
  68. for hasher_path in settings.PASSWORD_HASHERS:
  69. hasher_cls = import_string(hasher_path)
  70. hasher = hasher_cls()
  71. if not getattr(hasher, 'algorithm'):
  72. raise ImproperlyConfigured("hasher doesn't specify an "
  73. "algorithm name: %s" % hasher_path)
  74. hashers.append(hasher)
  75. return hashers
  76. @functools.lru_cache()
  77. def get_hashers_by_algorithm():
  78. return {hasher.algorithm: hasher for hasher in get_hashers()}
  79. @receiver(setting_changed)
  80. def reset_hashers(**kwargs):
  81. if kwargs['setting'] == 'PASSWORD_HASHERS':
  82. get_hashers.cache_clear()
  83. get_hashers_by_algorithm.cache_clear()
  84. def get_hasher(algorithm='default'):
  85. """
  86. Return an instance of a loaded password hasher.
  87. If algorithm is 'default', return the default hasher. Lazily import hashers
  88. specified in the project's settings file if needed.
  89. """
  90. if hasattr(algorithm, 'algorithm'):
  91. return algorithm
  92. elif algorithm == 'default':
  93. return get_hashers()[0]
  94. else:
  95. hashers = get_hashers_by_algorithm()
  96. try:
  97. return hashers[algorithm]
  98. except KeyError:
  99. raise ValueError("Unknown password hashing algorithm '%s'. "
  100. "Did you specify it in the PASSWORD_HASHERS "
  101. "setting?" % algorithm)
  102. def identify_hasher(encoded):
  103. """
  104. Return an instance of a loaded password hasher.
  105. Identify hasher algorithm by examining encoded hash, and call
  106. get_hasher() to return hasher. Raise ValueError if
  107. algorithm cannot be identified, or if hasher is not loaded.
  108. """
  109. # Ancient versions of Django created plain MD5 passwords and accepted
  110. # MD5 passwords with an empty salt.
  111. if ((len(encoded) == 32 and '$' not in encoded) or
  112. (len(encoded) == 37 and encoded.startswith('md5$$'))):
  113. algorithm = 'unsalted_md5'
  114. # Ancient versions of Django accepted SHA1 passwords with an empty salt.
  115. elif len(encoded) == 46 and encoded.startswith('sha1$$'):
  116. algorithm = 'unsalted_sha1'
  117. else:
  118. algorithm = encoded.split('$', 1)[0]
  119. return get_hasher(algorithm)
  120. def mask_hash(hash, show=6, char="*"):
  121. """
  122. Return the given hash, with only the first ``show`` number shown. The
  123. rest are masked with ``char`` for security reasons.
  124. """
  125. masked = hash[:show]
  126. masked += char * len(hash[show:])
  127. return masked
  128. class BasePasswordHasher:
  129. """
  130. Abstract base class for password hashers
  131. When creating your own hasher, you need to override algorithm,
  132. verify(), encode() and safe_summary().
  133. PasswordHasher objects are immutable.
  134. """
  135. algorithm = None
  136. library = None
  137. def _load_library(self):
  138. if self.library is not None:
  139. if isinstance(self.library, (tuple, list)):
  140. name, mod_path = self.library
  141. else:
  142. mod_path = self.library
  143. try:
  144. module = importlib.import_module(mod_path)
  145. except ImportError as e:
  146. raise ValueError("Couldn't load %r algorithm library: %s" %
  147. (self.__class__.__name__, e))
  148. return module
  149. raise ValueError("Hasher %r doesn't specify a library attribute" %
  150. self.__class__.__name__)
  151. def salt(self):
  152. """Generate a cryptographically secure nonce salt in ASCII."""
  153. return get_random_string()
  154. def verify(self, password, encoded):
  155. """Check if the given password is correct."""
  156. raise NotImplementedError('subclasses of BasePasswordHasher must provide a verify() method')
  157. def encode(self, password, salt):
  158. """
  159. Create an encoded database value.
  160. The result is normally formatted as "algorithm$salt$hash" and
  161. must be fewer than 128 characters.
  162. """
  163. raise NotImplementedError('subclasses of BasePasswordHasher must provide an encode() method')
  164. def safe_summary(self, encoded):
  165. """
  166. Return a summary of safe values.
  167. The result is a dictionary and will be used where the password field
  168. must be displayed to construct a safe representation of the password.
  169. """
  170. raise NotImplementedError('subclasses of BasePasswordHasher must provide a safe_summary() method')
  171. def must_update(self, encoded):
  172. return False
  173. def harden_runtime(self, password, encoded):
  174. """
  175. Bridge the runtime gap between the work factor supplied in `encoded`
  176. and the work factor suggested by this hasher.
  177. Taking PBKDF2 as an example, if `encoded` contains 20000 iterations and
  178. `self.iterations` is 30000, this method should run password through
  179. another 10000 iterations of PBKDF2. Similar approaches should exist
  180. for any hasher that has a work factor. If not, this method should be
  181. defined as a no-op to silence the warning.
  182. """
  183. warnings.warn('subclasses of BasePasswordHasher should provide a harden_runtime() method')
  184. class PBKDF2PasswordHasher(BasePasswordHasher):
  185. """
  186. Secure password hashing using the PBKDF2 algorithm (recommended)
  187. Configured to use PBKDF2 + HMAC + SHA256.
  188. The result is a 64 byte binary string. Iterations may be changed
  189. safely but you must rename the algorithm if you change SHA256.
  190. """
  191. algorithm = "pbkdf2_sha256"
  192. iterations = 150000
  193. digest = hashlib.sha256
  194. def encode(self, password, salt, iterations=None):
  195. assert password is not None
  196. assert salt and '$' not in salt
  197. iterations = iterations or self.iterations
  198. hash = pbkdf2(password, salt, iterations, digest=self.digest)
  199. hash = base64.b64encode(hash).decode('ascii').strip()
  200. return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
  201. def verify(self, password, encoded):
  202. algorithm, iterations, salt, hash = encoded.split('$', 3)
  203. assert algorithm == self.algorithm
  204. encoded_2 = self.encode(password, salt, int(iterations))
  205. return constant_time_compare(encoded, encoded_2)
  206. def safe_summary(self, encoded):
  207. algorithm, iterations, salt, hash = encoded.split('$', 3)
  208. assert algorithm == self.algorithm
  209. return OrderedDict([
  210. (_('algorithm'), algorithm),
  211. (_('iterations'), iterations),
  212. (_('salt'), mask_hash(salt)),
  213. (_('hash'), mask_hash(hash)),
  214. ])
  215. def must_update(self, encoded):
  216. algorithm, iterations, salt, hash = encoded.split('$', 3)
  217. return int(iterations) != self.iterations
  218. def harden_runtime(self, password, encoded):
  219. algorithm, iterations, salt, hash = encoded.split('$', 3)
  220. extra_iterations = self.iterations - int(iterations)
  221. if extra_iterations > 0:
  222. self.encode(password, salt, extra_iterations)
  223. class PBKDF2SHA1PasswordHasher(PBKDF2PasswordHasher):
  224. """
  225. Alternate PBKDF2 hasher which uses SHA1, the default PRF
  226. recommended by PKCS #5. This is compatible with other
  227. implementations of PBKDF2, such as openssl's
  228. PKCS5_PBKDF2_HMAC_SHA1().
  229. """
  230. algorithm = "pbkdf2_sha1"
  231. digest = hashlib.sha1
  232. class Argon2PasswordHasher(BasePasswordHasher):
  233. """
  234. Secure password hashing using the argon2 algorithm.
  235. This is the winner of the Password Hashing Competition 2013-2015
  236. (https://password-hashing.net). It requires the argon2-cffi library which
  237. depends on native C code and might cause portability issues.
  238. """
  239. algorithm = 'argon2'
  240. library = 'argon2'
  241. time_cost = 2
  242. memory_cost = 512
  243. parallelism = 2
  244. def encode(self, password, salt):
  245. argon2 = self._load_library()
  246. data = argon2.low_level.hash_secret(
  247. password.encode(),
  248. salt.encode(),
  249. time_cost=self.time_cost,
  250. memory_cost=self.memory_cost,
  251. parallelism=self.parallelism,
  252. hash_len=argon2.DEFAULT_HASH_LENGTH,
  253. type=argon2.low_level.Type.I,
  254. )
  255. return self.algorithm + data.decode('ascii')
  256. def verify(self, password, encoded):
  257. argon2 = self._load_library()
  258. algorithm, rest = encoded.split('$', 1)
  259. assert algorithm == self.algorithm
  260. try:
  261. return argon2.low_level.verify_secret(
  262. ('$' + rest).encode('ascii'),
  263. password.encode(),
  264. type=argon2.low_level.Type.I,
  265. )
  266. except argon2.exceptions.VerificationError:
  267. return False
  268. def safe_summary(self, encoded):
  269. (algorithm, variety, version, time_cost, memory_cost, parallelism,
  270. salt, data) = self._decode(encoded)
  271. assert algorithm == self.algorithm
  272. return OrderedDict([
  273. (_('algorithm'), algorithm),
  274. (_('variety'), variety),
  275. (_('version'), version),
  276. (_('memory cost'), memory_cost),
  277. (_('time cost'), time_cost),
  278. (_('parallelism'), parallelism),
  279. (_('salt'), mask_hash(salt)),
  280. (_('hash'), mask_hash(data)),
  281. ])
  282. def must_update(self, encoded):
  283. (algorithm, variety, version, time_cost, memory_cost, parallelism,
  284. salt, data) = self._decode(encoded)
  285. assert algorithm == self.algorithm
  286. argon2 = self._load_library()
  287. return (
  288. argon2.low_level.ARGON2_VERSION != version or
  289. self.time_cost != time_cost or
  290. self.memory_cost != memory_cost or
  291. self.parallelism != parallelism
  292. )
  293. def harden_runtime(self, password, encoded):
  294. # The runtime for Argon2 is too complicated to implement a sensible
  295. # hardening algorithm.
  296. pass
  297. def _decode(self, encoded):
  298. """
  299. Split an encoded hash and return: (
  300. algorithm, variety, version, time_cost, memory_cost,
  301. parallelism, salt, data,
  302. ).
  303. """
  304. bits = encoded.split('$')
  305. if len(bits) == 5:
  306. # Argon2 < 1.3
  307. algorithm, variety, raw_params, salt, data = bits
  308. version = 0x10
  309. else:
  310. assert len(bits) == 6
  311. algorithm, variety, raw_version, raw_params, salt, data = bits
  312. assert raw_version.startswith('v=')
  313. version = int(raw_version[len('v='):])
  314. params = dict(bit.split('=', 1) for bit in raw_params.split(','))
  315. assert len(params) == 3 and all(x in params for x in ('t', 'm', 'p'))
  316. time_cost = int(params['t'])
  317. memory_cost = int(params['m'])
  318. parallelism = int(params['p'])
  319. return (
  320. algorithm, variety, version, time_cost, memory_cost, parallelism,
  321. salt, data,
  322. )
  323. class BCryptSHA256PasswordHasher(BasePasswordHasher):
  324. """
  325. Secure password hashing using the bcrypt algorithm (recommended)
  326. This is considered by many to be the most secure algorithm but you
  327. must first install the bcrypt library. Please be warned that
  328. this library depends on native C code and might cause portability
  329. issues.
  330. """
  331. algorithm = "bcrypt_sha256"
  332. digest = hashlib.sha256
  333. library = ("bcrypt", "bcrypt")
  334. rounds = 12
  335. def salt(self):
  336. bcrypt = self._load_library()
  337. return bcrypt.gensalt(self.rounds)
  338. def encode(self, password, salt):
  339. bcrypt = self._load_library()
  340. password = password.encode()
  341. # Hash the password prior to using bcrypt to prevent password
  342. # truncation as described in #20138.
  343. if self.digest is not None:
  344. # Use binascii.hexlify() because a hex encoded bytestring is str.
  345. password = binascii.hexlify(self.digest(password).digest())
  346. data = bcrypt.hashpw(password, salt)
  347. return "%s$%s" % (self.algorithm, data.decode('ascii'))
  348. def verify(self, password, encoded):
  349. algorithm, data = encoded.split('$', 1)
  350. assert algorithm == self.algorithm
  351. encoded_2 = self.encode(password, data.encode('ascii'))
  352. return constant_time_compare(encoded, encoded_2)
  353. def safe_summary(self, encoded):
  354. algorithm, empty, algostr, work_factor, data = encoded.split('$', 4)
  355. assert algorithm == self.algorithm
  356. salt, checksum = data[:22], data[22:]
  357. return OrderedDict([
  358. (_('algorithm'), algorithm),
  359. (_('work factor'), work_factor),
  360. (_('salt'), mask_hash(salt)),
  361. (_('checksum'), mask_hash(checksum)),
  362. ])
  363. def must_update(self, encoded):
  364. algorithm, empty, algostr, rounds, data = encoded.split('$', 4)
  365. return int(rounds) != self.rounds
  366. def harden_runtime(self, password, encoded):
  367. _, data = encoded.split('$', 1)
  368. salt = data[:29] # Length of the salt in bcrypt.
  369. rounds = data.split('$')[2]
  370. # work factor is logarithmic, adding one doubles the load.
  371. diff = 2**(self.rounds - int(rounds)) - 1
  372. while diff > 0:
  373. self.encode(password, salt.encode('ascii'))
  374. diff -= 1
  375. class BCryptPasswordHasher(BCryptSHA256PasswordHasher):
  376. """
  377. Secure password hashing using the bcrypt algorithm
  378. This is considered by many to be the most secure algorithm but you
  379. must first install the bcrypt library. Please be warned that
  380. this library depends on native C code and might cause portability
  381. issues.
  382. This hasher does not first hash the password which means it is subject to
  383. bcrypt's 72 bytes password truncation. Most use cases should prefer the
  384. BCryptSHA256PasswordHasher.
  385. """
  386. algorithm = "bcrypt"
  387. digest = None
  388. class SHA1PasswordHasher(BasePasswordHasher):
  389. """
  390. The SHA1 password hashing algorithm (not recommended)
  391. """
  392. algorithm = "sha1"
  393. def encode(self, password, salt):
  394. assert password is not None
  395. assert salt and '$' not in salt
  396. hash = hashlib.sha1((salt + password).encode()).hexdigest()
  397. return "%s$%s$%s" % (self.algorithm, salt, hash)
  398. def verify(self, password, encoded):
  399. algorithm, salt, hash = encoded.split('$', 2)
  400. assert algorithm == self.algorithm
  401. encoded_2 = self.encode(password, salt)
  402. return constant_time_compare(encoded, encoded_2)
  403. def safe_summary(self, encoded):
  404. algorithm, salt, hash = encoded.split('$', 2)
  405. assert algorithm == self.algorithm
  406. return OrderedDict([
  407. (_('algorithm'), algorithm),
  408. (_('salt'), mask_hash(salt, show=2)),
  409. (_('hash'), mask_hash(hash)),
  410. ])
  411. def harden_runtime(self, password, encoded):
  412. pass
  413. class MD5PasswordHasher(BasePasswordHasher):
  414. """
  415. The Salted MD5 password hashing algorithm (not recommended)
  416. """
  417. algorithm = "md5"
  418. def encode(self, password, salt):
  419. assert password is not None
  420. assert salt and '$' not in salt
  421. hash = hashlib.md5((salt + password).encode()).hexdigest()
  422. return "%s$%s$%s" % (self.algorithm, salt, hash)
  423. def verify(self, password, encoded):
  424. algorithm, salt, hash = encoded.split('$', 2)
  425. assert algorithm == self.algorithm
  426. encoded_2 = self.encode(password, salt)
  427. return constant_time_compare(encoded, encoded_2)
  428. def safe_summary(self, encoded):
  429. algorithm, salt, hash = encoded.split('$', 2)
  430. assert algorithm == self.algorithm
  431. return OrderedDict([
  432. (_('algorithm'), algorithm),
  433. (_('salt'), mask_hash(salt, show=2)),
  434. (_('hash'), mask_hash(hash)),
  435. ])
  436. def harden_runtime(self, password, encoded):
  437. pass
  438. class UnsaltedSHA1PasswordHasher(BasePasswordHasher):
  439. """
  440. Very insecure algorithm that you should *never* use; store SHA1 hashes
  441. with an empty salt.
  442. This class is implemented because Django used to accept such password
  443. hashes. Some older Django installs still have these values lingering
  444. around so we need to handle and upgrade them properly.
  445. """
  446. algorithm = "unsalted_sha1"
  447. def salt(self):
  448. return ''
  449. def encode(self, password, salt):
  450. assert salt == ''
  451. hash = hashlib.sha1(password.encode()).hexdigest()
  452. return 'sha1$$%s' % hash
  453. def verify(self, password, encoded):
  454. encoded_2 = self.encode(password, '')
  455. return constant_time_compare(encoded, encoded_2)
  456. def safe_summary(self, encoded):
  457. assert encoded.startswith('sha1$$')
  458. hash = encoded[6:]
  459. return OrderedDict([
  460. (_('algorithm'), self.algorithm),
  461. (_('hash'), mask_hash(hash)),
  462. ])
  463. def harden_runtime(self, password, encoded):
  464. pass
  465. class UnsaltedMD5PasswordHasher(BasePasswordHasher):
  466. """
  467. Incredibly insecure algorithm that you should *never* use; stores unsalted
  468. MD5 hashes without the algorithm prefix, also accepts MD5 hashes with an
  469. empty salt.
  470. This class is implemented because Django used to store passwords this way
  471. and to accept such password hashes. Some older Django installs still have
  472. these values lingering around so we need to handle and upgrade them
  473. properly.
  474. """
  475. algorithm = "unsalted_md5"
  476. def salt(self):
  477. return ''
  478. def encode(self, password, salt):
  479. assert salt == ''
  480. return hashlib.md5(password.encode()).hexdigest()
  481. def verify(self, password, encoded):
  482. if len(encoded) == 37 and encoded.startswith('md5$$'):
  483. encoded = encoded[5:]
  484. encoded_2 = self.encode(password, '')
  485. return constant_time_compare(encoded, encoded_2)
  486. def safe_summary(self, encoded):
  487. return OrderedDict([
  488. (_('algorithm'), self.algorithm),
  489. (_('hash'), mask_hash(encoded, show=3)),
  490. ])
  491. def harden_runtime(self, password, encoded):
  492. pass
  493. class CryptPasswordHasher(BasePasswordHasher):
  494. """
  495. Password hashing using UNIX crypt (not recommended)
  496. The crypt module is not supported on all platforms.
  497. """
  498. algorithm = "crypt"
  499. library = "crypt"
  500. def salt(self):
  501. return get_random_string(2)
  502. def encode(self, password, salt):
  503. crypt = self._load_library()
  504. assert len(salt) == 2
  505. data = crypt.crypt(password, salt)
  506. assert data is not None # A platform like OpenBSD with a dummy crypt module.
  507. # we don't need to store the salt, but Django used to do this
  508. return "%s$%s$%s" % (self.algorithm, '', data)
  509. def verify(self, password, encoded):
  510. crypt = self._load_library()
  511. algorithm, salt, data = encoded.split('$', 2)
  512. assert algorithm == self.algorithm
  513. return constant_time_compare(data, crypt.crypt(password, data))
  514. def safe_summary(self, encoded):
  515. algorithm, salt, data = encoded.split('$', 2)
  516. assert algorithm == self.algorithm
  517. return OrderedDict([
  518. (_('algorithm'), algorithm),
  519. (_('salt'), salt),
  520. (_('hash'), mask_hash(data, show=3)),
  521. ])
  522. def harden_runtime(self, password, encoded):
  523. pass