Loading django/contrib/auth/hashers.py +57 −20 Original line number Diff line number Diff line Loading @@ -4,6 +4,7 @@ import base64 import binascii import hashlib import importlib import warnings from collections import OrderedDict from django.conf import settings Loading Loading @@ -46,10 +47,17 @@ def check_password(password, encoded, setter=None, preferred='default'): preferred = get_hasher(preferred) hasher = identify_hasher(encoded) must_update = hasher.algorithm != preferred.algorithm if not must_update: must_update = preferred.must_update(encoded) hasher_changed = hasher.algorithm != preferred.algorithm must_update = hasher_changed or preferred.must_update(encoded) is_correct = hasher.verify(password, encoded) # If the hasher didn't change (we don't protect against enumeration if it # does) and the password should get updated, try to close the timing gap # between the work factor of the current encoded password and the default # work factor. if not is_correct and not hasher_changed and must_update: hasher.harden_runtime(password, encoded) if setter and is_correct and must_update: setter(password) return is_correct Loading Loading @@ -216,6 +224,19 @@ class BasePasswordHasher(object): def must_update(self, encoded): return False def harden_runtime(self, password, encoded): """ Bridge the runtime gap between the work factor supplied in `encoded` and the work factor suggested by this hasher. Taking PBKDF2 as an example, if `encoded` contains 20000 iterations and `self.iterations` is 30000, this method should run password through another 10000 iterations of PBKDF2. Similar approaches should exist for any hasher that has a work factor. If not, this method should be defined as a no-op to silence the warning. """ warnings.warn('subclasses of BasePasswordHasher should provide a harden_runtime() method') class PBKDF2PasswordHasher(BasePasswordHasher): """ Loading Loading @@ -258,6 +279,12 @@ class PBKDF2PasswordHasher(BasePasswordHasher): algorithm, iterations, salt, hash = encoded.split('$', 3) return int(iterations) != self.iterations def harden_runtime(self, password, encoded): algorithm, iterations, salt, hash = encoded.split('$', 3) extra_iterations = self.iterations - int(iterations) if extra_iterations > 0: self.encode(password, salt, extra_iterations) class PBKDF2SHA1PasswordHasher(PBKDF2PasswordHasher): """ Loading Loading @@ -308,23 +335,8 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher): def verify(self, password, encoded): algorithm, data = encoded.split('$', 1) assert algorithm == self.algorithm bcrypt = self._load_library() # Hash the password prior to using bcrypt to prevent password truncation # See: https://code.djangoproject.com/ticket/20138 if self.digest is not None: # We use binascii.hexlify here because Python3 decided that a hex encoded # bytestring is somehow a unicode. password = binascii.hexlify(self.digest(force_bytes(password)).digest()) else: password = force_bytes(password) # Ensure that our data is a bytestring data = force_bytes(data) # force_bytes() necessary for py-bcrypt compatibility hashpw = force_bytes(bcrypt.hashpw(password, data)) return constant_time_compare(data, hashpw) encoded_2 = self.encode(password, force_bytes(data)) return constant_time_compare(encoded, encoded_2) def safe_summary(self, encoded): algorithm, empty, algostr, work_factor, data = encoded.split('$', 4) Loading @@ -337,6 +349,16 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher): (_('checksum'), mask_hash(checksum)), ]) def harden_runtime(self, password, encoded): _, data = encoded.split('$', 1) salt = data[:29] # Length of the salt in bcrypt. rounds = data.split('$')[2] # work factor is logarithmic, adding one doubles the load. diff = 2**(self.rounds - int(rounds)) - 1 while diff > 0: self.encode(password, force_bytes(salt)) diff -= 1 class BCryptPasswordHasher(BCryptSHA256PasswordHasher): """ Loading Loading @@ -384,6 +406,9 @@ class SHA1PasswordHasher(BasePasswordHasher): (_('hash'), mask_hash(hash)), ]) def harden_runtime(self, password, encoded): pass class MD5PasswordHasher(BasePasswordHasher): """ Loading Loading @@ -412,6 +437,9 @@ class MD5PasswordHasher(BasePasswordHasher): (_('hash'), mask_hash(hash)), ]) def harden_runtime(self, password, encoded): pass class UnsaltedSHA1PasswordHasher(BasePasswordHasher): """ Loading Loading @@ -444,6 +472,9 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher): (_('hash'), mask_hash(hash)), ]) def harden_runtime(self, password, encoded): pass class UnsaltedMD5PasswordHasher(BasePasswordHasher): """ Loading Loading @@ -477,6 +508,9 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher): (_('hash'), mask_hash(encoded, show=3)), ]) def harden_runtime(self, password, encoded): pass class CryptPasswordHasher(BasePasswordHasher): """ Loading Loading @@ -511,3 +545,6 @@ class CryptPasswordHasher(BasePasswordHasher): (_('salt'), salt), (_('hash'), mask_hash(data, show=3)), ]) def harden_runtime(self, password, encoded): pass docs/releases/1.8.10.txt +33 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,39 @@ redirecting to this URL sends the user to ``attacker.com``. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade ================================================================================================ In each major version of Django since 1.6, the default number of iterations for the ``PBKDF2PasswordHasher`` and its subclasses has increased. This improves the security of the password as the speed of hardware increases, however, it also creates a timing difference between a login request for a user with a password encoded in an older number of iterations and login request for a nonexistent user (which runs the default hasher's default number of iterations since Django 1.6). This only affects users who haven't logged in since the iterations were increased. The first time a user logs in after an iterations increase, their password is updated with the new iterations and there is no longer a timing difference. The new ``BasePasswordHasher.harden_runtime()`` method allows hashers to bridge the runtime gap between the work factor (e.g. iterations) supplied in existing encoded passwords and the default work factor of the hasher. This method is implemented for ``PBKDF2PasswordHasher`` and ``BCryptPasswordHasher``. The number of rounds for the latter hasher hasn't changed since Django 1.4, but some projects may subclass it and increase the work factor as needed. A warning will be emitted for any :ref:`third-party password hashers that don't implement <write-your-own-password-hasher>` a ``harden_runtime()`` method. If you have different password hashes in your database (such as SHA1 hashes from users who haven't logged in since the default hasher switched to PBKDF2 in Django 1.4), the timing difference on a login request for these users may be even greater and this fix doesn't remedy that difference (or any difference when changing hashers). You may be able to :ref:`upgrade those hashes <wrapping-password-hashers>` to prevent a timing attack for that case. Bugfixes ======== Loading docs/topics/auth/passwords.txt +30 −0 Original line number Diff line number Diff line Loading @@ -194,6 +194,14 @@ sure never to *remove* entries from this list. If you do, users using unmentioned algorithms won't be able to upgrade. Passwords will be upgraded when changing the PBKDF2 iteration count. Be aware that if all the passwords in your database aren't encoded in the default hasher's algorithm, you may be vulnerable to a user enumeration timing attack due to a difference between the duration of a login request for a user with a password encoded in a non-default algorithm and the duration of a login request for a nonexistent user (which runs the default hasher). You may be able to mitigate this by :ref:`upgrading older password hashes <wrapping-password-hashers>`. .. _wrapping-password-hashers: Password upgrading without requiring a login Loading Loading @@ -283,6 +291,28 @@ Include any other hashers that your site uses in this list. .. _bcrypt: https://en.wikipedia.org/wiki/Bcrypt .. _`bcrypt library`: https://pypi.python.org/pypi/bcrypt/ .. _write-your-own-password-hasher: Writing your own hasher ----------------------- .. versionadded:: 1.8.10 If you write your own password hasher that contains a work factor such as a number of iterations, you should implement a ``harden_runtime(self, password, encoded)`` method to bridge the runtime gap between the work factor supplied in the ``encoded`` password and the default work factor of the hasher. This prevents a user enumeration timing attack due to difference between a login request for a user with a password encoded in an older number of iterations and a nonexistent user (which runs the default hasher's default number of iterations). Taking PBKDF2 as example, if ``encoded`` contains 20,000 iterations and the hasher's default ``iterations`` is 30,000, the method should run ``password`` through another 10,000 iterations of PBKDF2. If your hasher doesn't have a work factor, implement the method as a no-op (``pass``). Manually managing a user's password =================================== Loading tests/auth_tests/test_hashers.py +57 −1 Original line number Diff line number Diff line Loading @@ -10,9 +10,10 @@ from django.contrib.auth.hashers import ( check_password, get_hasher, identify_hasher, is_password_usable, make_password, ) from django.test import SimpleTestCase from django.test import SimpleTestCase, mock from django.test.utils import override_settings from django.utils import six from django.utils.encoding import force_bytes try: import crypt Loading Loading @@ -177,6 +178,28 @@ class TestUtilsHashPass(SimpleTestCase): self.assertTrue(check_password('', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded)) @skipUnless(bcrypt, "bcrypt not installed") def test_bcrypt_harden_runtime(self): hasher = get_hasher('bcrypt') self.assertEqual('bcrypt', hasher.algorithm) with mock.patch.object(hasher, 'rounds', 4): encoded = make_password('letmein', hasher='bcrypt') with mock.patch.object(hasher, 'rounds', 6), \ mock.patch.object(hasher, 'encode', side_effect=hasher.encode): hasher.harden_runtime('wrong_password', encoded) # Increasing rounds from 4 to 6 means an increase of 4 in workload, # therefore hardening should run 3 times to make the timing the # same (the original encode() call already ran once). self.assertEqual(hasher.encode.call_count, 3) # Get the original salt (includes the original workload factor) algorithm, data = encoded.split('$', 1) expected_call = (('wrong_password', force_bytes(data[:29])),) self.assertEqual(hasher.encode.call_args_list, [expected_call] * 3) def test_unusable(self): encoded = make_password(None) self.assertEqual(len(encoded), len(UNUSABLE_PASSWORD_PREFIX) + UNUSABLE_PASSWORD_SUFFIX_LENGTH) Loading Loading @@ -284,6 +307,25 @@ class TestUtilsHashPass(SimpleTestCase): finally: hasher.iterations = old_iterations def test_pbkdf2_harden_runtime(self): hasher = get_hasher('default') self.assertEqual('pbkdf2_sha256', hasher.algorithm) with mock.patch.object(hasher, 'iterations', 1): encoded = make_password('letmein') with mock.patch.object(hasher, 'iterations', 6), \ mock.patch.object(hasher, 'encode', side_effect=hasher.encode): hasher.harden_runtime('wrong_password', encoded) # Encode should get called once ... self.assertEqual(hasher.encode.call_count, 1) # ... with the original salt and 5 iterations. algorithm, iterations, salt, hash = encoded.split('$', 3) expected_call = (('wrong_password', salt, 5),) self.assertEqual(hasher.encode.call_args, expected_call) def test_pbkdf2_upgrade_new_hasher(self): hasher = get_hasher('default') self.assertEqual('pbkdf2_sha256', hasher.algorithm) Loading Loading @@ -312,6 +354,20 @@ class TestUtilsHashPass(SimpleTestCase): self.assertTrue(check_password('letmein', encoded, setter)) self.assertTrue(state['upgraded']) def test_check_password_calls_harden_runtime(self): hasher = get_hasher('default') encoded = make_password('letmein') with mock.patch.object(hasher, 'harden_runtime'), \ mock.patch.object(hasher, 'must_update', return_value=True): # Correct password supplied, no hardening needed check_password('letmein', encoded) self.assertEqual(hasher.harden_runtime.call_count, 0) # Wrong password supplied, hardening needed check_password('wrong_password', encoded) self.assertEqual(hasher.harden_runtime.call_count, 1) def test_load_library_no_algorithm(self): with self.assertRaises(ValueError) as e: BasePasswordHasher()._load_library() Loading Loading
django/contrib/auth/hashers.py +57 −20 Original line number Diff line number Diff line Loading @@ -4,6 +4,7 @@ import base64 import binascii import hashlib import importlib import warnings from collections import OrderedDict from django.conf import settings Loading Loading @@ -46,10 +47,17 @@ def check_password(password, encoded, setter=None, preferred='default'): preferred = get_hasher(preferred) hasher = identify_hasher(encoded) must_update = hasher.algorithm != preferred.algorithm if not must_update: must_update = preferred.must_update(encoded) hasher_changed = hasher.algorithm != preferred.algorithm must_update = hasher_changed or preferred.must_update(encoded) is_correct = hasher.verify(password, encoded) # If the hasher didn't change (we don't protect against enumeration if it # does) and the password should get updated, try to close the timing gap # between the work factor of the current encoded password and the default # work factor. if not is_correct and not hasher_changed and must_update: hasher.harden_runtime(password, encoded) if setter and is_correct and must_update: setter(password) return is_correct Loading Loading @@ -216,6 +224,19 @@ class BasePasswordHasher(object): def must_update(self, encoded): return False def harden_runtime(self, password, encoded): """ Bridge the runtime gap between the work factor supplied in `encoded` and the work factor suggested by this hasher. Taking PBKDF2 as an example, if `encoded` contains 20000 iterations and `self.iterations` is 30000, this method should run password through another 10000 iterations of PBKDF2. Similar approaches should exist for any hasher that has a work factor. If not, this method should be defined as a no-op to silence the warning. """ warnings.warn('subclasses of BasePasswordHasher should provide a harden_runtime() method') class PBKDF2PasswordHasher(BasePasswordHasher): """ Loading Loading @@ -258,6 +279,12 @@ class PBKDF2PasswordHasher(BasePasswordHasher): algorithm, iterations, salt, hash = encoded.split('$', 3) return int(iterations) != self.iterations def harden_runtime(self, password, encoded): algorithm, iterations, salt, hash = encoded.split('$', 3) extra_iterations = self.iterations - int(iterations) if extra_iterations > 0: self.encode(password, salt, extra_iterations) class PBKDF2SHA1PasswordHasher(PBKDF2PasswordHasher): """ Loading Loading @@ -308,23 +335,8 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher): def verify(self, password, encoded): algorithm, data = encoded.split('$', 1) assert algorithm == self.algorithm bcrypt = self._load_library() # Hash the password prior to using bcrypt to prevent password truncation # See: https://code.djangoproject.com/ticket/20138 if self.digest is not None: # We use binascii.hexlify here because Python3 decided that a hex encoded # bytestring is somehow a unicode. password = binascii.hexlify(self.digest(force_bytes(password)).digest()) else: password = force_bytes(password) # Ensure that our data is a bytestring data = force_bytes(data) # force_bytes() necessary for py-bcrypt compatibility hashpw = force_bytes(bcrypt.hashpw(password, data)) return constant_time_compare(data, hashpw) encoded_2 = self.encode(password, force_bytes(data)) return constant_time_compare(encoded, encoded_2) def safe_summary(self, encoded): algorithm, empty, algostr, work_factor, data = encoded.split('$', 4) Loading @@ -337,6 +349,16 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher): (_('checksum'), mask_hash(checksum)), ]) def harden_runtime(self, password, encoded): _, data = encoded.split('$', 1) salt = data[:29] # Length of the salt in bcrypt. rounds = data.split('$')[2] # work factor is logarithmic, adding one doubles the load. diff = 2**(self.rounds - int(rounds)) - 1 while diff > 0: self.encode(password, force_bytes(salt)) diff -= 1 class BCryptPasswordHasher(BCryptSHA256PasswordHasher): """ Loading Loading @@ -384,6 +406,9 @@ class SHA1PasswordHasher(BasePasswordHasher): (_('hash'), mask_hash(hash)), ]) def harden_runtime(self, password, encoded): pass class MD5PasswordHasher(BasePasswordHasher): """ Loading Loading @@ -412,6 +437,9 @@ class MD5PasswordHasher(BasePasswordHasher): (_('hash'), mask_hash(hash)), ]) def harden_runtime(self, password, encoded): pass class UnsaltedSHA1PasswordHasher(BasePasswordHasher): """ Loading Loading @@ -444,6 +472,9 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher): (_('hash'), mask_hash(hash)), ]) def harden_runtime(self, password, encoded): pass class UnsaltedMD5PasswordHasher(BasePasswordHasher): """ Loading Loading @@ -477,6 +508,9 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher): (_('hash'), mask_hash(encoded, show=3)), ]) def harden_runtime(self, password, encoded): pass class CryptPasswordHasher(BasePasswordHasher): """ Loading Loading @@ -511,3 +545,6 @@ class CryptPasswordHasher(BasePasswordHasher): (_('salt'), salt), (_('hash'), mask_hash(data, show=3)), ]) def harden_runtime(self, password, encoded): pass
docs/releases/1.8.10.txt +33 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,39 @@ redirecting to this URL sends the user to ``attacker.com``. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack. CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade ================================================================================================ In each major version of Django since 1.6, the default number of iterations for the ``PBKDF2PasswordHasher`` and its subclasses has increased. This improves the security of the password as the speed of hardware increases, however, it also creates a timing difference between a login request for a user with a password encoded in an older number of iterations and login request for a nonexistent user (which runs the default hasher's default number of iterations since Django 1.6). This only affects users who haven't logged in since the iterations were increased. The first time a user logs in after an iterations increase, their password is updated with the new iterations and there is no longer a timing difference. The new ``BasePasswordHasher.harden_runtime()`` method allows hashers to bridge the runtime gap between the work factor (e.g. iterations) supplied in existing encoded passwords and the default work factor of the hasher. This method is implemented for ``PBKDF2PasswordHasher`` and ``BCryptPasswordHasher``. The number of rounds for the latter hasher hasn't changed since Django 1.4, but some projects may subclass it and increase the work factor as needed. A warning will be emitted for any :ref:`third-party password hashers that don't implement <write-your-own-password-hasher>` a ``harden_runtime()`` method. If you have different password hashes in your database (such as SHA1 hashes from users who haven't logged in since the default hasher switched to PBKDF2 in Django 1.4), the timing difference on a login request for these users may be even greater and this fix doesn't remedy that difference (or any difference when changing hashers). You may be able to :ref:`upgrade those hashes <wrapping-password-hashers>` to prevent a timing attack for that case. Bugfixes ======== Loading
docs/topics/auth/passwords.txt +30 −0 Original line number Diff line number Diff line Loading @@ -194,6 +194,14 @@ sure never to *remove* entries from this list. If you do, users using unmentioned algorithms won't be able to upgrade. Passwords will be upgraded when changing the PBKDF2 iteration count. Be aware that if all the passwords in your database aren't encoded in the default hasher's algorithm, you may be vulnerable to a user enumeration timing attack due to a difference between the duration of a login request for a user with a password encoded in a non-default algorithm and the duration of a login request for a nonexistent user (which runs the default hasher). You may be able to mitigate this by :ref:`upgrading older password hashes <wrapping-password-hashers>`. .. _wrapping-password-hashers: Password upgrading without requiring a login Loading Loading @@ -283,6 +291,28 @@ Include any other hashers that your site uses in this list. .. _bcrypt: https://en.wikipedia.org/wiki/Bcrypt .. _`bcrypt library`: https://pypi.python.org/pypi/bcrypt/ .. _write-your-own-password-hasher: Writing your own hasher ----------------------- .. versionadded:: 1.8.10 If you write your own password hasher that contains a work factor such as a number of iterations, you should implement a ``harden_runtime(self, password, encoded)`` method to bridge the runtime gap between the work factor supplied in the ``encoded`` password and the default work factor of the hasher. This prevents a user enumeration timing attack due to difference between a login request for a user with a password encoded in an older number of iterations and a nonexistent user (which runs the default hasher's default number of iterations). Taking PBKDF2 as example, if ``encoded`` contains 20,000 iterations and the hasher's default ``iterations`` is 30,000, the method should run ``password`` through another 10,000 iterations of PBKDF2. If your hasher doesn't have a work factor, implement the method as a no-op (``pass``). Manually managing a user's password =================================== Loading
tests/auth_tests/test_hashers.py +57 −1 Original line number Diff line number Diff line Loading @@ -10,9 +10,10 @@ from django.contrib.auth.hashers import ( check_password, get_hasher, identify_hasher, is_password_usable, make_password, ) from django.test import SimpleTestCase from django.test import SimpleTestCase, mock from django.test.utils import override_settings from django.utils import six from django.utils.encoding import force_bytes try: import crypt Loading Loading @@ -177,6 +178,28 @@ class TestUtilsHashPass(SimpleTestCase): self.assertTrue(check_password('', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded)) @skipUnless(bcrypt, "bcrypt not installed") def test_bcrypt_harden_runtime(self): hasher = get_hasher('bcrypt') self.assertEqual('bcrypt', hasher.algorithm) with mock.patch.object(hasher, 'rounds', 4): encoded = make_password('letmein', hasher='bcrypt') with mock.patch.object(hasher, 'rounds', 6), \ mock.patch.object(hasher, 'encode', side_effect=hasher.encode): hasher.harden_runtime('wrong_password', encoded) # Increasing rounds from 4 to 6 means an increase of 4 in workload, # therefore hardening should run 3 times to make the timing the # same (the original encode() call already ran once). self.assertEqual(hasher.encode.call_count, 3) # Get the original salt (includes the original workload factor) algorithm, data = encoded.split('$', 1) expected_call = (('wrong_password', force_bytes(data[:29])),) self.assertEqual(hasher.encode.call_args_list, [expected_call] * 3) def test_unusable(self): encoded = make_password(None) self.assertEqual(len(encoded), len(UNUSABLE_PASSWORD_PREFIX) + UNUSABLE_PASSWORD_SUFFIX_LENGTH) Loading Loading @@ -284,6 +307,25 @@ class TestUtilsHashPass(SimpleTestCase): finally: hasher.iterations = old_iterations def test_pbkdf2_harden_runtime(self): hasher = get_hasher('default') self.assertEqual('pbkdf2_sha256', hasher.algorithm) with mock.patch.object(hasher, 'iterations', 1): encoded = make_password('letmein') with mock.patch.object(hasher, 'iterations', 6), \ mock.patch.object(hasher, 'encode', side_effect=hasher.encode): hasher.harden_runtime('wrong_password', encoded) # Encode should get called once ... self.assertEqual(hasher.encode.call_count, 1) # ... with the original salt and 5 iterations. algorithm, iterations, salt, hash = encoded.split('$', 3) expected_call = (('wrong_password', salt, 5),) self.assertEqual(hasher.encode.call_args, expected_call) def test_pbkdf2_upgrade_new_hasher(self): hasher = get_hasher('default') self.assertEqual('pbkdf2_sha256', hasher.algorithm) Loading Loading @@ -312,6 +354,20 @@ class TestUtilsHashPass(SimpleTestCase): self.assertTrue(check_password('letmein', encoded, setter)) self.assertTrue(state['upgraded']) def test_check_password_calls_harden_runtime(self): hasher = get_hasher('default') encoded = make_password('letmein') with mock.patch.object(hasher, 'harden_runtime'), \ mock.patch.object(hasher, 'must_update', return_value=True): # Correct password supplied, no hardening needed check_password('letmein', encoded) self.assertEqual(hasher.harden_runtime.call_count, 0) # Wrong password supplied, hardening needed check_password('wrong_password', encoded) self.assertEqual(hasher.harden_runtime.call_count, 1) def test_load_library_no_algorithm(self): with self.assertRaises(ValueError) as e: BasePasswordHasher()._load_library() Loading
