-rw-r--r-- | CHANGES.md | 1 | ||||
-rw-r--r-- | example_project/settings.py | 2 | ||||
-rw-r--r-- | ishtar_common/utils.py | 17 |
3 files changed, 19 insertions, 1 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 7fc883352..5615d8923 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -15,6 +15,7 @@ Ishtar changelog
 - Update and fix translations (refs #5578, refs #5579, refs #5581)
 - Default timeout for session is set to 5 days
 - Optional security for login attempt: loging, deactivate account after many failed login.
+- Force using 128 bits salt for password hasher
 ### Bug fixes ###
 - Json fields: fix bad save of multi values
diff --git a/example_project/settings.py b/example_project/settings.py
index a0f677755..5f110acad 100644
--- a/example_project/settings.py
+++ b/example_project/settings.py
@@ -64,7 +64,7 @@ LOGOUT_REDIRECT_URL = "/" + URL_PATH
 ACCOUNT_ACTIVATION_DAYS = 7
 PASSWORD_HASHERS = [
-    'django.contrib.auth.hashers.Argon2PasswordHasher',
+    'ishtar_common.utils.Argon2PasswordHasher',
     'django.contrib.auth.hashers.PBKDF2PasswordHasher',
     'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
     'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
diff --git a/ishtar_common/utils.py b/ishtar_common/utils.py
index 12ab2e646..3a3c53853 100644
--- a/ishtar_common/utils.py
+++ b/ishtar_common/utils.py
@@ -28,6 +28,7 @@ from importlib import import_module
 import io
 from jinja2 import Template
 import locale
+import math
 import os
 import random
 import re
@@ -48,6 +49,7 @@ from django.apps import apps
 from django.conf import settings
 from django.conf.urls import url
 from django.contrib.auth.models import Permission
+from django.contrib.auth.hashers import Argon2PasswordHasher as BaseArgon2PasswordHasher
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.gis.geos import GEOSGeometry
 from django.contrib.sessions.backends.db import SessionStore
@@ -60,6 +62,7 @@ from django.core.validators import EMPTY_VALUES
 from django.urls import reverse
 from django.db import models
 from django.http import HttpResponseRedirect
+from django.utils.crypto import get_random_string
 from django.utils.datastructures import MultiValueDict as BaseMultiValueDict
 from django.utils.safestring import mark_safe
 from django.template.defaultfilters import slugify
@@ -2290,3 +2293,17 @@ class EachCharacterTypeValidator:
 ) + ", ".join(
 [str(character_type[0]) for character_type in self.character_types]
 ) + str(_("."))
+
+
+# picked from Django 3.2 to assure 128 bites salt - should be removed on upgrade
+class Argon2PasswordHasher(BaseArgon2PasswordHasher):
+    salt_entropy = 128
+    RANDOM_STRING_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
+
+    def salt(self):
+        """
+        Generate a cryptographically secure nonce salt in ASCII with an entropy
+        of at least `salt_entropy` bits.
+        """
+        char_count = math.ceil(self.salt_entropy / math.log2(len(self.RANDOM_STRING_CHARS)))
+        return get_random_string(char_count, allowed_chars=self.RANDOM_STRING_CHARS) |
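Review bot: The backported `salt()` only lengthens the salt for hashes created from now on; an existing user's hash keeps its shorter pre-3.2 salt indefinitely, because nothing in the new `Argon2PasswordHasher` asks Django to re-encode it. In Django 3.2 the same change is paired with a salt-length check in `must_update` (the `must_update_salt` helper), which makes `check_password` re-hash on the next successful login, and that half of the backport is missing here. A `must_update` override on the new class that compares the stored salt's entropy against `salt_entropy` would close the gap — sketched below; it needs `import base64` next to the new `import math`, and the salt-field extraction should be confirmed against `encode()` of the Django version in use, since `decode()` only exists from 3.2. The class comment should also read `# picked from Django 3.2 to assure a 128-bit salt - should be removed on upgrade`. Separately, only `example_project/settings.py` is switched to the new dotted path, so a deployment with its own `PASSWORD_HASHERS` keeps using the stock hasher until it follows suit — worth a line in the CHANGES.md entry.
```python
class Argon2PasswordHasher(BaseArgon2PasswordHasher):
    # … unchanged: salt_entropy, RANDOM_STRING_CHARS, salt() …

    def must_update(self, encoded):
        """Also request a re-hash when the stored salt carries fewer than salt_entropy bits."""
        if super().must_update(encoded):
            return True
        # Django stores the salt base64-encoded (unpadded) as the penultimate
        # '$' field of the argon2 string -- confirm against encode() for the
        # Django version in use.
        b64salt = encoded.split('$')[-2]
        salt_len = len(base64.b64decode(b64salt + '=' * (-len(b64salt) % 4)))
        return salt_len * math.log2(len(self.RANDOM_STRING_CHARS)) < self.salt_entropy
```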