Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.10/site-packages/django/utils/crypto.py: 40%

Shortcuts on this page

r m x   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

30 statements  

1""" 

2Django's standard crypto functions and utilities. 

3""" 

4 

5import hashlib 

6import hmac 

7import secrets 

8 

9from django.conf import settings 

10from django.utils.encoding import force_bytes 

11 

12 

13class InvalidAlgorithm(ValueError): 

14 """Algorithm is not supported by hashlib.""" 

15 

16 pass 

17 

18 

19def salted_hmac(key_salt, value, secret=None, *, algorithm="sha1"): 

20 """ 

21 Return the HMAC of 'value', using a key generated from key_salt and a 

22 secret (which defaults to settings.SECRET_KEY). Default algorithm is SHA1, 

23 but any algorithm name supported by hashlib can be passed. 

24 

25 A different key_salt should be passed in for every application of HMAC. 

26 """ 

27 if secret is None: 

28 secret = settings.SECRET_KEY 

29 

30 key_salt = force_bytes(key_salt) 

31 secret = force_bytes(secret) 

32 try: 

33 hasher = getattr(hashlib, algorithm) 

34 except AttributeError as e: 

35 raise InvalidAlgorithm( 

36 "%r is not an algorithm accepted by the hashlib module." % algorithm 

37 ) from e 

38 # We need to generate a derived key from our base key. We can do this by 

39 # passing the key_salt and our base key through a pseudo-random function. 

40 key = hasher(key_salt + secret).digest() 

41 # If len(key_salt + secret) > block size of the hash algorithm, the above 

42 # line is redundant and could be replaced by key = key_salt + secret, since 

43 # the hmac module does the same thing for keys longer than the block size. 

44 # However, we need to ensure that we *always* do this. 

45 return hmac.new(key, msg=force_bytes(value), digestmod=hasher) 

46 

47 

48RANDOM_STRING_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 

49 

50 

51def get_random_string(length, allowed_chars=RANDOM_STRING_CHARS): 

52 """ 

53 Return a securely generated random string. 

54 

55 The bit length of the returned value can be calculated with the formula: 

56 log_2(len(allowed_chars)^length) 

57 

58 For example, with default `allowed_chars` (26+26+10), this gives: 

59 * length: 12, bit length =~ 71 bits 

60 * length: 22, bit length =~ 131 bits 

61 """ 

62 return "".join(secrets.choice(allowed_chars) for i in range(length)) 

63 

64 

65def constant_time_compare(val1, val2): 

66 """Return True if the two strings are equal, False otherwise.""" 

67 return secrets.compare_digest(force_bytes(val1), force_bytes(val2)) 

68 

69 

70def pbkdf2(password, salt, iterations, dklen=0, digest=None): 

71 """Return the hash of password using pbkdf2.""" 

72 if digest is None: 

73 digest = hashlib.sha256 

74 dklen = dklen or None 

75 password = force_bytes(password) 

76 salt = force_bytes(salt) 

77 return hashlib.pbkdf2_hmac(digest().name, password, salt, iterations, dklen)