Ticket #4151: password2.diff

django/conf/global_settings.py

@@ -318 +318 @@
 
 LOGIN_REDIRECT_URL = '/accounts/profile/'
 
+# Hash algorithm that will be used by admin app if the
+# hashlib module is available (Python 2.5 onwards).
+# Allowed values are 'sha1', 'sha224', 'sha256', 'sha384'.
+PASSWORD_HASH_ALGORITHM = 'sha256'
+
 ###########
 # TESTING #
 ###########

django/contrib/auth/models.py

@@ -17 +17 @@
     elif algo == 'sha1':
         import sha
         return hsh == sha.new(salt+raw_password).hexdigest()
+    elif algo in ('sha224', 'sha256', 'sha384'):
+        # Note: sha512 could be supported by making password
+        # field of User model longer than 128 chars
+        try:
+            import hashlib
+        except ImportError:
+            # Python version is presumably earlier than 2.5
+            raise ValueError, "%s not supported in this environment." % algo
+        return hsh == hashlib.new(algo, salt+raw_password).hexdigest()
     elif algo == 'crypt':
         try:
             import crypt
@@ -149 +158 @@
         return full_name.strip()
 
     def set_password(self, raw_password):
-        import sha, random
-        algo = 'sha1'
-        salt = sha.new(str(random.random())).hexdigest()[:5]
-        hsh = sha.new(salt+raw_password).hexdigest()
+        import random
+        try:
+            import hashlib
+            from django.conf import settings
+            algo = settings.PASSWORD_HASH_ALGORITHM
+            salt = hashlib.new(algo, str(random.random())).hexdigest()[:5]
+            hsh = hashlib.new(algo, salt+raw_password).hexdigest()
+        except ImportError:
+            # Python version presumably earlier than 2.5,
+            # so fall back on using SHA-1 hash
+            import sha
+            algo = 'sha1'
+            salt = sha.new(str(random.random())).hexdigest()[:5]
+            hsh = sha.new(salt+raw_password).hexdigest()
         self.password = '%s$%s$%s' % (algo, salt, hsh)
 
     def check_password(self, raw_password):