Argon2PasswordHasher.verify() should be agnostic to the algorithm version


Till Kolter

Oct 23, 2017, 6:23:56 PM
to Django developers (Contributions to Django itself)
Hi,
I have two separate sources capable of generating user passwords (one is a legacy system, but unfortunately it will not go away for a while).
The legacy system uses Argon2id, while the new Django-based system is fixed to version Argon2i for both encoding and decoding.

In my opinion the decoding `verify` function should be agnostic to the version of the algorithm and set the type from the corresponding part of the string, like:

```
from django.utils.encoding import force_bytes

# Proposed replacement for Argon2PasswordHasher.verify(); self._load_library()
# returns the argon2-cffi module and self.algorithm is "argon2".
def verify(self, password, encoded):
    argon2 = self._load_library()
    # encoded looks like "argon2$argon2i$v=19$m=...,t=...,p=...$<salt>$<hash>"
    algorithm, rest = encoded.split('$', 1)
    assert algorithm == self.algorithm
    # First field of the PHC string names the variant: argon2i, argon2d or argon2id.
    alg_identifier, _ = rest.split('$', 1)
    alg_short = alg_identifier.split('argon2')[1]
    # Map "i" / "d" / "id" onto argon2.low_level.Type.I / .D / .ID.
    argon2_type = getattr(argon2.low_level.Type, alg_short.upper())
    try:
        return argon2.low_level.verify_secret(
            force_bytes('$' + rest),
            force_bytes(password),
            type=argon2_type,
        )
    except argon2.exceptions.VerificationError:
        return False
```

What do you think?

Till
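The variant-agnostic verification described in the post, as an added stand-alone example (this is neither Django's code nor the poster's). It assumes argon2-cffi as the Argon2 library and Django's encoded layout `argon2$<PHC string>`, where the PHC string begins with `$argon2i`, `$argon2d` or `$argon2id`. It differs from the posted snippet in two ways a practitioner would want: the variant is looked up in an explicit allow-list instead of passing an arbitrary substring of the stored hash to `getattr()`, and a malformed or unknown hash makes `verify_any_variant()` return `False` rather than raise, which is the contract of Django's `PasswordHasher.verify()`. The function names `parse_encoded` and `verify_any_variant` are my own, not Django's.

```python
"""Verify a Django-style Argon2 hash regardless of which variant produced it.

Added example, not Django's or the poster's code. Assumes argon2-cffi and
Django's encoded layout: "argon2" + PHC string, e.g.
    argon2$argon2id$v=19$m=102400,t=2,p=8$<salt>$<hash>
"""
from __future__ import annotations

# Prefix Django's Argon2PasswordHasher stores in front of the PHC string.
ALGORITHM = "argon2"

# Explicit allow-list: identifier in the hash -> member name of argon2.low_level.Type.
# Using a dict instead of getattr(Type, anything) means an unexpected field can
# never select an unintended attribute and a corrupt row fails closed.
VARIANTS = {
    "argon2i": "I",
    "argon2d": "D",
    "argon2id": "ID",
}


def parse_encoded(encoded: str) -> tuple[str, str]:
    """Split a Django encoded Argon2 hash into (variant, phc_string).

    "argon2$argon2id$v=19$..." -> ("argon2id", "$argon2id$v=19$...").
    Raises ValueError for anything that is not a well-formed Django argon2 hash
    with a known variant.
    """
    algorithm, sep, rest = encoded.partition("$")
    if sep != "$" or algorithm != ALGORITHM:
        raise ValueError("not a Django argon2 hash")
    variant, sep, _ = rest.partition("$")
    if sep != "$" or variant not in VARIANTS:
        raise ValueError(f"unsupported Argon2 variant: {variant!r}")
    return variant, "$" + rest


def verify_any_variant(password: str, encoded: str) -> bool:
    """Check password against encoded, taking the Argon2 type from the hash itself.

    Returns False (never raises) for a wrong password, a malformed hash or an
    unknown variant, matching PasswordHasher.verify() semantics.
    """
    try:
        variant, phc = parse_encoded(encoded)
    except ValueError:
        return False
    import argon2  # argon2-cffi; imported lazily so parsing works without it installed

    argon2_type = getattr(argon2.low_level.Type, VARIANTS[variant])
    try:
        return argon2.low_level.verify_secret(
            phc.encode("ascii"), password.encode("utf-8"), type=argon2_type
        )
    except argon2.exceptions.VerificationError:
        return False


if __name__ == "__main__":
    # Demo (needs argon2-cffi): hash one password with every variant, then show
    # that a single verify function accepts each hash and rejects a wrong password.
    import os
    import argon2

    password = "correct horse battery staple"
    for variant, member in VARIANTS.items():
        raw = argon2.low_level.hash_secret(
            password.encode("utf-8"), os.urandom(16),
            time_cost=2, memory_cost=512, parallelism=2, hash_len=32,
            type=getattr(argon2.low_level.Type, member),
        )
        encoded = ALGORITHM + raw.decode("ascii")  # Django prepends "argon2" to the PHC string
        print(variant, verify_any_variant(password, encoded), verify_any_variant("wrong", encoded))
```

Note that the allow-list is also what you would extend if Django ever stored a new variant identifier, and that the lazy import keeps `parse_encoded()` usable in a migration script that only needs to classify existing rows.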