Insecure crypto #3

Open
usrbinsam opened this issue Dec 5, 2017 · 1 comment

@usrbinsam

salt = ''.join(random.choice(ALPHABET) for i in range(16))

I would not trust the randomness of this function. You should use this module instead: https://docs.python.org/3/library/secrets.html#module-secrets.

return key == stored_key

This is vulnerable to a timing attack. Use a constant-time comparison function or https://docs.python.org/3.6/library/hmac.html#hmac.compare_digest

passlib==1.7.1

I see you listed passlib as a requirement but you aren't using it. It supports sha256_crypt, generates a salt for you, and includes a constant-time comparison function. This would solve both of the above issues.

@pyskell pyskell self-assigned this Dec 5, 2017
@pyskell pyskell added the bug label Dec 5, 2017
@pyskell
Owner

pyskell commented Dec 5, 2017

Thanks! I agree on both points and will need to adopt these changes.
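The two lines flagged in this issue, shown next to a standard-library hardening, as an added example that is not the project's code or part of the original thread. The contents of `ALPHABET`, the PBKDF2 key derivation, the iteration count and all function names are assumptions made for illustration; the issue does not show how the project derives `key`.

```python
import hashlib
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed; not shown in the issue
ITERATIONS = 200_000  # assumed work factor for this sketch


def weak_salt():
    # Pattern quoted in the issue: the random module is a seeded
    # Mersenne Twister, so its output is reproducible from its state.
    return ''.join(random.choice(ALPHABET) for i in range(16))


def strong_salt():
    # Same shape, but each character comes from the OS CSPRNG.
    return ''.join(secrets.choice(ALPHABET) for _ in range(16))


def derive_key(password, salt):
    # PBKDF2-HMAC-SHA256 stands in for the project's KDF (assumption).
    raw = hashlib.pbkdf2_hmac('sha256', password.encode(), salt.encode(), ITERATIONS)
    return raw.hex()


def hash_password(password):
    salt = strong_salt()
    return salt, derive_key(password, salt)


def verify_password(password, salt, stored_key):
    key = derive_key(password, salt)
    # Unlike `key == stored_key`, compare_digest does not stop at the
    # first differing character, so timing does not reveal the match length.
    return hmac.compare_digest(key, stored_key)


def predictable_after_seed(seed):
    # Same seed, same "salt": the reason random is unsuitable here.
    random.seed(seed)
    first = weak_salt()
    random.seed(seed)
    return first == weak_salt()
```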
