Message 192683 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	christian.heimes
Recipients	christian.heimes, gregory.p.smith
Date	2013年07月08日.17:57:19
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1373306240.23.0.797149936972.issue18405@psf.upfronthosting.co.za>

Content
crypt.mksalt() creates a salt with a lower entropy than possible. It uses random.SystemRandom().sample() to generate a salt string from the set of 64 chars (string.ascii_letters + string.digits + './'). SystemRandom() uses a CPRNG (good) but sample() returns n UNIQUE members of the set (very bad). sample() reduces the set possible chars by one for each salt char. Suggested fix: salt = base64.b64encode(os.urandom(salt_chars * 3 // 4), b"./").decode("ascii")

Content

crypt.mksalt() creates a salt with a lower entropy than possible. It uses random.SystemRandom().sample() to generate a salt string from the set of 64 chars (string.ascii_letters + string.digits + './'). SystemRandom() uses a CPRNG (good) but sample() returns n UNIQUE members of the set (very bad). sample() reduces the set possible chars by one for each salt char.
Suggested fix:
salt = base64.b64encode(os.urandom(salt_chars * 3 // 4), b"./").decode("ascii")

History
Date	User	Action	Args
2013年07月08日 17:57:20	christian.heimes	set	recipients: + christian.heimes, gregory.p.smith
2013年07月08日 17:57:20	christian.heimes	set	messageid: <1373306240.23.0.797149936972.issue18405@psf.upfronthosting.co.za>
2013年07月08日 17:57:20	christian.heimes	link	issue18405 messages
2013年07月08日 17:57:19	christian.heimes	create

homepage