
Insecure crypto

Open usrbinsam opened this issue 8 years ago • 1 comments

https://github.com/pyskell/LicenseServer/blob/9beb984c92f8c37a591c1c26a715eabff0a57374/auth.py#L48

I would not trust the randomness of this function. You should use this module instead: https://docs.python.org/3/library/secrets.html#module-secrets.

https://github.com/pyskell/LicenseServer/blob/9beb984c92f8c37a591c1c26a715eabff0a57374/auth.py#L35

This is vulnerable to a timing attack. Use a constant-time comparison function or https://docs.python.org/3.6/library/hmac.html#hmac.compare_digest

https://github.com/pyskell/LicenseServer/blob/9beb984c92f8c37a591c1c26a715eabff0a57374/requirements.txt#L6

I see you listed passlib as a requirement but you aren't using it; it supports sha256_crypt, generates a salt for you, and includes a constant-time comparison function. This would solve both of the above issues.

usrbinsam avatar Dec 05 '17 00:12 usrbinsam
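The two fixes the report asks for (a CSPRNG for key generation and a constant-time check on verification), as an added example that is not part of the issue or of the LicenseServer project. It uses only the standard library (`secrets`, `hashlib.pbkdf2_hmac`, `hmac.compare_digest`) rather than passlib, and the function names `generate_license_key`, `hash_license_key` and `verify_license_key` are assumptions, since the project's `auth.py` is not shown on this page.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical helper names; the project's own auth.py is not reproduced here.

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation is 600k).
PBKDF2_ITERATIONS = 600_000


def generate_license_key(nbytes: int = 32) -> str:
    """Return a URL-safe key drawn from the OS CSPRNG (32 bytes -> 43 chars).

    `secrets` is the module the report points to; `random` is a Mersenne
    Twister and is not suitable for keys or tokens.
    """
    return secrets.token_urlsafe(nbytes)


def hash_license_key(key: str, salt: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted digest for storage; the raw key is never stored.

    Storage format (constructed for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per key
    digest = hashlib.pbkdf2_hmac("sha256", key.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_license_key(key: str, stored: str) -> bool:
    """Recompute the digest for `key` and compare it in constant time.

    A plain `candidate == expected` on bytes can return as soon as the first
    differing byte is found; hmac.compare_digest always walks the whole
    value, so the time taken does not depend on how much of it matched.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", key.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    key = generate_license_key()
    record = hash_license_key(key)
    print("issued key:", key)
    print("stored:", record)
    print("verify good key:", verify_license_key(key, record))
    print("verify wrong key:", verify_license_key(key + "x", record))
```

`hash_license_key` embeds the iteration count in the stored record, so the work factor can be raised later without invalidating existing keys; `verify_license_key` treats any unparsable record as a failed check instead of an exception, which keeps the error path from leaking information about the stored format.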

Thanks! I agree on both points and will need to adopt these changes.

pyskell avatar Dec 05 '17 14:12 pyskell