diff options
author | Carl Dong <accounts@carldong.me> | 2018-11-16 23:24:57 -0800 |
---|---|---|
committer | Carl Dong <accounts@carldong.me> | 2018-11-17 01:26:49 -0800 |
commit | 6be7d14d243eeeaaf6b4b98c3359c3e1695f2046 (patch) | |
tree | c3909ee2454344e6f1d990287a9ef852e2854721 /share | |
parent | 35739976c1d9ad250ece573980c57e7e7976ae23 (diff) |
Properly generate salt in rpcauth.py, update tests
Previously, when iterating over bytes of the generated salt to construct
a hex string, only one character would be outputted when the byte is
less than 0x10. Meaning that for a 16 byte salt, the hex string might be
less than 32 characters and collisions would occur.
Diffstat (limited to 'share')
-rwxr-xr-x | share/rpcauth/rpcauth.py | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/share/rpcauth/rpcauth.py b/share/rpcauth/rpcauth.py index 13bef3d37a..cecc6c30a4 100755 --- a/share/rpcauth/rpcauth.py +++ b/share/rpcauth/rpcauth.py @@ -5,17 +5,13 @@ import sys import os -from random import SystemRandom import base64 +from binascii import hexlify import hmac -def generate_salt(): - # This uses os.urandom() underneath - cryptogen = SystemRandom() - - # Create 16 byte hex salt - salt_sequence = [cryptogen.randrange(256) for _ in range(16)] - return ''.join([format(r, 'x') for r in salt_sequence]) +def generate_salt(size): + """Create size byte hex salt""" + return hexlify(os.urandom(size)).decode() def generate_password(): """Create 32 byte b64 password""" @@ -32,7 +28,8 @@ def main(): username = sys.argv[1] - salt = generate_salt() + # Create 16 byte hex salt + salt = generate_salt(16) if len(sys.argv) > 2: password = sys.argv[2] else: |