Mercurial > p > roundup > code
comparison roundup/cgi/client.py @ 5488:52cb53eedf77
reworked random number use
prefer secrets module from Python 3.6+, random.SystemRandom and finally plain random
| author | Christof Meerwald <cmeerw@cmeerw.org> |
|---|---|
| date | Sat, 04 Aug 2018 22:40:16 +0100 |
| parents | da22ff1c3501 |
| children | 725266c03eab |
comparison
equal
deleted
inserted
replaced
| 5487:ce171c81d823 | 5488:52cb53eedf77 |
|---|---|
| 9 import quopri, re, stat, sys, time | 9 import quopri, re, stat, sys, time |
| 10 import socket, errno, hashlib | 10 import socket, errno, hashlib |
| 11 import email.utils | 11 import email.utils |
| 12 from traceback import format_exc | 12 from traceback import format_exc |
| 13 | 13 |
| 14 try: | 14 import roundup.anypy.random_ as random_ |
| 15 # Use the cryptographic source of randomness if available | 15 if not random_.is_weak: |
| 16 from random import SystemRandom | |
| 17 random=SystemRandom() | |
| 18 logger.debug("Importing good random generator") | 16 logger.debug("Importing good random generator") |
| 19 except ImportError: | 17 else: |
| 20 from random import random | |
| 21 logger.warning("**SystemRandom not available. Using poor random generator") | 18 logger.warning("**SystemRandom not available. Using poor random generator") |
| 22 | 19 |
| 23 try: | 20 try: |
| 24 from OpenSSL.SSL import SysCallError | 21 from OpenSSL.SSL import SysCallError |
| 25 except ImportError: | 22 except ImportError: |
| 175 self._data = self.session_db.getall(self._sid) | 172 self._data = self.session_db.getall(self._sid) |
| 176 | 173 |
| 177 def _gen_sid(self): | 174 def _gen_sid(self): |
| 178 """ generate a unique session key """ | 175 """ generate a unique session key """ |
| 179 while 1: | 176 while 1: |
| 180 s = '%s%s'%(time.time(), random.random()) | 177 s = b2s(binascii.b2a_base64(random_.token_bytes(32)).strip()) |
| 181 s = b2s(binascii.b2a_base64(s2b(s)).strip()) | |
| 182 if not self.session_db.exists(s): | 178 if not self.session_db.exists(s): |
| 183 break | 179 break |
| 184 | 180 |
| 185 # clean up the base64 | 181 # clean up the base64 |
| 186 if s[-1] == '=': | 182 if s[-1] == '=': |
| 321 ) | 317 ) |
| 322 | 318 |
| 323 def __init__(self, instance, request, env, form=None, translator=None): | 319 def __init__(self, instance, request, env, form=None, translator=None): |
| 324 # re-seed the random number generator. Is this is an instance of | 320 # re-seed the random number generator. Is this is an instance of |
| 325 # random.SystemRandom it has no effect. | 321 # random.SystemRandom it has no effect. |
| 326 random.seed() | 322 random_.seed() |
| 327 # So we also seed the pseudorandom random source obtained from | 323 # So we also seed the pseudorandom random source obtained from |
| 328 # import random | 324 # import random |
| 329 # to make sure that every forked copy of the client will return | 325 # to make sure that every forked copy of the client will return |
| 330 # new random numbers. | 326 # new random numbers. |
| 331 seed_pseudorandom() | 327 seed_pseudorandom() |
| 399 self.classname = None | 395 self.classname = None |
| 400 self.template = None | 396 self.template = None |
| 401 | 397 |
| 402 def _gen_nonce(self): | 398 def _gen_nonce(self): |
| 403 """ generate a unique nonce """ | 399 """ generate a unique nonce """ |
| 404 n = '%s%s%s'%(random.random(), id(self), time.time() ) | 400 n = b2s(base64.b32encode(random_.token_bytes(40))) |
| 405 n = hashlib.sha256(s2b(n)).hexdigest() | |
| 406 return n | 401 return n |
| 407 | 402 |
| 408 def setTranslator(self, translator=None): | 403 def setTranslator(self, translator=None): |
| 409 """Replace the translation engine | 404 """Replace the translation engine |
| 410 | 405 |
| 862 raise | 857 raise |
| 863 user = username | 858 user = username |
| 864 # try to seed with something harder to guess than | 859 # try to seed with something harder to guess than |
| 865 # just the time. If random is SystemRandom, | 860 # just the time. If random is SystemRandom, |
| 866 # this is a no-op. | 861 # this is a no-op. |
| 867 random.seed("%s%s"%(password,time.time())) | 862 random_.seed("%s%s"%(password,time.time())) |
| 868 | 863 |
| 869 # if user was not set by http authorization, try session lookup | 864 # if user was not set by http authorization, try session lookup |
| 870 if not user: | 865 if not user: |
| 871 user = self.session_api.get('user') | 866 user = self.session_api.get('user') |
| 872 if user: | 867 if user: |