[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
Tyler Hicks
tyhicks at canonical.com
Tue Jul 25 23:11:13 UTC 2017
Hello! This is a very accelerated security review of python-scrypt. I
didn't look at the scrypt implementation itself but did have a quick
look at a few important areas of the project.
1) crypto_entropy_read() eventually calls entropy_read() which directly
reads from /dev/urandom. New code that needs to fetch random data
should be using the getrandom(2) syscall available in 3.17 and newer
kernels. The main downside of entropy_read()'s implementation is that
it can't detect if the urandom pool has not yet been initialized. It
would be nice if the function were converted to use getrandom(2) when
it is available.
2) It is great to see that tests/hashvectors.csv is inspired by the test
vectors found in rfc7914:
https://tools.ietf.org/html/rfc7914#section-12
However, it only includes three of the four test vectors. It would be
nice if hashvectors.csv could be updated to include the
scrypt(P="pleaseletmein", S="SodiumChloride", N=1048576, r=8, p=1,
dkLen=64) vector.
3) It is strongly recommended that BINDNOW hardening be enabled at build
time.
Security team ack for pre-promotion but I'm requesting that you fix #2
and #3 ASAP (before 17.10 is released).
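An added check, not part of the review above or of the python-scrypt project, that exercises points 1 and 2: it verifies all four RFC 7914 section 12 test vectors with hashlib.scrypt (skipping the 1 GiB N=1048576 vector unless a larger memory budget is passed) and reads entropy through getrandom(2) so an uninitialized urandom pool is reported instead of silently read. The memory formula and the os.urandom fallback are assumptions for platforms without getrandom.

```python
import hashlib
import os

# Test vectors copied from RFC 7914 section 12: (P, S, N, r, p, expected hex).
RFC7914_VECTORS = [
    (b"", b"", 16, 1, 1,
     "77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442"
     "fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906"),
    (b"password", b"NaCl", 1024, 8, 16,
     "fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b373162"
     "2eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640"),
    (b"pleaseletmein", b"SodiumChloride", 16384, 8, 1,
     "7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2"
     "d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887"),
    # The vector missing from tests/hashvectors.csv; needs about 1 GiB of RAM.
    (b"pleaseletmein", b"SodiumChloride", 1048576, 8, 1,
     "2101cb9b6a511aaeaddbbe09cf70f881ec568d574a2ffd4dabe5ee9820adaa47"
     "8e56fd8f4ba5d09ffa1c6d927c40f4c337304049e8a952fbcbf45c6fa77a41a4"),
]


def scrypt_memory_bytes(n, r, p):
    # Assumed working-set estimate: 128*r*N for the V array plus 128*r*p for B.
    return 128 * r * n + 128 * r * p


def check_vectors(max_mem=64 * 1024 * 1024):
    # Returns {(N, r, p): "ok" | "MISMATCH" | "skipped"} for every RFC vector.
    results = {}
    for pw, salt, n, r, p, expected in RFC7914_VECTORS:
        need = scrypt_memory_bytes(n, r, p)
        if need > max_mem:
            results[(n, r, p)] = "skipped"  # too large for the given budget
            continue
        dk = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=64,
                            maxmem=need + (1 << 20))  # headroom for OpenSSL
        results[(n, r, p)] = "ok" if dk.hex() == expected else "MISMATCH"
    return results


def entropy_read(nbytes):
    # getrandom(2) with GRND_NONBLOCK raises BlockingIOError while the kernel
    # pool is still uninitialized; a plain read of /dev/urandom cannot tell.
    if hasattr(os, "getrandom"):
        return os.getrandom(nbytes, os.GRND_NONBLOCK)
    return os.urandom(nbytes)  # assumed fallback where getrandom is absent


if __name__ == "__main__":
    print(check_vectors())
    print(len(entropy_read(32)), "bytes of entropy read")
```

Pass `check_vectors(max_mem=2 * 1024 ** 3)` to also run the large vector on a machine with enough memory.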
https://bugs.launchpad.net/bugs/1695899
Title:
[MIR] python-scrypt, python-bcrypt
Status in python-bcrypt package in Ubuntu:
New
Status in python-scrypt package in Ubuntu:
New
Bug description:
>python-scrypt<
[Availability]
In universe
[Rationale]
keystone: Support new hashing algorithms for securely storing password hashes
[Security]
[Quality assurance]
Package has not been well maintained in Debian; Python 3 support and new upstream release + misc package polish applied in Ubuntu.
Package runs test suite for all python versions as part of build.
[Dependencies]
In main.
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
>python-bcrypt<
[Availability]
In universe
[Rationale]
keystone: Support new hashing algorithms for securely storing password hashes
[Security]
[Quality assurance]
Package well maintained in Debian; Minor point release in Ubuntu over Debian unstable.
Package runs test suite for all python versions as part of build.
[Dependencies]
In main.
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack