Surya/core 9290/py triplesec v4 #19
triplesec/utils.py
Outdated
def __init__(self, string=b''): | ||
self._obj = Crypto.Hash.keccak.new(digest_bits=512) | ||
self.input = b"" |
is storing this okay (used in `copy`)?
Holding onto an empty string?
try: | ||
print(plaintext.decode('ascii', 'strict')) | ||
except UnicodeDecodeError: | ||
sys.stderr.write("Aborting: unable to decode plaintext as ASCII. Use -b to output binary.\n") |
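Review bot: `plaintext.decode('ascii', 'strict')` in the `try` still accepts every byte below 0x80, including control characters such as ESC (0x1b), so terminal escape sequences in a decrypted message reach the console unchanged. If the aim is safe console output, also reject non-printable characters (allowing newline and tab) before `print`, and make sure the `except` branch exits with a non-zero status after the "Aborting" message, which the visible lines do not show.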
what do you think about this change? to avoid printing arbitrary unicode to console
triplesec/utils.py
Outdated
def __init__(self, string=b''): | ||
self._obj = Crypto.Hash.keccak.new(digest_bits=512) | ||
self.input = b"" | ||
self.input += string |
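Review bot: `self.input += string` in `__init__` keeps a second copy of everything passed to the hash for the lifetime of the object. Because `bytes` is immutable, each `+=` allocates a new object and leaves the previous one for the garbage collector, so any secret bytes that pass through cannot be overwritten later, and repeated appends copy the whole buffer each time. If the buffer exists only so the object can be copied, a `bytearray` would at least allow clearing it after use; not retaining the input at all avoids the question.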
oh, you mean this....
I guess it can be called with some of the MAC key data in the HMAC construction, and therefore might be passing a MAC key around. That ok?
I usually assume that anything in the process's memory is safe. But I saw a lot of scrubbing in the JS repo, is that necessary or just an extra precaution?
It was an extra precaution and likely not ineffective since with interpreted languages, you never really know what happens to memory.
That makes sense. I got rid of this custom stuff entirely. And I finally figured out what caused the sudden change: pysha3 upgraded to 1.0 and changed the default sha3 function, but we weren't version locked so tests started failing (which I just now did). Still using the library since it provides keccak which the python stdlib doesn't.
Resolves #15 #14
Wontfix's #8 due to deprecating py2.6