[Openstack-security] [Bug 1319639] Re: Standard random number generators (using shuffle) should not be used to generate randomness

OpenStack Infra 1319639 at bugs.launchpad.net
Thu Jul 10 08:46:04 UTC 2014


Reviewed:  https://review.openstack.org/105779
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=063e515e780c241ddac755b0b9a2414316d983f5
Submitter: Jenkins
Branch:    master

commit 063e515e780c241ddac755b0b9a2414316d983f5
Author: Ivan Kolodyazhny <e0ne at e0ne.info>
Date:   Wed Jul 9 19:08:18 2014 +0300

    Use PyCrypto to generate random passwords
    
    The standard random generator is not secure enough. Use PyCrypto instead.
    Updated requirements.txt with pycrypto>=2.6 according to
    global-requirements
    
    Change-Id: I38fd47a30893a946de30fad95c57759781312be6
    Closes: bug #1319639


** Changed in: cinder
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1319639

Title:
  Standard random number generators (using shuffle) should not be used
  to generate randomness

Status in Cinder:
  Fix Committed

Bug description:
  In the Cinder code, /cinder/utils.py, the two lines of code below use
  shuffle to generate a random number. Standard random number generators
  should not be used to generate randomness that is used for security
  reasons. Could we use a cryptographic randomness generator to provide
  sufficient entropy instead?

    # If length < len(symbolgroups), the leading characters will only
    # be from the first length groups. Try our best to not be predictable
    # by shuffling and then truncating.
    r.shuffle(password)  # <-- this line of code has the described issue
    password = password[:length]
    length -= len(password)

    # finally shuffle to ensure first x characters aren't from a
    # predictable group
    r.shuffle(password)  # <-- this line of code has the described issue

    return ''.join(password)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1319639/+subscriptions
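As an added illustration (example code written for this page, not Cinder's utils.py and not part of the bug report or the fix commit): the shuffle-and-truncate password scheme that the quoted comments describe, reconstructed around a pluggable generator. The symbol groups, the fill step between the two shuffles, the rng parameter and the helper names are assumptions. Passing the OS-backed random.SystemRandom (the same class Python 3.6+ exposes as secrets.SystemRandom) gives unpredictable output; passing a seeded random.Random (the Mersenne Twister behind the module-level random functions) reproduces the weakness the report is about, since anyone who knows or guesses the seed obtains the same password sequence.

```python
"""Added example for this page: a CSPRNG-backed password generator in the
shape the bug report's comments describe, next to a seeded weak variant.
Not Cinder's code; the groups, fill step and helper names are assumptions."""
import random
import string

# Assumed symbol groups for the example (the report does not show Cinder's).
DEFAULT_PASSWORD_SYMBOLS = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
)


def generate_password(length=20, symbolgroups=DEFAULT_PASSWORD_SYMBOLS,
                      rng=None):
    """Return a password of `length` chars with one char from each group.

    `rng` must provide choice() and shuffle(). The default is
    random.SystemRandom(), which reads os.urandom (the same class as
    secrets.SystemRandom on Python 3.6+). Pass random.Random(seed) to
    get the deterministic, guessable behaviour the bug is about.
    """
    r = rng if rng is not None else random.SystemRandom()

    # One character from each group so every group is represented.
    password = [r.choice(group) for group in symbolgroups]

    # If length < len(symbolgroups), shuffle before truncating so the
    # surviving characters are not always from the first groups.
    r.shuffle(password)
    password = password[:length]
    length -= len(password)

    # Fill the remainder from the union of all groups (assumed step).
    symbols = ''.join(symbolgroups)
    password.extend(r.choice(symbols) for _ in range(length))

    # Final shuffle so the leading characters are not from a predictable group.
    r.shuffle(password)
    return ''.join(password)


def covers_all_groups(password, symbolgroups=DEFAULT_PASSWORD_SYMBOLS):
    """True if every group contributed at least one character."""
    return all(any(c in group for c in password) for group in symbolgroups)


def passwords_from(rng_factory, n=3, length=20):
    """Generate n passwords from a single generator instance."""
    rng = rng_factory()
    return [generate_password(length, rng=rng) for _ in range(n)]


def weak_generator_is_reproducible(seed=1234):
    """Two runs of a seeded Mersenne Twister give identical passwords."""
    return (passwords_from(lambda: random.Random(seed))
            == passwords_from(lambda: random.Random(seed)))


def strong_generator_is_not_reproducible():
    """Two runs of SystemRandom give different passwords (a collision
    across three 20-char passwords over 62 symbols is negligible)."""
    return (passwords_from(random.SystemRandom)
            != passwords_from(random.SystemRandom))


if __name__ == "__main__":
    print("strong:", generate_password())
    print("truncated to 2:", generate_password(length=2))
    print("seeded twister reproducible:", weak_generator_is_reproducible())
    print("SystemRandom reproducible:",
          not strong_generator_is_not_reproducible())
```

Running the file prints one strong password, one truncated below the number of groups, and the two reproducibility checks. The point to take from it: SystemRandom.shuffle and SystemRandom.choice both draw from os.urandom, so a shuffle call is only as good as the generator object `r` is bound to; the property to audit is where `r` comes from, not the shuffle line by itself.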



