36 lines
1.0 KiB
Plaintext
36 lines
1.0 KiB
Plaintext
== How to fix it in pyca
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,python,diff-id=2,diff-type=noncompliant]
|
|
----
|
|
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
|
|
from cryptography.hazmat.primitives import hashes
|
|
|
|
digest = PBKDF2HMAC(hashes.SHA256(), length=32, salt=b"F3MdWpeHeeSjlUxvKBnzzA", iterations=100000).derive(password)
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,python,diff-id=2,diff-type=compliant]
|
|
----
|
|
import secrets
|
|
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
|
|
from cryptography.hazmat.primitives import hashes
|
|
|
|
salt = secrets.token_bytes(32)
|
|
digest = PBKDF2HMAC(hashes.SHA256(), length=32, salt=salt, iterations=100000).derive(password)
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/salt.adoc[]
|
|
|
|
Here, the compliant code example ensures the salt is random and has a sufficient
|
|
length by calling the `secrets.token_bytes` function. This one internally uses a
|
|
cryptographically secure pseudo random number generator.
|