updated pyotp to 2.6.0, used its secret generator with 32-char default

freedomofpress · Aug 16, 2021 · 96c16d4 · 96c16d4
1 parent 322e281
commit 96c16d4
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 15 deletions.
diff --git a/securedrop/models.py b/securedrop/models.py
@@ -4,7 +4,6 @@
 import base64
 import os
 import scrypt
-import secrets
 import pyotp
 import qrcode
 # Using svg because it doesn't require additional dependencies
@@ -37,14 +36,6 @@
 ARGON2_PARAMS = dict(memory_cost=2**16, rounds=4, parallelism=2)
 
 
-def generate_otp_secret() -> str:
-    """
-    Generate an OTP secret of 160 bits encoded base32
-    """
-    symbols = list('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567')
-    return ''.join(secrets.choice(symbols) for i in range(32))
-
-
 def get_one_or_else(query: Query,
                     logger: 'Logger',
                     failure_method: 'Callable[[int], None]') -> db.Model:
@@ -412,7 +403,7 @@ class Journalist(db.Model):
     is_admin = Column(Boolean)  # type: Column[Optional[bool]]
     session_nonce = Column(Integer, nullable=False, default=0)
 
-    otp_secret = Column(String(32), default=generate_otp_secret)
+    otp_secret = Column(String(32), default=pyotp.random_base32)
     is_totp = Column(Boolean, default=True)  # type: Column[Optional[bool]]
     hotp_counter = Column(Integer, default=0)  # type: Column[Optional[int]]
     last_token = Column(String(6))
@@ -575,7 +566,7 @@ def valid_password(self, passphrase: 'Optional[str]') -> bool:
         return is_valid
 
     def regenerate_totp_shared_secret(self) -> None:
-        self.otp_secret = generate_otp_secret()
+        self.otp_secret = pyotp.random_base32()
 
     def set_hotp_secret(self, otp_secret: str) -> None:
         self.otp_secret = base64.b32encode(

diff --git a/securedrop/requirements/python3/securedrop-app-code-requirements.in b/securedrop/requirements/python3/securedrop-app-code-requirements.in
@@ -18,7 +18,7 @@ mod_wsgi
 passlib
 pretty-bad-protocol>=3.1.1
 psutil>=5.6.6
-pyotp
+pyotp>=2.6.0
 qrcode
 redis>=3.3.6
 rq>=1.1.0

diff --git a/securedrop/requirements/python3/securedrop-app-code-requirements.txt b/securedrop/requirements/python3/securedrop-app-code-requirements.txt
@@ -211,9 +211,9 @@ psutil==5.7.0 \
 pycparser==2.18 \
     --hash=sha256:99a8ca03e29851d96616ad0404b4aad7d9ee16f25c9f9708a11faf2810f7b226
     # via cffi
-pyotp==2.2.6 \
-    --hash=sha256:8f0df1fcf9e86cec41f0a31c91212b1a04fca6dd353426917222b21864b9310b \
-    --hash=sha256:dd9130dd91a0340d89a0f06f887dbd76dd07fb95a8886dc4bc401239f2eebd69
+pyotp==2.6.0 \
+    --hash=sha256:9d144de0f8a601d6869abe1409f4a3f75f097c37b50a36a3bf165810a6e23f28 \
+    --hash=sha256:d28ddfd40e0c1b6a6b9da961c7d47a10261fb58f378cb00f05ce88b26df9c432
     # via -r requirements/python3/securedrop-app-code-requirements.in
 python-dateutil==2.7.2 \
     --hash=sha256:3220490fb9741e2342e1cf29a503394fdac874bc39568288717ee67047ff29df \