Mersenne Twister used for nonce values
bug description
In auth_nb.py and bosh.py the random number generator from Python's random module is used to generate nonce values. These values must be both unpredictable and nonrepeating.
http://www.xmpp.org/extensions/xep-0124.html#security-sidrid
But Python's random module uses the Mersenne Twister as its core generator. Being completely deterministic, it is completely unsuitable for cryptographic purposes.
http://docs.python.org/2/library/random.html
bug analysis
One possible solution is to use random.SystemRandom. But this generator uses os.urandom, which on the Windows platform uses CryptGenRandom and has some issues.
http://docs.python.org/2/library/random.html#random.SystemRandom
https://en.wikipedia.org/wiki/CryptGenRandom#Security
A better solution is to use the OpenSSL PRNG when possible.
https://trac.gajim.org/ticket/7550
https://wiki.openssl.org/index.php/Random_Numbers
fix recommendation
New module rndg, which uses the OpenSSL PRNG if OpenSSL is available. If OpenSSL is not available, use random.SystemRandom.
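
A sketch of the recommended fallback, added here as an example and not the project's own rndg module. It assumes the OpenSSL PRNG is reached through the standard-library ssl.RAND_bytes; the names backend, secure_bytes, make_nonce and mt_nonces are hypothetical. mt_nonces reproduces the reported behaviour for comparison.

```python
import binascii
import random

try:
    # OpenSSL's PRNG as exposed by the standard-library ssl module (assumption:
    # this is the route to OpenSSL; the ticket does not say which binding to use).
    from ssl import RAND_bytes as _openssl_bytes
except ImportError:  # interpreter built without OpenSSL
    _openssl_bytes = None

_system = random.SystemRandom()  # os.urandom-backed fallback


def backend():
    """Name of the source secure_bytes() will try first."""
    return "openssl" if _openssl_bytes is not None else "system"


def secure_bytes(n):
    """Return n unpredictable bytes: OpenSSL if usable, else SystemRandom."""
    if _openssl_bytes is not None:
        try:
            return _openssl_bytes(n)
        except Exception:  # e.g. ssl.SSLError when the PRNG is not seeded
            pass
    return bytes(bytearray(_system.getrandbits(8) for _ in range(n)))


def make_nonce(nbytes=16):
    """Hex nonce carrying nbytes * 8 random bits (hypothetical helper)."""
    return binascii.hexlify(secure_bytes(nbytes)).decode("ascii")


def mt_nonces(seed, count, nbytes=16):
    """What the bug amounts to: nonces drawn from the Mersenne Twister."""
    mt = random.Random(seed)
    return ["%0*x" % (nbytes * 2, mt.getrandbits(nbytes * 8))
            for _ in range(count)]


if __name__ == "__main__":
    # Same internal state gives the same "nonces": the stream is fully determined.
    print(mt_nonces(1234, 3) == mt_nonces(1234, 3))
    print(backend(), make_nonce())
```
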