authorRoland Hedberg <roland.hedberg@adm.umu.se>2015-02-28 07:26:23 +0100
committerRoland Hedberg <roland.hedberg@adm.umu.se>2015-02-28 07:26:23 +0100
commit6828283977544b3a674066f30fa088aef138207e (patch)
treede9014719a81f2c681d64dbfa1e272f648bf4256
parent7b025c619ffd187ededb102143eaf6a6c87ee918 (diff)
downloadpysaml2-6828283977544b3a674066f30fa088aef138207e.tar.gz
Usage of a cryptographically suitable RNG. Proposed by Seth Arnold.
-rwxr-xr-xsetup.py4
-rw-r--r--src/saml2/s_utils.py24
-rw-r--r--src/saml2/sigver.py21
3 files changed, 21 insertions, 28 deletions
diff --git a/setup.py b/setup.py
index 6b75ffd4..4e1aa41a 100755
--- a/setup.py
+++ b/setup.py
@@ -51,8 +51,8 @@ if sys.version_info < (2, 7):
setup(
name='pysaml2',
- version='2.3.0',
- description='Python implementation of SAML Version 2 to be used in a WSGI environment',
+ version='2.4.0beta',
+ description='Python implementation of SAML Version 2',
# long_description = read("README"),
author='Roland Hedberg',
author_email='roland.hedberg@adm.umu.se',
diff --git a/src/saml2/s_utils.py b/src/saml2/s_utils.py
index e17c2b56..5f9fe42d 100644
--- a/src/saml2/s_utils.py
+++ b/src/saml2/s_utils.py
@@ -7,6 +7,7 @@ import time
import base64
import sys
import hmac
+import string
# from python 2.5
import imp
@@ -154,31 +155,28 @@ def deflate_and_base64_encode(string_val):
return base64.b64encode(zlib.compress(string_val)[2:-4])
-def rndstr(size=16):
+def rndstr(size=16, alphabet=""):
"""
Returns a string of random ascii characters or digits
:param size: The length of the string
:return: string
"""
- _basech = string.ascii_letters + string.digits
- return "".join([random.choice(_basech) for _ in range(size)])
+ rng = random.SystemRandom()
+ if not alphabet:
+ alphabet = string.letters[0:52] + string.digits
+ return str().join(rng.choice(alphabet) for _ in range(size))
-def sid(seed=""):
- """The hash of the server time + seed makes an unique SID for each session.
- 128-bits long so it fulfills the SAML2 requirements which states
+def sid():
+ """creates an unique SID for each session.
+ 160-bits long so it fulfills the SAML2 requirements which states
128-160 bits
- :param seed: A seed string
- :return: The hex version of the digest, prefixed by 'id-' to make it
+ :return: A random string prefix with 'id-' to make it
compliant with the NCName specification
"""
- ident = md5()
- ident.update(repr(time.time()))
- if seed:
- ident.update(seed)
- return "id-" + ident.hexdigest()
+ return "id-" + rndstr(17)
def parse_attribute_map(filenames):
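Review bot: The new `sid()` body `return "id-" + rndstr(17)` yields about 101 bits of randomness (17 symbols drawn from a 62-symbol alphabet, log2(62) ≈ 5.95 bits each), not the 160 bits the rewritten docstring claims, and below the 128-bit floor the same docstring cites from SAML2; `return "id-" + rndstr(22)` gives roughly 131 bits, or else the docstring should state the real figure. In `rndstr`, the new default `alphabet = string.letters[0:52] + string.digits` is locale-dependent on Python 2 (`string.letters` changes with `locale.setlocale`) and does not exist on Python 3, whereas the removed line used `string.ascii_letters`, which is fixed and portable; `alphabet = string.ascii_letters + string.digits` keeps the intended [A-Za-z0-9] set. The `rndstr` docstring does not describe the new parameter; add `:param alphabet: Characters to draw from; defaults to ASCII letters and digits`. Removing the `seed` parameter from `sid()` changes its signature, so any caller still passing `seed=` will now raise TypeError — I cannot see callers from this hunk, so this is worth checking.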
diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
index e598781b..0f2d1fbb 100644
--- a/src/saml2/sigver.py
+++ b/src/saml2/sigver.py
@@ -33,7 +33,7 @@ from saml2 import saml
from saml2 import ExtensionElement
from saml2 import VERSION
-from saml2.s_utils import sid
+from saml2.s_utils import sid, rndstr
from saml2.s_utils import Unsupported
from saml2.time_util import instant
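Review bot: `rndstr` is added on the `+from saml2.s_utils import sid, rndstr` line, but its only use in this file is inside the commented-out `create_id` in the hunk below, so the import is unused as committed. Either revert to `from saml2.s_utils import sid` or keep `create_id` as live code that actually calls `rndstr`.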
@@ -322,18 +322,13 @@ def signed_instance_factory(instance, seccont, elements_to_sign=None):
# --------------------------------------------------------------------------
-
-
-def create_id():
- """ Create a string of 40 random characters from the set [a-p],
- can be used as a unique identifier of objects.
-
- :return: The string of random characters
- """
- ret = ""
- for _ in range(40):
- ret += chr(random.randint(0, 15) + ord('a'))
- return ret
+# def create_id():
+# """ Create a string of 40 random characters from the set [a-p],
+# can be used as a unique identifier of objects.
+#
+# :return: The string of random characters
+# """
+# return rndstr(40, "abcdefghijklmonp")
def make_temp(string, suffix="", decode=True, delete=True):
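Review bot: `create_id` is replaced by a commented-out copy instead of being removed or rewritten, leaving dead code that will drift from `rndstr`; either delete the comment block or keep a working definition, `def create_id(): return rndstr(40, "abcdefghijklmnop")`. The alphabet in the commented line, `"abcdefghijklmonp"`, has n and o transposed — the character set is still [a-p], so `choice` would be unaffected, but the typo invites confusion if the code is ever restored. `create_id` was a module-level public name, so if anything outside this file imports it the deletion breaks that import; callers are not visible from this hunk. With its body gone, `random` may also be unused in sigver.py now, which is worth checking in the import block outside this hunk.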