
So I'm running a Flask Python app on dotcloud, and I'm basically trying to hash a password (using hashlib.sha512; the salt is uuid.uuid4().bytes).

import hashlib, sys, uuid

def print_stderr(msg):          # minimal stand-in for the asker's hack: dotcloud shows stderr, so write there
    sys.stderr.write(str(msg) + "\n")

user_dict['salt'] = uuid.uuid4().bytes                      # 16 raw bytes, not a printable string
print_stderr(user_dict['salt'])
print_stderr(hashlib.sha512(user_dict['pwd'] + user_dict['salt']))
user_dict['pwd'] = hashlib.sha512(user_dict['pwd'] + user_dict['salt']).digest()   # raw 64-byte digest
print_stderr(user_dict['pwd'])

This all works fine even in a Python interpreter on dotcloud, but when I actually run the code on the server it crashes (or something: the client gets an HTTP 500 code, but the dotcloud log just closes).

I can tell by which print statements are executed and which are not that it crashes on the uuid.uuid4().bytes line. But if I replace that with a constant (e.g. "uehg83yydh") it doesn't fail immediately, but rather on the hashlib.sha512(...).digest() line.

You may also notice that print_stderr is not a standard Python function. It's a hack I am using to get dotcloud to print stuff from Python (it prints to stderr instead of stdout). Surely there's a better way to debug on dotcloud that I'm not aware of?

geniass
  • What version of Python are you using? Are there any error messages when it crashes? Look in /var/log/supervisor for the different log files. – Ken Cochrane Dec 10 '12 at 01:48
  • I'm using 2.7 (python_version: v2.7 in dotcloud.yml). There are no error messages in the CLI log viewer, it just stops. However in the uwsgi.log file there are some [strange characters](http://pastebin.com/Kz1Xx8ya) that the CLI viewer doesn't show. – geniass Dec 10 '12 at 11:19
  • Can you post those logs? Are you using the sandbox or the live flavor? – Ken Cochrane Dec 10 '12 at 15:29
  • I'm using sandbox for development. Anyway, this part of the code miraculously started to work. There's a new problem now, but it seems much easier to sort out: http://pastebin.com/vyfn5hwu It seems as if either uuid or hashlib (or both) is not encoding something properly. – geniass Dec 10 '12 at 15:44

1 Answer

Try this for your code.

  1. Switching uuid to hex instead of bytes.
  2. Changing to use update() instead of adding the strings together; it is a little cleaner.

Code:

import hashlib
import uuid

user_dict['salt'] = uuid.uuid4().hex   # 32 hex characters: plain ASCII, so it logs and stores cleanly
print_stderr(user_dict['salt'])
m = hashlib.sha512()
m.update(user_dict['pwd'])             # feed the password first ...
m.update(user_dict['salt'])            # ... then the salt; same digest as hashing pwd + salt in one go
user_dict['pwd'] = m.hexdigest()       # hex string instead of raw digest bytes
print_stderr(user_dict['pwd'])
Ken Cochrane
  • That seems to have fixed it, but after reading some more about password storage I decided to use bcrypt, rather than mess around with my own probably very insecure implementation – geniass Dec 10 '12 at 19:59
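As an added example (not code from the question or the answer; written for Python 3, so strings are encoded before hashing), this puts the answer's scheme into functions, shows that the update() form and the asker's concatenation form give the same digest, adds a constant-time verify, and includes a check for why raw uuid4().bytes and digest() output broke the log where .hex and .hexdigest() do not. RAW_SALT_SAMPLE is a constructed value, not real uuid4 output.

```python
import hashlib
import hmac
import uuid

# Constructed sample (not real uuid4 output): 16 raw bytes that are not valid UTF-8
RAW_SALT_SAMPLE = b"\xff\xfe\x93\x07" + b"\x00" * 12


def make_salt():
    """Per-user salt as 32 hex characters, as the answer suggests (always printable ASCII)."""
    return uuid.uuid4().hex


def hash_password(password, salt_hex):
    """Salted SHA-512 built the way the answer does it: update(pwd), update(salt), hexdigest()."""
    m = hashlib.sha512()
    m.update(password.encode("utf-8"))  # Python 3: hashlib takes bytes, so encode the str
    m.update(salt_hex.encode("ascii"))
    return m.hexdigest()  # 128 hex characters, safe to log or store as text


def hash_password_concat(password, salt_hex):
    """The asker's original concatenation form; yields the same digest as the update() form."""
    return hashlib.sha512((password + salt_hex).encode("utf-8")).hexdigest()


def verify_password(password, salt_hex, stored_hex):
    """Recompute and compare in constant time so a mismatch does not leak where it differs."""
    return hmac.compare_digest(hash_password(password, salt_hex), stored_hex)


def is_log_safe(value):
    """True if value can go into a UTF-8 text log unchanged: it must decode and be printable.

    uuid4().bytes and sha512().digest() are raw bytes and routinely fail this, which matches the
    strange characters in the asker's uwsgi.log; .hex and .hexdigest() always pass.
    """
    if isinstance(value, bytes):
        try:
            value = value.decode("utf-8")
        except UnicodeDecodeError:
            return False
    return value.isprintable()


if __name__ == "__main__":
    salt = make_salt()
    stored = hash_password("correct horse", salt)
    print(salt, stored, verify_password("correct horse", salt, stored))
    print(is_log_safe(RAW_SALT_SAMPLE), is_log_safe(uuid.uuid4().bytes), is_log_safe(salt))
```

The asker's closing comment still applies: salted SHA-512 is a fast hash, so this only demonstrates the fix under discussion, while bcrypt is the better choice for stored passwords.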