From ad71e39d31dc9c21821fea7ccc323dfc43db6fae Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Sun, 15 Jul 2012 16:16:28 -0700
Subject: [PATCH] simplify by removing hashes of random numbers

There may be circumstances where hashing random numbers might be useful, but in order to justify it we would need to know something about the generator that provides them. However, checking with strace shows that the CSPRNG in Crypto.Random may not reseed its entropy enough, so we might ultimately want to use a different one. It only reseeds 8 bytes per call even if you read megabytes of random numbers from it!
---
 server-ca/chocolate.py | 14 ++------------
 server-ca/daemon.py | 9 +++------
 2 files changed, 5 insertions(+), 18 deletions(-)

diff --git a/server-ca/chocolate.py b/server-ca/chocolate.py
index 2cb9694ad..737f675cb 100755
--- a/server-ca/chocolate.py
+++ b/server-ca/chocolate.py
@@ -1,9 +1,7 @@
 #!/usr/bin/env python
-import web, redis, time
+import web, redis, time, binascii
 import CSR
-import hashlib
-import hmac
 import hashcash
 from CSR import M2Crypto
 from Crypto import Random
@@ -24,15 +22,9 @@ urls = (
 '.*', 'session'
 )
-def sha256(m):
- return hashlib.sha256(m).hexdigest()
-
-def hmac(k, m):
- return hmac.new(k, m, hashlib.sha256).hexdigest()
-
 def random():
 """Return 64 hex digits representing a new 32-byte random number."""
- return sha256(Random.get_random_bytes(32))
+ return binascii.hexlify(Random.get_random_bytes(32))
 def safe(what, s):
 """Is string s within the allowed-character policy for this field?"""
@@ -337,8 +329,6 @@ class session(object):
 def POST(self):
 web.header("Content-type", "application/x-protobuf+chocolate")
-# web.setcookie("chocolate", hmac("foo", "bar"),
-# secure=True) # , httponly=True)
 m = chocolatemessage()
 r = chocolatemessage()
 r.chocolateversion = 1
diff --git a/server-ca/daemon.py b/server-ca/daemon.py
index 31f7363e2..a5050d8c8 100644
--- a/server-ca/daemon.py
+++ b/server-ca/daemon.py
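Review bot: The new `random()` body in the second chocolate.py hunk still draws from `Crypto.Random`, the generator the commit message itself distrusts for reseeding; dropping the SHA-256 wrapper is sound (hashing never added entropy and only hid the generator's output), but the reseeding concern is better addressed by taking the bytes from the kernel pool with `return binascii.hexlify(os.urandom(32))` (plus `import os` in the first hunk), which needs no reseed or fork handling. If `Crypto.Random` is kept, PyCrypto's generator has to be reseeded in child processes via `Random.atfork()`, which matters if the web.py server forks workers — not visible in this diff. These hex strings are presumably used as session identifiers handed to clients, so whichever source is chosen must stay a CSPRNG. The same applies to `random()` and `random_raw()` in server-ca/daemon.py.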
@@ -48,7 +48,7 @@
 # the server or the daemon (due to timeout or error) causes
 # a session to be treated as dead by both.
-import redis, redis_lock, time, CSR, sys, signal, hashlib
+import redis, redis_lock, time, CSR, sys, signal, binascii
 from sni_challenge.verify import verify_challenge
 from Crypto import Random
@@ -86,16 +86,13 @@ def ancient(session, state):
 return True
 return False
-def sha256(m):
- return hashlib.sha256(m).hexdigest()
-
 def random():
 """Return 64 hex digits representing a new 32-byte random number."""
- return sha256(Random.get_random_bytes(32))
+ return binascii.hexlify(Random.get_random_bytes(32))
 def random_raw():
 """Return 32 random bytes."""
- return hashlib.sha256(Random.get_random_bytes(32)).digest()
+ return Random.get_random_bytes(32)
 def makechallenge(session):
 if r.hget(session, "live") != "True":
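Review bot: `random()` in the second daemon.py hunk is now a byte-for-byte duplicate of the one in server-ca/chocolate.py, and the two processes appear to share session keys in redis (`r.hget(session, "live")` in the context below), so the two definitions have to stay in lockstep on format; a comment such as `# Must match random() in chocolate.py: 64 lowercase hex digits, the redis session-key format` would protect that invariant, and a single shared helper imported by both files would be better still. Note also that `binascii.hexlify` returns `bytes` on Python 3 where `hexdigest()` returned `str`, so the "64 hex digits" docstring only describes a text value on Python 2; appending `.decode('ascii')` would keep the contract if the code is ever ported. `makechallenge` begins in this hunk and continues outside it.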