This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author zooko
Recipients zooko
Date 2010-06-30.03:48:33
SpamBayes Score 0.040811814
Marked as misclassified No
Message-id <1277869715.19.0.305414138773.issue9123@psf.upfronthosting.co.za>
In-reply-to
Content 
os.urandom() on VMS invokes OpenSSL's RAND_pseudo_bytes(). That is documented on:

http://www.openssl.org/docs/crypto/RAND_bytes.html

as being predictable and therefore unsuitable for many cryptographic purposes. This is inconsistent with the documentation of os.urandom():

"""
urandom(n) -> str\n\n\
Return a string of n random bytes suitable for cryptographic use.
"""

This probably means that users of Python on VMS are vulnerable to attack based on the predictability of the results they get from os.urandom().

Honestly, I would have guessed that there *were* no users of Python on VMS when I started this bug report, but look--apparently there are:

http://www.vmspython.org

To fix this, change the call from RAND_pseudo_bytes() to RAND_bytes(). It has the same type signature and actually does what os.urandom() needs.
History
Date User Action Args
2010-06-30 03:48:35zookosetrecipients: + zooko
2010-06-30 03:48:35zookosetmessageid: <1277869715.19.0.305414138773.issue9123@psf.upfronthosting.co.za>
2010-06-30 03:48:33zookolinkissue9123 messages
2010-06-30 03:48:33zookocreate