diff -r ad141164c792 Include/pylifecycle.h --- a/Include/pylifecycle.h Tue Aug 16 18:27:44 2016 +0200 +++ b/Include/pylifecycle.h Tue Aug 16 18:50:27 2016 +0200 @@ -117,7 +117,8 @@ PyAPI_FUNC(PyOS_sighandler_t) PyOS_getsi PyAPI_FUNC(PyOS_sighandler_t) PyOS_setsig(int, PyOS_sighandler_t); /* Random */ -PyAPI_FUNC(int) _PyOS_URandom (void *buffer, Py_ssize_t size); +PyAPI_FUNC(int) _PyOS_URandom(void *buffer, Py_ssize_t size); +PyAPI_FUNC(int) _PyOS_URandomNonblock(void *buffer, Py_ssize_t size); #ifdef __cplusplus } diff -r ad141164c792 Lib/random.py --- a/Lib/random.py Tue Aug 16 18:27:44 2016 +0200 +++ b/Lib/random.py Tue Aug 16 18:50:27 2016 +0200 @@ -103,15 +103,6 @@ class Random(_random.Random): """ - if a is None: - try: - # Seed with enough bytes to span the 19937 bit - # state space for the Mersenne Twister - a = int.from_bytes(_urandom(2500), 'big') - except NotImplementedError: - import time - a = int(time.time() * 256) # use fractional seconds - if version == 2: if isinstance(a, (str, bytes, bytearray)): if isinstance(a, str): diff -r ad141164c792 Modules/_randommodule.c --- a/Modules/_randommodule.c Tue Aug 16 18:27:44 2016 +0200 +++ b/Modules/_randommodule.c Tue Aug 16 18:50:27 2016 +0200 @@ -169,7 +169,7 @@ init_genrand(RandomObject *self, PY_UINT /* initialize by an array with array-length */ /* init_key is the array for initializing keys */ /* key_length is its length */ -static PyObject * +static void init_by_array(RandomObject *self, PY_UINT32_T init_key[], size_t key_length) { size_t i, j, k; /* was signed in the original code. RDH 12/16/2002 */ @@ -194,8 +194,6 @@ init_by_array(RandomObject *self, PY_UIN } mt[0] = 0x80000000U; /* MSB is 1; assuring non-zero initial array */ - Py_INCREF(Py_None); - return Py_None; } /* @@ -203,6 +201,18 @@ init_by_array(RandomObject *self, PY_UIN * Twister download. */ +static int +random_seed_urandom(RandomObject *self) +{ + PY_UINT32_T key[N]; + + if (_PyOS_URandomNonblock(key, sizeof(key)) < 0) { + return -1; + } + init_by_array(self, key, Py_ARRAY_LENGTH(key)); + return 0; +} + static PyObject * random_seed(RandomObject *self, PyObject *args) { @@ -217,13 +227,12 @@ random_seed(RandomObject *self, PyObject return NULL; if (arg == NULL || arg == Py_None) { - time_t now; + if (random_seed_urandom(self) < 0) { + return NULL; + } + Py_RETURN_NONE; + } - time(&now); - init_genrand(self, (PY_UINT32_T)now); - Py_INCREF(Py_None); - return Py_None; - } /* This algorithm relies on the number being unsigned. * So: if the arg is a PyLong, use its absolute value. * Otherwise use its hash value, cast to unsigned. @@ -273,7 +282,11 @@ random_seed(RandomObject *self, PyObject } } #endif - result = init_by_array(self, key, keyused); + init_by_array(self, key, keyused); + + Py_INCREF(Py_None); + result = Py_None; + Done: Py_XDECREF(n); PyMem_Free(key); diff -r ad141164c792 Python/random.c --- a/Python/random.c Tue Aug 16 18:27:44 2016 +0200 +++ b/Python/random.c Tue Aug 16 18:50:27 2016 +0200 @@ -77,7 +77,7 @@ win32_urandom(unsigned char *buffer, Py_ } /* Issue #25003: Don't use getentropy() on Solaris (available since - Solaris 11.3), it is blocking whereas os.urandom() should not block. */ + * Solaris 11.3), it is blocking whereas os.urandom() should not block. */ #elif defined(HAVE_GETENTROPY) && !defined(sun) #define PY_GETENTROPY 1 @@ -121,24 +121,20 @@ py_getentropy(char *buffer, Py_ssize_t s /* Call getrandom() - Return 1 on success - - Return 0 if getrandom() syscall is not available (fails with ENOSYS). + - Return 0 if getrandom() syscall is not available (fails with ENOSYS) + or if getrandom(GRND_NONBLOCK) fails with EAGAIN (blocking=0 and system + urandom not initialized yet) and raise=0. - Raise an exception (if raise is non-zero) and return -1 on error: getrandom() failed with EINTR and the Python signal handler raised an exception, or getrandom() failed with a different error. */ static int -py_getrandom(void *buffer, Py_ssize_t size, int raise) +py_getrandom(void *buffer, Py_ssize_t size, int blocking, int raise) { - /* Is getrandom() supported by the running kernel? - Need Linux kernel 3.17 or newer, or Solaris 11.3 or newer */ + /* Is getrandom() supported by the running kernel? Set to 0 if getrandom() + fails with ENOSYS. Need Linux kernel 3.17 or newer, or Solaris 11.3 + or newer */ static int getrandom_works = 1; - - /* getrandom() on Linux will block if called before the kernel has - initialized the urandom entropy pool. This will cause Python - to hang on startup if called very early in the boot process - - see https://bugs.python.org/issue26839. To avoid this, use the - GRND_NONBLOCK flag. */ - const int flags = GRND_NONBLOCK; - + int flags; char *dest; long n; @@ -146,6 +142,7 @@ py_getrandom(void *buffer, Py_ssize_t si return 0; } + flags = blocking ? 0 : GRND_NONBLOCK; dest = buffer; while (0 < size) { #ifdef sun @@ -185,15 +182,12 @@ py_getrandom(void *buffer, Py_ssize_t si getrandom_works = 0; return 0; } - if (errno == EAGAIN) { - /* If we failed with EAGAIN, the entropy pool was - uninitialized. In this case, we return failure to fall - back to reading from /dev/urandom. - Note: In this case the data read will not be random so - should not be used for cryptographic purposes. Retaining - the existing semantics for practical purposes. */ - getrandom_works = 0; + /* getrandom(GRND_NONBLOCK) fails with EAGAIN if the system urandom + is not initialiazed yet. For _PyRandom_Init(), we ignore their + error and fall back on reading /dev/urandom which never blocks, + even if the system urandom is not initialized yet. */ + if (errno == EAGAIN && !raise && !blocking) { return 0; } @@ -228,38 +222,38 @@ static struct { } urandom_cache = { -1 }; -/* Read 'size' random bytes from getrandom(). Fall back on reading from - /dev/urandom if getrandom() is not available. - - Return 0 on success. Raise an exception (if raise is non-zero) and return -1 - on error. */ +/* Read size bytes from /dev/urandom into buffer. + Return 0 on success. Raise an exception and return -1 on error. */ static int -dev_urandom(char *buffer, Py_ssize_t size, int raise) +dev_urandom(char *buffer, Py_ssize_t size, int blocking, int raise) { - int fd; - Py_ssize_t n; + if (raise) { + int fd; + Py_ssize_t n; + struct _Py_stat_struct st; #ifdef PY_GETRANDOM - int res; + int res; #endif - assert(size > 0); + assert(size > 0); #ifdef PY_GETRANDOM - res = py_getrandom(buffer, size, raise); - if (res < 0) { - return -1; - } - if (res == 1) { - return 0; - } - /* getrandom() is not supported by the running kernel, fall back - on reading /dev/urandom */ + res = py_getrandom(buffer, size, blocking, 1); + if (res < 0) { + /* getrandom() failed */ + return -1; + } + if (res == 1) { + /* getrandom() succeeded */ + return 0; + } + + /* getrandom() is not supported by the running kernel (ENOSYS) or + getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom not + initialized yet): fall back on reading /dev/urandom which never blocks, + even if the system urandom is not initialized yet*/ #endif - - if (raise) { - struct _Py_stat_struct st; - if (urandom_cache.fd >= 0) { /* Does the fd point to the same thing as before? (issue #21207) */ if (_Py_fstat_noraise(urandom_cache.fd, &st) @@ -318,6 +312,31 @@ dev_urandom(char *buffer, Py_ssize_t siz } while (0 < size); } else { + int fd; + Py_ssize_t n; +#ifdef PY_GETRANDOM + int res; +#endif + + assert(size > 0); + +#ifdef PY_GETRANDOM + res = py_getrandom(buffer, size, blocking, 0); + if (res < 0) { + /* getrandom() failed */ + return -1; + } + if (res == 1) { + /* getrandom() succeeded */ + return 0; + } + + /* getrandom() is not supported by the running kernel (ENOSYS) or + getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom not + initialized yet): fall back on reading /dev/urandom which never blocks, + even if the system urandom is not initialized yet*/ +#endif + fd = _Py_open_noraise("/dev/urandom", O_RDONLY); if (fd < 0) { return -1; @@ -340,6 +359,7 @@ dev_urandom(char *buffer, Py_ssize_t siz } close(fd); } + return 0; } @@ -381,7 +401,7 @@ lcg_urandom(unsigned int x0, unsigned ch syscall) - Don't release the GIL to call syscalls. */ static int -pyurandom(void *buffer, Py_ssize_t size, int raise) +pyurandom(void *buffer, Py_ssize_t size, int blocking, int raise) { if (size < 0) { if (raise) { @@ -400,7 +420,7 @@ pyurandom(void *buffer, Py_ssize_t size, #elif defined(PY_GETENTROPY) return py_getentropy(buffer, size, raise); #else - return dev_urandom(buffer, size, raise); + return dev_urandom(buffer, size, blocking, raise); #endif } @@ -408,11 +428,24 @@ pyurandom(void *buffer, Py_ssize_t size, number generator (RNG). It is suitable for most cryptographic purposes except long living private keys for asymmetric encryption. - Return 0 on success, raise an exception and return -1 on error. */ + Return 0 on success. Raise an exception and return -1 on error. */ int _PyOS_URandom(void *buffer, Py_ssize_t size) { - return pyurandom(buffer, size, 1); + return pyurandom(buffer, size, 1, 1); +} + +/* Fill buffer with size pseudo-random bytes from the operating system random + number generator (RNG). It is not suitable for cryptographic purpose. + + On Linux 3.17 and newer (when getrandom() is used), if the system urandom + is not initialized yet, the function returns "weak" entropy. + + Return 0 on success. Raise an exception and return -1 on error. */ +int +_PyOS_URandomNonblock(void *buffer, Py_ssize_t size) +{ + return pyurandom(buffer, size, 0, 1); } void @@ -456,8 +489,11 @@ void int res; /* _PyRandom_Init() is called very early in the Python initialization - and so exceptions cannot be used (use raise=0). */ - res = pyurandom(secret, secret_size, 0); + and so exceptions cannot be used (use raise=0). + + _PyRandom_Init() must not block Python initialization: call + pyurandom() is non-blocking mode (blocking=0): see the PEP 524. */ + res = pyurandom(secret, secret_size, 0, 0); if (res < 0) { Py_FatalError("failed to get random numbers to initialize Python"); }