Title: insecure os.urandom on VMS
Type: security Stage: patch review
Components: Library (Lib) Versions: Python 3.1, Python 3.2, Python 3.3, Python 2.7, Python 2.6
Status: closed Resolution: wont fix
Dependencies: Superseder:
Assigned To: Nosy List: adiroiban, loewis, vstinner, zooko
Priority: normal Keywords:

Created on 2010-06-30 03:48 by zooko, last changed 2012-05-02 06:31 by loewis. This issue is now closed.

Messages (6)
msg108963 - (view) Author: Zooko O'Whielacronx (zooko) Date: 2010-06-30 03:48
os.urandom() on VMS invokes OpenSSL's RAND_pseudo_bytes(). That is documented on:

as being predictable and therefore unsuitable for many cryptographic purposes. This is inconsistent with the documentation of os.urandom():

urandom(n) -> str\n\n\
Return a string of n random bytes suitable for cryptographic use.

This probably means that users of Python on VMS are vulnerable to attack based on the predictability of the results they get from os.urandom().

Honestly, I would have guessed that there *were* no users of Python on VMS when I started this bug report, but look--apparently there are:

To fix this, change the call from RAND_pseudo_bytes() to RAND_bytes(). It has the same type signature and actually does what os.urandom() needs.
msg108964 - (view) Author: Zooko O'Whielacronx (zooko) Date: 2010-06-30 03:49
HACK Zooko-Ofsimplegeos-MacBook-Pro:~/playground/python/release27-trunk$ svn diff
Index: Modules/posixmodule.c
--- Modules/posixmodule.c       (revision 82382)
+++ Modules/posixmodule.c       (working copy)
@@ -8481,7 +8481,7 @@
     result = PyString_FromStringAndSize(NULL, howMany);
     if (result != NULL) {
         /* Get random data */
-        if (RAND_pseudo_bytes((unsigned char*)
+        if (RAND_bytes((unsigned char*)
                               howMany) < 0) {
msg108965 - (view) Author: Zooko O'Whielacronx (zooko) Date: 2010-06-30 03:49
This issue is a security vulnerability.
msg158203 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2012-04-13 09:58
> This issue is a security vulnerability.

I disagree, it's just an issue of a comment in the C code. The Python documentation doesn't guarantee that os.urandom() is cryptographic.

Use ssl.RAND_bytes(), added to Python 3.3, if you need cryptographic random numbers.

By the way, VMS is no more supported in Python 3.3, see the PEP 11:

    Name:             VMS
    Unsupported in:   Python 3.3
    Code removed in:  Python 3.4
msg158204 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2012-04-13 10:00
-        if (RAND_pseudo_bytes((unsigned char*)
+        if (RAND_bytes((unsigned char*)

This is not a good idea: RAND_bytes() is blocking, whereas os.urandom() doesn't block on other platforms. os.urandom() is similar to /dev/urandom (non blocking), whereas /dev/random is blocking. With this patch, Python may block at startup if there is not enough entropy.
msg159777 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-05-02 06:31
I'm closing this as "won't fix". Unless somebody is able to report that they actually tested the proposed change successfully, there is no point in adding it. Most likely, Python won't even build on VMS, in which case this is not a security issue at all.
Date User Action Args
2012-05-02 06:31:08loewissetstatus: open -> closed
resolution: wont fix
messages: + msg159777
2012-04-13 10:00:14vstinnersetmessages: + msg158204
2012-04-13 09:58:31vstinnersetmessages: + msg158203
2012-04-13 09:43:25pitrousetnosy: + vstinner
stage: patch review

versions: + Python 3.3
2012-04-12 22:02:13adiroibansetnosy: + adiroiban
2010-06-30 09:47:06pitrousetnosy: + loewis

type: security
components: + Library (Lib)
versions: + Python 2.6, Python 3.1, Python 2.7, Python 3.2
2010-06-30 03:49:55zookosetmessages: + msg108965
2010-06-30 03:49:26zookosetmessages: + msg108964
2010-06-30 03:48:33zookocreate