Message 275269 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	Lukasa, docs@python, georg.brandl, larry, martin.panter, ncoghlan, ned.deily, steven.daprano, vstinner
Date	2016-09-09.07:01:00
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1473404460.48.0.678679158937.issue27292@psf.upfronthosting.co.za>
In-reply-to

Content
> Though I imagine even Python 3.6’s os.urandom() will still fall back to /dev/urandom (with potential entropy problem) on older Linux versions. Right, but you should be more specific in the doc. os.urandom() is unsecure if and only if: * getrandom() is not available (ex: Linux < 3.17, or Python built without getrandom() for different reasons) or don't work (ex: blocked by a stupid SECCOMP policy, ex: issue #27955) * and /dev/urandom is not initialized yet which means that: - the currently running Python runs very early during the system initialization, - the system has no good source of entropy and slow entropy sources, - no entropy was stored on the disk on a previous boot. What I don't want: a doc warning that "oh hey, os.urandom() is unsafe, don't use it for anything serious". os.urandom() is always secure on all platforms except Linux. On Linux, it's secure is almost all cases, except on a very few very tiny corner cases. I proposed something like: "On Linux, os.urandom() can return weak entropy when /dev/urandom is used internally and the system urandom entropy pool is not initialized yet." I'm not even sure about "weak entropy" because in most cases, /dev/urandom is already partially initialized with good entropy, but just not enough to consider that it's fully initialized. Linux uses many entropy sources but don't trust them, so don't consider that these input data counts for the entropy counter.

> Though I imagine even Python 3.6’s os.urandom() will still fall back to /dev/urandom (with potential entropy problem) on older Linux versions.

Right, but you should be more specific in the doc.

os.urandom() is unsecure if and only if:

* getrandom() is not available (ex: Linux < 3.17, or Python built without getrandom() for different reasons) or don't work (ex: blocked by a stupid SECCOMP policy, ex: issue #27955)
* and /dev/urandom is not initialized yet which means that:

  - the currently running Python runs very early during the system initialization,
  - the system has no good source of entropy and slow entropy sources, 
  - no entropy was stored on the disk on a previous boot.

What I don't want: a doc warning that "oh hey, os.urandom() is unsafe, don't use it for anything serious".

os.urandom() is always secure on all platforms except Linux. On Linux, it's secure is almost all cases, except on a very few very tiny corner cases.

I proposed something like:

"On Linux, os.urandom() can return weak entropy when /dev/urandom is used internally and the system urandom entropy pool is not initialized yet."

I'm not even sure about "weak entropy" because in most cases, /dev/urandom is already partially initialized with good entropy, but just not enough to consider that it's fully initialized. Linux uses many entropy sources but don't trust them, so don't consider that these input data counts for the entropy counter.

History
Date	User	Action	Args
2016-09-09 07:01:00	vstinner	set	recipients: + vstinner, georg.brandl, ncoghlan, larry, ned.deily, steven.daprano, docs@python, martin.panter, Lukasa
2016-09-09 07:01:00	vstinner	set	messageid: <1473404460.48.0.678679158937.issue27292@psf.upfronthosting.co.za>
2016-09-09 07:01:00	vstinner	link	issue27292 messages
2016-09-09 07:01:00	vstinner	create