[New-bugs-announce] [issue9123] insecure os.urandom on VMS
Zooko O'Whielacronx
report at bugs.python.org
Wed Jun 30 05:48:35 CEST 2010
New submission from Zooko O'Whielacronx <zooko at zooko.com>:
os.urandom() on VMS invokes OpenSSL's RAND_pseudo_bytes(). That is documented on:
http://www.openssl.org/docs/crypto/RAND_bytes.html
as being predictable and therefore unsuitable for many cryptographic purposes. This is inconsistent with the documentation of os.urandom():
"""
urandom(n) -> str\n\n\
Return a string of n random bytes suitable for cryptographic use.
"""
This probably means that users of Python on VMS are vulnerable to attack based on the predictability of the results they get from os.urandom().
Honestly, I would have guessed that there *were* no users of Python on VMS when I started this bug report, but look--apparently there are:
http://www.vmspython.org
To fix this, change the call from RAND_pseudo_bytes() to RAND_bytes(). It has the same type signature and actually does what os.urandom() needs.
----------
messages: 108963
nosy: zooko
priority: normal
severity: normal
status: open
title: insecure os.urandom on VMS
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue9123>
_______________________________________
More information about the New-bugs-announce
mailing list