[Security-sig] PEP 522: Allow BlockingIOError in security sensitive APIs on Linux
Cory Benfield
cory at lukasa.co.uk
Wed Jun 22 06:23:33 EDT 2016
> On 22 Jun 2016, at 02:28, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
> Hi folks,
>
> Over the weekend, Nathaniel Smith and I put together a proposal to
> allow security sensitive APIs (os.urandom, random.SystemRandom and the
> new secrets module) to throw BlockingIOError if the operating system's
> random number generator isn't ready.
In general I like this approach. One note inline below.
> Limitations on scope
> --------------------
>
> No changes are proposed for Windows or Mac OS X systems, as neither of those
> platforms provides any mechanism to run Python code before the operating
> system random number generator has been initialized. Mac OS X goes so far as
> to kernel panic and abort the boot process if it can't properly initialize the
> random number generator (although Apple's restrictions on the supported
> hardware platforms make that exceedingly unlikely in practice).
>
> Similarly, no changes are proposed for other *nix systems where
> ``os.urandom()`` will currently block waiting for the system random number
> generator to be initialized, rather than returning values that are potentially
> unsuitable for use in security sensitive applications.
You may want to be careful around this point. Solaris provides a getrandom() syscall as well, that Python *does* use. Furthermore, if other *nix OSes provide a getrandom() syscall then the current Python code will favour it over the urandom fallback: care should be taken to clarify what the expected plan is in these cases.
Cory
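Under the proposal quoted above, callers of os.urandom(), SystemRandom and secrets would have to be prepared for BlockingIOError. The wrapper below is an added example (my own, not code from the PEP or the thread) of handling that error without ever degrading to a non-cryptographic generator: it either waits for the kernel pool via os.getrandom(n, 0) (assumed available on Linux with Python 3.6+, where flags=0 blocks until the pool is initialized), retries a bounded number of times, or fails closed.

```python
import os
import secrets
import time


class EntropyNotReady(RuntimeError):
    """Raised when the OS RNG is not initialized and no safe fallback exists."""


_USE_OS_GETRANDOM = object()  # sentinel: pick the platform default below


def secure_token(n, reader=secrets.token_bytes, blocking_reader=_USE_OS_GETRANDOM,
                 retries=3, delay=0.05):
    """Return n cryptographically secure bytes, or raise EntropyNotReady.

    reader: a PEP 522-style API that may raise BlockingIOError early in boot.
    blocking_reader: callable used when the reader raises; by default
      os.getrandom(size, 0), which blocks until the pool is ready (Linux,
      Python >= 3.6). Pass None to retry instead of blocking.
    The function never substitutes a non-CSPRNG such as random.random().
    """
    if blocking_reader is _USE_OS_GETRANDOM:
        blocking_reader = ((lambda size: os.getrandom(size, 0))
                           if hasattr(os, "getrandom") else None)
    last_error = None
    for _ in range(retries):
        try:
            data = reader(n)
        except BlockingIOError as exc:  # pool not initialized yet
            last_error = exc
            if blocking_reader is not None:
                data = blocking_reader(n)  # wait for the kernel, do not degrade
            else:
                time.sleep(delay)
                continue
        if len(data) != n:  # short reads are a bug, treat them as failure
            raise EntropyNotReady("short read from OS RNG")
        return data
    raise EntropyNotReady("OS random number generator not ready") from last_error
```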