[paramiko] paramiko random number regression: Stop using RandomPool!
Dwayne Litzenberger
dwayne at oscl.ca
Mon Apr 14 10:13:08 PDT 2008

On April 12, 2008 04:06:27 pm Robey Pointer wrote:
> Is there nothing Windows users can do? I added RandomPool as a
> fallback because my Windows XP box did not have the winrandom
> module. Since I think XP will be the most widely used Windows release
> for the foreseeable future, this is really bad. :(

It has nothing to do with Windows XP. The winrandom module is part of
*PyCrypto*, but there is a bug in PyCrypto 2.0.1 where the winrandom module
is omitted from setup.py.

On Windows systems, the os.urandom function in Python >= 2.4 is equivalent to
the winrandom.new().get_bytes function. That's why my previous patch kept
both os.urandom and /dev/urandom.

In addition to fixing this RNG regression, my latest patch also does several
other sanity checks to avoid running insecurely, and it combines RandomPool
with the OS RNG in a thread-safe manner, so that certain types of potential
weaknesses in the OS RNG don't become immediately exploitable in paramiko.
Since Microsoft is changing how the Windows RNG works, I think this is a good
idea.

For the long term, I plan to take over the maintainership of PyCrypto, and
move this functionality into PyCrypto itself. (When I contacted A. M.
Kuchling about the winrandom problem, he said that he's not doing much with
PyCrypto anymore. Nobody else seems to be maintaining PyCrypto either, so I
might as well do it.) It'll be a month or two before I start making releases
of PyCrypto; I'm moving across the country at the end of the month, and there
is a pile of bug reports and suggested changes to PyCrypto that I want to
sort through before I release anything. I don't want to risk making things
worse by rushing a PyCrypto release, but in the meantime, you can improve
paramiko's security by applying "paramiko-fix-rng-again.bundle".

--
Dwayne Litzenberger, B.A.Sc.
Information Technology Analyst
Open Systems Canada Limited
#210 - 2332 11th Ave
Regina, SK S4P0K1
Office: (306) 359-OSCL (6725)
http://www.oscl.ca/
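
The approach described in the message above (mixing a user-space pool with the OS RNG under a lock, with sanity checks) as an added Python 3 sketch; it is not code from the patch, paramiko or PyCrypto. The class name `MixedRNG`, its methods and the HMAC-SHA256 mixing are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import threading
import time

class MixedRNG:
    """Hypothetical sketch: OS RNG bytes are never returned raw."""

    def __init__(self, os_rng=os.urandom):
        self._os_rng = os_rng
        self._lock = threading.Lock()       # serialises every pool update
        self._counter = 0
        self._pid = os.getpid()
        seed = self._os_read(32) + self._local_noise()
        self._pool = hashlib.sha256(seed).digest()

    def _os_read(self, n):
        data = self._os_rng(n)
        if len(data) != n:                  # sanity check: fail closed
            raise RuntimeError("OS RNG short read")
        return data

    def _local_noise(self):
        # Weak but independent inputs; they only supplement the OS RNG.
        return repr((time.time(), time.perf_counter_ns(), os.getpid())).encode()

    def _stir(self, data):
        msg = b"pool" + data + self._local_noise()
        self._pool = hmac.new(self._pool, msg, hashlib.sha256).digest()

    def read(self, n):
        out = b""
        with self._lock:
            if os.getpid() != self._pid:    # forked child must diverge from parent
                self._pid = os.getpid()
                self._stir(b"fork")
            while len(out) < n:
                self._counter += 1
                ctr = self._counter.to_bytes(8, "big")
                fresh = self._os_read(32)
                self._stir(ctr + fresh)     # pool changes before each output block
                out += hmac.new(self._pool, b"out" + ctr + fresh, hashlib.sha256).digest()
        return out[:n]

def demo_stuck_os_rng():
    # Constructed failure case: an OS RNG that always returns zero bytes.
    rng = MixedRNG(os_rng=lambda n: b"\x00" * n)
    return rng.read(16), rng.read(16)
```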