[paramiko] [MERGE] insecure use of RandomPool
Dwayne Litzenberger
dwayne at oscl.ca
Mon Jan 14 07:31:57 PST 2008
On January 13, 2008 10:48:12 pm Dwayne C. Litzenberger wrote:
> The attached patch creates a new OSRandomPool class that provides a
> RandomPool-like interface, but gets its random numbers directly from the
> operating system. It also works around the recently-published Windows
> CryptGenRandom vulnerabilities (see http://eprint.iacr.org/2007/419).
Here's an updated bundle, which handles /dev/urandom properly in the event
that os.urandom is not available. (Thanks to David Guerizec
<david at guerizec.net> for pointing out the bug.)
The difference between the previous fix and this fix is:
=== modified file 'paramiko/osrandom.py'
--- paramiko/osrandom.py 2008-01-14 03:56:22 +0000
+++ paramiko/osrandom.py 2008-01-14 15:27:12 +0000
@@ -83,7 +83,7 @@
self.get_bytes = urandom
self.randomize()
-if osrandom_source in ("urandom", "os.urandom"):
+if osrandom_source in ("/dev/urandom", "os.urandom"):
OSRandomPool = UrandomOSRandomPool
elif osrandom_source == "winrandom":
OSRandomPool = WinrandomOSRandomPool
--
Dwayne Litzenberger <dwayne at oscl.ca>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: paramiko-osrandompool-fixed.bundle
Type: text/x-diff
Size: 8199 bytes
Desc: not available
Url : http://www.lag.net/pipermail/paramiko/attachments/20080114/d56d85dd/attachment.diff
More information about the paramiko
mailing list