[paramiko] [MERGE] insecure use of RandomPool
Robey Pointer
robey at lag.net
Mon Jan 21 11:44:36 PST 2008
On 14 Jan 2008, at 7:31, Dwayne Litzenberger wrote:
> On January 13, 2008 10:48:12 pm Dwayne C. Litzenberger wrote:
>> The attached patch creates a new OSRandomPool class that provides a
>> RandomPool-like interface, but gets its random numbers directly
>> from the
>> operating system. It also works around the recently-published
>> Windows
>> CryptGenRandom vulnerabilities (see http://eprint.iacr.org/2007/419).
>
> Here's an updated bundle, which handles /dev/urandom properly in the
> event
> that os.urandom is not available. (Thanks to David Guerizec
> <david at guerizec.net> for pointing out the bug.)
Looks good, and passes the unit tests on my mac, so I merged it --
thanks!
I will probably make a new paramiko release later today; it's been a
while.
robey
More information about the paramiko
mailing list