[Python-Dev] Should we use getentropy() for os.urandom()?

haypo s victor.stinner at gmail.com
Sat Sep 5 00:45:52 CEST 2015


Hi,

I followed discussions on the new system calls getrandom() on Linux and
getentropy() on OpenBSD. I wanted to use them in Python to avoid the
need for a file descriptor to read /dev/urandom.

Linux getrandom() is also more secure than /dev/urandom because it
blocks until /dev/urandom is fed with enough entropy.

getentropy() and getrandom() are now used in Python 2.7.10, Python 3.4
and newer.

Today, an issue was reported on Solaris because os.urandom() is much
slower with Python 2.7.10:
https://bugs.python.org/issue25003

It looks like Solaris has getrandom() and getentropy(), and
getentropy() is slow.

Now I'm not sure that I understood the purpose of getentropy() even on
OpenBSD. Should it be used to feed a PRNG in user-space, or can it be
used as a PRNG?

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/getentropy.2?query=getentropy&sec=2

If getentropy() must only be used to feed a PRNG (which only uses a few
bytes), we should remove the code using getentropy() (but getrandom()
should be kept).

Note: I didn't know that other operating systems supported getrandom()
and getentropy()! The feature looks recent in Solaris:
"Solaris 11.3 adds two new system calls, getrandom(2) and
getentropy(2), for getting random bit streams or raw entropy."
https://blogs.oracle.com/darren/entry/solaris_new_system_calls_getentropy
(article published in July 2015)

Note2: There is an open discussion proposing to "Use arc4random under
OpenBSD for os.urandom() if /dev/urandom is not present"
https://bugs.python.org/issue22542

getentropy() issue in Python (closed):
https://bugs.python.org/issue22585

getrandom() issue in Python (closed):
https://bugs.python.org/issue22181

Victor
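
The two calls compared in the message above, as an added example (not part of the original post and not CPython's own code): filling an arbitrary-length buffer with each one. It assumes Linux with glibc 2.25 or newer, where both are declared in <sys/random.h>; the function names fill_getentropy and fill_getrandom are hypothetical. getentropy() rejects any request over 256 bytes, so a large read costs one call per 256-byte chunk, while getrandom() takes the whole length but may return short or be interrupted.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/random.h>   /* getrandom(), getentropy() (assumed: glibc >= 2.25) */

#define GETENTROPY_MAX 256  /* getentropy() fails with EIO above this size */

/* Fill buf using getentropy() in chunks of at most 256 bytes.
 * Returns the number of getentropy() calls made, or -1 on error. */
int fill_getentropy(unsigned char *buf, size_t len)
{
    int calls = 0;
    while (len > 0) {
        size_t n = len < GETENTROPY_MAX ? len : GETENTROPY_MAX;
        if (getentropy(buf, n) != 0)
            return -1;
        buf += n;
        len -= n;
        calls++;
    }
    return calls;
}

/* Fill buf using getrandom() with flags=0: no file descriptor is needed and
 * the call blocks until the kernel pool is initialized. Handles EINTR and
 * short reads. Returns 0 on success, -1 on error. */
int fill_getrandom(unsigned char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = getrandom(buf, len, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: retry */
            return -1;
        }
        buf += n;               /* short read: advance and keep going */
        len -= (size_t)n;
    }
    return 0;
}

int main(void)
{
    unsigned char a[1000], b[1000];   /* constructed sample size */
    printf("getentropy calls: %d\n", fill_getentropy(a, sizeof a));
    printf("getrandom status: %d\n", fill_getrandom(b, sizeof b));
    return 0;
}
```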

