author | Victor Stinner <victor.stinner@gmail.com> | 2016-09-06 23:33:52 (GMT) |
---|---|---|
committer | Victor Stinner <victor.stinner@gmail.com> | 2016-09-06 23:33:52 (GMT) |
commit | e66987e626cfce8292c39d5b1394665e8aa6840b (patch) | |
tree | ec94354a9ccb2f09e77e3a2381b52142544d0ee2 /Doc/library/os.rst | |
parent | e256accd46af74d2695117e62361fe7ae9dfdfe3 (diff) | |
os.urandom() now blocks on Linux
Issue #27776: The os.urandom() function does now block on Linux 3.17 and newer
until the system urandom entropy pool is initialized to increase the security.
This change is part of PEP 524.
Diffstat (limited to 'Doc/library/os.rst')
-rw-r--r-- | Doc/library/os.rst | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/Doc/library/os.rst b/Doc/library/os.rst index 69c559c..e2b6e64 100644 --- a/Doc/library/os.rst +++ b/Doc/library/os.rst @@ -3968,14 +3968,27 @@ Random numbers returned data should be unpredictable enough for cryptographic applications, though its exact quality depends on the OS implementation. - On Linux, the ``getrandom()`` syscall is used if available and the urandom - entropy pool is initialized (``getrandom()`` does not block). - On a Unix-like system this will query ``/dev/urandom``. On Windows, it - will use ``CryptGenRandom()``. If a randomness source is not found, - :exc:`NotImplementedError` will be raised. - - For an easy-to-use interface to the random number generator - provided by your platform, please see :class:`random.SystemRandom`. + On Linux, if the ``getrandom()`` syscall is available, it is used in + blocking mode: block until the system urandom entropy pool is initialized + (128 bits of entropy are collected by the kernel). See the :pep:`524` for + the rationale. On Linux, the :func:`getrandom` function can be used to get + random bytes in non-blocking mode (using the :data:`GRND_NONBLOCK` flag) or + to poll until the system urandom entropy pool is initialized. + + On a Unix-like system, random bytes are read from the ``/dev/urandom`` + device. If the ``/dev/urandom`` device is not available or not readable, the + :exc:`NotImplementedError` exception is raised. + + On Windows, it will use ``CryptGenRandom()``. + + .. seealso:: + The :mod:`secrets` module provides higher level functions. For an + easy-to-use interface to the random number generator provided by your + platform, please see :class:`random.SystemRandom`. + + .. versionchanged:: 3.6.0 + On Linux, ``getrandom()`` is now used in blocking mode to increase the + security. .. versionchanged:: 3.5.2 On Linux, if the ``getrandom()`` syscall blocks (the urandom entropy pool |
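Review bot: With the Linux paragraph now split out, the following "On a Unix-like system, random bytes are read from the ``/dev/urandom`` device" paragraph no longer says that this is the path taken when ``getrandom()`` is unavailable (or on non-Linux Unix), and :exc:`NotImplementedError` is now documented only for a missing or unreadable ``/dev/urandom``, whereas the removed text raised it whenever no randomness source was found on any platform; suggest opening that paragraph with "On other Unix-like systems, or when ``getrandom()`` is not available, ..." and keeping a platform-independent sentence such as "If no randomness source is found, :exc:`NotImplementedError` is raised." Two wording points in the new Linux paragraph: "it is used in blocking mode: block until the system urandom entropy pool is initialized" reads as a fragment and could be "it is used in blocking mode, blocking until the system urandom entropy pool is initialized", and "See the :pep:`524`" should drop "the". The new directive uses ``.. versionchanged:: 3.6.0`` while the adjacent one uses ``3.5.2``; if the intent is the 3.6 feature release rather than a specific point release, ``3.6`` matches how the other version directives in this file are written.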