CPython uses deprecated randomness API

[strombrg]

BPO	44611
Nosy	@tim-one, @pfmoore, @vstinner, @tjguk, @ambv, @zware, @zooba, @graingert, @corona10
PRs	bpo-44611: Use BCryptGenRandom instead of CryptGenRandom on Windows #27168 bpo-44611: Update docs for os and whatsnew 3.11 #27314

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2021-07-23.14:04:46.166>
created_at = <Date 2021-07-12.17:16:33.330>
labels = ['type-feature', 'OS-windows', '3.11']
title = 'CPython uses deprecated randomness API'
updated_at = <Date 2021-08-04.15:01:09.774>
user = 'https://bugs.python.org/strombrg'

bugs.python.org fields:

activity = <Date 2021-08-04.15:01:09.774>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2021-07-23.14:04:46.166>
closer = 'corona10'
components = ['Windows']
creation = <Date 2021-07-12.17:16:33.330>
creator = 'strombrg'
dependencies = []
files = []
hgrepos = []
issue_num = 44611
keywords = ['patch']
message_count = 9.0
messages = ['397339', '397361', '397362', '397371', '397920', '398056', '398126', '398901', '398902']
nosy_count = 10.0
nosy_names = ['tim.peters', 'paul.moore', 'vstinner', 'tim.golden', 'lukasz.langa', 'strombrg', 'zach.ware', 'steve.dower', 'graingert', 'corona10']
pr_nums = ['27168', '27314']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue44611'
versions = ['Python 3.11']

[strombrg]

CPython 3.9 uses CryptGenRandom(), which has been deprecated by Microsoft.

I'm told the randomness produced by CryptGenRandom() is fine, but Microsoft has introduced a newer API for getting randomness.

For these reasons, Python/bootstrap_hash.c should be updated to use https://docs.microsoft.com/en-us/windows/win32/seccng/cng-por , but it is not urgent, and is not needed in older versions of CPython.

Also the documentation that references CryptGenRandom() should be updated, EG: https://docs.python.org/3/library/os.html#os.urandom

[tim-one]

Dan, the Microsoft URL in your message gives a 404 for me. Did you perhaps mean to end it with "cng-portal" (instead of "cng-por")?

[graingert]

https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal ?

[strombrg]

Yes, cng-portal.

On Mon, Jul 12, 2021 at 3:24 PM Thomas Grainger <report@bugs.python.org>
wrote:

Thomas Grainger <tagrain@gmail.com> added the comment:

https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal ?

----------
nosy: +graingert

---

Python tracker <report@bugs.python.org>
<https://bugs.python.org/issue44611\>

---

--

Dan Stromberg | Senior Software Engineer

Mobile +1.949.342.6502

<https://keepersecurity.com/\>

** This email is confidential and is intended for the recipient(s)
addressed herein **

[corona10]

@tim.peters

Can you please take a look at #71355?
I would like to get your review before merging this PR :)

[corona10]

New changeset 906fe47 by Dong-hee Na in branch 'main':
bpo-44611: Use BCryptGenRandom instead of CryptGenRandom on Windows (GH-27168)
906fe47

[ambv]

New changeset 4463fa2 by Dong-hee Na in branch 'main':
bpo-44611: Update docs for os and whatsnew 3.11 (bpo-27314)
4463fa2

[vstinner]

Would it be possible to document in os.urandom() documentation that the BCryptGenRandom() function is used on Windows with the "system-preferred random number generator algorithm"? (I don't think that we should mention the BCRYPT_USE_SYSTEM_PREFERRED_RNG constant.)

[vstinner]

Thanks for this change, I like the fact that hCryptProv variable could be removed!