From 1229b7d3887432c6669eee52a73e7e09f7508213 Mon Sep 17 00:00:00 2001 From: LamentXU <108666168+LamentXU123@users.noreply.github.com> Date: Sun, 8 Jun 2025 19:46:16 +0800 Subject: [PATCH 1/2] =?UTF-8?q?[3.13]=20gh-135244:=20generate=20UUID=20ran?= =?UTF-8?q?dom=20Node=20ID=20with=20a=20CSPRNG=20as=20per=20RFC=209562,=20?= =?UTF-8?q?=C2=A76.10.3=20(GH-135226)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This aligns with the recommendations of RFC 9562, Section 6.10, paragraph 3 [1]. [1]: https://www.rfc-editor.org/rfc/rfc9562.html#section-6.10-3. --------- (cherry picked from commit 1cb716387255a7bdab5b580bcf8ac1b6fa32cc41) Co-authored-by: LamentXU <108666168+LamentXU123@users.noreply.github.com> Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> --- Lib/uuid.py | 14 ++++++++------ .../2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst | 4 ++++ 2 files changed, 12 insertions(+), 6 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst diff --git a/Lib/uuid.py b/Lib/uuid.py index 009ede8adbf181..55f46eb5106a74 100644 --- a/Lib/uuid.py +++ b/Lib/uuid.py @@ -595,18 +595,20 @@ def _windll_getnode(): def _random_getnode(): """Get a random node ID.""" - # RFC 4122, $4.1.6 says "For systems with no IEEE address, a randomly or - # pseudo-randomly generated value may be used; see Section 4.5. The - # multicast bit must be set in such addresses, in order that they will - # never conflict with addresses obtained from network cards." + # RFC 9562, §6.10-3 says that + # + # Implementations MAY elect to obtain a 48-bit cryptographic-quality + # random number as per Section 6.9 to use as the Node ID. [...] [and] + # implementations MUST set the least significant bit of the first octet + # of the Node ID to 1. This bit is the unicast or multicast bit, which + # will never be set in IEEE 802 addresses obtained from network cards. # # The "multicast bit" of a MAC address is defined to be "the least # significant bit of the first octet". This works out to be the 41st bit # counting from 1 being the least significant bit, or 1<<40. # # See https://en.wikipedia.org/w/index.php?title=MAC_address&oldid=1128764812#Universal_vs._local_(U/L_bit) - import random - return random.getrandbits(48) | (1 << 40) + return int.from_bytes(os.urandom(6)) | (1 << 40) # _OS_GETTERS, when known, are targeted for a specific OS or platform. diff --git a/Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst b/Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst new file mode 100644 index 00000000000000..1f70358e64e2a0 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst @@ -0,0 +1,4 @@ +:mod:`uuid`: when the MAC address cannot be determined, the 48-bit node +ID is now generated with a cryptographically-secure pseudo-random number +generator (CSPRNG) as per :rfc:`RFC 9562, §6.10.3 <9562#section-6.10-3>`. +This affects :func:`~uuid.uuid1` and :func:`~uuid.uuid6`. From 13be0651751c4c7f349e7202991d86955c3287b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9n=C3=A9dikt=20Tran?= <10796600+picnixz@users.noreply.github.com> Date: Tue, 5 Aug 2025 10:39:04 +0200 Subject: [PATCH 2/2] update NEWS --- .../next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst b/Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst index 1f70358e64e2a0..bcf5766b510d3b 100644 --- a/Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst +++ b/Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst @@ -1,4 +1,4 @@ :mod:`uuid`: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per :rfc:`RFC 9562, §6.10.3 <9562#section-6.10-3>`. -This affects :func:`~uuid.uuid1` and :func:`~uuid.uuid6`. +This affects :func:`~uuid.uuid1`.