author Christian Heimes <christian@python.org> 2016-12-09 17:02:26 +0100
committer Paul Kehrer <paul.l.kehrer@gmail.com> 2016-12-09 10:02:26 -0600
commit 2e717761c364398dd81a3221d724369ebd74db43
tree 51c02fd876afaa098ec5628deab48a3336e28a3f /docs
parent 0cf3690df91566c14c0c916f42af790de76e9e57
New osrandom_engine in C (#3229)
* New osrandom_engine in C

  Inspired by Python/random.c and the old implementation.

  Signed-off-by: Christian Heimes <christian@python.org>

* osrandom_engine

  * Fix naming bug caused by search 'n replace mistake
  * Make it easier to override osrandom auto-detection
  * Add engine ctrl and backend API to get implementation from ENGINE

  Signed-off-by: Christian Heimes <christian@python.org>

* Better test coverage, documentation, LICENSE

  Signed-off-by: Christian Heimes <christian@python.org>

* Coverage is hard.

  Signed-off-by: Christian Heimes <christian@python.org>

* * enable win32 check
  * read() returns size_t

  Signed-off-by: Christian Heimes <christian@python.org>

* Add macOS to spelling list. Remove dead code from header file.

  Signed-off-by: Christian Heimes <christian@python.org>

* remove CCRandomGenerateBytes path and update getentropy to work on macOS

  This change allows us to test all the engines in our CI:

  * getentropy (tested by macOS sierra)
  * getrandom (tested on several linux builders)
  * /dev/urandom (tested on FreeBSD, OS X 10.11 and below, & older linux)
  * CryptGenRandom (tested on windows builders)

  I also fixed bugs preventing compilation in the getentropy code

* getentropy() returns int and is restricted to 256 bytes on macOS, too.

  Signed-off-by: Christian Heimes <christian@python.org>

* add versionadded

* Re-add import of os module

* Fixes related to Alex's recent review.

  Signed-off-by: Christian Heimes <christian@python.org>

* Add error reporting and fail for EAGAIN

  Add error reporting strings for various error cases. This gives us much
  nicer and understandable error messages.

  SYS_getrandom() EAGAIN is now an error. Cryptography refuses to
  initialize its osrandom engine when the Kernel's CPRNG hasn't been
  seeded yet.

  Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'docs')
-rw-r--r-- docs/hazmat/backends/openssl.rst 21
-rw-r--r-- docs/spelling_wordlist.txt 4
2 files changed, 25 insertions, 0 deletions
diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst
index 791aab3d..6a5ae6f7 100644
--- a/docs/hazmat/backends/openssl.rst
+++ b/docs/hazmat/backends/openssl.rst
@@ -40,6 +40,12 @@ greater.
Activates the OS random engine. This will effectively disable OpenSSL's
default CSPRNG.
+ .. method:: osrandom_engine_implementation()
+
+ .. versionadded:: 1.7
+
+ Returns the implementation of OS random engine.
+
.. method:: activate_builtin_random()
This will activate the default OpenSSL CSPRNG.
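Review bot: The description added for `osrandom_engine_implementation()` does not say what the method returns. State the return type and list the possible values, which presumably correspond to the sources named in the table added later in this file, so a caller can check which randomness source is actually in use. The sentence is also missing an article: "Returns the implementation of the OS random engine."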
@@ -81,6 +87,21 @@ details.
Linux uses its own PRNG design. ``/dev/urandom`` is a non-blocking source
seeded from the same pool as ``/dev/random``.
++------------------------------------------+------------------------------+
+| Windows | ``CryptGenRandom()`` |
++------------------------------------------+------------------------------+
+| Linux >= 3.4.17 with working | ``getrandom(GRND_NONBLOCK)`` |
+| ``SYS_getrandom`` syscall | |
++------------------------------------------+------------------------------+
+| OpenBSD >= 5.6 | ``getentropy()`` |
++------------------------------------------+------------------------------+
+| BSD family (including macOS 10.12+) with | ``getentropy()`` |
+| ``SYS_getentropy`` in ``sys/syscall.h`` | |
++------------------------------------------+------------------------------+
+| fallback | ``/dev/urandom`` with |
+| | cached file descriptor |
++------------------------------------------+------------------------------+
+
.. _`OpenSSL`: https://www.openssl.org/
.. _`initializing the RNG`: https://en.wikipedia.org/wiki/OpenSSL#Predictable_private_keys_.28Debian-specific.29
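Review bot: The added table has no introductory sentence and no header row, so the rendered page does not say that the left column is the platform and the right column the randomness source, nor whether the rows are tried in order with `/dev/urandom` last. Add one sentence above the table that says so. The `getrandom(GRND_NONBLOCK)` row should also document the behaviour the commit message describes, that EAGAIN is treated as an error and the engine refuses to initialize while the kernel's generator is unseeded, because that is the failure a user will hit during early boot. Please also confirm the `3.4.17` version number in the Linux row against the kernel release that introduced `SYS_getrandom`.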
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index 186b7eeb..d57c4d27 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -33,6 +33,7 @@ Docstrings
El
Encodings
endian
+fallback
Fernet
fernet
FIPS
@@ -53,12 +54,14 @@ Mozilla
multi
namespace
namespaces
+macOS
naïve
Nonces
nonces
online
paddings
Parallelization
+personalization
pickleable
plaintext
pre
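Review bot: `macOS` is inserted between `namespaces` and `naïve`, which breaks the alphabetical ordering the surrounding entries follow; it belongs with the other `m` entries, before `Mozilla` or `multi` depending on how case is treated in this list. In the same hunk, `personalization` does not appear in any of the documentation lines added by this change, so either drop it or point to the text that needs it.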
@@ -75,6 +78,7 @@ serializer
Serializers
SHA
Solaris
+syscall
Tanja
testability
tunable