From d435a18c537a62a89a70005885e6e09f58997d8a Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Fri, 24 Jun 2022 11:05:53 +0200 Subject: [PATCH] gh-94199: Remove ssl.RAND_pseudo_bytes() function (#94202) Remove the ssl.RAND_pseudo_bytes() function, deprecated in Python 3.6: use os.urandom() or ssl.RAND_bytes() instead. --- Doc/library/ssl.rst | 25 ++------------ Doc/whatsnew/3.12.rst | 4 +++ Lib/ssl.py | 2 +- Lib/test/test_ssl.py | 6 ---- ...2-06-24-10-29-19.gh-issue-94199.pfehmz.rst | 3 ++ Modules/_ssl.c | 19 ----------- Modules/clinic/_ssl.c.h | 33 +------------------ 7 files changed, 11 insertions(+), 81 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2022-06-24-10-29-19.gh-issue-94199.pfehmz.rst diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 7e26e2ec6f1..8df64ffa89a 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -311,27 +311,6 @@ Random generation .. versionadded:: 3.3 -.. function:: RAND_pseudo_bytes(num) - - Return (bytes, is_cryptographic): bytes are *num* pseudo-random bytes, - is_cryptographic is ``True`` if the bytes generated are cryptographically - strong. Raises an :class:`SSLError` if the operation is not supported by the - current RAND method. - - Generated pseudo-random byte sequences will be unique if they are of - sufficient length, but are not necessarily unpredictable. They can be used - for non-cryptographic purposes and for certain purposes in cryptographic - protocols, but usually not for key generation etc. - - For almost all applications :func:`os.urandom` is preferable. - - .. versionadded:: 3.3 - - .. deprecated:: 3.6 - - OpenSSL has deprecated :func:`ssl.RAND_pseudo_bytes`, use - :func:`ssl.RAND_bytes` instead. - .. function:: RAND_status() Return ``True`` if the SSL pseudo-random number generator has been seeded 
@@ -2717,8 +2696,8 @@ for example the :mod:`multiprocessing` or :mod:`concurrent.futures` modules), be aware that OpenSSL's internal random number generator does not properly handle forked processes. Applications must change the PRNG state of the parent process if they use any SSL feature with :func:`os.fork`. Any -successful call of :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or -:func:`~ssl.RAND_pseudo_bytes` is sufficient. +successful call of :func:`~ssl.RAND_add` or :func:`~ssl.RAND_bytes` is +sufficient. .. _ssl-tlsv1_3: diff --git a/Doc/whatsnew/3.12.rst b/Doc/whatsnew/3.12.rst index 52e4d7e25b3..8526a130b36 100644 --- a/Doc/whatsnew/3.12.rst +++ b/Doc/whatsnew/3.12.rst @@ -214,6 +214,10 @@ Removed also a static method. (Contributed by Victor Stinner in :gh:`94169`.) +* Remove the :func:`ssl.RAND_pseudo_bytes` function, deprecated in Python 3.6: + use :func:`os.urandom` or :func:`ssl.RAND_bytes` instead. + (Contributed by Victor Stinner in :gh:`94199`.) + Porting to Python 3.12 ====================== diff --git a/Lib/ssl.py b/Lib/ssl.py index ebac1d60d52..7c990417c4a 100644 --- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -106,7 +106,7 @@ from _ssl import ( SSLSyscallError, SSLEOFError, SSLCertVerificationError ) from _ssl import txt2obj as _txt2obj, nid2obj as _nid2obj -from _ssl import RAND_status, RAND_add, RAND_bytes, RAND_pseudo_bytes +from _ssl import RAND_status, RAND_add, RAND_bytes try: from _ssl import RAND_egd except ImportError: diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 3acafbdaa6e..0ba2d6b1efc 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -382,10 +382,6 @@ class BasicSocketTests(unittest.TestCase): % (v, (v and "sufficient randomness") or "insufficient randomness")) - with warnings_helper.check_warnings(): - data, is_cryptographic = ssl.RAND_pseudo_bytes(16) - self.assertEqual(len(data), 16) - self.assertEqual(is_cryptographic, v == 1) if v: data = ssl.RAND_bytes(16) self.assertEqual(len(data), 16) 
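Review bot: In the Lib/ssl.py hunk, the new import line `from _ssl import RAND_status, RAND_add, RAND_bytes` drops the old name without saying that the suggested replacements return a different shape, which matters to callers that generate key or nonce material. The removed function returned a `(bytes, is_cryptographic)` pair, while `ssl.RAND_bytes()` returns the bytes alone (the test in this patch calls `len()` on its result), so a caller that swaps the name but keeps a `[0]` index gets a single integer instead of the buffer. I would add a comment above the import such as `# RAND_pseudo_bytes() was removed in 3.12; RAND_bytes() returns bytes, not a (bytes, is_cryptographic) pair.` and carry the same sentence into the What's New entry. The import block itself starts and ends outside the hunk.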
@@ -394,8 +390,6 @@ class BasicSocketTests(unittest.TestCase): # negative num is invalid self.assertRaises(ValueError, ssl.RAND_bytes, -5) - with warnings_helper.check_warnings(): - self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5) ssl.RAND_add("this is a random string", 75.0) ssl.RAND_add(b"this is a random bytes object", 75.0) diff --git a/Misc/NEWS.d/next/Library/2022-06-24-10-29-19.gh-issue-94199.pfehmz.rst b/Misc/NEWS.d/next/Library/2022-06-24-10-29-19.gh-issue-94199.pfehmz.rst new file mode 100644 index 00000000000..ed325c0f688 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2022-06-24-10-29-19.gh-issue-94199.pfehmz.rst @@ -0,0 +1,3 @@ +Remove the :func:`ssl.RAND_pseudo_bytes` function, deprecated in Python 3.6: +use :func:`os.urandom` or :func:`ssl.RAND_bytes` instead. Patch by Victor +Stinner. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 08596577086..f19ee6815af 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -5158,24 +5158,6 @@ _ssl_RAND_bytes_impl(PyObject *module, int n) return PySSL_RAND(module, n, 0); } -/*[clinic input] -_ssl.RAND_pseudo_bytes - n: int - / - -Generate n pseudo-random bytes. - -Return a pair (bytes, is_cryptographic). is_cryptographic is True -if the bytes generated are cryptographically strong. -[clinic start generated code]*/ - -static PyObject * -_ssl_RAND_pseudo_bytes_impl(PyObject *module, int n) -/*[clinic end generated code: output=b1509e937000e52d input=58312bd53f9bbdd0]*/ -{ - PY_SSL_DEPRECATED("ssl.RAND_pseudo_bytes() is deprecated", 1, NULL); - return PySSL_RAND(module, n, 1); -} /*[clinic input] _ssl.RAND_status @@ -5634,7 +5616,6 @@ static PyMethodDef PySSL_methods[] = { _SSL__TEST_DECODE_CERT_METHODDEF _SSL_RAND_ADD_METHODDEF _SSL_RAND_BYTES_METHODDEF - _SSL_RAND_PSEUDO_BYTES_METHODDEF _SSL_RAND_STATUS_METHODDEF _SSL_GET_DEFAULT_VERIFY_PATHS_METHODDEF _SSL_ENUM_CERTIFICATES_METHODDEF diff --git a/Modules/clinic/_ssl.c.h b/Modules/clinic/_ssl.c.h index 67b125f3d76..24604dd4368 100644 
--- a/Modules/clinic/_ssl.c.h +++ b/Modules/clinic/_ssl.c.h @@ -1090,37 +1090,6 @@ exit: return return_value; } -PyDoc_STRVAR(_ssl_RAND_pseudo_bytes__doc__, -"RAND_pseudo_bytes($module, n, /)\n" -"--\n" -"\n" -"Generate n pseudo-random bytes.\n" -"\n" -"Return a pair (bytes, is_cryptographic). is_cryptographic is True\n" -"if the bytes generated are cryptographically strong."); - -#define _SSL_RAND_PSEUDO_BYTES_METHODDEF \ - {"RAND_pseudo_bytes", (PyCFunction)_ssl_RAND_pseudo_bytes, METH_O, _ssl_RAND_pseudo_bytes__doc__}, - -static PyObject * -_ssl_RAND_pseudo_bytes_impl(PyObject *module, int n); - -static PyObject * -_ssl_RAND_pseudo_bytes(PyObject *module, PyObject *arg) -{ - PyObject *return_value = NULL; - int n; - - n = _PyLong_AsInt(arg); - if (n == -1 && PyErr_Occurred()) { - goto exit; - } - return_value = _ssl_RAND_pseudo_bytes_impl(module, n); - -exit: - return return_value; -} - PyDoc_STRVAR(_ssl_RAND_status__doc__, "RAND_status($module, /)\n" "--\n" @@ -1361,4 +1330,4 @@ exit: #ifndef _SSL_ENUM_CRLS_METHODDEF #define _SSL_ENUM_CRLS_METHODDEF #endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */ -/*[clinic end generated code: output=2a488dd0cbc777df input=a9049054013a1b77]*/ +/*[clinic end generated code: output=9d806f8ff4a06ed3 input=a9049054013a1b77]*/