Issue 10924: Fixed mksalt() to use a RNG that is suitable for cryptographic purpose

tiran · tiran · commit afa2973d7af4 · 2012-06-27T15:36:46.000+02:00
diff --git a/Lib/crypt.py b/Lib/crypt.py
@@ -1,15 +1,16 @@
 """Wrapper to the POSIX crypt library call and associated functionality."""
 
 import _crypt
-import string
-from random import choice
-from collections import namedtuple
+import string as _string
+from random import SystemRandom as _SystemRandom
+from collections import namedtuple as _namedtuple
 
 
-_saltchars = string.ascii_letters + string.digits + './'
+_saltchars = _string.ascii_letters + _string.digits + './'
+_sr = _SystemRandom()
 
 
-class _Method(namedtuple('_Method', 'name ident salt_chars total_size')):
+class _Method(_namedtuple('_Method', 'name ident salt_chars total_size')):
 
     """Class representing a salt method per the Modular Crypt Format or the
     legacy 2-character crypt method."""
@@ -18,7 +19,6 @@ def __repr__(self):
         return '<crypt.METHOD_{}>'.format(self.name)
 
 
-
 def mksalt(method=None):
     """Generate a salt for the specified method.
 
@@ -28,7 +28,7 @@ def mksalt(method=None):
     if method is None:
         method = methods[0]
     s = '${}$'.format(method.ident) if method.ident else ''
-    s += ''.join(choice(_saltchars) for _ in range(method.salt_chars))
+    s += ''.join(_sr.sample(_saltchars, method.salt_chars))
     return s
 
 
@@ -60,3 +60,4 @@ def crypt(word, salt=None):
         methods.append(_method)
 methods.append(METHOD_CRYPT)
 del _result, _method
+
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -7,6 +7,16 @@ What's New in Python 3.3.0 Beta 2?
 
 *Release date: xx-xxx-2012*
 
+Core and Builtins
+-----------------
+
+
+Library
+-------
+
+- Issue 10924: Fixed mksalt() to use a RNG that is suitable for cryptographic
+  purpose.
+
 Extension Modules
 -----------------
 
