From 3cfbd4e4a2c971dd20912b89bc7628362e47a4bc Mon Sep 17 00:00:00 2001 From: Tim Felgentreff Date: Thu, 9 Apr 2026 17:37:33 +0200 Subject: [PATCH 1/9] [GR-74734] Add configurable initialization entropy source --- .../runtime/PythonContextEntropyTests.java | 142 ++++++++++++++++++ .../objects/random/RandomBuiltins.java | 11 +- .../graal/python/runtime/PythonContext.java | 137 ++++++++++++++++- .../graal/python/runtime/PythonOptions.java | 5 + 4 files changed, 289 insertions(+), 6 deletions(-) create mode 100644 graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java diff --git a/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java b/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java new file mode 100644 index 0000000000..3034bb4902 --- /dev/null +++ b/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java @@ -0,0 +1,142 @@ +/* + * Copyright (c) 2026, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * The Universal Permissive License (UPL), Version 1.0 + * + * Subject to the condition set forth below, permission is hereby granted to any + * person obtaining a copy of this software, associated documentation and/or + * data (collectively the "Software"), free of charge and under any and all + * copyright rights in the Software, and any and all patent rights owned or + * freely licensable by each licensor hereunder covering either (i) the + * unmodified Software as contributed to or provided by such licensor, or (ii) + * the Larger Works (as defined below), to deal in both + * + * (a) the Software, and + * + * (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if + * one is included with the Software each a "Larger Work" to which the Software + * is contributed by such licensors), + * + * without restriction, including without limitation the rights to copy, create + * derivative works of, display, perform, and distribute the Software and make, + * use, sell, offer for sale, import, export, have made, and have sold the + * Software and the Larger Work(s), and to sublicense the foregoing rights on + * either these or other terms. + * + * This license is subject to the following condition: + * + * The above copyright notice and either this complete permission notice or at a + * minimum a reference to the UPL must be included in all copies or substantial + * portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +package com.oracle.graal.python.test.runtime; + +import static org.junit.Assert.assertArrayEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.util.Map; +import java.util.Random; + +import org.graalvm.polyglot.PolyglotException; +import org.graalvm.polyglot.Context; +import org.junit.After; +import org.junit.Test; + +import com.oracle.graal.python.runtime.PythonContext; +import com.oracle.graal.python.test.PythonTests; + +public class PythonContextEntropyTests { + + @After + public void tearDown() { + PythonTests.closeContext(); + } + + @Test + public void fixedInitializationEntropySourceSeedsHashSecretDeterministically() { + long seed = 0x1234ABCDL; + PythonTests.enterContext(Map.of("python.InitializationEntropySource", "fixed:0x1234ABCD"), new String[0]); + PythonContext context = PythonContext.get(null); + + byte[] expected = new byte[24]; + new Random(seed).nextBytes(expected); + + assertArrayEquals(expected, context.getHashSecret()); + } + + @Test + public void deviceInitializationEntropySourceSeedsHashSecretFromConfiguredPath() throws IOException { + byte[] expected = new byte[24]; + for (int i = 0; i < expected.length; i++) { + expected[i] = (byte) (i + 1); + } + byte[] source = new byte[expected.length + 8]; + System.arraycopy(expected, 0, source, 0, expected.length); + for (int i = expected.length; i < source.length; i++) { + source[i] = (byte) 0xFF; + } + Path tempFile = Files.createTempFile("graalpy-init-entropy-", ".bin"); + Files.write(tempFile, source); + + try { + PythonTests.enterContext(Map.of("python.InitializationEntropySource", "device:" + tempFile), new String[0]); + PythonContext context = PythonContext.get(null); + assertArrayEquals(expected, context.getHashSecret()); + } finally { + Files.deleteIfExists(tempFile); + } + } + + @Test + public void deviceInitializationEntropySourceThrowsProviderExceptionWhenExhausted() throws IOException { + Path tempFile = Files.createTempFile("graalpy-init-entropy-short-", ".bin"); + Files.write(tempFile, new byte[]{1, 2, 3, 4}); + + try { + try { + PythonTests.enterContext(Map.of("python.InitializationEntropySource", "device:" + tempFile), new String[0]); + fail("expected PolyglotException"); + } catch (PolyglotException e) { + assertTrue(e.getMessage().contains("ProviderException")); + assertTrue(e.getMessage().contains("initialization entropy device exhausted")); + } + } finally { + Files.deleteIfExists(tempFile); + } + } + + @Test + public void randomSeedNoneConsumesInitializationEntropyBytes() { + long seed = 0x1234ABCDL; + Context polyglotContext = PythonTests.enterContext(Map.of("python.InitializationEntropySource", "fixed:0x1234ABCD"), new String[]{"-S"}); + try { + polyglotContext.eval("python", "import _random; _random.Random()"); + PythonContext context = PythonContext.get(null); + byte[] actual = new byte[16]; + context.fillInitializationEntropyBytes(actual); + + Random expectedRandom = new Random(seed); + expectedRandom.nextBytes(new byte[24]); + expectedRandom.nextBytes(new byte[624 * Integer.BYTES]); + byte[] expected = new byte[16]; + expectedRandom.nextBytes(expected); + + assertArrayEquals(expected, actual); + } finally { + PythonTests.closeContext(); + } + } +} diff --git a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/random/RandomBuiltins.java b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/random/RandomBuiltins.java index 1f4d3e8446..48fab4e7b2 100644 --- a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/random/RandomBuiltins.java +++ b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/random/RandomBuiltins.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2026, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * The Universal Permissive License (UPL), Version 1.0 @@ -47,7 +47,6 @@ import java.math.BigInteger; import java.nio.ByteBuffer; import java.nio.ByteOrder; -import java.security.SecureRandom; import java.util.List; import com.oracle.graal.python.PythonLanguage; @@ -132,10 +131,12 @@ public abstract static class SeedNode extends PythonBuiltinNode { @Specialization @TruffleBoundary PNone seedNone(PRandom random, @SuppressWarnings("unused") PNone none) { - SecureRandom secureRandom = getContext().getSecureRandom(); int[] seed = new int[PRandom.N]; - for (int i = 0; i < seed.length; ++i) { - seed[i] = secureRandom.nextInt(); + byte[] seedBytes = new byte[seed.length * Integer.BYTES]; + getContext().fillInitializationEntropyBytes(seedBytes); + ByteBuffer seedBuffer = ByteBuffer.wrap(seedBytes).order(ByteOrder.BIG_ENDIAN); + for (int i = 0; i < seed.length; i++) { + seed[i] = seedBuffer.getInt(); } random.seed(seed); return PNone.NONE; diff --git a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java index b4b378e299..8bb69da0ac 100644 --- a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java +++ b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java @@ -76,7 +76,9 @@ import java.lang.ref.WeakReference; import java.lang.reflect.Field; import java.nio.file.LinkOption; +import java.nio.file.Path; import java.security.NoSuchAlgorithmException; +import java.security.ProviderException; import java.security.SecureRandom; import java.text.MessageFormat; import java.util.ArrayDeque; @@ -88,6 +90,7 @@ import java.util.List; import java.util.Map; import java.util.Optional; +import java.util.Random; import java.util.WeakHashMap; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentSkipListMap; @@ -705,6 +708,8 @@ PythonThreadState getThreadState(Node n) { private final IDUtils idUtils = new IDUtils(); @CompilationFinal private SecureRandom secureRandom; + @CompilationFinal private SecureRandom initializationSecureRandom; + private InitializationEntropySource initializationEntropySource; // Equivalent of _Py_HashSecret @CompilationFinal(dimensions = 1) private byte[] hashSecret = new byte[24]; @@ -1460,6 +1465,53 @@ public SecureRandom getSecureRandom() { return secureRandom; } + public SecureRandom getInitRandom() { + assert !env.isPreInitialization(); + if (initializationSecureRandom == null) { + CompilerDirectives.transferToInterpreterAndInvalidate(); + initializationSecureRandom = new InitializationSecureRandom(getInitializationEntropySource()); + } + return initializationSecureRandom; + } + + public void fillInitializationEntropyBytes(byte[] bytes) { + getInitializationEntropySource().nextBytes(bytes); + } + + private InitializationEntropySource getInitializationEntropySource() { + assert !env.isPreInitialization(); + if (initializationEntropySource == null) { + CompilerDirectives.transferToInterpreterAndInvalidate(); + initializationEntropySource = createInitializationEntropySource(getOption(PythonOptions.InitializationEntropySource)); + } + return initializationEntropySource; + } + + private InitializationEntropySource createInitializationEntropySource(String spec) { + if ("default".equals(spec)) { + return new DefaultInitializationEntropySource(getSecureRandom()); + } + if (spec.startsWith("device:")) { + String path = spec.substring("device:".length()); + if (path.isEmpty()) { + throw new IllegalArgumentException("python.InitializationEntropySource device path must not be empty"); + } + return new DeviceInitializationEntropySource(path); + } + if (spec.startsWith("fixed:")) { + String seed = spec.substring("fixed:".length()); + if (seed.isEmpty()) { + throw new IllegalArgumentException("python.InitializationEntropySource fixed seed must not be empty"); + } + try { + return new FixedInitializationEntropySource(Long.decode(seed)); + } catch (NumberFormatException e) { + throw new IllegalArgumentException("python.InitializationEntropySource fixed seed must be a decimal or hexadecimal long", e); + } + } + throw new IllegalArgumentException("python.InitializationEntropySource must be 'default', 'device:', or 'fixed:'"); + } + public byte[] getHashSecret() { assert !env.isPreInitialization(); return hashSecret; @@ -1692,7 +1744,90 @@ private void initializeHashSecret() { } } else { // Generate random seed - getSecureRandom().nextBytes(hashSecret); + fillInitializationEntropyBytes(hashSecret); + } + } + + private interface InitializationEntropySource { + void nextBytes(byte[] bytes); + } + + private static final class InitializationSecureRandom extends SecureRandom { + private static final long serialVersionUID = 1L; + private final transient InitializationEntropySource source; + + InitializationSecureRandom(InitializationEntropySource source) { + this.source = source; + } + + @Override + public void setSeed(byte[] seed) { + } + + @Override + public void nextBytes(byte[] bytes) { + source.nextBytes(bytes); + } + + @Override + public byte[] generateSeed(int numBytes) { + byte[] seed = new byte[numBytes]; + source.nextBytes(seed); + return seed; + } + } + + private static final class DefaultInitializationEntropySource implements InitializationEntropySource { + private final SecureRandom secureRandom; + + DefaultInitializationEntropySource(SecureRandom secureRandom) { + this.secureRandom = secureRandom; + } + + @Override + public synchronized void nextBytes(byte[] bytes) { + secureRandom.nextBytes(bytes); + } + } + + private static final class DeviceInitializationEntropySource implements InitializationEntropySource { + private final InputStream inputStream; + + DeviceInitializationEntropySource(String path) { + try { + inputStream = java.nio.file.Files.newInputStream(Path.of(path)); + } catch (IOException e) { + throw new IllegalArgumentException("failed to open initialization entropy device: " + path, e); + } + } + + @Override + public synchronized void nextBytes(byte[] bytes) { + int offset = 0; + try { + while (offset < bytes.length) { + int read = inputStream.read(bytes, offset, bytes.length - offset); + if (read < 0) { + throw new ProviderException("initialization entropy device exhausted"); + } + offset += read; + } + } catch (IOException e) { + throw new ProviderException("failed to read initialization entropy device", e); + } + } + } + + private static final class FixedInitializationEntropySource implements InitializationEntropySource { + private final Random random; + + FixedInitializationEntropySource(long seed) { + this.random = new Random(seed); + } + + @Override + public synchronized void nextBytes(byte[] bytes) { + random.nextBytes(bytes); } } diff --git a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonOptions.java b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonOptions.java index 7080e7dc43..17131fd5e7 100644 --- a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonOptions.java +++ b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonOptions.java @@ -232,6 +232,11 @@ public static void checkBytecodeDSLEnv() { } })); + @Option(category = OptionCategory.EXPERT, help = "Entropy source used for reviewed initialization-time randomness. " + + "Use 'default' to reuse the default Java source, 'device:' to read bytes from a device or file, " + + "or 'fixed:' for deterministic testing.", usageSyntax = "default|device:|fixed:", stability = OptionStability.EXPERIMENTAL) // + public static final OptionKey InitializationEntropySource = new OptionKey<>("default"); + @EngineOption @Option(category = OptionCategory.USER, help = "Choose the backend for the POSIX module.", usageSyntax = "java|native", stability = OptionStability.STABLE) // public static final OptionKey PosixModuleBackend = new OptionKey<>(T_JAVA, TS_OPTION_TYPE); From 8197665b9388d05cc36ae93c3403275d3dd084ea Mon Sep 17 00:00:00 2001 From: Tim Felgentreff Date: Thu, 9 Apr 2026 18:30:21 +0200 Subject: [PATCH 2/9] [GR-74734] Add subprocess entropy routing tests --- .../src/tests/test_entropy_subprocess.py | 165 ++++++++++++++++++ 1 file changed, 165 insertions(+) create mode 100644 graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py diff --git a/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py new file mode 100644 index 0000000000..58db6e4d56 --- /dev/null +++ b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py @@ -0,0 +1,165 @@ +# Copyright (c) 2026, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# The Universal Permissive License (UPL), Version 1.0 +# +# Subject to the condition set forth below, permission is hereby granted to any +# person obtaining a copy of this software, associated documentation and/or +# data (collectively the "Software"), free of charge and under any and all +# copyright rights in the Software, and any and all patent rights owned or +# freely licensable by each licensor hereunder covering either (i) the +# unmodified Software as contributed to or provided by such licensor, or (ii) +# the Larger Works (as defined below), to deal in both +# +# (a) the Software, and +# +# (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if +# one is included with the Software each a "Larger Work" to which the Software +# is contributed by such licensors), +# +# without restriction, including without limitation the rights to copy, create +# derivative works of, display, perform, and distribute the Software and make, +# use, sell, offer for sale, import, export, have made, and have sold the +# Software and the Larger Work(s), and to sublicense the foregoing rights on +# either these or other terms. +# +# This license is subject to the following condition: +# +# The above copyright notice and either this complete permission notice or at a +# minimum a reference to the UPL must be included in all copies or substantial +# portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + +import os +import subprocess +import sys +import tempfile +import unittest + + +@unittest.skipUnless(sys.implementation.name == "graalpy", "GraalPy-specific test") +class EntropySubprocessTests(unittest.TestCase): + HASH_SECRET_BYTES = 24 + RANDOM_SEED_BYTES = 624 * 4 + HASH_AND_RANDOM_IMPORT_BYTES = HASH_SECRET_BYTES + RANDOM_SEED_BYTES + + def _run_with_init_device(self, data: bytes, code: str): + with tempfile.NamedTemporaryFile(delete=False) as f: + f.write(data) + path = f.name + try: + return self._run_with_init_source(f"device:{path}", code) + finally: + os.unlink(path) + + def _run_with_init_source(self, source: str, code: str): + env = os.environ.copy() + env.pop("PYTHONHASHSEED", None) + return subprocess.run( + [ + sys.executable, + "-S", + "--experimental-options=true", + f"--python.InitializationEntropySource={source}", + "-c", + code, + ], + capture_output=True, + text=True, + env=env, + ) + + def assert_initrandom_exhausted(self, result): + self.assertNotEqual(0, result.returncode, result) + combined = f"{result.stdout}\n{result.stderr}" + self.assertIn("initialization entropy device exhausted", combined) + + def assert_subprocess_ok(self, result): + self.assertEqual(0, result.returncode, result) + + def test_startup_hash_secret_uses_initrandom(self): + result = self._run_with_init_device(b"\x00" * 4, "print('ok')") + self.assert_initrandom_exhausted(result) + + def test__random_random_uses_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + "import _random; _random.Random(); print('ok')", + ) + self.assert_initrandom_exhausted(result) + + def test_random_module_import_uses_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + "import random; print('ok')", + ) + self.assert_initrandom_exhausted(result) + + def test_systemrandom_does_not_mutate_random_state(self): + result = self._run_with_init_source( + "fixed:0x1234ABCD", + "import random; before = random.getstate(); " + "random.SystemRandom().getrandbits(32); " + "after = random.getstate(); " + "print(before == after)", + ) + self.assert_subprocess_ok(result) + self.assertEqual("True", result.stdout.strip()) + + def test_secrets_does_not_mutate_random_state(self): + result = self._run_with_init_source( + "fixed:0x1234ABCD", + "import random; before = random.getstate(); " + "import secrets; secrets.token_hex(8); " + "after = random.getstate(); " + "print(before == after)", + ) + self.assert_subprocess_ok(result) + self.assertEqual("True", result.stdout.strip()) + + def test_os_urandom_does_not_use_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + "import os; print(len(os.urandom(16)))", + ) + self.assert_subprocess_ok(result) + self.assertEqual("16", result.stdout.strip()) + + def test_multiprocessing_process_import_does_not_use_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + "import multiprocessing.process; print('ok')", + ) + self.assert_subprocess_ok(result) + self.assertEqual("ok", result.stdout.strip()) + + def test_pyexpat_import_does_not_use_additional_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + "import pyexpat; print(pyexpat.__name__)", + ) + self.assert_subprocess_ok(result) + self.assertEqual("pyexpat", result.stdout.strip()) + + def test_sqlite3_import_does_not_use_additional_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + "import _sqlite3; print(_sqlite3.__name__)", + ) + self.assert_subprocess_ok(result) + self.assertEqual("_sqlite3", result.stdout.strip()) + + def test_uuid4_does_not_use_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + "import uuid; print(uuid.uuid4().version)", + ) + self.assert_subprocess_ok(result) + self.assertEqual("4", result.stdout.strip()) From b28000dc3586f36f60840dc8d255adf9cc09875e Mon Sep 17 00:00:00 2001 From: Tim Felgentreff Date: Thu, 9 Apr 2026 19:14:55 +0200 Subject: [PATCH 3/9] [GR-74734] Expand subprocess entropy tests --- .../src/tests/test_entropy_subprocess.py | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py index 58db6e4d56..86046a634a 100644 --- a/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py +++ b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py @@ -140,6 +140,35 @@ def test_multiprocessing_process_import_does_not_use_initrandom(self): self.assert_subprocess_ok(result) self.assertEqual("ok", result.stdout.strip()) + def test_tempfile_candidate_names_use_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_AND_RANDOM_IMPORT_BYTES, + "import tempfile; next(tempfile._get_candidate_names()); print('ok')", + ) + self.assert_initrandom_exhausted(result) + + def test_tempfile_does_not_mutate_random_state(self): + result = self._run_with_init_source( + "fixed:0x1234ABCD", + "import random; before = random.getstate(); " + "import tempfile; next(tempfile._get_candidate_names()); " + "after = random.getstate(); " + "print(before == after)", + ) + self.assert_subprocess_ok(result) + self.assertEqual("True", result.stdout.strip()) + + def test_email_generator_boundary_mutates_random_state(self): + result = self._run_with_init_source( + "fixed:0x1234ABCD", + "import random; before = random.getstate(); " + "from email.generator import Generator; Generator._make_boundary(); " + "after = random.getstate(); " + "print(before == after)", + ) + self.assert_subprocess_ok(result) + self.assertEqual("False", result.stdout.strip()) + def test_pyexpat_import_does_not_use_additional_initrandom(self): result = self._run_with_init_device( b"\x00" * self.HASH_SECRET_BYTES, @@ -156,6 +185,17 @@ def test_sqlite3_import_does_not_use_additional_initrandom(self): self.assert_subprocess_ok(result) self.assertEqual("_sqlite3", result.stdout.strip()) + def test_uuid1_mutates_random_state(self): + result = self._run_with_init_source( + "fixed:0x1234ABCD", + "import random; before = random.getstate(); " + "import uuid; uuid.uuid1(node=1); " + "after = random.getstate(); " + "print(before == after)", + ) + self.assert_subprocess_ok(result) + self.assertEqual("False", result.stdout.strip()) + def test_uuid4_does_not_use_initrandom(self): result = self._run_with_init_device( b"\x00" * self.HASH_SECRET_BYTES, From 260298a0aeffa22e7dc5c7359b8398e24d6670b4 Mon Sep 17 00:00:00 2001 From: Tim Felgentreff Date: Thu, 9 Apr 2026 20:33:05 +0200 Subject: [PATCH 4/9] [GR-74734] Expand entropy subprocess coverage --- .../src/tests/test_entropy_subprocess.py | 102 ++++++++++++++++++ 1 file changed, 102 insertions(+) diff --git a/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py index 86046a634a..9b00caf5b1 100644 --- a/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py +++ b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py @@ -41,6 +41,7 @@ import subprocess import sys import tempfile +import textwrap import unittest @@ -49,6 +50,7 @@ class EntropySubprocessTests(unittest.TestCase): HASH_SECRET_BYTES = 24 RANDOM_SEED_BYTES = 624 * 4 HASH_AND_RANDOM_IMPORT_BYTES = HASH_SECRET_BYTES + RANDOM_SEED_BYTES + SSL_DATA_DIR = os.path.join(os.path.dirname(__file__), "ssldata") def _run_with_init_device(self, data: bytes, code: str): with tempfile.NamedTemporaryFile(delete=False) as f: @@ -140,6 +142,35 @@ def test_multiprocessing_process_import_does_not_use_initrandom(self): self.assert_subprocess_ok(result) self.assertEqual("ok", result.stdout.strip()) + def test_multiprocessing_deliver_challenge_does_not_mutate_random_state(self): + result = self._run_with_init_source( + "fixed:0x1234ABCD", + textwrap.dedent(""" + import random + import multiprocessing.connection as mc + auth = b'authkey' + + class Dummy: + def __init__(self): + self.sent = [] + + def send_bytes(self, data): + self.sent.append(data) + + def recv_bytes(self, _max): + msg = self.sent[-1][len(mc._CHALLENGE):] + return mc._create_response(auth, msg) + + before = random.getstate() + d = Dummy() + mc.deliver_challenge(d, auth) + after = random.getstate() + print(before == after) + """), + ) + self.assert_subprocess_ok(result) + self.assertEqual("True", result.stdout.strip()) + def test_tempfile_candidate_names_use_initrandom(self): result = self._run_with_init_device( b"\x00" * self.HASH_AND_RANDOM_IMPORT_BYTES, @@ -169,6 +200,47 @@ def test_email_generator_boundary_mutates_random_state(self): self.assert_subprocess_ok(result) self.assertEqual("False", result.stdout.strip()) + def test_imaplib_connect_mutates_random_state(self): + result = self._run_with_init_source( + "fixed:0x1234ABCD", + textwrap.dedent(""" + import random + import imaplib + + class Dummy(imaplib.IMAP4): + def open(self, host='', port=imaplib.IMAP4_PORT, timeout=None): + pass + + def _get_response(self): + self.untagged_responses = {'OK': [b'']} + return 'OK' + + def _get_capabilities(self): + self.capabilities = ('IMAP4REV1',) + + def shutdown(self): + pass + + before = random.getstate() + d = Dummy.__new__(Dummy) + d.debug = imaplib.Debug + d.state = 'LOGOUT' + d.literal = None + d.tagged_commands = {} + d.untagged_responses = {} + d.continuation_response = '' + d.is_readonly = False + d.tagnum = 0 + d._tls_established = False + d._mode_ascii() + d._connect() + after = random.getstate() + print(before == after) + """), + ) + self.assert_subprocess_ok(result) + self.assertEqual("False", result.stdout.strip()) + def test_pyexpat_import_does_not_use_additional_initrandom(self): result = self._run_with_init_device( b"\x00" * self.HASH_SECRET_BYTES, @@ -177,6 +249,14 @@ def test_pyexpat_import_does_not_use_additional_initrandom(self): self.assert_subprocess_ok(result) self.assertEqual("pyexpat", result.stdout.strip()) + def test_pyexpat_parsercreate_does_not_use_additional_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + "import pyexpat; p = pyexpat.ParserCreate(); print(type(p).__name__)", + ) + self.assert_subprocess_ok(result) + self.assertEqual("xmlparser", result.stdout.strip()) + def test_sqlite3_import_does_not_use_additional_initrandom(self): result = self._run_with_init_device( b"\x00" * self.HASH_SECRET_BYTES, @@ -185,6 +265,28 @@ def test_sqlite3_import_does_not_use_additional_initrandom(self): self.assert_subprocess_ok(result) self.assertEqual("_sqlite3", result.stdout.strip()) + def test_sqlite3_randomblob_does_not_use_initrandom(self): + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + "import sqlite3; " + "conn = sqlite3.connect(':memory:'); " + "print(conn.execute('select length(randomblob(16))').fetchone()[0])", + ) + self.assert_subprocess_ok(result) + self.assertEqual("16", result.stdout.strip()) + + def test_ssl_load_cert_chain_does_not_use_initrandom(self): + cert = os.path.join(self.SSL_DATA_DIR, "signed_cert.pem") + result = self._run_with_init_device( + b"\x00" * self.HASH_SECRET_BYTES, + f"import ssl; " + f"ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); " + f"ctx.load_cert_chain(r'{cert}'); " + f"print('ok')", + ) + self.assert_subprocess_ok(result) + self.assertEqual("ok", result.stdout.strip()) + def test_uuid1_mutates_random_state(self): result = self._run_with_init_source( "fixed:0x1234ABCD", From 6aec2f72a0cb92b652119b135b84008f6945530d Mon Sep 17 00:00:00 2001 From: Tim Felgentreff Date: Fri, 10 Apr 2026 08:19:17 +0200 Subject: [PATCH 5/9] [GR-74734] Limit entropy tests to Linux --- .../python/test/runtime/PythonContextEntropyTests.java | 7 +++++++ .../src/tests/test_entropy_subprocess.py | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java b/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java index 3034bb4902..58eb008897 100644 --- a/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java +++ b/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java @@ -53,13 +53,20 @@ import org.graalvm.polyglot.PolyglotException; import org.graalvm.polyglot.Context; import org.junit.After; +import org.junit.Before; import org.junit.Test; +import org.junit.Assume; import com.oracle.graal.python.runtime.PythonContext; import com.oracle.graal.python.test.PythonTests; public class PythonContextEntropyTests { + @Before + public void checkLinuxOnly() { + Assume.assumeTrue(System.getProperty("os.name").toLowerCase().contains("linux")); + } + @After public void tearDown() { PythonTests.closeContext(); diff --git a/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py index 9b00caf5b1..f06538021d 100644 --- a/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py +++ b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py @@ -45,7 +45,7 @@ import unittest -@unittest.skipUnless(sys.implementation.name == "graalpy", "GraalPy-specific test") +@unittest.skipUnless(sys.implementation.name == "graalpy" and sys.platform.startswith("linux"), "Linux GraalPy-specific test") class EntropySubprocessTests(unittest.TestCase): HASH_SECRET_BYTES = 24 RANDOM_SEED_BYTES = 624 * 4 From c96acc4cff94d9290d52b8c509b1dcb05c9ab1a2 Mon Sep 17 00:00:00 2001 From: Tim Felgentreff Date: Fri, 10 Apr 2026 09:51:26 +0200 Subject: [PATCH 6/9] Cleanup tests to be more focused and assert clearly expected entropy use --- .../runtime/PythonContextEntropyTests.java | 23 -- .../src/tests/test_entropy_subprocess.py | 240 +++++++++--------- 2 files changed, 122 insertions(+), 141 deletions(-) diff --git a/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java b/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java index 58eb008897..7dcee55008 100644 --- a/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java +++ b/graalpython/com.oracle.graal.python.test/src/com/oracle/graal/python/test/runtime/PythonContextEntropyTests.java @@ -51,7 +51,6 @@ import java.util.Random; import org.graalvm.polyglot.PolyglotException; -import org.graalvm.polyglot.Context; import org.junit.After; import org.junit.Before; import org.junit.Test; @@ -124,26 +123,4 @@ public void deviceInitializationEntropySourceThrowsProviderExceptionWhenExhauste Files.deleteIfExists(tempFile); } } - - @Test - public void randomSeedNoneConsumesInitializationEntropyBytes() { - long seed = 0x1234ABCDL; - Context polyglotContext = PythonTests.enterContext(Map.of("python.InitializationEntropySource", "fixed:0x1234ABCD"), new String[]{"-S"}); - try { - polyglotContext.eval("python", "import _random; _random.Random()"); - PythonContext context = PythonContext.get(null); - byte[] actual = new byte[16]; - context.fillInitializationEntropyBytes(actual); - - Random expectedRandom = new Random(seed); - expectedRandom.nextBytes(new byte[24]); - expectedRandom.nextBytes(new byte[624 * Integer.BYTES]); - byte[] expected = new byte[16]; - expectedRandom.nextBytes(expected); - - assertArrayEquals(expected, actual); - } finally { - PythonTests.closeContext(); - } - } } diff --git a/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py index f06538021d..379f88886c 100644 --- a/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py +++ b/graalpython/com.oracle.graal.python.test/src/tests/test_entropy_subprocess.py @@ -42,6 +42,7 @@ import sys import tempfile import textwrap +import threading import unittest @@ -49,17 +50,45 @@ class EntropySubprocessTests(unittest.TestCase): HASH_SECRET_BYTES = 24 RANDOM_SEED_BYTES = 624 * 4 - HASH_AND_RANDOM_IMPORT_BYTES = HASH_SECRET_BYTES + RANDOM_SEED_BYTES + RANDOM_INSTANCE_BYTES = HASH_SECRET_BYTES + RANDOM_SEED_BYTES + RANDOM_MODULE_BYTES = HASH_SECRET_BYTES + (2 * RANDOM_SEED_BYTES) + TEMPFILE_CANDIDATE_NAME_BYTES = HASH_SECRET_BYTES + (4 * RANDOM_SEED_BYTES) SSL_DATA_DIR = os.path.join(os.path.dirname(__file__), "ssldata") - def _run_with_init_device(self, data: bytes, code: str): - with tempfile.NamedTemporaryFile(delete=False) as f: - f.write(data) - path = f.name - try: - return self._run_with_init_source(f"device:{path}", code) - finally: - os.unlink(path) + def _run_with_init_pipe(self, byte_count: int, code: str): + with tempfile.TemporaryDirectory() as temp_dir: + path = os.path.join(temp_dir, "initrandom") + subprocess.run(["mkfifo", path], check=True) + writer_error = [] + bytes_written = 0 + + def feed_pipe(): + nonlocal bytes_written + try: + fd = os.open(path, os.O_WRONLY) + try: + remaining = byte_count + chunk = b"\x00" * min(4096, byte_count) + while remaining > 0: + written = os.write(fd, chunk[:remaining]) + bytes_written += written + remaining -= written + finally: + os.close(fd) + except BaseException as exc: # re-raised in the main thread + writer_error.append(exc) + + writer = threading.Thread(target=feed_pipe) + writer.start() + try: + result = self._run_with_init_source(f"device:{path}", code) + finally: + writer.join(timeout=10) + if writer.is_alive(): + self.fail("initrandom pipe writer thread did not finish") + if writer_error: + raise writer_error[0] + return result, bytes_written def _run_with_init_source(self, source: str, code: str): env = os.environ.copy() @@ -86,65 +115,64 @@ def assert_initrandom_exhausted(self, result): def assert_subprocess_ok(self, result): self.assertEqual(0, result.returncode, result) + def assert_initrandom_bytes_used(self, byte_count: int, code: str, stdout: str): + result, bytes_written = self._run_with_init_pipe(byte_count, code) + self.assert_subprocess_ok(result) + self.assertEqual(byte_count, bytes_written) + self.assertEqual(stdout, result.stdout.strip()) + + exhausted_result, exhausted_written = self._run_with_init_pipe(byte_count - 1, code) + self.assert_initrandom_exhausted(exhausted_result) + self.assertEqual(byte_count - 1, exhausted_written) + def test_startup_hash_secret_uses_initrandom(self): - result = self._run_with_init_device(b"\x00" * 4, "print('ok')") - self.assert_initrandom_exhausted(result) + self.assert_initrandom_bytes_used(self.HASH_SECRET_BYTES, "print('ok')", "ok") def test__random_random_uses_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.RANDOM_INSTANCE_BYTES, "import _random; _random.Random(); print('ok')", + "ok", ) - self.assert_initrandom_exhausted(result) def test_random_module_import_uses_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.RANDOM_MODULE_BYTES, "import random; print('ok')", + "ok", ) - self.assert_initrandom_exhausted(result) - - def test_systemrandom_does_not_mutate_random_state(self): - result = self._run_with_init_source( - "fixed:0x1234ABCD", - "import random; before = random.getstate(); " - "random.SystemRandom().getrandbits(32); " - "after = random.getstate(); " - "print(before == after)", + + def test_systemrandom_does_not_use_additional_initrandom(self): + self.assert_initrandom_bytes_used( + self.RANDOM_MODULE_BYTES, + "import random; random.SystemRandom().getrandbits(32); print('ok')", + "ok", ) - self.assert_subprocess_ok(result) - self.assertEqual("True", result.stdout.strip()) - - def test_secrets_does_not_mutate_random_state(self): - result = self._run_with_init_source( - "fixed:0x1234ABCD", - "import random; before = random.getstate(); " - "import secrets; secrets.token_hex(8); " - "after = random.getstate(); " - "print(before == after)", + + def test_secrets_does_not_use_additional_initrandom(self): + self.assert_initrandom_bytes_used( + self.RANDOM_MODULE_BYTES, + "import random; import secrets; secrets.token_hex(8); print('ok')", + "ok", ) - self.assert_subprocess_ok(result) - self.assertEqual("True", result.stdout.strip()) def test_os_urandom_does_not_use_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.HASH_SECRET_BYTES, "import os; print(len(os.urandom(16)))", + "16", ) - self.assert_subprocess_ok(result) - self.assertEqual("16", result.stdout.strip()) def test_multiprocessing_process_import_does_not_use_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.HASH_SECRET_BYTES, "import multiprocessing.process; print('ok')", + "ok", ) - self.assert_subprocess_ok(result) - self.assertEqual("ok", result.stdout.strip()) - def test_multiprocessing_deliver_challenge_does_not_mutate_random_state(self): - result = self._run_with_init_source( - "fixed:0x1234ABCD", + def test_multiprocessing_deliver_challenge_does_not_use_additional_initrandom(self): + self.assert_initrandom_bytes_used( + self.RANDOM_MODULE_BYTES, textwrap.dedent(""" import random import multiprocessing.connection as mc @@ -161,48 +189,37 @@ def recv_bytes(self, _max): msg = self.sent[-1][len(mc._CHALLENGE):] return mc._create_response(auth, msg) - before = random.getstate() d = Dummy() mc.deliver_challenge(d, auth) - after = random.getstate() - print(before == after) + print('ok') """), + "ok", ) - self.assert_subprocess_ok(result) - self.assertEqual("True", result.stdout.strip()) def test_tempfile_candidate_names_use_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_AND_RANDOM_IMPORT_BYTES, + self.assert_initrandom_bytes_used( + self.TEMPFILE_CANDIDATE_NAME_BYTES, "import tempfile; next(tempfile._get_candidate_names()); print('ok')", + "ok", ) - self.assert_initrandom_exhausted(result) - - def test_tempfile_does_not_mutate_random_state(self): - result = self._run_with_init_source( - "fixed:0x1234ABCD", - "import random; before = random.getstate(); " - "import tempfile; next(tempfile._get_candidate_names()); " - "after = random.getstate(); " - "print(before == after)", + + def test_tempfile_after_random_import_uses_initrandom(self): + self.assert_initrandom_bytes_used( + self.TEMPFILE_CANDIDATE_NAME_BYTES, + "import random; import tempfile; next(tempfile._get_candidate_names()); print('ok')", + "ok", ) - self.assert_subprocess_ok(result) - self.assertEqual("True", result.stdout.strip()) - - def test_email_generator_boundary_mutates_random_state(self): - result = self._run_with_init_source( - "fixed:0x1234ABCD", - "import random; before = random.getstate(); " - "from email.generator import Generator; Generator._make_boundary(); " - "after = random.getstate(); " - "print(before == after)", + + def test_email_generator_boundary_does_not_use_additional_initrandom(self): + self.assert_initrandom_bytes_used( + self.RANDOM_MODULE_BYTES, + "import random; from email.generator import Generator; Generator._make_boundary(); print('ok')", + "ok", ) - self.assert_subprocess_ok(result) - self.assertEqual("False", result.stdout.strip()) - def test_imaplib_connect_mutates_random_state(self): - result = self._run_with_init_source( - "fixed:0x1234ABCD", + def test_imaplib_connect_does_not_use_additional_initrandom(self): + self.assert_initrandom_bytes_used( + self.RANDOM_MODULE_BYTES, textwrap.dedent(""" import random import imaplib @@ -221,7 +238,6 @@ def _get_capabilities(self): def shutdown(self): pass - before = random.getstate() d = Dummy.__new__(Dummy) d.debug = imaplib.Debug d.state = 'LOGOUT' @@ -234,74 +250,62 @@ def shutdown(self): d._tls_established = False d._mode_ascii() d._connect() - after = random.getstate() - print(before == after) + print('ok') """), + "ok", ) - self.assert_subprocess_ok(result) - self.assertEqual("False", result.stdout.strip()) def test_pyexpat_import_does_not_use_additional_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.HASH_SECRET_BYTES, "import pyexpat; print(pyexpat.__name__)", + "pyexpat", ) - self.assert_subprocess_ok(result) - self.assertEqual("pyexpat", result.stdout.strip()) def test_pyexpat_parsercreate_does_not_use_additional_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.HASH_SECRET_BYTES, "import pyexpat; p = pyexpat.ParserCreate(); print(type(p).__name__)", + "xmlparser", ) - self.assert_subprocess_ok(result) - self.assertEqual("xmlparser", result.stdout.strip()) def test_sqlite3_import_does_not_use_additional_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.HASH_SECRET_BYTES, "import _sqlite3; print(_sqlite3.__name__)", + "_sqlite3", ) - self.assert_subprocess_ok(result) - self.assertEqual("_sqlite3", result.stdout.strip()) def test_sqlite3_randomblob_does_not_use_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.HASH_SECRET_BYTES, "import sqlite3; " "conn = sqlite3.connect(':memory:'); " "print(conn.execute('select length(randomblob(16))').fetchone()[0])", + "16", ) - self.assert_subprocess_ok(result) - self.assertEqual("16", result.stdout.strip()) def test_ssl_load_cert_chain_does_not_use_initrandom(self): cert = os.path.join(self.SSL_DATA_DIR, "signed_cert.pem") - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.HASH_SECRET_BYTES, f"import ssl; " f"ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); " f"ctx.load_cert_chain(r'{cert}'); " f"print('ok')", + "ok", ) - self.assert_subprocess_ok(result) - self.assertEqual("ok", result.stdout.strip()) - - def test_uuid1_mutates_random_state(self): - result = self._run_with_init_source( - "fixed:0x1234ABCD", - "import random; before = random.getstate(); " - "import uuid; uuid.uuid1(node=1); " - "after = random.getstate(); " - "print(before == after)", + + def test_uuid1_does_not_use_additional_initrandom(self): + self.assert_initrandom_bytes_used( + self.RANDOM_MODULE_BYTES, + "import random; import uuid; uuid.uuid1(node=1); print('ok')", + "ok", ) - self.assert_subprocess_ok(result) - self.assertEqual("False", result.stdout.strip()) def test_uuid4_does_not_use_initrandom(self): - result = self._run_with_init_device( - b"\x00" * self.HASH_SECRET_BYTES, + self.assert_initrandom_bytes_used( + self.HASH_SECRET_BYTES, "import uuid; print(uuid.uuid4().version)", + "4", ) - self.assert_subprocess_ok(result) - self.assertEqual("4", result.stdout.strip()) From 661a6130b10ea9949a92dc90d05e731a73ac7109 Mon Sep 17 00:00:00 2001 From: Tim Felgentreff Date: Fri, 10 Apr 2026 09:57:05 +0200 Subject: [PATCH 7/9] Add changelog entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b83034a325..7371771806 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ language runtime. The main focus is on user-observable behavior of the engine. * Added support for specifying generics on foreign classes, and inheriting from such classes. Especially when using Java classes that support generics, this allows expressing the generic types in Python type annotations as well. * Added a new `java` backend for the `pyexpat` module that uses a Java XML parser instead of the native `expat` library. It can be useful when running without native access or multiple-context scenarios. This backend is the default when embedding and can be switched back to native `expat` by setting `python.PyExpatModuleBackend` option to `native`. Standalone distribution still defaults to native expat backend. * Add a new context option `python.UnicodeCharacterDatabaseNativeFallback` to control whether the ICU database may fall back to the native unicode character database from CPython for features and characters not supported by ICU. This requires native access to be enabled and is disabled by default for embeddings. +* Add an experimental `python.InitializationEntropySource` option to control the entropy source used for initialization-only randomness such as hash secret generation and `random.Random(None)` seeding. This means embeddings and tests can select deterministic or externally provided initialization entropy without affecting cryptographically relevant APIs like `os.urandom()` or `random.SystemRandom()`. * Foreign temporal objects (dates, times, and timezones) are now given a Python class corresponding to their interop traits, i.e., `date`, `time`, `datetime`, or `tzinfo`. This allows any foreign objects with these traits to be used in place of the native Python types and Python methods available on these types work on the foreign types. ## Version 25.0.1 From fa1cfb9eb25be2ac7935175c66fd9f2d6a3d025e Mon Sep 17 00:00:00 2001 From: Tim Felgentreff Date: Fri, 10 Apr 2026 11:40:06 +0200 Subject: [PATCH 8/9] Minor cleanup for more readable code --- .../graal/python/builtins/objects/random/RandomBuiltins.java | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/random/RandomBuiltins.java b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/random/RandomBuiltins.java index 48fab4e7b2..33b12a6040 100644 --- a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/random/RandomBuiltins.java +++ b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/random/RandomBuiltins.java @@ -134,10 +134,7 @@ PNone seedNone(PRandom random, @SuppressWarnings("unused") PNone none) { int[] seed = new int[PRandom.N]; byte[] seedBytes = new byte[seed.length * Integer.BYTES]; getContext().fillInitializationEntropyBytes(seedBytes); - ByteBuffer seedBuffer = ByteBuffer.wrap(seedBytes).order(ByteOrder.BIG_ENDIAN); - for (int i = 0; i < seed.length; i++) { - seed[i] = seedBuffer.getInt(); - } + ByteBuffer.wrap(seedBytes).order(ByteOrder.BIG_ENDIAN).asIntBuffer().get(seed); random.seed(seed); return PNone.NONE; } From 1e5c0f78a0c9de0210ce6b6975ab93607ef4a42f Mon Sep 17 00:00:00 2001 From: Tim Felgentreff Date: Wed, 15 Apr 2026 10:03:44 +0200 Subject: [PATCH 9/9] [GR-74734] Remove unused init random wrapper --- .../graal/python/runtime/PythonContext.java | 35 ------------------- 1 file changed, 35 deletions(-) diff --git a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java index 8bb69da0ac..f7aa6368cd 100644 --- a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java +++ b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/runtime/PythonContext.java @@ -708,7 +708,6 @@ PythonThreadState getThreadState(Node n) { private final IDUtils idUtils = new IDUtils(); @CompilationFinal private SecureRandom secureRandom; - @CompilationFinal private SecureRandom initializationSecureRandom; private InitializationEntropySource initializationEntropySource; // Equivalent of _Py_HashSecret @@ -1465,15 +1464,6 @@ public SecureRandom getSecureRandom() { return secureRandom; } - public SecureRandom getInitRandom() { - assert !env.isPreInitialization(); - if (initializationSecureRandom == null) { - CompilerDirectives.transferToInterpreterAndInvalidate(); - initializationSecureRandom = new InitializationSecureRandom(getInitializationEntropySource()); - } - return initializationSecureRandom; - } - public void fillInitializationEntropyBytes(byte[] bytes) { getInitializationEntropySource().nextBytes(bytes); } @@ -1752,31 +1742,6 @@ private interface InitializationEntropySource { void nextBytes(byte[] bytes); } - private static final class InitializationSecureRandom extends SecureRandom { - private static final long serialVersionUID = 1L; - private final transient InitializationEntropySource source; - - InitializationSecureRandom(InitializationEntropySource source) { - this.source = source; - } - - @Override - public void setSeed(byte[] seed) { - } - - @Override - public void nextBytes(byte[] bytes) { - source.nextBytes(bytes); - } - - @Override - public byte[] generateSeed(int numBytes) { - byte[] seed = new byte[numBytes]; - source.nextBytes(seed); - return seed; - } - } - private static final class DefaultInitializationEntropySource implements InitializationEntropySource { private final SecureRandom secureRandom;