Standard random number generators (using shuffle ) should not be used to generate randomness

Cinder devs: could you comment on how much those "random" numbers are used in a security context ? We need to determine is this would be a welcome strengthening (no advisory published) or an exploitable vulnerability (advisory published).

This is used by some drivers to generate a CHAP secret, the base driver as well as IBM/Storwize and HP/Lefthand. I'm not sure I agree that his is a security concern at all.

While in general rand and shuffle should not be used for setting secure passwords, the algorithm here does a number of things in addition to rand and shuffle by then also filling in random symbols. Regardless, given that this is for a CHAP setting only I think that this can be improved without a security advisory or notification.

I second John's sentiment. I think it would be good to strengthen security here but an advisory is not necessary.

I've removed the advisory task, switched the bug from public security (indicating some sort of actual vulnerability) to public, and added the "security" tag to indicate it's a potential strengthening opportunity.

Fix proposed to branch: master
Review: https://review.openstack.org/105779

Reviewed: https://review.openstack.org/105779
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=063e515e780c241ddac755b0b9a2414316d983f5
Submitter: Jenkins
Branch: master

commit 063e515e780c241ddac755b0b9a2414316d983f5
Author: Ivan Kolodyazhny <email address hidden>
Date: Wed Jul 9 19:08:18 2014 +0300

    Use PyCrypto to generate randomness passwords

    Standard random generator is not secure enouph. Use PyCrypto instead.
    Updated requirements.txt with pycrypto>=2.6 according to
    global-requirements

    Change-Id: I38fd47a30893a946de30fad95c57759781312be6
    Closes: bug #1319639