gh-135244: generate UUID random Node ID with a CSPRNG as per RFC 9562, §6.10.3 (#135226)

This aligns with the recommendations of RFC 9562, Section 6.10, paragraph 3 [1]. [1]: https://www.rfc-editor.org/rfc/rfc9562.html#section-6.10-3. --------- Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
2025-07-07 11:25:30 +00:00 · 2025-06-08 19:46:16 +08:00 · 2025-06-08 19:46:16 +08:00 · 1cb7163872
commit 1cb7163872
parent 4372011928
3 changed files with 16 additions and 6 deletions
--- a/Doc/library/uuid.rst
+++ b/Doc/library/uuid.rst
@ -257,6 +257,10 @@ The :mod:`uuid` module defines the following functions:
   non-specified arguments are substituted for a pseudo-random integer of
   appropriate size.

+   By default, *a*, *b* and *c* are generated by a non-cryptographically
+   secure pseudo-random number generator (CSPRNG). Use :func:`uuid4` when
+   a UUID needs to be used in a security-sensitive context.
+
   .. versionadded:: 3.14


--- a/Lib/uuid.py
+++ b/Lib/uuid.py
@ -656,18 +656,20 @@ def _windll_getnode():

 def _random_getnode():
    """Get a random node ID."""
-    # RFC 4122, $4.1.6 says "For systems with no IEEE address, a randomly or
-    # pseudo-randomly generated value may be used; see Section 4.5.  The
-    # multicast bit must be set in such addresses, in order that they will
-    # never conflict with addresses obtained from network cards."
+    # RFC 9562, §6.10-3 says that
+    #
+    #   Implementations MAY elect to obtain a 48-bit cryptographic-quality
+    #   random number as per Section 6.9 to use as the Node ID. [...] [and]
+    #   implementations MUST set the least significant bit of the first octet
+    #   of the Node ID to 1. This bit is the unicast or multicast bit, which
+    #   will never be set in IEEE 802 addresses obtained from network cards.
    #
    # The "multicast bit" of a MAC address is defined to be "the least
    # significant bit of the first octet".  This works out to be the 41st bit
    # counting from 1 being the least significant bit, or 1<<40.
    #
    # See https://en.wikipedia.org/w/index.php?title=MAC_address&oldid=1128764812#Universal_vs._local_(U/L_bit)
-    import random
-    return random.getrandbits(48) | (1 << 40)
+    return int.from_bytes(os.urandom(6)) | (1 << 40)


 # _OS_GETTERS, when known, are targeted for a specific OS or platform.
--- a/Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst
+++ b/Misc/NEWS.d/next/Library/2025-06-08-10-22-22.gh-issue-135244.Y2SOTJ.rst
@ -0,0 +1,4 @@
+:mod:`uuid`: when the MAC address cannot be determined, the 48-bit node
+ID is now generated with a cryptographically-secure pseudo-random number
+generator (CSPRNG) as per :rfc:`RFC 9562, §6.10.3 <9562#section-6.10-3>`.
+This affects :func:`~uuid.uuid1` and :func:`~uuid.uuid6`.