BUG: glibc-2.5.1-arc4_prng-2.patch breaks strfry

Robert Connolly robert at linuxfromscratch.org
Mon Apr 28 16:42:01 PDT 2008


One problem with substituting strfry() with arc4random() is that with strfry() 
I think the input and output are always the same length. This could be 
causing the crashes. I'll look again at the strfry() routine because I think 
arc4random() can still be used, but I will need test programs/packages to 
verify. I thought strfry() was a cheap substitute for entropy, but it might 
be a little more than that.

robert

On Sunday April 27 2008 08:54:40 pm Robert Connolly wrote:
> The intention was to use high quality randomness wherever possible. Do you
> see any way arc4random() can continue to be used? Do you have a test
> program for strfry() so I can test this?
>
> robert
>
> On Sunday April 27 2008 04:34:25 am mordae at anilinux.org wrote:
> > Hi robert,
> >
> > 	I was reading Glibc patches and found this part:
> >
> >  char *
> >  strfry (char *string)
> >  {
> > ...
> > -  return string;
> > +  return (char)arc4random();
> >  }
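Review bot: at `+  return (char)arc4random();` the function is still declared `char *strfry (char *string)`, yet it now returns a random value truncated to `char` and converted to a pointer, so any caller that treats the result as a string dereferences an arbitrary small address. Keep `-  return string;` as the return statement. If a different random source is wanted, it belongs where the body picks the characters to swap, not in the return value, and the output must stay the same length as the input.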
> >
> > 	If you look into the manual page or read the deleted code, you may get what
> > is wrong. The strfry() function randomizes the contents of string by
> > using rand(3) to randomly swap characters in the string. The result is an
> > anagram of string. Anagram. Swapped characters. Not to mention that given
> > code will return random character instead of string, which will segfault
> > anything using strfry. Accidentally, strfry is such an exotic thing
> > nobody actually uses it.
> >
> > 	So, please, just remove that part of the patch. And do not try to use
> > arc4random to generate randomness for swapping. rand(3) is assumed to
> > return same results with the same seed on, at least, the very same
> > machine.
> >
> > Have a nice day.
> > 	- Mordae
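
A test program of the kind asked for in the thread, as an added example that is not code from the patch, from glibc, or from either poster. It checks the contract discussed above: the shuffle returns the pointer it was given, and the output is an anagram of the input with the same length. The names fry, pick_fn, pick_rand, is_anagram and check_fry are hypothetical, and rand() stands in as the random source behind a hook that another source could replace.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical hook: returns an index in [0, bound), bound >= 1. */
typedef size_t (*pick_fn)(size_t bound);

/* rand()-based stand-in; rejection sampling avoids modulo bias. */
static size_t pick_rand(size_t bound)
{
    unsigned long r, span = (unsigned long)RAND_MAX + 1;
    unsigned long limit = span - span % bound;
    do { r = (unsigned long)rand(); } while (r >= limit);
    return (size_t)(r % bound);
}

/* Fisher-Yates shuffle in place; returns the same pointer it was given. */
char *fry(char *s, pick_fn pick)
{
    for (size_t i = strlen(s); i > 1; i--) {
        size_t j = pick(i);
        char t = s[i - 1]; s[i - 1] = s[j]; s[j] = t;
    }
    return s;
}

/* 1 if a and b have equal length and identical byte counts. */
int is_anagram(const char *a, const char *b)
{
    long counts[256] = {0};
    if (strlen(a) != strlen(b)) return 0;
    for (; *a; a++, b++) {
        counts[(unsigned char)*a]++;
        counts[(unsigned char)*b]--;
    }
    for (int i = 0; i < 256; i++)
        if (counts[i]) return 0;
    return 1;
}

/* Contract check: same pointer back, same length, same bytes. */
int check_fry(const char *input, pick_fn pick)
{
    char buf[128];
    if (strlen(input) >= sizeof buf) return 0;
    strcpy(buf, input);
    return fry(buf, pick) == buf && is_anagram(input, buf);
}

int main(void) { return check_fry("linuxfromscratch", pick_rand) ? 0 : 1; }
```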

