Date: prev next · Thread: first prev next last
2014 Archives by date, by thread · List index


On 02/10/14 17:44, Caolán McNamara wrote:
The latest coverity has taken a dislike to "rand" and we've a big block
of cids, cid#1242372 to cid#1242410 now marked with
static_checker_DC.WEAK_CRYPTO "Don't call".

there were definitely bad implementations of standard C library random
functions; no idea if that is the case on current desktop platforms...
iirc couple years ago users were actually complaining about bad random
numbers in Calc generated from rand() on Windows.

We have our own random pool stuff in sal, is there a drop in replacement
for rand in there somewhere or a common pattern we could follow in
replacing those ?

let's see what we've got:

* direct usage of boost::random for fancy distributions in Calc,
  sc/source/ui/StatisticsDialogs/RandomNumberGeneratorDialog.cxx

* include/comphelper/random.hxx:
  double uniform() function with [0,1) range
  implemented with boost::random / MersenneTwister for speed

* include/rtl/random.h
  rtlRandomPool
  MD5-based PRNG, probably designed for cryptographic purposes,
  although mostly untouched since the 90s and perhaps insufficient
  for crypto today; it doesn't even appear to be seeded with *real*
  entropy... (if there are actual cryptographic uses of this they
  probably should be replaced with something from NSS)

... so i'd guess that the comphelper/random.hxx approach is most
promising for general-purpose random numbers (i.e. not crypto); it even
nicely encapsulates the boost template madness behind a small ABI.

oh, there is also a <random> header in C++11, likely inspired by
boost::random; i wonder if our new baseline toolchains have support for
this... actually GCC 4.5 release notes list it as a new feature, and
MSVC 2012 has it too:

http://msdn.microsoft.com/en-us/library/bb982398%28v=vs.110%29.aspx

... so perhaps <random> is usable for us already.



Context


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.