On 02/10/14 17:44, Caolán McNamara wrote: > The latest coverity has taken a dislike to "rand" and we've a big block > of cids, cid#1242372 to cid#1242410 now marked with > static_checker_DC.WEAK_CRYPTO "Don't call".
there were definitely bad implementations of standard C library random functions; no idea if that is the case on current desktop platforms... iirc couple years ago users were actually complaining about bad random numbers in Calc generated from rand() on Windows. > We have our own random pool stuff in sal, is there a drop in replacement > for rand in there somewhere or a common pattern we could follow in > replacing those ? let's see what we've got: * direct usage of boost::random for fancy distributions in Calc, sc/source/ui/StatisticsDialogs/RandomNumberGeneratorDialog.cxx * include/comphelper/random.hxx: double uniform() function with [0,1) range implemented with boost::random / MersenneTwister for speed * include/rtl/random.h rtlRandomPool MD5-based PRNG, probably designed for cryptographic purposes, although mostly untouched since the 90s and perhaps insufficient for crypto today; it doesn't even appear to be seeded with *real* entropy... (if there are actual cryptographic uses of this they probably should be replaced with something from NSS) ... so i'd guess that the comphelper/random.hxx approach is most promising for general-purpose random numbers (i.e. not crypto); it even nicely encapsulates the boost template madness behind a small ABI. oh, there is also a <random> header in C++11, likely inspired by boost::random; i wonder if our new baseline toolchains have support for this... actually GCC 4.5 release notes list it as a new feature, and MSVC 2012 has it too: http://msdn.microsoft.com/en-us/library/bb982398%28v=vs.110%29.aspx ... so perhaps <random> is usable for us already. _______________________________________________ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice
