Re: Use arc4random in devel/glib2

Thu, 05 May 2016 05:07:29 -0700 

2016-05-05 3:00 GMT+03:00 Michael McConville <[email protected]>:
> I've had this sitting around for a while.
>
> GLib's g_rand* functions use a simple Mersenne Twister, and the docs
> warn against their use where strong randomness is needed:
>
> https://developer.gnome.org/glib/stable/glib-Random-Numbers.html
>
> g_rand_* are deterministic, while g_random_* are nondeterministic.
>
> Grepping for these functions in ports' source show that many projects
> use them in crypto code. I've talked to the GNOME developers about this,
> and they're considering how to deal with it. I've also reported bugs to
> a handful of projects using these functions dangerously.
>
> In the meantime, I think it's best to patch g_random_int() to call
> arc4random(). The semantics are identical and g_random_int() is the most
> commonly used of these functions, so I think it's a good place to start.
> The others will probably take a little more care.
>
> It doesn't cause test regressions, and the change seems straightforward.
>
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/devel/glib2/Makefile,v
> retrieving revision 1.252
> diff -u -p -u -r1.252 Makefile
> --- Makefile    18 Apr 2016 06:46:30 -0000      1.252
> +++ Makefile    4 May 2016 23:42:20 -0000
> @@ -4,6 +4,7 @@ COMMENT=                general-purpose utility librar
>
>  GNOME_PROJECT=         glib
>  GNOME_VERSION=         2.48.0
> +REVISION=              0
>  PKGNAME=               ${DISTNAME:S/glib/glib2/}
>
>  CATEGORIES=            devel
> Index: patches/patch-glib_grand_c
> ===================================================================
> RCS file: patches/patch-glib_grand_c
> diff -N patches/patch-glib_grand_c
> --- /dev/null   1 Jan 1970 00:00:00 -0000
> +++ patches/patch-glib_grand_c  4 May 2016 23:42:20 -0000
> @@ -0,0 +1,16 @@
> +$OpenBSD$
> +--- glib/grand.c.orig  Mon Feb 29 09:32:44 2016
> ++++ glib/grand.c       Wed May  4 19:31:36 2016
> +@@ -649,11 +649,7 @@ get_global_random (void)
> + guint32
> + g_random_int (void)
> + {
> +-  guint32 result;
> +-  G_LOCK (global_random);
> +-  result = g_rand_int (get_global_random ());
> +-  G_UNLOCK (global_random);
> +-  return result;
> ++  return arc4random ();
> + }
> +
> + /**

Nice work! okay zhuk@ (but my okay could be only complementary to one
of the GNOME maintainers).

--
  WBR,
  Vadim Zhukov

Reply via email to