Subject: Re: random()
To: Jun-ichiro itojun Hagino <itojun@itojun.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 09/05/2003 19:14:16
On Sat, Sep 06, 2003 at 07:48:15AM +0900, Jun-ichiro itojun Hagino wrote:
> perry:
> > Then perhaps we should remove random(9) before it causes more trouble,
> > or at least disable building it for now.
> 
> 	if there's no special reason for using random(9), could you please
> 	replace them with arc4random()? (mask it with INT32_MAX if you don't
> 	want the top bit set)
> 
> 	or we could do following in sys/lib/libkern/random.c:
> 
> u_long
> random()
> {
> 	return arc4random() & INT32_MAX;
> }

Unfortunately, this won't work.  The profiling code requires that random()'s
output be uniform on [0, 2^31 - 1].  I'm pretty sure RC4 output does not
have this property.

Thor
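
Added example (not part of the original message or of the NetBSD sources): a small C program that checks, for the replacement quoted above, the two properties this exchange is about, namely that the masked value stays within [0, 2^31 - 1] and that it is spread evenly over that range. It assumes a toy RC4 keystream generator standing in for the kernel's arc4random(), the constructed key "Key" (chosen because its keystream is a published RC4 test vector), and a 16-bucket chi-square test over the top four significant bits; the bucket count, sample count and threshold are the example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy RC4 keystream generator standing in for arc4random(); this is an
 * illustration, not the kernel's code.  RC4 is broken and must not be
 * used for anything new. */
struct rc4 {
    uint8_t S[256];
    uint8_t i, j;
};

static void rc4_init(struct rc4 *st, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++)
        st->S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {            /* key-scheduling algorithm */
        j = (uint8_t)(j + st->S[k] + key[k % keylen]);
        uint8_t t = st->S[k]; st->S[k] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
}

static uint8_t rc4_byte(struct rc4 *st)       /* one PRGA output byte */
{
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->S[st->i]);
    uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
    return st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
}

/* Known-answer check: key "Key" yields keystream EB 9F 77 81 B7 34 CA 72. */
int rc4_known_answer(void)
{
    static const uint8_t expect[] = {0xEB, 0x9F, 0x77, 0x81, 0xB7, 0x34, 0xCA, 0x72};
    struct rc4 st;
    rc4_init(&st, (const uint8_t *)"Key", 3);
    for (size_t k = 0; k < sizeof expect; k++)
        if (rc4_byte(&st) != expect[k])
            return 0;
    return 1;
}

/* Four keystream bytes packed into a word, as arc4random() returns. */
static uint32_t toy_arc4random(struct rc4 *st)
{
    uint32_t w = 0;
    for (int k = 0; k < 4; k++)
        w = (w << 8) | rc4_byte(st);
    return w;
}

/* The replacement under discussion: clear the top bit. */
static unsigned long toy_random(struct rc4 *st)
{
    return toy_arc4random(st) & INT32_MAX;
}

#define NBUCKETS 16

/* Draw n masked samples, bucket them by bits 30..27 (top four of the 31
 * significant bits) and return the chi-square statistic against a uniform
 * expectation.  *in_range is cleared if any sample exceeds INT32_MAX. */
double chi_square_masked(const uint8_t *key, size_t keylen, unsigned n, int *in_range)
{
    struct rc4 st;
    unsigned long counts[NBUCKETS] = {0};
    rc4_init(&st, key, keylen);
    *in_range = 1;
    for (unsigned k = 0; k < n; k++) {
        unsigned long r = toy_random(&st);
        if (r > (unsigned long)INT32_MAX)
            *in_range = 0;
        counts[r >> 27]++;
    }
    double expected = (double)n / NBUCKETS, chi = 0.0;
    for (int b = 0; b < NBUCKETS; b++) {
        double d = (double)counts[b] - expected;
        chi += d * d / expected;
    }
    return chi;
}

/* Convenience wrappers using the constructed key and 65536 samples. */
static const uint8_t DEMO_KEY[] = "Key";
#define DEMO_N (1u << 16)

int demo_in_range(void) { int ok; chi_square_masked(DEMO_KEY, 3, DEMO_N, &ok); return ok; }
double demo_chi(void)   { int ok; return chi_square_masked(DEMO_KEY, 3, DEMO_N, &ok); }

int main(void)
{
    printf("rc4 known answer: %s\n", rc4_known_answer() ? "ok" : "FAIL");
    printf("all samples within [0, 2^31-1]: %s\n", demo_in_range() ? "yes" : "no");
    printf("chi-square over %d buckets (15 degrees of freedom): %.2f\n", NBUCKETS, demo_chi());
    return 0;
}
```

With 16 buckets the statistic has 15 degrees of freedom, so values above about 37.7 would be seen by chance less than one time in a thousand. A coarse test like this can only reject gross non-uniformity; it cannot establish the property, and it says nothing about the other aspects of RC4's output that the thread might have had in mind.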