Bug 234906 - Improve bash $RANDOM pseudo RNG
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bash
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Pete Graner
QA Contact: Ben Levenson
Blocks: F8Target
Reported: 2007-04-02 19:43 UTC by Tomas Mraz
Modified: 2008-01-11 22:04 UTC (History)

Fixed In Version: 3.2-19.fc7
Doc Type: Enhancement
Last Closed: 2008-01-11 22:04:39 UTC


Attachments
Proposed patch (4.89 KB, patch)
2007-04-05 10:03 UTC, Tomas Mraz
Improved patch (5.69 KB, patch)
2007-08-20 14:48 UTC, Tomas Mraz

Description Tomas Mraz 2007-04-02 19:43:51 UTC
Description of problem:
The bash $RANDOM pseudo RNG is very weak and seeded with just PID and time.

It should at least use glibc's random() implementation which has better
properties. Or some other pseudo RNG with better cryptographic properties. Also
the default seed should be from /dev/urandom or at least using gettimeofday if
/dev/urandom is not available.

If you agree with the above I'll provide a patch.

Comment 1 Steve Grubb 2007-04-02 21:01:34 UTC
All other shells properly seed the random number generator. I tested ksh, tcsh,
and zsh. They all have better random number generators than bash. This patch
should get into RHEL5/4 at some point.

Comment 2 Tomas Mraz 2007-04-05 10:03:22 UTC
Created attachment 151746
Proposed patch

The patch uses glibc random number generator instead of the builtin and adds
support for seeding the rng from /dev/urandom.

Comment 3 Steve Grubb 2007-04-05 13:13:46 UTC
Reviewed patch. Looks OK to me. Assuming this patch looks good to others, we
should clone the bug for RHEL5.1 & RHEL4.6.

Comment 4 Tim Waugh 2007-04-05 13:30:28 UTC
Patch looks good to me.

Comment 5 Tomas Mraz 2007-04-05 14:30:30 UTC
Will you push it upstream, Tim?

Comment 6 Steve Grubb 2007-06-11 12:49:53 UTC
Hi...what's the status on this? rawhide does not appear to have a good random
number generator nor does FC6 or 7. Thanks.

Comment 7 Tim Waugh 2007-06-11 12:56:12 UTC
Haven't had time to look at this yet.  I've marked it as an F8 target.

Comment 8 Pete Graner 2007-08-15 17:50:55 UTC
Patch appears to work, test packages are here:

https://koji.fedoraproject.org/packages/bash/3.2/13.fc8/

Comment 9 Steve Grubb 2007-08-19 12:31:45 UTC
Tomas, I was looking over the patch after seeing AVC's for all kinds of
programs. I think we can improve the patch by doing a lazy init of RANDOM. This
will improve performance since now every shell script has to open /dev/urandom
and read from it, reduce the number of AVC's to the programs that really need
access to /dev/urandom, and help preserve the entropy by not using it when not
needed.

Comment 10 Tomas Mraz 2007-08-20 14:48:09 UTC
Created attachment 161886
Improved patch

This improved patch initializes the bash random number generator only on demand
- that is when you'll ask for $RANDOM.
The patch also fixes another bug in the bash rng code - the rng was not
reinitialized in deeper subshells so this command:
(echo $RANDOM ; (echo $RANDOM ; echo $RANDOM) ; (echo $RANDOM ; echo $RANDOM) ;
(echo $RANDOM ; echo $RANDOM))
returned values like:
A
B
C
B
C
B
C

although they all should be random values instead.
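
Added example, not part of the thread and not the attached patch: a C sketch of the behaviour discussed in comments 9 and 10, using glibc random() seeded from /dev/urandom with a gettimeofday() fallback, seeded only on first use, and reseeded when the PID changes after fork(). All function and variable names are hypothetical.

```c
#define _DEFAULT_SOURCE 1           /* random(), srandom(), gettimeofday() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example with hypothetical names; not the code from the attached patch. */
static pid_t seeded_pid = 0;        /* PID that last seeded; 0 = never seeded */
static unsigned seed_count = 0;     /* number of (re)seeds, for inspection */

/* Seed from /dev/urandom; fall back to gettimeofday() mixed with the PID. */
static unsigned int get_seed(void)
{
    unsigned int seed;
    struct timeval tv;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, &seed, sizeof seed);
        close(fd);
        if (n == (ssize_t)sizeof seed)
            return seed;
    }
    gettimeofday(&tv, NULL);
    return (unsigned)tv.tv_sec ^ ((unsigned)tv.tv_usec << 12) ^ (unsigned)getpid();
}

/* 0..32767 like $RANDOM; seeds lazily, reseeds if the PID changed (fork). */
int shell_random(void)
{
    pid_t me = getpid();
    if (seeded_pid != me) {         /* first use, or we are a forked child */
        srandom(get_seed());
        seeded_pid = me;
        seed_count++;
    }
    return (int)(random() & 0x7fff);
}

int main(void)
{
    printf("parent: %d\n", shell_random());
    fflush(stdout);
    if (fork() == 0)                /* child inherits PRNG state, so it reseeds */
        return printf("child:  %d\n", shell_random()) < 0;
    wait(NULL);
    return 0;
}
```

A process that never calls shell_random() never opens /dev/urandom, which is the point of the lazy initialization requested in comment 9.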

Comment 11 Steve Grubb 2007-08-22 18:59:42 UTC
This patch tests good. We should apply this patch to bash and respin.

Comment 12 Pete Graner 2007-08-22 23:08:20 UTC
I built this on 2007-08-20 12:21:11 but we have not had a rawhide push in a few
days :-( you can find the pkg here until then:

https://koji.fedoraproject.org/packages/bash/3.2/15.fc8/

Putting in MODIFIED; I'll move to CLOSED RAWHIDE once we actually have a new push.

Comment 13 Pete Graner 2007-08-28 20:18:42 UTC
Looks good. Closing.

Comment 14 Fedora Update System 2007-11-29 01:32:45 UTC
bash-3.2-19.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update bash'

Comment 15 Fedora Update System 2008-01-11 22:04:31 UTC
bash-3.2-19.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

