mull has asked for the wisdom of the Perl Monks concerning the following question:

My security guy asked me a question about where my randomness came from. ( I assume he means random numbers in my scripts, not my general randomness ).

My platform does have /dev/urandom and I would hope that this would be the seed for perl's rand PRNG.

From reading perldoc -f srand I have:

uses a semi-random value supplied by the kernel (if it supports the /dev/urandom device) or based on the current time and process ID, among other things.

So now I know that I could possibly be using /dev/urandom. How can I tell if I am actually using it?

Replies are listed 'Best First'.
Re: What is the truth about srand()?
by merlyn (Sage) on Mar 29, 2006 at 15:45 UTC
    The wonderful thing about Perl is that we have the source code. So you can answer this question in the privacy of your own cubicle. First, let's find /dev/urandom: 
    $ grep /dev/urandom **/*.c
util.c:4550:#  define PERL_RANDOM_DEVICE "/dev/urandom"

    [download]
    OK, now we look in there, and we see that it just tries opening it if it can: 
    /* This test is an escape hatch, this symbol isn't set by Configure. *
+/
#ifndef PERL_NO_DEV_RANDOM
#ifndef PERL_RANDOM_DEVICE
   /* /dev/random isn't used by default because reads from it will blo
+ck
    * if there isn't enough entropy available.  You can compile with
    * PERL_RANDOM_DEVICE to it if you'd prefer Perl to block until the
+re
    * is enough real entropy to fill the seed. */
#  define PERL_RANDOM_DEVICE "/dev/urandom"
#endif
    fd = PerlLIO_open(PERL_RANDOM_DEVICE, 0);
    if (fd != -1) {
        if (PerlLIO_read(fd, (void*)&u, sizeof u) != sizeof u)
        u = 0;
    PerlLIO_close(fd);
    if (u)
        return u;
    }
#endif

    [download]
    So there's your answer. You can't know. It's not a configure constant. It just tries it, and if it fails, it doesn't use it.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

[reply]
[d/l]
[select]
Re: What is the truth about srand()?
by doc_faustroll (Scribe) on Mar 29, 2006 at 15:46 UTC
    call srand when you want a seed which is not /dev/urandom.
    What exactly are you using this for? if crypto, put care and thought into it.

    from my docs on srand:

    Note that you need something much more random than the default seed for cryptographic purposes. Checksumming the compressed output of one or more rapidly changing operating system status programs is the usual method. For example: srand (time ^ $$ ^ unpack "%L*", ‘ps axww │ gzip‘); If you’re particularly concerned with this, see the "Math::Tru lyRandom" module in CPAN.

    also, what is your version of Perl? I can't speak for your version but here is a relevant passage from mine. v5.8.5

    Most programs won’t even call srand() at all, except those that need a cryptographically-strong starting point rather than the generally acceptable default, which is based on time of day, process ID, and memory allocation, or the /dev/urandom device, if available.

[reply]
[reply]
        My knowledge is creaky and old, and my typing is worse! So, I'm glad someone is awake with a sense of humor around here. I need good slap down.

        How about this: calling srand without an expression causes it to use a default which my be /dev/urandom in a best case.

        But you usually don't want to explicitly call srand unless you are going to supply your own seed EXPR. let rand do it for you!

        update: I'm going to crawl back into my cubicle like bed and come back when I can actually read your question and respond more thoughtfully. You are obviously using rand and were just wondering what the seed was. on *nix, it will most likely be /dev/urandom. But if a security guy is asking and you need crypto level randomness then my over obvious post might have some mete of merit.

[reply]

Back to Seekers of Perl Wisdom