
coin selection code uses unseeded rand() call #1057

dooglus opened this Issue Apr 7, 2012 · 5 comments

3 participants

dooglus commented Apr 7, 2012

In the code which selects which coins to use, the following appears:

if (nPass == 0 ? rand() % 2 : !vfIncluded[i])

but rand() is never seeded.

Should we use GetRandInt(2) instead to get unpredictable results?

Bitcoin member
laanwj commented Apr 7, 2012

Probably. It is the only place in the source where rand() is used.

dooglus commented Apr 7, 2012

I see it in commented code in main.cpp too:

    //while (rand() % 3 == 0)
    //    mapNext[pindex->pprev].push_back(pindex);

I wonder if perhaps it's deliberate, because the wallet rand() code is in a tight loop and we don't want to exhaust our entropy source.

gmaxwell commented Apr 7, 2012

That loop executes a great many times— a proper cryptographically secure RNG is probably going to be noticeably slow here. If it is, then would anyone object to using a fast PRNG seeded by RandBytes at the start of the function?

In general I don't think there is a big privacy concern here— even knowing the random sequence completely shouldn't matter unless you also know the inputs under consideration.

@laanwj laanwj closed this Apr 9, 2012
@laanwj laanwj reopened this Apr 9, 2012
Bitcoin member
laanwj commented Apr 9, 2012

@gmaxwell also, rand() is not thread-safe according to its man page; using rand_r(*seed) is recommended in that case, as it has explicit state.

If there is no privacy concern here, a simple solution would be using rand_r with the state (just one int) generated at the beginning of the function with GetRandInt().

Bitcoin member
laanwj commented Dec 22, 2013

We don't use rand() anymore but our own insecure_rand() for non-security-critical randomness that does get seeded. Closing this.

@laanwj laanwj closed this Dec 22, 2013
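The following C++ snippet is an added illustration of the two points raised in this thread, not code from Bitcoin Core or from any of the commenters: first, that a never-seeded rand() is fully deterministic (the C standard specifies it behaves as if srand(1) had been called), so the pass-0 coin choice repeats identically on every run; second, the remedy laanwj and gmaxwell converge on, a fast PRNG with explicit, caller-owned state that is seeded once per function call from the CSPRNG rather than once per coin. FastRng, csprng_seed and pass0_include_mask are hypothetical names chosen here; std::random_device stands in for Bitcoin's GetRandInt()/RandBytes, whose signatures the page does not show.

```cpp
// Added example (not Bitcoin's code): unseeded rand() versus a fast PRNG
// with explicit state seeded once per call from a CSPRNG.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <random>
#include <vector>

// The C standard guarantees that rand() without a prior srand() produces the
// same sequence as srand(1), so the "random" coin choice is identical on every
// run. Call this before anything else in the process touches rand()/srand().
bool unseeded_rand_matches_seed_1() {
    int first = std::rand();  // never seeded
    std::srand(1);
    int seeded = std::rand();
    return first == seeded;
}

// Tiny xorshift64 PRNG with explicit state. It is cheap enough for a tight
// loop, and because the caller owns the state it is safe per thread, which
// addresses the rand() thread-safety point raised in the thread.
struct FastRng {
    uint64_t state;
    // xorshift must never sit at state 0, so substitute a fixed non-zero value.
    explicit FastRng(uint64_t seed) : state(seed ? seed : 0x9E3779B97F4A7C15ULL) {}
    uint64_t next() {
        uint64_t x = state;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        state = x;
        return x;
    }
    bool coin_flip() { return (next() & 1) != 0; }
};

// Stand-in for Bitcoin's GetRandInt()/RandBytes (assumption: the page names
// them but does not show them); std::random_device is the CSPRNG here.
uint64_t csprng_seed() {
    std::random_device rd;
    return (static_cast<uint64_t>(rd()) << 32) | rd();
}

// Pass 0 of the selection loop quoted in the issue: include each coin with
// probability 1/2. The PRNG is seeded exactly once per call, so the tight
// loop never drains the CSPRNG, and the same seed reproduces the same mask.
std::vector<bool> pass0_include_mask(std::size_t n_coins, uint64_t seed) {
    FastRng rng(seed);
    std::vector<bool> included(n_coins);
    for (std::size_t i = 0; i < n_coins; ++i) {
        included[i] = rng.coin_flip();
    }
    return included;
}

// Production-style wrapper: draw the per-call seed from the CSPRNG.
std::vector<bool> pass0_include_mask(std::size_t n_coins) {
    return pass0_include_mask(n_coins, csprng_seed());
}

int main() {
    // Deterministic rand() is the bug; a CSPRNG-seeded mask is the fix.
    bool deterministic = unseeded_rand_matches_seed_1();
    std::vector<bool> mask = pass0_include_mask(8);
    return (deterministic && mask.size() == 8) ? 0 : 1;
}
```

The explicit-seed overload exists so the behaviour can be checked reproducibly; the single-argument overload is the one a selection routine would call, since it takes a fresh CSPRNG seed on every invocation.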