Bug #34693 for Math-TrulyRandom: Hangs Forever

Sat Apr 05 01:59:34 2008 imacat [...] cpan.org - Ticket created

Subject:

Hangs Forever

Dear Gary Howland, Hi. This is imacat from Taiwan. I found that your Math-TrulyRandom-1.0 hangs forever with my Perl 5.8.8 and Perl 5.10.0 on my Linux 2.6. It hangs at "make test", but the CPU usage is 100%. I tried to investigate further, but do not see anything special. It just hangs when calling the first truly_random_value(). Besides that, I have no clue. I attached the sample terminal log below. Please tell me if you have any question, or if I could be of any help. Thank you. imacat@rinse tmp/Math-TrulyRandom-1.0 % perl -v This is perl, v5.8.8 built for x86_64-linux-thread-multi-ld Copyright 1987-2006, Larry Wall Perl may be copied only under the terms of either the Artistic License or the GNU General Public License, which may be found in the Perl 5 source kit. Complete documentation for Perl, including FAQ lists, should be found on this system using "man perl" or "perldoc perl". If you have access to the Internet, point your browser at http://www.perl.org/, the Perl Home Page. imacat@rinse tmp/Math-TrulyRandom-1.0 % perl Makefile.PL Checking if your kit is complete... Looks good Writing Makefile for Math::TrulyRandom imacat@rinse tmp/Math-TrulyRandom-1.0 % make cp TrulyRandom.pod blib/lib/Math/TrulyRandom.pod cp TrulyRandom.pm blib/lib/Math/TrulyRandom.pm Please specify prototyping behavior for TrulyRandom.xs (see perlxs manual) maRunning Mkbootstrap for Math::TrulyRandom () Manifying blib/man3/Math::TrulyRandom.3 imacat@rinse tmp/Math-TrulyRandom-1.0 % make test 1 make: *** [test_dynamic] Interrupt imacat@rinse tmp/Math-TrulyRandom-1.0 %

Sat Apr 05 05:02:36 2008 nospam-abuse [...] bloodgate.com - Correspondence added

Subject:	Re: [rt.cpan.org #34693] Hangs Forever
Date:	Sat, 5 Apr 2008 10:40:55 +0200
To:	bug-Math-TrulyRandom [...] rt.cpan.org
From:	Tels <nospam-abuse [...] bloodgate.com>

Hello, On Saturday 05 April 2008 07:59:39 Yi Ma Mao via RT wrote: Show quoted text

> Sat Apr 05 01:59:34 2008: Request 34693 was acted upon. > Transaction: Ticket created by IMACAT > Queue: Math-TrulyRandom > Subject: Hangs Forever > Broken in: 1.0 > Severity: Critical > Owner: Nobody > Requestors: imacat@mail.imacat.idv.tw > Status: new > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=34693 > > > > Dear Gary Howland,

I am Tels, and I inherited a few modules from Gary Howland, who sadly passed away in 2003. Show quoted text

> Hi. This is imacat from Taiwan. I found that your > Math-TrulyRandom-1.0 hangs forever with my Perl 5.8.8 and Perl 5.10.0 > on my Linux 2.6. It hangs at "make test", but the CPU usage is 100%. > I tried to investigate further, but do not see anything special. It > just hangs when calling the first truly_random_value(). Besides > that, I have no clue. > > I attached the sample terminal log below. Please tell me if you > have any question, or if I could be of any help. Thank you.

Thank you for the report! However, nobody has maintained this module sind 1996, so I think the code might be just broken :( It might be that it hangs on your system because it is 64bit. Just tried it here with Perl v5.8.8 and it hangs, too, using one code to 100%. I cannot promise I have time to look into it, tho. Sorry. All the best, Tels -- Signed on Sat Apr 5 10:40:50 2008 with key 0x93B84C15. View my photo gallery: http://bloodgate.com/photos PGP key on http://bloodgate.com/tels.asc or per email. "Q: What do you get when you cross an insomniac, an agnostic, and a dyslexic? A: Someone who stays up all night wondering if there is a Dog." -- Groucho Marx

Download (untitled)
application/pgp-signature 481b

Message body not shown because it is not plain text.

Sat Apr 05 05:03:23 2008 The RT System itself - Status changed from 'new' to 'open'

Sat Apr 05 05:12:29 2008 nospam-abuse [...] bloodgate.com - Correspondence added

Subject:	Re: [rt.cpan.org #34693] Hangs Forever
Date:	Sat, 5 Apr 2008 11:08:14 +0200
To:	bug-Math-TrulyRandom [...] rt.cpan.org
From:	Tels <nospam-abuse [...] bloodgate.com>

On Saturday 05 April 2008 11:03:25 nospam-abuse@bloodgate.com via RT wrote: Show quoted text

> > I attached the sample terminal log below. Please tell me if > > you have any question, or if I could be of any help. Thank you.

> > Thank you for the report! However, nobody has maintained this module > sind 1996, so I think the code might be just broken :( > > It might be that it hangs on your system because it is 64bit. Just > tried it here with Perl v5.8.8 and it hangs, too, using one code to > 100%.

Sorry, I meant "one core". Having a look at the code, well, it is outright scary, and I am not even convinced it would actually generate really random numbers. I am inclined to just delete that module and replace it with something that can read "/dev/random" or "/dev/urandom". But I am not sure I have the permissions to delete that module from CPAN. All the best, Tels -- Signed on Sat Apr 5 11:06:51 2008 with key 0x93B84C15. View my photo gallery: http://bloodgate.com/photos PGP key on http://bloodgate.com/tels.asc or per email. "The UAC is making safer worlds through superior firepower."

Download (untitled)
application/pgp-signature 481b

Message body not shown because it is not plain text.

Sat Apr 05 10:46:08 2008 imacat [...] cpan.org - Correspondence added

On 2008-04-05 05:12:29 Sat, nospam-abuse@bloodgate.com wrote: Show quoted text

> On Saturday 05 April 2008 11:03:25 nospam-abuse@bloodgate.com via RT > wrote:

> > > I attached the sample terminal log below. Please tell me if > > > you have any question, or if I could be of any help. Thank you.

> > Thank you for the report! However, nobody has maintained this module > > sind 1996, so I think the code might be just broken :( > > It might be that it hangs on your system because it is 64bit. Just > > tried it here with Perl v5.8.8 and it hangs, too, using one code to > > 100%.

> Sorry, I meant "one core". Having a look at the code, well, it is > outright scary, and I am not even convinced it would actually generate > really random numbers. I am inclined to just delete that module and > replace it with something that can read "/dev/random" > or "/dev/urandom".

I see. It makes sense that /dev/random or /dev/urandom are not working poorly at 1996. But I believe /dev/random and /dev/urandom are really good now, at least on modern Linux, and the Perl built-in rand() is reading it nicely. I remember the time when rand() returns random numbers according to a fixed random number table, and that the script gets a same random number each time it runs. If that is the only reason to have Math::TrulyRandom, I suppose it is not needed anymore, and you do not really need to write a new version. Show quoted text

> But I am not sure I have the permissions to delete that module from > CPAN.

As long as you still have your password (I suppose your user name is "gary", you can delete them at: https://pause.perl.org/pause/authenquery?ACTION=delete_files Deletion of outdated distributions is encouraged by CPAN. This saves the burden of the worm-hearted mirror administrators.

Sat Apr 05 11:11:34 2008 nospam-abuse [...] bloodgate.com - Correspondence added

Subject:	Re: [rt.cpan.org #34693] Hangs Forever
Date:	Sat, 5 Apr 2008 17:10:37 +0200
To:	bug-Math-TrulyRandom [...] rt.cpan.org
From:	Tels <nospam-abuse [...] bloodgate.com>

Moin, On Saturday 05 April 2008 16:46:14 Yi Ma Mao via RT wrote: Show quoted text

> Queue: Math-TrulyRandom > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=34693 > > > On 2008-04-05 05:12:29 Sat, nospam-abuse@bloodgate.com wrote:

> > On Saturday 05 April 2008 11:03:25 nospam-abuse@bloodgate.com via > > RT > > > > wrote:

> > > > I attached the sample terminal log below. Please tell me > > > > if you have any question, or if I could be of any help. Thank > > > > you.

> > > > > > Thank you for the report! However, nobody has maintained this > > > module sind 1996, so I think the code might be just broken :( > > > It might be that it hangs on your system because it is 64bit. > > > Just tried it here with Perl v5.8.8 and it hangs, too, using one > > > code to 100%.

> > > > Sorry, I meant "one core". Having a look at the code, well, it is > > outright scary, and I am not even convinced it would actually > > generate really random numbers. I am inclined to just delete that > > module and replace it with something that can read "/dev/random" > > or "/dev/urandom".

> > I see. It makes sense that /dev/random or /dev/urandom are not > working poorly at 1996. But I believe /dev/random and /dev/urandom > are really good now, at least on modern Linux, and the Perl built-in > rand() is reading it nicely. I remember the time when rand() returns > random numbers according to a fixed random number table, and that the > script gets a same random number each time it runs. If that is the > only reason to have Math::TrulyRandom, I suppose it is not needed > anymore, and you do not really need to write a new version.

Yeah, looking at the code, it would probably not be secure e.g. MathTrulyRandom would produce numbers that are much worse that what you get from /dev/random nowadays. Show quoted text

> > But I am not sure I have the permissions to delete that module from > > CPAN.

> > As long as you still have your password (I suppose your user name > is "gary", you can delete them at: > > https://pause.perl.org/pause/authenquery?ACTION=delete_files > > Deletion of outdated distributions is encouraged by CPAN. This > saves the burden of the worm-hearted mirror administrators.

The problem is, I am _NOT_ gary :) My CPAN ID is tels, and I do not have access to his CPAN directory. And since Gary is dead, he neither has access ;) All the best, Tels -- Signed on Sat Apr 5 17:08:45 2008 with key 0x93B84C15. Get one of my photo posters: http://bloodgate.com/posters PGP key on http://bloodgate.com/tels.asc or per email. "To get something done, a committee should consist of no more than three persons, two of them absent." -- Unknown

Download (untitled)
application/pgp-signature 481b

Message body not shown because it is not plain text.

Sun Jan 13 03:35:27 2013 DANAJ [...] cpan.org - Correspondence added

I assume we could get the PAUSE admins to fix the access issues if it was warranted. Given the current situation where the one and only function hangs on most UNIX systems, I'd think it is. I do know that I'm posting on an RT that has been idle for 5 years... I'm attaching a Pure Perl version of the module, 2/3rds of which is documentation. It (should) implement the same functionality as the C code, and reduces the module to a single .pm file. It works on most UNIX systems and on Cygwin, but not on Win32 (no ualarm). (1) This implements the same version 1 of TrueRand that the original has. This version is obsolete, and version 2.1 (the newest I've seen) indicates that the raw output should not be used as it doesn't contain enough entropy. It also changes the mixing to a hash (SHA-1 I believe) and adds a second hash of two raw results to generate an output value. (2) The underlying concept isn't so bad on most systems, but /dev/random is so much better in basically every area that it almost never makes sense to use it if /dev/random or /dev/urandom is available. (3) I wrote another module (Crypt::Random::TESHA2) that does similar "userspace voodoo entropy" calculations. It works on Win32 as well as other platforms and is much faster. It uses SHA-256 and SHA-512 and feeds the raw output to a simple entropy pool. It shares most of the same underlying flaws when compared to /dev/random however. (4) There are plenty of modules that make it easy to get randomness, including Bytes::Random::Secure, Math::Random::Secure, Crypt::Random, Crypt::URandom, Math::Random::Source, and Crypt::Random::Seed to name a few. These are what most people should be pointed to, and let those modules use this one as a source if they want. All that said, I think deleting the module and all the references to it in CORE documentation (srand) and sending notes to the module authors that reference it is reasonable. Especially as the module name itself is misleading (it made sense in 1996). Another possibility is getting a name change to something like Crypt::Random::TrueRand (or Math::Random::TrueRand), especially with an update to the latest version of that algorithm. Lastly, if we don't like any of those options, patching it would be nice for either (1) the Pure Perl version 1 I've attached, (2) a Pure Perl version 2.1 using Digest::SHA and sha1, or (3) replace the C code with the latest TrueRand version 2.1 code. I can any of these if we want.

Subject:

TrulyRandom.pm

use strict; use warnings; use Time::HiRes qw/ualarm/; our $VERSION = '2.00'; use Exporter qw(import); our @EXPORT_OK = qw( truly_random_value random_byte ); our %EXPORT_TAGS = (all => [ @EXPORT_OK ]); # export everything by default our @EXPORT = qw( truly_random_value ); my $count = 0; my $ocount = 0; my $buffer = 0; sub _roulette { eval { local $SIG{ALRM} = sub { die "alarm\n" }; # DJ: Same constant and incrementing integer as in the original C code. ualarm(16665); $count++ while 1; alarm 0; }; die "alarm failed\n" unless $@; die unless $@ eq "alarm\n"; # Same mixing function as used in the original C code. # Modern systems would use a cryptographic hash for this. $count = $count ^ ($count >> 3) ^ ($count >> 6) ^ $ocount; $count &= 0x7; $ocount = $count; $buffer = ($buffer << 3) ^ $count; return ($buffer & 0xFFFFFFFF); } sub truly_random_value { $count = 0; _roulette(); _roulette(); _roulette(); _roulette(); _roulette(); _roulette(); _roulette(); _roulette(); _roulette(); _roulette(); _roulette(); } sub random_byte { $count = 0; _roulette(); _roulette(); chr(_roulette() & 0xFF); } 1; =head1 NAME TrulyRandom - Generate non-pseudo random numbers in pure Perl =head1 SYNOPSIS use Math::TrulyRandom; $random = truly_random_value(); =head1 DESCRIPTION The B<TrulyRandom> module provides an ability to generate non-pseudo random 32-bit numbers from within Perl programs. The source of the randomness is from interrupt timing discrepancies. =head1 EXAMPLE $random = truly_random_value(); =head1 BUGS This code uses only CORE Perl code, but needs Time::HiRes::ualarm which is not supported on Win32. The name is a bit misleading, as this technique generates decent entropy only on select platforms. My understanding is that one of the primary authors, Matt Blaze, now believes this to be an obsolete method, and O/S sources such as /dev/random are the proper solution. This implementation is based on version 1 of TrueRand, which had numerous issues and was superseded by TrueRand 2.1. The expected entropy for each 32-bit value of this code is approximately 8-16 bits, and the mixing method leaves much to be desired. The newer version uses cryptographic hashes for mixing, as well as mixing the result of multiple raw calls to create one result. The documentation specifically warns to not use the raw call (hence this earlier version does exactly what the author now indicates not to do). More sophisticated systems like L<HAVEGE|http://www.issihosts.com/haveged/> and L<EGD|http://egd.sourceforge.net/> generate randomness with more sources and run much faster. These are meant to feed entropy pools, which are in turn managed and doled out via /dev/random. This module is userspace "I<voodoo entropy>" and really shouldn't be used. The random numbers take a long time (in computer terms) to generate, so are only really useful for seeding pseudo random sequence generators. =head1 SEE ALSO =head2 L<Crypt::Random::TESHA2> is another module that generates non-pseudo random data from timer/scheduler variations. It works on more platforms and runs much faster while using less CPU. It uses SHA-256 and SHA-512 for mixing, as well as pushing all generated randomness through an entropy pool. =head2 L<Crypt::Random::Seed> is a simple module that finds the best strong random source available and uses it to return random data. =head2 L<Math::Random::Source> is a very flexible and oft-used module that finds available entropy sources and presents a unified interface for getting random data from them. =head2 L<Crypt::URandom> is a simple module that gets the best non-blocking random source available and uses it to return random data. =head2 L<Bytes::Random::Secure> is a straightforward module that (1) finds a good source of strong randomness, and (2) uses it to seed L<Math::Random::ISAAC> (a cryptographically secure pseudo-random number generator). This is a very good combination for most purposes. It provides a nice API. =head2 L<Math::Random::Secure> is similar to L<Bytes::Random::Secure>, but offers a different set of features. =head2 L<Crypt::Random> offers an interface to random values in arbitrary bigint ranges, using the best source of randomness it finds -- typically /dev/random. It uses the L<Math::Pari> module which creates portability issues, and its use of /dev/random for all activities means it blocks on many operations, making it unsuitable for embedded systems unless they have an entropy daemon running. =head1 COPYRIGHT This implementation derives from the truly random number generator function developed by Matt Blaze and Don Mitchell, and is copyright of AT&T. Other parts of this perl extension are copyright of Systemics Ltd (L<http://www.systemics.com/>). The rewrite in pure Perl is Copyright (c) 2013, Dana Jacobsen.