Update comments in rand_util.h.

Update comments in rand_util.h.

The random number function in rand_util.h always generate secure random
numbers, but the comments didn't mention that. Update the comments to
stipulate that the returned values must be cryptographically secure.

[willchan no longer on Chromium, 2012-06-04 17:45:10]

sleevi: please confirm, and I'll rubberstamp

[Ryan Sleevi, 2012-06-04 17:46:29]

Not a base owner, but a comment:

It's only cryptographically secure in the sandbox iff it's been initialized
outside of the sandbox first. We 'always' do this (heh, now), but it's a point
worth mentioning.

I'm a little nervous though about putting this statement in the API contract, if
only because any cryptographically secure (key, token, passphrase) generation
should be going through crypto/ code, IMO, even if that crypto/ code just calls
into base/.

http://codereview.chromium.org/10525003/diff/2001/base/rand_util.h
File base/rand_util.h (left):

http://codereview.chromium.org/10525003/diff/2001/base/rand_util.h#oldcode29
base/rand_util.h:29: // Returns a random double in range [0, 1). Thread-safe.
I feel like these comments were correct as originally written, in line with
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Functi...

[Sergey Ulanov, 2012-06-04 18:32:03]

On 2012/06/04 17:46:29, Ryan Sleevi wrote:
> Not a base owner, but a comment:
> 
> It's only cryptographically secure in the sandbox iff it's been initialized
> outside of the sandbox first. We 'always' do this (heh, now), but it's a point
> worth mentioning.

The posix implementation just reads from urandom, so if urandom FD is not
initialized properly it would just fail. So the returned value is always secure,
and it CHECKS() otherwise. 

> 
> I'm a little nervous though about putting this statement in the API contract,
if
> only because any cryptographically secure (key, token, passphrase) generation
> should be going through crypto/ code, IMO, even if that crypto/ code just
calls
> into base/.

I agree, that it would be better if we had this code in crypto, but the current
situation is not ideal either. There are already two functions in that file that
are documented to generate cryptographically secure randoms. What often comes up
when using this code is that currently the quality of randoms generated by these
functions I not defined anywhere. There is probably some code that relies on the
result of these function being secure, yet it not documented anywhere, so this
code can be easily broken if these functions are updated in the future (e.g.
reimplemented for a new platform).

We can move it to crypto later, if necessary.

> 
> http://codereview.chromium.org/10525003/diff/2001/base/rand_util.h
> File base/rand_util.h (left):
> 
> http://codereview.chromium.org/10525003/diff/2001/base/rand_util.h#oldcode29
> base/rand_util.h:29: // Returns a random double in range [0, 1). Thread-safe.
> I feel like these comments were correct as originally written, in line with
>
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Functi...

[willchan no longer on Chromium, 2012-06-04 22:51:59]

Thanks for the comments folks. I'd err on the side of caution and implement
rsleevi's suggestion of updating callers to invoke a crypto routine if they need
cryptographic guarantees, and just have them forward to the base implementation
for now.