apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Erenkrantz <jerenkra...@ebuilt.com>
Subject Re: [PATCH] Add EGD-compatible random support
Date Sat, 05 Jan 2002 02:59:06 GMT
On Fri, Jan 04, 2002 at 09:35:48PM -0500, Jeff Trawick wrote:
> Justin Erenkrantz <jerenkrantz@ebuilt.com> writes:
> 
> > This patch adds EGD-gathering support to apr_generate_random_bytes.
> 
> My hero! (though I might disagree on the socket details :) )

I think it makes some good sense to eat our own dog food with
this EGD code.  We could use straight Unix calls (and indeed that
is the only platform where EGD can really be used).  But, I think
it might be beneficial to add the AF_UNIX sockets (Sander searched
his Win32 box and he saw AF_UNIX #defined in the headers). 
(I'll reply to your comments about the domain sockets in a sec...)

> > Ideally, I'd like to add an apr_generate_random_bytes_setup function
> > that takes in a path name that will configure the random device 
> 
> Do you mean something that could be a shell script to ensure that the
> EGD is running?

We could do that.  But, I expect that this would be the problem
of the APR-using program (such as httpd or flood).  I'd really
like to have them be able to specify where the EGD or 
prngd_commands file are.  So:

apr_generate_random_bytes_setup(char * path)
  - With /dev/[u]random platforms, this is a no-op.
  - With EGD, it allows configuration to where the EGD socket lives.
  - With an internal PRNGD (ala OpenSSH), this is the config file.

And, in httpd.conf, something like:

EGDSocket /tmp/egd-entropy

Remember that the reason I want an internal PRNGD is so that we don't
have to bother the user with making sure that EGD/PRNGd is running.
I had to fight mutt last night to get it to recognize my PRNGd
location.  It just reinforces my belief that this is something that
should be hidden from the user if at all possible.

While PRNGd works okay, I could not recommend it for general use.
Its build system and install is just too confusing to the point
where I believe it'd cause lots of install/configuration problems 
if we offered only this approach on non-/dev/random platforms.  And,
PRNGd's config file is identical to OpenSSH's and if I do an internal
entropy gatherer, it'd use the same config file - so the configs will 
be identical for all three programs...sort of nice...

> > P.S. It'd be nice if apr_generate_random_bytes took in a pool...
> 
> silly APR sockets ;)

=)

> maybe this truerand support should be junked (but that issue can wait
> for another day)

I agree, but I'd rather not take it out just now if someone is
using it.  Is anyone using it?  -- justin


Mime
View raw message