apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Erenkrantz <jus...@erenkrantz.com>
Subject Re: non-availability of APR_HAS_RANDOM implications on security
Date Fri, 21 Mar 2003 06:47:30 GMT
--On Friday, March 21, 2003 1:52 PM +1100 Stas Bekman <stas@stason.org> wrote:

> However apr-util/crypto/getuuid.c provides a *sort of* random implementation
> where APR_HAS_RANDOM is not available in two functions. in the true_random()
> we have this nice note:
> /* crap. this isn't crypto quality, but it will be Good Enough */

IMHO, UUID's don't need crypto-quality random numbers - therefore, the 
pid/time hacks are good enough just for UUID's but not in the general case.

I'm sure someone will disagree with me though.  -- justin

View raw message