apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: apr_generate_random_bytes() blocks forever
Date Thu, 17 Apr 2003 17:39:18 GMT
At 10:59 AM 4/17/2003, Ben Laurie wrote:
>> 
>> SVN should absolutely NOT grow a UUID generator. Don't even start thinking
>> along those lines. That is squarely in the realm of APR, as it can simply
>> defer to Windows's builtin function for that platform. I think some unix
>> platforms actually have it, but APR just rolls its own according to the
>> spec.
>
>Except Windows UUIDs are evil and should not be used (they allow an
>attacker to collate all UUIDs that belong to the same machine).

You must be thinking of Win95/NT.  See the note in apr/misc/win32/rand.c

    /* Note: this call doesn't actually require CoInitialize() first 
     *
     * XXX: we should scramble the bytes or some such to eliminate the
     * possible misuse/abuse since uuid is based on the NIC address, and
     * is therefore not only a uniqifier, but an identity (which might not
     * be appropriate in all cases.
     *
     * Note that Win2000, XP and later no longer suffer from this problem,
     * a scrambling fix is only needed for (apr_os_level < APR_WIN_2000)
     */

The 'right fix' is probably to fall back on the Unix code for NT and 9x, leaving
the 'Windows' behavior for W2K/XP only.




Mime
View raw message