apr-dev mailing list archives

From Greg Hudson <ghud...@MIT.EDU>
Subject UUID generation stomps srand/rand seed
Date Fri, 14 Apr 2006 15:39:32 GMT
While reviewing the "APR-util UUID generator broken" thread, I noticed
the following code:

-    get_system_time(&time_now);
+    time_now = apr_time_now();
     srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff));

     return rand() & 0x0FFFF;
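
Review bot: the `srand(...)` call kept as context in this hunk is the line that needs attention, and replacing `get_system_time(&time_now)` with `apr_time_now()` leaves it in place. Every call reseeds the process-wide libc generator from the clock, so the value returned by `rand() & 0x0FFFF` is determined by the timestamp alone, and any `rand()` sequence the calling application had seeded is reset as a side effect. Suggest dropping `srand`/`rand` here and drawing the 16 bits from a generator whose state is private to the library, or at minimum documenting the side effect for callers.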

Regardless of how time_now is determined, the application may be using
the srand/rand mechanism itself.  It seems inappropriate for a library
to stomp on the seed.

I know there is PRNG code in modern APR; can this code be fixed to use
it, instead of the (often broken, non-thread-safe, global-state-using)
libc PRNG?

Or we could just pull bits from /dev/urandom or a suitable alternative
on Windows, if we had an interface to do so.  (For some odd reason,
APR doesn't provide such an interface, unless it has changed
recently.)
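
The seed clobbering described in the message, as an added C example that is not part of the original post or of APR's code: an application seeds `rand()`, a library helper written like the quoted lines reseeds it mid-sequence, and a helper that reads `/dev/urandom` does not. `node_bits_srand`, `node_bits_urandom`, `app_sequence_changed`, `APP_SEED` and `SAMPLE_TIME` are hypothetical names with constructed values, and a POSIX-like system providing `/dev/urandom` is assumed.

```c
#include <stdio.h>
#include <stdlib.h>

#define APP_SEED    42u                  /* constructed application seed */
#define SAMPLE_TIME 1145029172000000ULL  /* constructed microsecond timestamp */

/* Pattern from the quoted code: reseed libc's global PRNG from the time,
 * then return 16 bits of rand(). */
static unsigned int node_bits_srand(unsigned long long time_now)
{
    srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff));
    return rand() & 0x0FFFF;
}

/* Alternative: 16 bits from the kernel; libc's PRNG state is untouched.
 * Returns -1 if the device cannot be read. */
static long node_bits_urandom(void)
{
    unsigned char buf[2];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n;
    if (f == NULL) return -1;
    n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return n == sizeof buf ? (long)((buf[0] << 8) | buf[1]) : -1;
}

/* Seed as an application would, draw four values as a reference, then replay
 * with a library call after the first draw. Returns how many draws differ. */
static int app_sequence_changed(int use_srand)
{
    int expect[4], got[4], i, changed = 0;
    srand(APP_SEED);
    for (i = 0; i < 4; i++) expect[i] = rand();
    srand(APP_SEED);
    got[0] = rand();
    if (use_srand) (void)node_bits_srand(SAMPLE_TIME);
    else (void)node_bits_urandom();
    for (i = 1; i < 4; i++) got[i] = rand();
    for (i = 0; i < 4; i++) changed += (got[i] != expect[i]);
    return changed;
}

int main(void)
{
    printf("srand-based helper changed %d of 4 draws\n", app_sequence_changed(1));
    printf("urandom-based helper changed %d of 4 draws\n", app_sequence_changed(0));
    printf("same timestamp, same value: %d\n",
           node_bits_srand(SAMPLE_TIME) == node_bits_srand(SAMPLE_TIME));
    return 0;
}
```

The last line of output also shows that the time-seeded helper returns the same 16 bits whenever it is given the same timestamp.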
