apr-dev mailing list archives

From Greg Hudson <ghud...@MIT.EDU>
Subject UUID generation stomps srand/rand seed
Date Fri, 14 Apr 2006 15:39:32 GMT

While reviewing the "APR-util UUID generator broken" thread, I noticed
the following code:

-    get_system_time(&time_now);
+    time_now = apr_time_now();
     srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff));

     return rand() & 0x0FFFF;
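
Review bot: the srand() call left as context directly under the changed line still reseeds the process-wide libc PRNG on every call, so any srand()/rand() sequence the calling application has set up is overwritten, and replacing get_system_time() with apr_time_now() does not change that. The seed is also derived only from the current time, so the 16 bits returned by "rand() & 0x0FFFF" are predictable to anyone who can estimate when the call ran. Suggest taking these bits from a generator with private state or from OS randomness and dropping the srand() call, or at least documenting the side effect for callers.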

Regardless of how time_now is determined, the application may be using
the srand/rand mechanism itself.  It seems inappropriate for a library
to stomp on the seed.

I know there is PRNG code in modern APR; can this code be fixed to use
it, instead of the (often broken, non-thread-safe, global-state-using)
libc PRNG?

Or we could just pull bits from /dev/urandom or a suitable alternative
on Windows, if we had an interface to do so.  (For some odd reason,
APR doesn't provide such an interface, unless it has changed

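Added example, not part of the original message and not APR code: a small C program that shows the side effect the message describes and the /dev/urandom alternative it mentions. The function names, the seed 12345 and the clock substitute are hypothetical, and a system providing /dev/urandom is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical stand-in for the quoted library code: reseeds the
 * process-wide libc PRNG from the clock (microseconds, an assumed
 * substitute for apr_time_now()), then draws 16 bits from it. */
static int lib_bits_stomping(void)
{
    unsigned long long time_now = (unsigned long long)time(NULL) * 1000000ULL;
    srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff));
    return rand() & 0x0FFFF;
}

/* Alternative raised in the message: take 16 bits from /dev/urandom,
 * leaving libc's global PRNG state alone. Returns -1 on failure. */
static int lib_bits_urandom(void)
{
    unsigned char buf[2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return n == sizeof buf ? (buf[0] << 8) | buf[1] : -1;
}

/* Application view: seed once (constructed seed 12345) and expect a
 * reproducible stream. Returns 1 if a library call made between draws
 * leaves that stream unchanged, 0 if the library disturbed it. */
static int app_stream_intact(int (*lib_call)(void))
{
    int expected[4], i, same;
    srand(12345);
    for (i = 0; i < 4; i++)
        expected[i] = rand();
    srand(12345);
    same = (rand() == expected[0]);
    (void)lib_call();               /* library runs mid-stream */
    for (i = 1; i < 4; i++)
        same &= (rand() == expected[i]);
    return same;
}

int main(void)
{
    printf("srand-based:   intact=%d\n", app_stream_intact(lib_bits_stomping));
    printf("urandom-based: intact=%d\n", app_stream_intact(lib_bits_urandom));
    return 0;
}
```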