apr-dev mailing list archives

From "Garrett Rooney" <roo...@electricjellyfish.net>
Subject Re: UUID generation stomps srand/rand seed
Date Fri, 14 Apr 2006 18:28:07 GMT
On 4/14/06, Greg Hudson <ghudson@mit.edu> wrote:
> While reviewing the "APR-util UUID generator broken" thread, I noticed
> the following code:
>
> -    get_system_time(&time_now);
> +    time_now = apr_time_now();
>      srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff));
>
>      return rand() & 0x0FFFF;
>
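
Review bot: the `srand(...)` context line still reseeds the process-wide libc generator on every call, so replacing `get_system_time()` with `apr_time_now()` leaves the underlying problem in place. Any caller that seeded `rand()` itself loses its sequence, and two calls that see the same `time_now` return the same `rand() & 0x0FFFF`. Suggest dropping the `srand()`/`rand()` pair here and taking the 16 bits from an OS random source, or from generator state private to the library.
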
> Regardless of how time_now is determined, the application may be using
> the srand/rand mechanism itself.  It seems inappropriate for a library
> to stomp on the seed.

Agreed, that does seem somewhat wrong...

> I know there is PRNG code in modern APR; can this code be fixed to use
> it, instead of the (often broken, non-thread-safe, global-state-using)
> libc PRNG?

The PRNG code in APR is incomplete, as far as I know.  I have no clue
what remains to be done with it, not having much clue on the internals
of PRNGs in general, but the impression I got when it was added was
that it wasn't ready for prime time yet, and nothing has changed
since.

> Or we could just pull bits from /dev/urandom or a suitable alternative
> on Windows, if we had an interface to do so.  (For some odd reason,
> APR doesn't provide such an interface, unless it has changed
> recently.)

I would LOVE to see an interface that does such a thing.  Patches to
add such a thing would be more than welcome.

-garrett
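
The seed-stomping problem and the /dev/urandom alternative discussed above, as an added example that is not part of the thread and not APR code: it runs the quoted `srand`/`rand` pattern between two application `rand()` calls, then does the same with a reader that takes the 16 bits from the OS. All function names are hypothetical, the time value is constructed, and a system with /dev/urandom is assumed.

```c
/* Added example, not APR code; all function names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The pattern from the quoted hunk: reseeds the process-wide libc PRNG. */
static int clock_seq_srand(uint64_t time_now)
{
    srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff));
    return rand() & 0x0FFFF;
}

/* Fill buf from /dev/urandom; returns 0 on success, -1 on any failure. */
static int os_random_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    while (len > 0) {
        ssize_t n = read(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;        /* interrupted: retry */
        if (n <= 0) { close(fd); return -1; }         /* error or early EOF */
        buf += n;
        len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* Same 16-bit range as above, libc PRNG state untouched; -1 on failure. */
static int clock_seq_urandom(void)
{
    unsigned char b[2];
    return os_random_bytes(b, sizeof b) ? -1 : ((b[0] << 8) | b[1]);
}

/* 1 if the application's rand() sequence (seed 42) survives a library
 * call made between two of its rand() calls, 0 if it was stomped. */
static int app_sequence_survives(int use_urandom)
{
    int expected;
    srand(42); (void)rand(); expected = rand();   /* undisturbed 2nd value */
    srand(42); (void)rand();
    if (use_urandom) (void)clock_seq_urandom();
    else (void)clock_seq_srand(UINT64_C(1145039287000000)); /* constructed */
    return rand() == expected;
}

int main(void) { printf("srand: %d, urandom: %d\n", app_sequence_survives(0), app_sequence_survives(1)); return 0; }
```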
