apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lucian Adrian Grijincu" <lucian.griji...@gmail.com>
Subject Re: PR #44881
Date Thu, 01 May 2008 23:56:49 GMT
On Fri, May 2, 2008 at 2:05 AM, William A. Rowe, Jr.
<wrowe@rowe-clan.net> wrote:
>
>  As it turns out only UUID code is affected (on platforms which have no
>  native uuid generation function).  Note that predicting the next UUID is
>  a serious flaw when they are used as session identifiers, etc, and that the
>  native implementations all switched to strong crypto once this potential
>  flaw was identified.
>
>  So no, I would not change the manner that UUID's are generated to urandom.
>  generate_random_bytes is defined to provide the greatest entropy we can
>  obtain.  It is not, after all, generate_psuedorandom_bytes.

1. Some function in APR's uuid generator falls back to rand(3) if
apr_generate_random_bytes returns an error. ...
2. E2fsprogs on which other major open source UUID generators are
supposed to be based on (at least according to
http://en.wikipedia.org/wiki/UUID) tries to open /dev/urandom first
and /dev/random second. I don't know if posting the code snniplet here
is apropiate (licensing reasons).

-- 
Lucian

Mime
View raw message