apr-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Trouble in river city.
Date Thu, 26 Jun 2008 02:47:28 GMT
Steve Comstock wrote:
> William A. Rowe, Jr. wrote:
> [snip]
>> Guessing there was no source of entropy.  C.f. apr ./configure;
>>   --with-egd[=DIR]        use EGD-compatible socket
>>   --with-devrandom[=DEV]  use /dev/random or compatible [searches by default]
> I'm glad you suggested that. It gives me the opportunity to
> ask a few questions:
> * I've heard of entropy in the physics sense; I've seen one
>   or two references to it in the software context; what
>   does "entropy" mean in the software context?

Randomness that is not predicted, e.g. other than a pseudorandom sequence,
since these can be predicted.

> * What creates entropy? What is the significance of your
>   suggested --with options?

In the PC sense, usually /dev/random or /dev/urandom; there are various
prngd alternatives.  These work by deciding to watch sensors in the PC,
e.g. you might take a measurement of the cpu's temperature measured in
.001 degree (to .010), or the arrival timing of packets on the network,
etc.  /dev/random does so for all bits of entropy, /dev/urandom does the
best it can with true bits of entropy, and makes up the difference with
pseudorandom data so that it won't block.

You must have one.  bin/htpasswd was considered insecure, so it was
modified to grab a few mostly random bytes for seeding.  (httpd project's
choice, not ours).

> * What made you think, from my post, that there was no
>   source of entropy? What was your clue?

Someone else reported similar a while ago, and this parked itself away
in my brain for a month or two.

You mentioned apr_get_password - I had the same failure a couple of days
ago on HP/UX 11.11 (a new box) and realized that we hadn't installed the
HP/UX /dev/random, /dev/urandom drivers nor chosen a source like prngd.
Seeing as I'm done supporting 11.00, HP's driver made more sense.

