httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch>
Subject Re: [PATCH] mod_unique_id: use ap_random_insecure_bytes() to get unique ID
Date Sat, 06 Jul 2013 00:04:58 GMT
On Wednesday 26 June 2013, Daniel Lescohier wrote:
> When I looked into the ap random functions, I didn't like the
> implementation, because I didn't see anywhere in the httpd codebase
> that entropy is periodically added to the entropy pool.  After
> reading the details of how the Linux entropy pool works
> (https://lwn
> .net/Articles/525204/), I decided to use /dev/urandom instead,
> since Linux is periodically adding entropy to it.  This code is
> not portable, but this was for a private Apache module that is
> only used on Linux.
> To preserve entropy on the web server machine, I also only generate
> a random number once per apache child, then increment an uint32
> portion of it for each unique id call.  I also have seconds and
> microseconds, so that's why I think it's OK to do increments from
> the random base, instead of generating a new random id on each
> request.

The "insecure" in ap_random_insecure_bytes is there for a reason. But 
if you only use it once per process, anyway, it should be sufficient. 
The fact that several consumers (especially with multi-threaded mpms) 
pull from the same pool in undefined order adds some entropy, too.

FWIW, there is apr_generate_random_bytes() which can do the reading of 
/dev/urandom for you.

View raw message