While reviewing the "APR-util UUID generator broken" thread, I noticed
the following code:
- get_system_time(&time_now);
+ time_now = apr_time_now();
srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff));
return rand() & 0x0FFFF;
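Review bot: The unchanged srand() line is the part that needs to change, not the time source: it reseeds the process-wide libc generator on every call, so any seed the application set is overwritten, and the returned 16 bits are a pure function of time_now, so two calls that see the same time_now return the same value. Suggest dropping the srand()/rand() pair here and taking the 16 bits from a generator that keeps its own state or from the OS random source, so that this function has no side effect on the caller's rand() stream.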
Regardless of how time_now is determined, the application may be using
the srand/rand mechanism itself. It seems inappropriate for a library
to stomp on the seed.
I know there is PRNG code in modern APR; can this code be fixed to use
it, instead of the (often broken, non-thread-safe, global-state-using)
libc PRNG?
Or we could just pull bits from /dev/urandom or a suitable alternative
on Windows, if we had an interface to do so. (For some odd reason,
APR doesn't provide such an interface, unless it has changed
recently.)
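
The /dev/urandom alternative raised above, as an added example that is not part of the original message and not APR code: it draws 16 bits without touching libc PRNG state, and app_stream_intact() shows the difference from the srand/rand pattern in the hunk. All function names are hypothetical, the code assumes a POSIX system with /dev/urandom, and the time value passed in is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Fill buf from /dev/urandom, retrying on EINTR and short reads; 0 on success. */
static int urandom_bytes(unsigned char *buf, size_t len)
{
    size_t off = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        off += (size_t)n;
    }
    close(fd);
    return off == len ? 0 : -1;
}

/* Hypothetical replacement: 0..0xFFFF, or -1 on failure (no rand() fallback). */
static int random_u16(void)
{
    unsigned char b[2];
    if (urandom_bytes(b, sizeof b) != 0)
        return -1;
    return (b[0] << 8) | b[1];
}

/* The hunk's pattern, with the time passed in (constructed value below). */
static int time_seeded_u16(long long time_now)
{
    srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff));
    return rand() & 0x0FFFF;
}

/* 1 if the application's own rand() stream survives a call into the library. */
static int app_stream_intact(int use_urandom)
{
    int expected;
    srand(12345); (void)rand(); expected = rand();  /* app's second draw */
    srand(12345); (void)rand();                     /* app is mid-stream */
    if (use_urandom) (void)random_u16(); else (void)time_seeded_u16(1100000000000000LL);
    return rand() == expected;
}
```

app_stream_intact(1) returns 1 and app_stream_intact(0) returns 0: only the srand/rand version disturbs the caller's sequence.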