On 4/14/06, Greg Hudson <[EMAIL PROTECTED]> wrote: > While reviewing the "APR-util UUID generator broken" thread, I noticed > the following code: > > - get_system_time(&time_now); > + time_now = apr_time_now(); > srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff)); > > return rand() & 0x0FFFF; > > Regardless of how time_now is determined, the application may be using > the srand/rand mechanism itself. It seems inappropriate for a library > to stomp on the seed.
Agreed, that does seem somewhat wrong... > I know there is PRNG code in modern APR; can this code be fixed to use > it, instead of the (often broken, non-thread-safe, global-state-using) > libc PRNG? The PRNG code in APR is incomplete, as far as I know. I have no clue what remains to be done with it, not having much clue on the internals of PRNGs in general, but the impression I got when it was added was that it wasn't ready for prime time yet, and nothing has changed since. > Or we could just pull bits from /dev/urandom or a suitable alternative > on Windows, if we had an interface to do so. (For some odd reason, > APR doesn't provide such an interface, unless it has changed > recently.) I would LOVE to see an interface that does such a thing. Patches to add such a thing would be more than welcome. -garrett
