Posted to dev@httpd.apache.org by André Malo <nd...@perlig.de> on 2008/02/19 19:48:40 UTC

Re: svn commit: r629164 - /httpd/httpd/trunk/support/htpasswd.c

* pquerna@apache.org wrote:

> Author: pquerna
> Date: Tue Feb 19 09:05:26 2008
> New Revision: 629164
>
> URL: http://svn.apache.org/viewvc?rev=629164&view=rev
> Log:
> Improve generation of the seed to rand, by using
> apr_generate_random_bytes, rather than the current time as a seed.

Wouldn't it make more sense to drop all that seed and rand hassle and just 
use the apr-random bytes directly as salt (alphabet[byte % len(alphabet)])?

nd
-- 
package Hacker::Perl::Another::Just;print
qq~@{[reverse split/::/ =>__PACKAGE__]}~;

#  André Malo  #  http://www.perlig.de  #

Re: svn commit: r629164 - /httpd/httpd/trunk/support/htpasswd.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 02/19/2008 07:48 PM, André Malo wrote:
> * pquerna@apache.org wrote:
> 
>> Author: pquerna
>> Date: Tue Feb 19 09:05:26 2008
>> New Revision: 629164
>>
>> URL: http://svn.apache.org/viewvc?rev=629164&view=rev
>> Log:
>> Improve generation of the seed to rand, by using
>> apr_generate_random_bytes, rather than the current time as a seed.
> 
> Wouldn't it make more sense to drop all that seed and rand hassle and just 
> use the apr-random bytes directly as salt (alphabet[byte % len(alphabet)])

This was also my first thought on this patch.

Regards

Rüdiger


Re: svn commit: r629164 - /httpd/httpd/trunk/support/htpasswd.c

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Feb 19, 2008, at 1:48 PM, André Malo wrote:

> * pquerna@apache.org wrote:
>
>> Author: pquerna
>> Date: Tue Feb 19 09:05:26 2008
>> New Revision: 629164
>>
>> URL: http://svn.apache.org/viewvc?rev=629164&view=rev
>> Log:
>> Improve generation of the seed to rand, by using
>> apr_generate_random_bytes, rather than the current time as a seed.
>
> Wouldn't it make more sense to drop all that seed and rand hassle  
> and just
> use the apr-random bytes directly as salt (alphabet[byte %  
> len(alphabet)])
>

Most likely simpler...


Re: svn commit: r629164 - /httpd/httpd/trunk/support/htpasswd.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 02/19/2008 08:15 PM, Paul Querna wrote:
> André Malo wrote:
>> * pquerna@apache.org wrote:
>>
>>> Author: pquerna
>>> Date: Tue Feb 19 09:05:26 2008
>>> New Revision: 629164
>>>
>>> URL: http://svn.apache.org/viewvc?rev=629164&view=rev
>>> Log:
>>> Improve generation of the seed to rand, by using
>>> apr_generate_random_bytes, rather than the current time as a seed.
>>
>> Wouldn't it make more sense to drop all that seed and rand hassle and 
>> just use the apr-random bytes directly as salt (alphabet[byte % 
>> len(alphabet)])
> 
> I guess so....
> 
> apr-random though has this nasty habit of using really random sources, 
> and using all entropy on a system, and I'd prefer to not use it more 
> than needed.....  As this has been the source of pain and several bug 
> reports in the past....

True. That's why I normally compile with --with-devrandom=/dev/urandom.
But this may not be suitable for all situations.
Maybe there should be an apr_generate_urandom_bytes. But this is a story
for the apr list.

Regards

Rüdiger


Re: svn commit: r629164 - /httpd/httpd/trunk/support/htpasswd.c

Posted by Paul Querna <ch...@force-elite.com>.
André Malo wrote:
> * pquerna@apache.org wrote:
> 
>> Author: pquerna
>> Date: Tue Feb 19 09:05:26 2008
>> New Revision: 629164
>>
>> URL: http://svn.apache.org/viewvc?rev=629164&view=rev
>> Log:
>> Improve generation of the seed to rand, by using
>> apr_generate_random_bytes, rather than the current time as a seed.
> 
> Wouldn't it make more sense to drop all that seed and rand hassle and just 
> use the apr-random bytes directly as salt (alphabet[byte % len(alphabet)])

I guess so....

apr-random though has this nasty habit of using really random sources, 
and using all entropy on a system, and I'd prefer to not use it more 
than needed.....  As this has been the source of pain and several bug 
reports in the past....

-Paul
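
Added example (not part of the thread or of htpasswd.c): the mapping suggested above, alphabet[byte % len(alphabet)], written out in C. The 64-character alphabet, the function names and the use of /dev/urandom in place of apr_generate_random_bytes are assumptions; the example goes slightly beyond the thread by skipping bytes that would bias the result when the alphabet length does not divide 256.

```c
#include <stdio.h>
#include <string.h>

/* Assumed 64-character crypt(3)-style salt alphabet. */
static const char SALT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Build salt_len characters as alphabet[byte % len(alphabet)].
 * Bytes at or above the largest multiple of len that fits in 256 are
 * skipped so every character stays equally likely; with 64 characters
 * nothing is skipped because 256 % 64 == 0. salt must hold salt_len + 1
 * bytes. Returns the random bytes consumed, or -1 if rnd ran out. */
int salt_from_bytes(const unsigned char *rnd, size_t rnd_len,
                    const char *alphabet, char *salt, size_t salt_len)
{
    size_t alen = strlen(alphabet), used = 0, made = 0, limit;

    if (alen == 0 || alen > 256)
        return -1;
    limit = 256 - (256 % alen);
    while (made < salt_len && used < rnd_len) {
        unsigned char b = rnd[used++];
        if (b < limit)
            salt[made++] = alphabet[b % alen];
    }
    salt[made] = '\0';
    return made == salt_len ? (int)used : -1;
}

/* Hypothetical caller: /dev/urandom stands in for
 * apr_generate_random_bytes. Requests one byte per salt character. */
int make_salt(char *salt, size_t salt_len)
{
    unsigned char buf[32];
    FILE *f;
    size_t got;

    if (salt_len > sizeof buf || (f = fopen("/dev/urandom", "rb")) == NULL)
        return -1;
    setvbuf(f, NULL, _IONBF, 0);   /* disable stdio buffering */
    got = fread(buf, 1, salt_len, f);
    fclose(f);
    return salt_from_bytes(buf, got, SALT_ALPHABET, salt, salt_len) < 0 ? -1 : 0;
}

int main(void)
{
    char salt[9];
    if (make_salt(salt, 8) != 0) return 1;
    printf("salt: %s\n", salt);
    return 0;
}
```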