Posted to dev@apr.apache.org by Graham Leggett <mi...@sharp.fm> on 2012/11/16 12:59:20 UTC

apr_generate_random_bytes() - secure or pseudo?

Hi all,

The docs for apr_generate_random_bytes() just say "Generate random bytes.", but don't say what kind of random bytes are being generated, secure or pseudo?

Obviously the newer apr_random_secure_bytes() and apr_random_insecure_bytes() make this clear, but the older call doesn't.

A look at the source shows that on Unix, we either use /dev/random, an EGD-compatible socket daemon, or truerand, implying that we are generating secure bytes.

Is it correct to amend the docs to something like:

"Generate secure random bytes.

Randomness is obtained from /dev/random, an EGD-compatible socket daemon, or the truerand interface, depending on the platform."

Regards,
Graham
--