On Fri, Jan 04, 2002 at 09:35:48PM -0500, Jeff Trawick wrote: > Justin Erenkrantz <[EMAIL PROTECTED]> writes: > > > This patch adds EGD-gathering support to apr_generate_random_bytes. > > My hero! (though I might disagree on the socket details :) )
I think it makes some good sense to eat our own dog food with this EGD code. We could use straight Unix calls (and indeed that is the only platform where EGD can really be used). But, I think it might be beneficial to add the AF_UNIX sockets (Sander searched his Win32 box and he saw AF_UNIX #defined in the headers). (I'll reply to your comments about the domain sockets in a sec...) > > Ideally, I'd like to add an apr_generate_random_bytes_setup function > > that takes in a path name that will configure the random device > > Do you mean something that could be a shell script to ensure that the > EGD is running? We could do that. But, I expect that this would be the problem of the APR-using program (such as httpd or flood). I'd really like to have them be able to specify where the EGD or prngd_commands file are. So: apr_generate_random_bytes_setup(char * path) - With /dev/[u]random platforms, this is a no-op. - With EGD, it allows configuration to where the EGD socket lives. - With an internal PRNGD (ala OpenSSH), this is the config file. And, in httpd.conf, something like: EGDSocket /tmp/egd-entropy Remember that the reason I want an internal PRNGD is so that we don't have to bother the user with making sure that EGD/PRNGd is running. I had to fight mutt last night to get it to recognize my PRNGd location. It just reinforces my belief that this is something that should be hidden from the user if at all possible. While PRNGd works okay, I could not recommend it for general use. Its build system and install is just too confusing to the point where I believe it'd cause lots of install/configuration problems if we offered only this approach on non-/dev/random platforms. And, PRNGd's config file is identical to OpenSSH's and if I do an internal entropy gatherer, it'd use the same config file - so the configs will be identical for all three programs...sort of nice... > > P.S. It'd be nice if apr_generate_random_bytes took in a pool... > > silly APR sockets ;) =) > maybe this truerand support should be junked (but that issue can wait > for another day) I agree, but I'd rather not take it out just now if someone is using it. Is anyone using it? -- justin
