Joe Orton wrote:

In retrospect, I don't think it's a good idea for APR to venture further into this domain without a thorough review of what different randomness sources are available on different OSes, what are the common denominators, etc. The previous effort at providing something more general here is completely unused (apr/random) and has been a waste of space AFAICT.

Tomcat advertises itself as offering "Secure session ID generation by default on all platforms (platforms other than Linux required random number generation using a configured entropy)" when APR is enabled within Tomcat.

They don't mention exactly which part of APR they are using to do this, but if it is apr/random, then it is being used.

What would be useful is a function which would return true if random number generation is crypto safe on that platform. At the very least, the user of the library gets no surprises as to the quality of the numbers they get.

Regards,
Graham