Subject: Re: [boost] [uuid] Issue 9407: please merge fix
From: Peter Dimov (lists_at_[hidden])
Date: 2015-01-16 12:04:46


Andrey Semashev wrote:
> On Friday 16 January 2015 18:33:28 Peter Dimov wrote:
> > Antony Polukhin wrote:
> > > Especially I'm interested in applying a pull request to fix 9407
> > > <https://svn.boost.org/trac/boost/ticket/9407> issue (
> > > https://github.com/boostorg/uuid/pull/2).
> >
> > On Windows, the usual procedure is to use RtlGenRandom, but I'm not sure
> > which approach is better.
>
> I think it's not public API. MSDN recommends using CryptGenRandom instead.

There are no longer any non-public Windows APIs as a result of the antitrust
lawsuit, but yes, it's probably better to use the supported version.

On a more general note, all this homegrown entropy gathering in that
function (for most of which I might be responsible, in fact) should just be
skipped if we have CryptGenRandom or /dev/urandom; it should merely be a
fallback. We're never going to improve upon CryptGenRandom's output; the most
we could do is not damage it, and /dev/urandom is, I think, also
reasonably crypto-quality on today's POSIX OSes.

There's one subtlety though: the fact that we currently proceed
unconditionally to mixing homegrown entropy allows us to not check for
errors from CryptGenRandom or fread, and if we're going to skip it, we
should check.

On an even more general note, this is actually a reimplementation of
random_device, so it might be worth fixing that to always work (and perhaps
take advantage of std::random_device if present?).
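
The structure discussed in the message above, as an added example that is not Boost.Uuid's code or part of the original post: the OS generator is tried first with its return values checked (a short `fread` counts as failure), and the homegrown mixing runs only as a fallback. The names `os_random`, `weak_fallback`, `fill_seed`, `seed_source` and the `dev` parameter are hypothetical, and the fallback mixer is a constructed stand-in.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <ctime>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   // link with advapi32
#endif
enum class seed_source { os_csprng, fallback };
// True only if all n bytes came from the OS generator.
// `dev` is a hypothetical parameter (ignored on Windows) so the failure path can be tested.
inline bool os_random(unsigned char* buf, std::size_t n, const char* dev = "/dev/urandom") {
#ifdef _WIN32
    (void)dev;
    HCRYPTPROV h = 0;
    if (!CryptAcquireContextW(&h, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
        return false;
    BOOL ok = CryptGenRandom(h, static_cast<DWORD>(n), buf);
    CryptReleaseContext(h, 0);
    return ok != 0;
#else
    std::FILE* f = std::fopen(dev, "rb");
    if (!f) return false;
    std::setvbuf(f, NULL, _IONBF, 0);              // do not buffer extra random bytes
    std::size_t got = std::fread(buf, 1, n, f);    // a short read counts as failure
    std::fclose(f);
    return got == n;
#endif
}

// Constructed stand-in for the homegrown mixing: time, clock and a stack address.
// Not crypto quality; it runs only when the OS source reported an error.
inline void weak_fallback(unsigned char* buf, std::size_t n) {
    std::uint64_t s = static_cast<std::uint64_t>(std::time(NULL)) ^
                      (static_cast<std::uint64_t>(std::clock()) << 32) ^
                      reinterpret_cast<std::uintptr_t>(&s);
    for (std::size_t i = 0; i < n; ++i) {
        s += 0x9E3779B97F4A7C15ULL;                // splitmix64 step
        std::uint64_t z = (s ^ (s >> 30)) * 0xBF58476D1CE4E5B9ULL;
        z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
        buf[i] = static_cast<unsigned char>((z ^ (z >> 31)) & 0xFF);
    }
}

inline seed_source fill_seed(unsigned char* buf, std::size_t n, const char* dev = "/dev/urandom") {
    if (os_random(buf, n, dev)) return seed_source::os_csprng;
    weak_fallback(buf, n);
    return seed_source::fallback;
}
```

Returning `seed_source` lets a caller that needs unpredictable UUIDs reject the fallback case instead of using it silently.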


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk