[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Re: [RFC] ra_svn::make_nonce: how to cope with entropy shortages?

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Thu, 03 Nov 2011 23:35:15 +0200

On Thursday, November 03, 2011 4:26 PM, "Peter Samuelson" <peter_at_p12n.org> wrote:
>
> [Jonathan Nieder]
> > state = apr_random_standard_new(pool);
> >
> > for (;;) {
> > while (apr_random_secure_ready(state) == APR_ENOTENOUGHENTROPY) {
> > apr_generate_random_bytes(buf, sizeof(buf));
> > apr_random_add_entropy(state, buf, sizeof(buf));
> > }
> >
> > apr_random_secure_bytes(state, ret, n);
> > yield;
> > }
>
> The problem is that svnserve is often used in 'inetd' mode, one
> connection per process. I've recommended that for years, as being
> easier and less hassle than managing a separate daemon. Given inetd
> mode, your approach will exhaust /dev/random just as fast as the status
> quo.
>
> (Also, and this is minor, those functions didn't exist in apr 0.9, for
> those poor souls still needing to build Subversion on platforms with
> Apache 2.0. I don't _think_ we've ever dropped support for our
> original apr platform, have we?)

Yes, but I'm not sure that means we can't use the above code when we
detect a new APR at build time. I mean, APR_VERSION_AT_LEAST() exists
for a reason.

> --
> Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
>
Received on 2011-11-03 22:35:46 CET

This is an archived mail posted to the Subversion Dev mailing list.