Andrey Semashev wrote:
On Friday 16 January 2015 18:33:28 Peter Dimov wrote:
Antony Polukhin wrote:
Especially I'm interested in applying a pull request to fix 9407 https://svn.boost.org/trac/boost/ticket/9407 issue (https://github.com/boostorg/uuid/pull/2).
On Windows, the usual procedure is to use RtlGenRandom, but I'm not sure which approach is better.
I think it's not public API. MSDN recommends using CryptGenRandom instead.
There are no longer any non-public Windows APIs as a result of the antitrust lawsuit, but yes, it's probably better to use the supported version.

On a more general note, all this homegrown entropy gathering in that function (for most of which I might be responsible, in fact) should just be skipped if we have CryptGenRandom or /dev/urandom; it should merely be a fallback. We're never going to improve upon CryptGenRandom's output, the most we could do is not damage it, and /dev/urandom is, I think, also reasonably-crypto-quality on today's POSIX OSes.

There's one subtlety though: the fact that we currently proceed unconditionally to mixing homegrown entropy allows us to not check for errors from CryptGenRandom or fread, and if we're going to skip it, we should check.

On an even more general note, this is actually a reimplementation of random_device, so it might be worth fixing that to always work (and perhaps take advantage of std::random_device if present?).
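
Added example, not part of the thread and not Boost.Uuid's code: a sketch of the error checking the last message calls for on the /dev/urandom path, where the fallback runs only when the OS source fails or returns a short read. The names fill_from_os_rng, fill_seed and seed_source are hypothetical, and the fallback is a caller-supplied callable standing in for the homegrown mixing.

```cpp
#include <cstddef>
#include <cstdio>

// Hypothetical helper: fill buf with len bytes from the OS random device.
// Returns true only if every requested byte was read.
bool fill_from_os_rng(unsigned char* buf, std::size_t len,
                      const char* path = "/dev/urandom")
{
    std::FILE* f = std::fopen(path, "rb");
    if (!f) return false;                  // device missing or not readable
    std::setvbuf(f, nullptr, _IONBF, 0);   // read only what we ask for, no stdio read-ahead
    std::size_t got = 0;
    while (got < len) {
        std::size_t n = std::fread(buf + got, 1, len - got, f);
        if (n == 0) break;                 // EOF or error: treat as a short read
        got += n;
    }
    std::fclose(f);
    return got == len;                     // a partial fill counts as failure
}

enum class seed_source { os_rng, fallback };

// Uses the OS source when it fully succeeds; otherwise overwrites the whole
// buffer via fallback(buf, len) and reports that the fallback was used.
template <class Fallback>
seed_source fill_seed(unsigned char* buf, std::size_t len, Fallback fallback,
                      const char* path = "/dev/urandom")
{
    if (fill_from_os_rng(buf, len, path)) return seed_source::os_rng;
    fallback(buf, len);
    return seed_source::fallback;
}
```

On Windows the same shape applies to CryptGenRandom, whose BOOL return value has to be checked before the buffer is trusted.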