Re: gen_random_uuid security not explicit in documentation

Michael Paquier <michael.paquier@gmail.com>

From: Michael Paquier <michael.paquier@gmail.com>
To: rightfold@gmail.com
Cc: pgsql-docs@postgresql.org, Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2017-01-03T12:47:37Z
Lists: pgsql-hackers, pgsql-docs
(Adding Heikki in CC who committed this code)

On Mon, Jan 2, 2017 at 8:20 AM,  <rightfold@gmail.com> wrote:
> The C source code of gen_random_uuid reads:
>
>     /*
>     * Generate random bits. pg_backend_random() will do here, we don&#39;t
>     * promis UUIDs to be cryptographically random, when built with
>     * --disable-strong-random.
>     */
>
> However, the pgcrypto documentation does not mention
> --disable-strong-random
> at all. I think the documentation should mention under which conditions
> the function returns secure data.

That's actually a good idea. But as it does not only apply to
get_random_uuid(), I would think that a notice at the top of the
pgcrypto documentation would make the most sense. Something like:
"If PostgreSQL is built with --disable-strong-random, the data
generated by the functions is not guaranteed to be cryptographically
random."

> P.S. there is also a typo in the C comment: &quot;promis&quot; should be &quot;promise&quot;.

Indeed.
-- 
Michael


Commits

  1. Forbid gen_random_uuid() with --disable-strong-random