On Mon, 06 Oct 2003, Ian Clarke wrote: > Tracy R Reed wrote: > > >And now after finding that fred is unable to open /dev/random on my system > >due to what appears to be a bug (opening for write instead of read) I am > >now worried about the security of the encryption due to lack of entropy. > >I'm glad I don't use freenet for anything illegal/unpopular but I'm quite > >worried for those who do. > > This kind of hysteria is totally unproductive and hurts the project.
Partially hysteria. freenet/crypto/Yarrow.java attempts to write to the random seedfile. On windows, it's the only way to maintain a random seed. However, we catch and ignore read_seed errors. This is wrong and needs to be a fatal error. Also, I've traced my freenet process from startup and have not seen a successful open of /dev/urandom. On the flipside, tracing freenet.crypt.Yarrow (the test program) DOES successfully read it. I think it's a thread creation race with strace that causes us to miss seeing it. May be a good idea to refuse to write if we're using /dev/urandom? *NOTE: you cannot seed urandom, even as root, only random* --Dan
pgp00000.pgp
Description: PGP signature
_______________________________________________ Devl mailing list [EMAIL PROTECTED] http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/devl
