On 07/08/2020 18:27, Anthony Scarpino wrote:
Well if there were a bug it's with NativePRNG as the operation is
suppose to be non-blocking. Even so, /dev/urandom is nonblocking.
The only reason this looks to have been detected by the tool is
because it's a blocking read op. This all seems like an extremely
unlikely situation. I don't see this as something SSLEngine should be
compensating for.
Right, /dev/random is blocking, /dev/urandom is non-blocking. I just
checked BlockHound and it seems to have the names of private methods in
the java.io and java.net classes and I think instruments these methods
on the assumption that they are blocking calls. The list seems to have
been generated from an older JDK too, not really in sync with release
JDK releases. So not clear to me that there is really an issue here.
-Alan