On Thu, 22 Dec 2022 18:54:16 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
>> Volker Simonis has updated the pull request incrementally with one additional commit since the last revision:
>>
>>   Moved stateless key logic from SSLContextImpl to SSLSessionContextImpl and addressed comments by @XueleiFan and @ascarpino
>
> src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java line 95:
>
>> 93: // Should be "randomly generated" according to RFC 5077,
>> 94: // but doesn't necessarily has to be a true random number.
>> 95: currentKeyID = this.hashCode();
>
> As the hashCode() is called in the constructor, I'm not very sure if it works as expected. Maybe, the system nano time could be used instead.

I don't think calling `hashCode()` is an issue as long as `SSLSessionContextImpl` doesn't override `hashCode()` (which it doesn't do) and that overridden version of `hashCode()` accesses uninitialized fields. But for the sake of getting this done, I've changed the initialization to use the result of `System.nanoTime()` as a seed for a new `java.util.Random` instance and call `nextInt()` on that instance. That seems like a good compromise to me :)

-------------

PR: https://git.openjdk.org/jdk/pull/11590