marcsaeg 01/09/04 19:42:14
Modified: src/share/org/apache/tomcat/startup Tag: tomcat_32
Tomcat.java
src/share/org/apache/tomcat/util Tag: tomcat_32
SessionIdGenerator.java
Log:
Switch back to the default PRNG seed generator to avoid security weakness
in the manual seed generator. The PRNG is now initialized when the container
starts so that we don't take the hit on the first request.
Submitted by: Kevin E. Fu ([EMAIL PROTECTED])
Revision Changes Path
No revision
No revision
1.31.2.2 +5 -0 jakarta-tomcat/src/share/org/apache/tomcat/startup/Tomcat.java
Index: Tomcat.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/startup/Tomcat.java,v
retrieving revision 1.31.2.1
retrieving revision 1.31.2.2
diff -u -r1.31.2.1 -r1.31.2.2
--- Tomcat.java 2000/11/28 00:19:20 1.31.2.1
+++ Tomcat.java 2001/09/05 02:42:13 1.31.2.2
@@ -199,6 +199,11 @@
// auto-configured contexts are initialized.
generateServerConfig( cm );
+ // Initialize the Session ID Generator. Generating the PRNG seed
+ // can be very time consuming so do we want to do this before
+ // we start handling requests
+ SessionIdGenerator.initialize();
+
cm.start(); // start serving
}
No revision
No revision
1.3.2.4 +41 -33
jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java
Index: SessionIdGenerator.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java,v
retrieving revision 1.3.2.3
retrieving revision 1.3.2.4
diff -u -r1.3.2.3 -r1.3.2.4
--- SessionIdGenerator.java 2000/12/22 17:35:05 1.3.2.3
+++ SessionIdGenerator.java 2001/09/05 02:42:14 1.3.2.4
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java,v
1.3.2.3 2000/12/22 17:35:05 marcsaeg Exp $
- * $Revision: 1.3.2.3 $
- * $Date: 2000/12/22 17:35:05 $
+ * $Header:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java,v
1.3.2.4 2001/09/05 02:42:14 marcsaeg Exp $
+ * $Revision: 1.3.2.4 $
+ * $Date: 2001/09/05 02:42:14 $
*
* ====================================================================
*
@@ -125,35 +125,23 @@
* Return the entropy increaser value, or compute a semi-useful value
* if this String has not yet been set.
*/
- public static String getEntropy() {
-
- // Calculate a semi-useful value if this has not been set
- if (entropy == null)
- setEntropy((new Object()).toString());
-
- return (entropy);
-
+ public static String getEntropy()
+ {
+ return (entropy);
}
-
/**
* Set the entropy increaser value.
*
* @param entropy The new entropy increaser value
*/
- public static void setEntropy(String newEntropy) {
-
- entropy = newEntropy;
-
+ public static void setEntropy(String newEntropy)
+ {
+ entropy = newEntropy;
}
-
- // ** NOTE that this must work together with get_jserv_session_balance()
- // ** in jserv_balance.c
- static synchronized public String getIdentifier (String jsIdent)
+ public static void initialize()
{
- StringBuffer sessionId = new StringBuffer();
-
if (randomSource == null) {
String className = System.getProperty("tomcat.sessionid.randomclass");
if (className != null) {
@@ -168,19 +156,39 @@
if (randomSource == null)
randomSource = new java.security.SecureRandom();
- // Set the seed PRNG's seed value
- long seed = System.currentTimeMillis();
- char entropy[] = getEntropy().toCharArray();
- for (int i = 0; i < entropy.length; i++) {
- long update = ((byte) entropy[i]) << ((i % 8)
* 8);
- seed ^= update;
- }
- randomSource.setSeed(seed);
- }
+ String entropyValue = getEntropy();
+ if(entropyValue != null){
+ /*
+ * We only do the manual seed generation if there is a user
+ * supplied entropy value. This is only for backwards
+ * compatibility. It is expected that very few people
+ * ever took advantage of this feature and defaulting
+ * to the normal PRNG seed generator is more secure than this
+ * calculation.
+ */
+ long seed = System.currentTimeMillis();
+ char entropy[] = entropyValue.toCharArray();
+ for (int i = 0; i < entropy.length; i++) {
+ long update = ((byte) entropy[i]) << ((i % 8) * 8);
+ seed ^= update;
+ }
+ randomSource.setSeed(seed);
+ }else{
+ randomSource.nextInt();
+ }
+ }
+ }
+ // ** NOTE that this must work together with get_jserv_session_balance()
+ // ** in jserv_balance.c
+ static synchronized public String getIdentifier (String jsIdent)
+ {
+ StringBuffer sessionId = new StringBuffer();
+
+ initialize();
- // random value ..
- long n = randomSource.nextLong();
+ // random value ..
+ long n = randomSource.nextLong();
if (n < 0) n = -n;
n %= maxRandomLen;
// add maxLen to pad the leading characters with '0'; remove
