tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bojan Smojver <bo...@binarix.com>
Subject /dev/urandom patch
Date Wed, 18 Apr 2001 09:39:00 GMT
Don't know if the patch for this was missed (since it was buried into a
long e-mail), you guys didn't like it or just didn't have time to
implement. Anyway, I'm doing it clean in this e-mail. Thanks to Doug
Barnes who explained the issues of random number generation...

Here is the patch (I had to move some of the code to engineInit,
hopefully without breaking too many things):
-------- Cut ---------------------------------------------------------

---jakarta-tomcat-3.3-build/src/share/org/apache/tomcat/modules/session/SessionIdGenerator.java
      
Mon Apr 16 21:28:34 2001
+++jakarta-tomcat-3.3-src-cvs-debug/src/share/org/apache/tomcat/modules/session/SessionIdGenerator.java
      
Mon Apr 16 21:40:20 2001
@@ -96,6 +96,8 @@
     String randomClassName=null;
     Random randomSource=null;
     DataInputStream randomIS=null;
+    boolean beParanoid=false;
+    boolean useDevRandom=false;
     
     static Jdk11Compat jdk11Compat=Jdk11Compat.getJdkCompat();
     
@@ -109,18 +111,26 @@
        randomSource=createRandomClass( randomClassName );
     }
 
-    /** Use /dev/random special device. This is new code, but may
reduce the
-     *  big delay in generating the random
+    /** When using special device random generator, be paranoid and
+     *  use /dev/random. When this option is not set (default), the
+     *  device /dev/urandom is used, which should be at least as safe
+     *  as java.security.SecureRandom.
+     *
+     *  Reads to /dev/random might block until additional environmental
+     *  noise is gathered and this can cause problems (ie. Tomcat might
+     *  hang until such noise is generated).
+     *  USE WITH CAUTION!!!
+     */
+    public void setBeParanoid( boolean p ) {
+        beParanoid = p;
+    }
+    
+
+    /** Use special device to generate random. This is new code,
+     *  but may reduce the big delay in generating the random.
      */
     public void setUseDevRandom( boolean u ) {
-       if( ! u ) return;
-       try {
-           randomIS= new DataInputStream( new
FileInputStream("/dev/random"));
-           randomIS.readLong();
-           log( "Opening /dev/random");
-       } catch( IOException ex ) {
-           randomIS=null;
-       }
+        useDevRandom = u;
     }
     
     
@@ -141,6 +151,23 @@
     /** Init session management stuff for this context. 
      */
     public void engineInit(ContextManager cm) throws TomcatException {
+        if( useDevRandom ){
+            String device="/dev/urandom";
+
+            if( beParanoid )
+                device="/dev/random";
+
+           try {
+               randomIS= new DataInputStream( new FileInputStream(
device ));
+               randomIS.readLong();
+               log( "Opening " + device );
+           } catch( IOException ex ) {
+               randomIS=null;
+           }
+        }
+
+       /* The following code gets executed even if randomIS is null due
to
+           IOException above, so we are covered */
        if( randomSource==null && randomIS==null ) {
            String randomClass=(String)cm.getProperty("randomClass" );
            if( randomClass==null ) {
@@ -261,7 +288,7 @@
        if( devRandomIS!=null ) {
            try {
                n=devRandomIS.readLong();
-               System.out.println("Getting /dev/random " + n );
+                System.out.println( "Getting from random device " + n
);
            } catch( IOException ex ) {
                ex.printStackTrace();
            }

-------- Cut ---------------------------------------------------------

Bojan

Mime
View raw message