From marcs...@apache.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util SessionIdGenerator.java
Date Wed, 05 Sep 2001 02:42:14 GMT
marcsaeg    01/09/04 19:42:14

  Modified:    src/share/org/apache/tomcat/startup Tag: tomcat_32
                        Tomcat.java
               src/share/org/apache/tomcat/util Tag: tomcat_32
                        SessionIdGenerator.java
  Log:
  Switch back to the default PRNG seed generator to avoid a security weakness
  in the manual seed generator.  The PRNG is now initialized when the container
  starts so that we don't take the hit on the first request.
  
  Submitted by:	Kevin E. Fu (fubob@cisco.com)
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.31.2.2  +5 -0      jakarta-tomcat/src/share/org/apache/tomcat/startup/Tomcat.java
  
  Index: Tomcat.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/startup/Tomcat.java,v
  retrieving revision 1.31.2.1
  retrieving revision 1.31.2.2
  diff -u -r1.31.2.1 -r1.31.2.2
  --- Tomcat.java	2000/11/28 00:19:20	1.31.2.1
  +++ Tomcat.java	2001/09/05 02:42:13	1.31.2.2
  @@ -199,6 +199,11 @@
   	// auto-configured contexts are initialized.
   	generateServerConfig( cm );
   
  +    // Initialize the Session ID Generator.  Generating the PRNG seed
  +    // can be very time consuming so do we want to do this before 
  +    // we start handling requests
  +    SessionIdGenerator.initialize();
  +
   	cm.start(); // start serving
       }
   
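Review bot: The added comment line `// can be very time consuming so do we want to do this before` is garbled and should read `// can be very time consuming, so we want to do this before`. The enclosing startup method begins and ends outside the hunk, so it is not visible here whether an exception thrown inside `SessionIdGenerator.initialize()` (for example from a misconfigured `tomcat.sessionid.randomclass`) is reported before `cm.start()` is reached; a one-line comment stating the intended behaviour on seeding failure would help the next reader.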
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.3.2.4   +41 -33    jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java
  
  Index: SessionIdGenerator.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java,v
  retrieving revision 1.3.2.3
  retrieving revision 1.3.2.4
  diff -u -r1.3.2.3 -r1.3.2.4
  --- SessionIdGenerator.java	2000/12/22 17:35:05	1.3.2.3
  +++ SessionIdGenerator.java	2001/09/05 02:42:14	1.3.2.4
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java,v
1.3.2.3 2000/12/22 17:35:05 marcsaeg Exp $
  - * $Revision: 1.3.2.3 $
  - * $Date: 2000/12/22 17:35:05 $
  + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java,v
1.3.2.4 2001/09/05 02:42:14 marcsaeg Exp $
  + * $Revision: 1.3.2.4 $
  + * $Date: 2001/09/05 02:42:14 $
    *
    * ====================================================================
    *
  @@ -125,35 +125,23 @@
        * Return the entropy increaser value, or compute a semi-useful value
        * if this String has not yet been set.
        */
  -    public static String getEntropy() {
  -
  -	// Calculate a semi-useful value if this has not been set
  -	if (entropy == null)
  -	    setEntropy((new Object()).toString());
  -
  -	return (entropy);
  -
  +    public static String getEntropy()
  +    {
  +        return (entropy);
       }
   
  -
       /**
        * Set the entropy increaser value.
        *
        * @param entropy The new entropy increaser value
        */
  -    public static void setEntropy(String newEntropy) {
  -
  -	entropy = newEntropy;
  -
  +    public static void setEntropy(String newEntropy)
  +    {
  +        entropy = newEntropy;
       }
  -
   
  -	 // ** NOTE that this must work together with get_jserv_session_balance()
  -    // ** in jserv_balance.c
  -    static synchronized public String getIdentifier (String jsIdent)
  +    public static void initialize()
       {
  -        StringBuffer sessionId = new StringBuffer();
  -        
           if (randomSource == null) {
               String className = System.getProperty("tomcat.sessionid.randomclass");
               if (className != null) {
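Review bot: The Javadoc left in context above the rewritten `getEntropy()` still says it will "compute a semi-useful value if this String has not yet been set", but the new body just returns `entropy`, which stays `null` until `setEntropy` is called — and that `null` is exactly what `initialize()` uses to select the secure default seeding path. Change the summary to `* Return the entropy increaser value, or {@code null} if it has not been set.` and add to `setEntropy`'s Javadoc a sentence noting that supplying a value re-enables the weaker manual seed calculation, since callers can no longer tell from the docs that the setter has a security consequence. `initialize()` starts in this hunk and its body continues into the next one.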
  @@ -168,19 +156,39 @@
               if (randomSource == null)
                   randomSource = new java.security.SecureRandom();
   
  -				// Set the seed PRNG's seed value
  -				long seed = System.currentTimeMillis();
  -				char entropy[] = getEntropy().toCharArray();
  -				for (int i = 0; i < entropy.length; i++) {
  -					 long update = ((byte) entropy[i]) << ((i % 8) * 8);
  -					 seed ^= update;		    
  -				}
  -				randomSource.setSeed(seed);
  -		  }
  +            String entropyValue = getEntropy();
  +            if(entropyValue != null){
  +                /*
  +                 *  We only do the manual seed generation if there is a user
  +                 * supplied entropy value.  This is only for backwards 
  +                 * compatibility.  It is expected that very few people
  +                 * ever took advantage of this feature and defaulting
  +                 * to the normal PRNG seed generator is more secure than this 
  +                 * calculation.
  +                 */
  +                long seed = System.currentTimeMillis();
  +                char entropy[] = entropyValue.toCharArray();
  +                for (int i = 0; i < entropy.length; i++) {
  +                    long update = ((byte) entropy[i]) << ((i % 8) * 8);
  +                    seed ^= update;		    
  +                }
  +                randomSource.setSeed(seed);
  +            }else{
  +                randomSource.nextInt();
  +            }
  +        }
  +    }
   
  +	 // ** NOTE that this must work together with get_jserv_session_balance()
  +    // ** in jserv_balance.c
  +    static synchronized public String getIdentifier (String jsIdent)
  +    {
  +        StringBuffer sessionId = new StringBuffer();
  +        
  +        initialize();
   
  -		  // random value ..
  -		  long n = randomSource.nextLong();
  +        // random value ..
  +        long n = randomSource.nextLong();
           if (n < 0) n = -n;
           n %= maxRandomLen;
           // add maxLen to pad the leading characters with '0'; remove
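Review bot: The entropy mixing line `long update = ((byte) entropy[i]) << ((i % 8) * 8);` shifts an int, not a long, so shift distances of 32 and above are reduced modulo 32 and the upper half of `seed` never receives any entropy, while negative byte values sign-extend into the high bits; `long update = ((long) (entropy[i] & 0xFF)) << ((i % 8) * 8);` mixes all eight byte positions as the loop intends. The backwards-compatible branch still calls `randomSource.setSeed(seed)` on a generator that has produced no output yet, which for the default `java.security.SecureRandom` means the time-plus-string seed replaces provider self-seeding rather than supplementing it — the weakness the log message describes; inserting `randomSource.nextInt();` before `randomSource.setSeed(seed);` forces self-seeding first so the manual value only supplements it (a custom `tomcat.sessionid.randomclass` may behave differently, so this should be confirmed for that case). The `else` branch's bare `randomSource.nextInt();` deserves a comment such as `// Force self-seeding now so the cost is paid at startup, not on the first request`. `initialize()` begins in the previous hunk, and it is not `synchronized` while `getIdentifier` is; that is harmless for the startup call but worth a line of documentation on the method.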
  
  
  
