/dev/urandom patch

2001-04-18 Thread Bojan Smojver

Don't know if the patch for this was missed (since it was buried into a
long e-mail), you guys didn't like it or just didn't have time to
implement. Anyway, I'm doing it clean in this e-mail. Thanks to Doug
Barnes who explained the issues of random number generation...

Here is the patch (I had to move some of the code to engineInit,
hopefully without breaking too many things):
 Cut -

---jakarta-tomcat-3.3-build/src/share/org/apache/tomcat/modules/session/SessionIdGenerator.java
   
Mon Apr 16 21:28:34 2001
+++jakarta-tomcat-3.3-src-cvs-debug/src/share/org/apache/tomcat/modules/session/SessionIdGenerator.java
+   
Mon Apr 16 21:40:20 2001
@@ -96,6 +96,8 @@
 String randomClassName=null;
 Random randomSource=null;
 DataInputStream randomIS=null;
+boolean beParanoid=false;
+boolean useDevRandom=false;
 
 static Jdk11Compat jdk11Compat=Jdk11Compat.getJdkCompat();
 
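Review bot: The two fields added at the top of this hunk, beParanoid and useDevRandom, carry no comment, and the name beParanoid does not say what it controls. A one-line comment stating that it selects /dev/random over /dev/urandom, or a name tied to that behaviour, would make the declaration readable without going to the setter.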
@@ -109,18 +111,26 @@
randomSource=createRandomClass( randomClassName );
 }
 
-/** Use /dev/random special device. This is new code, but may
reduce the
- *  big delay in generating the random
+/** When using special device random generator, be paranoid and
+ *  use /dev/random. When this option is not set (default), the
+ *  device /dev/urandom is used, which should be at least as safe
+ *  as java.security.SecureRandom.
+ *
+ *  Reads to /dev/random might block until additional environmental
+ *  noise is gathered and this can cause problems (ie. Tomcat might
+ *  hang until such noise is generated).
+ *  USE WITH CAUTION!!!
+ */
+public void setBeParanoid( boolean p ) {
+beParanoid = p;
+}
+
+
+/** Use special device to generate random. This is new code,
+ *  but may reduce the big delay in generating the random.
  */
 public void setUseDevRandom( boolean u ) {
-   if( ! u ) return;
-   try {
-   randomIS= new DataInputStream( new
FileInputStream("/dev/random"));
-   randomIS.readLong();
-   log( "Opening /dev/random");
-   } catch( IOException ex ) {
-   randomIS=null;
-   }
+useDevRandom = u;
 }
 
 
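Review bot: setUseDevRandom() now only records the flag, but its javadoc does not say that the device is opened later in engineInit(), so a call made after engineInit() has run is silently ignored; state that in the comment, and also that setBeParanoid() has no effect unless useDevRandom is set. In the setBeParanoid() javadoc, "Reads to /dev/random" should be "Reads from /dev/random", and the statement that /dev/urandom "should be at least as safe as java.security.SecureRandom" is given without support; either add the reasoning or reduce the comment to what the option does.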
@@ -141,6 +151,23 @@
 /** Init session management stuff for this context. 
  */
 public void engineInit(ContextManager cm) throws TomcatException {
+if( useDevRandom ){
+String device="/dev/urandom";
+
+if( beParanoid )
+device="/dev/random";
+
+   try {
+   randomIS= new DataInputStream( new FileInputStream(
device ));
+   randomIS.readLong();
+   log( "Opening " + device );
+   } catch( IOException ex ) {
+   randomIS=null;
+   }
+}
+
+   /* The following code gets executed even if randomIS is null due
to
+   IOException above, so we are covered */
if( randomSource==null  randomIS==null ) {
String randomClass=(String)cm.getProperty("randomClass" );
if( randomClass==null ) {
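Review bot: In the new engineInit() block the catch clause sets randomIS=null and drops the IOException, so when the device is missing or unreadable nothing is logged and whoever enabled useDevRandom cannot tell that the fallback generator is in use; log the failure together with the device name. The FileInputStream is also never closed if readLong() throws after the open succeeded; keep a reference and close it in the catch. With beParanoid set, the probing readLong() reads from /dev/random during init, which by the patch's own javadoc can block, so startup itself can hang; say so in the comment or drop the probe read.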
@@ -261,7 +288,7 @@
if( devRandomIS!=null ) {
try {
n=devRandomIS.readLong();
-   System.out.println("Getting /dev/random " + n );
+System.out.println( "Getting from random device " + n
);
} catch( IOException ex ) {
ex.printStackTrace();
}
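
Review bot: The System.out.println in this try block still writes n, the long just read from the random device, to standard output; in SessionIdGenerator that value should not be printed, so rather than rewording the message, remove the line or log only that a read took place. The catch uses ex.printStackTrace() where the rest of the patch uses log(). The context here reads from devRandomIS while the stream opened in engineInit() is randomIS; please confirm both refer to the same stream.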

 Cut -

Bojan



Re: /dev/urandom patch

2001-04-18 Thread cmanolache

Hi Bojan,

It's the third ( no time ), I am deep into some charset bugs and jasper
and most developers are busy with various projects.

You may file a feature request on bugzilla, attach your patch - this way
it'll be recorded.

Or send a few more patches ( there are many open bugs, most of them are
easy to solve but require time to test and reproduce ), and you'll be
able to check in the patch yourself, as a committer :-)

Costin

On Wed, 18 Apr 2001, Bojan Smojver wrote:

 Don't know if the patch for this was missed (since it was buried into a
 long e-mail), you guys didn't like it or just didn't have time to
 implement. Anyway, I'm doing it clean in this e-mail. Thanks to Doug
 Barnes who explained the issues of random number generation...
 
 Here is the patch (I had to move some of the code to engineInit,
 hopefully without breaking too many things):
  Cut -
 
 
---jakarta-tomcat-3.3-build/src/share/org/apache/tomcat/modules/session/SessionIdGenerator.java
   
 Mon Apr 16 21:28:34 2001
 
+++jakarta-tomcat-3.3-src-cvs-debug/src/share/org/apache/tomcat/modules/session/SessionIdGenerator.java
   
 Mon Apr 16 21:40:20 2001
 @@ -96,6 +96,8 @@
  String randomClassName=null;
  Random randomSource=null;
  DataInputStream randomIS=null;
 +boolean beParanoid=false;
 +boolean useDevRandom=false;
  
  static Jdk11Compat jdk11Compat=Jdk11Compat.getJdkCompat();
  
 @@ -109,18 +111,26 @@
 randomSource=createRandomClass( randomClassName );
  }
  
 -/** Use /dev/random special device. This is new code, but may
 reduce the
 - *  big delay in generating the random
 +/** When using special device random generator, be paranoid and
 + *  use /dev/random. When this option is not set (default), the
 + *  device /dev/urandom is used, which should be at least as safe
 + *  as java.security.SecureRandom.
 + *
 + *  Reads to /dev/random might block until additional environmental
 + *  noise is gathered and this can cause problems (ie. Tomcat might
 + *  hang until such noise is generated).
 + *  USE WITH CAUTION!!!
 + */
 +public void setBeParanoid( boolean p ) {
 +beParanoid = p;
 +}
 +
 +
 +/** Use special device to generate random. This is new code,
 + *  but may reduce the big delay in generating the random.
   */
  public void setUseDevRandom( boolean u ) {
 -   if( ! u ) return;
 -   try {
 -   randomIS= new DataInputStream( new
 FileInputStream("/dev/random"));
 -   randomIS.readLong();
 -   log( "Opening /dev/random");
 -   } catch( IOException ex ) {
 -   randomIS=null;
 -   }
 +useDevRandom = u;
  }
  
  
 @@ -141,6 +151,23 @@
  /** Init session management stuff for this context. 
   */
  public void engineInit(ContextManager cm) throws TomcatException {
 +if( useDevRandom ){
 +String device="/dev/urandom";
 +
 +if( beParanoid )
 +device="/dev/random";
 +
 +   try {
 +   randomIS= new DataInputStream( new FileInputStream(
 device ));
 +   randomIS.readLong();
 +   log( "Opening " + device );
 +   } catch( IOException ex ) {
 +   randomIS=null;
 +   }
 +}
 +
 +   /* The following code gets executed even if randomIS is null due
 to
 +   IOException above, so we are covered */
 if( randomSource==null  randomIS==null ) {
 String randomClass=(String)cm.getProperty("randomClass" );
 if( randomClass==null ) {
 @@ -261,7 +288,7 @@
 if( devRandomIS!=null ) {
 try {
 n=devRandomIS.readLong();
 -   System.out.println("Getting /dev/random " + n );
 +System.out.println( "Getting from random device " + n
 );
 } catch( IOException ex ) {
 ex.printStackTrace();
 }
 
  Cut -
 
 Bojan
 




Re: /dev/urandom patch

2001-04-18 Thread Bojan Smojver

[EMAIL PROTECTED] wrote:

> You may file a feature request on bugzilla, attach your patch - this way
> it'll be recorded.

Done.

> Or send a few more patches ( there are many open bugs, most of them are
> easy to solve but require time to test and reproduce ), and you'll be
> able to check in the patch yourself, as a committer :-)

Huh, I have a bit of learning to do before that. Tomcat internals are
still a bit of a mystery to me.

Bojan