1berry/openjdk
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

8349550: Improve SASL random usage

Browse Source 
Reviewed-by: mullan
This commit is contained in:
Koushik Thirupattur 2025-06-12 19:31:15 +00:00 committed by Sean Mullan
parent 99829950f6
commit db7af2b3c3
3 changed files with 17 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/java.base/share/classes/module-info.java
View File

@ -318,6 +318,7 @@ module java.base {
exports sun.security.internal.spec to exports sun.security.internal.spec to
jdk.crypto.cryptoki; jdk.crypto.cryptoki;
exports sun.security.jca to exports sun.security.jca to
java.security.sasl,
java.smartcardio, java.smartcardio,
jdk.crypto.cryptoki, jdk.crypto.cryptoki,
jdk.naming.dns; jdk.naming.dns;

13
src/java.security.sasl/share/classes/com/sun/security/sasl/CramMD5Server.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -25,11 +25,13 @@
package com.sun.security.sasl; package com.sun.security.sasl;
import sun.security.jca.JCAUtil;
import java.io.IOException; import java.io.IOException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.Map; import java.util.Map;
import java.util.Random;
import javax.security.sasl.*; import javax.security.sasl.*;
import javax.security.auth.callback.*; import javax.security.auth.callback.*;
@ -52,6 +54,10 @@ import static java.nio.charset.StandardCharsets.UTF_8;
* @author Rosanna Lee * @author Rosanna Lee
*/ */
final class CramMD5Server extends CramMD5Base implements SaslServer { final class CramMD5Server extends CramMD5Base implements SaslServer {
/* SecureRandom instance to generate random digits used in challenge */
private static final SecureRandom SECURE_RANDOM = JCAUtil.getDefSecureRandom();
private String fqdn; private String fqdn;
private byte[] challengeData = null; private byte[] challengeData = null;
private String authzid; private String authzid;
@ -113,8 +119,7 @@ final class CramMD5Server extends CramMD5Base implements SaslServer {
} }
// Generate challenge {random, timestamp, fqdn} // Generate challenge {random, timestamp, fqdn}
Random random = new Random(); long rand = SECURE_RANDOM.nextLong();
long rand = random.nextLong();
long timestamp = System.currentTimeMillis(); long timestamp = System.currentTimeMillis();
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();

13
src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Base.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -33,10 +33,10 @@ import java.util.Map;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.Random;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException; import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.spec.KeySpec; import java.security.spec.KeySpec;
import java.security.spec.InvalidKeySpecException; import java.security.spec.InvalidKeySpecException;
import java.security.InvalidAlgorithmParameterException; import java.security.InvalidAlgorithmParameterException;
@ -59,6 +59,7 @@ import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.*; import javax.security.sasl.*;
import com.sun.security.sasl.util.AbstractSaslImpl; import com.sun.security.sasl.util.AbstractSaslImpl;
import sun.security.jca.JCAUtil;
/** /**
* Utility class for DIGEST-MD5 mechanism. Provides utility methods * Utility class for DIGEST-MD5 mechanism. Provides utility methods
@ -132,6 +133,9 @@ abstract class DigestMD5Base extends AbstractSaslImpl {
protected static final byte[] EMPTY_BYTE_ARRAY = new byte[0]; protected static final byte[] EMPTY_BYTE_ARRAY = new byte[0];
/* SecureRandom instance to generate nonce */
private static final SecureRandom SECURE_RANDOM = JCAUtil.getDefSecureRandom();
/* ------------------- Variable Fields ----------------------- */ /* ------------------- Variable Fields ----------------------- */
/* Used to track progress of authentication; step numbers from RFC 2831 */ /* Used to track progress of authentication; step numbers from RFC 2831 */
@ -269,7 +273,6 @@ abstract class DigestMD5Base extends AbstractSaslImpl {
* is slightly faster and a more compact representation of the same info. * is slightly faster and a more compact representation of the same info.
* @return A non-null byte array containing the nonce value for the * @return A non-null byte array containing the nonce value for the
* digest challenge or response. * digest challenge or response.
* Could use SecureRandom to be more secure but it is very slow.
*/ */
/** This array maps the characters to their 6 bit values */ /** This array maps the characters to their 6 bit values */
@ -293,10 +296,8 @@ abstract class DigestMD5Base extends AbstractSaslImpl {
protected static final byte[] generateNonce() { protected static final byte[] generateNonce() {
// SecureRandom random = new SecureRandom();
Random random = new Random();
byte[] randomData = new byte[RAW_NONCE_SIZE]; byte[] randomData = new byte[RAW_NONCE_SIZE];
random.nextBytes(randomData); SECURE_RANDOM.nextBytes(randomData);
byte[] nonce = new byte[ENCODED_NONCE_SIZE]; byte[] nonce = new byte[ENCODED_NONCE_SIZE];