Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6366924

REGRESSION: securerandom.source and/or java.security.egd dont work in 1.5.0_05

    Details

      Description

      FULL PRODUCT VERSION :
      java version "1.5.0_05"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_05-b05)
      Java HotSpot(TM) Client VM (build 1.5.0_05-b05, mixed mode)


      ADDITIONAL OS VERSION INFORMATION :
      Linux localhost 2.4.21-4.EL #1 Fri Oct 3 18:13:58 EDT 2003 i686 i686 i386 GNU/Linux

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      default installation

      A DESCRIPTION OF THE PROBLEM :
      In previous JDK versions 1.4.x the effect of specifying

      securerandom.source=file:/dev/urandom
      or the system property -Djava.security.egd=file:/dev/urandom

      would allow a Linux system with low entropy to run code that makes use of java.security.SecureRandom#generateSeed() calls to generate properly seeded instances of SecureRandom. This is no longer the case in J2SE 5.0. It appears that the internals always use /dev/random in addition or instead of the specified /dev/urandom. As a result applications that depend on this functionality appear to hang indefinitely during low mouse/keyboard activity times.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Execute the following code snippet in JDK 1.4.2 and JDK 1.5.0 with the command line option: -Djava.security.egd=file:/dev/urandom


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Process runs counting to 1000 and exits.
      ACTUAL -
      Process runs to completion very fast in JDK 1.4.2 running on Linux.

      Process hangs when ran on JDK 1.5.0 and will slowly produce more output as keyboard and/or mouse activity produces entropy. Much like what happens on 1.4.2 with /dev/random.



      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      None, process hung waiting for entropy from /dev/random

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------

      import java.security.SecureRandom;

      public class Test {
        public static void main(String args[]) throws Exception {
          SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
          for (int i=0; i < 1000; i++) {
            rnd.generateSeed(256);
            System.out.println("Got " + i);
          }
        }
      }


      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      In Linux execute the following as root:

      mv /dev/random /dev/random.real
      ln -s /dev/urandom /dev/random

      Release Regression From : 1.4.2
      The above release value was the last known release where this
      bug was known to work. Since then there has been a regression.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                andreas Andreas Sterbenz
                Reporter:
                ndcosta Nelson Dcosta (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: