RandomCookie problem ?
Xuelei Fan
xuelei.fan at oracle.com
Tue Dec 13 21:48:04 UTC 2016
On 12/13/2016 8:46 AM, Thomas Lußnig wrote:
> Hi,
>
> Even if the case is not active with the current time, is it a good idea
> to define a fixed value
> for the random generator under special conditions that are time-dependent?
>
The issue was fixed in JDK 9:
https://bugs.openjdk.java.net/browse/JDK-8046294
Thanks,
Xuelei
> Regards, Thomas
>
> ---
>
> package sun.security.ssl;
>
> RandomCookie(final SecureRandom sr) {
>     final long ts0 = System.currentTimeMillis() / 1000L;
>     int ts1;
>     if(ts0 < Integer.MAX_VALUE) { ts1 = (int)ts0 ; }
>     else *{ ts1 = Integer.MAX_VALUE; }*
>     this.random_bytes = new byte[32];
>     sr.nextBytes(this.random_bytes);
>     this.random_bytes[0] = (byte)(ts1 >> 24);
>     this.random_bytes[1] = (byte)(ts1 >> 16);
>     this.random_bytes[2] = (byte)(ts1 >> 8);
>     this.random_bytes[3] = (byte) ts1;
> }
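
The behaviour asked about above, as an added example that is not code from the JDK or from either poster: it runs the quoted clamping logic against three constructed clock values and prints the first four bytes of the resulting 32-byte random, next to a cookie with no timestamp at all. The class name `RandomCookieDemo`, the `nowMillis` parameter and `fullyRandomCookie` are assumptions made for this illustration.

```java
import java.security.SecureRandom;

public class RandomCookieDemo {
    // Same logic as the quoted constructor. The clock is passed in as a
    // parameter (an assumption of this demo) so later dates can be simulated.
    static byte[] timestampedCookie(SecureRandom sr, long nowMillis) {
        long ts0 = nowMillis / 1000L;
        int ts1 = (ts0 < Integer.MAX_VALUE) ? (int) ts0 : Integer.MAX_VALUE;
        byte[] b = new byte[32];
        sr.nextBytes(b);
        b[0] = (byte) (ts1 >> 24);
        b[1] = (byte) (ts1 >> 16);
        b[2] = (byte) (ts1 >> 8);
        b[3] = (byte) ts1;
        return b;
    }

    // Hypothetical alternative: no timestamp, all 32 bytes from SecureRandom.
    static byte[] fullyRandomCookie(SecureRandom sr) {
        byte[] b = new byte[32];
        sr.nextBytes(b);
        return b;
    }

    // First four bytes of the cookie as hex (the timestamp field, if any).
    static String prefixHex(byte[] b) {
        return String.format("%02x%02x%02x%02x", b[0], b[1], b[2], b[3]);
    }

    public static void main(String[] args) {
        SecureRandom sr = new SecureRandom();
        long[] constructedTimes = {            // constructed sample clock values
            1481665684000L,                    // 2016-12-13 21:48:04 UTC
            (long) Integer.MAX_VALUE * 1000L,  // 2038-01-19 03:14:07 UTC
            4102444800000L                     // 2100-01-01 00:00:00 UTC
        };
        for (long t : constructedTimes) {
            // Once the clock reaches Integer.MAX_VALUE seconds, the prefix is
            // always 7fffffff, so only 28 of the 32 bytes still vary.
            System.out.println(t + " ms -> prefix "
                    + prefixHex(timestampedCookie(sr, t)));
        }
        System.out.println("no timestamp -> prefix "
                + prefixHex(fullyRandomCookie(sr)));
    }
}
```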
More information about the security-dev mailing list