From b06d86f87a237931295aa8374d035deabc68461f Mon Sep 17 00:00:00 2001
From: warunalakshitha
Date: Tue, 17 Jan 2017 16:07:02 +0530
Subject: [PATCH] Fix Predictable pseudorandom number generator security issue
---
.../advanced/transport/TransportUtils.java | 39 ++++++++++---------
.../virtual/VirtualHardwareManager.java | 11 ++++--
.../agent/transport/TransportUtils.java | 39 ++++++++++---------
.../agent/virtual/VirtualHardwareManager.java | 14 ++++---
4 files changed, 56 insertions(+), 47 deletions(-)
diff --git a/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/transport/TransportUtils.java b/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/transport/TransportUtils.java
index 5045e4313..4fb1c5adb 100644
--- a/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/transport/TransportUtils.java
+++ b/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/transport/TransportUtils.java
@@ -34,6 +34,8 @@ import java.net.ServerSocket;
 import java.net.SocketException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -172,27 +174,26 @@ public class TransportUtils {
 */
 public static synchronized int getAvailablePort(int randomAttempts) {
 ArrayList failedPorts = new ArrayList(randomAttempts);
-
- Random randomNum = new Random();
- int randomPort = MAX_PORT_NUMBER;
-
- while (randomAttempts > 0) {
- randomPort = randomNum.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
-
- if (checkIfPortAvailable(randomPort)) {
- return randomPort;
+ try {
+ SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+ int randomPort = MAX_PORT_NUMBER;
+ while (randomAttempts > 0) {
+ randomPort = secureRandom.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
+ if (checkIfPortAvailable(randomPort)) {
+ return randomPort;
+ }
+ failedPorts.add(randomPort);
+ randomAttempts--;
 }
- failedPorts.add(randomPort);
- randomAttempts--;
- }
-
- randomPort = MAX_PORT_NUMBER;
-
- while (true) {
- if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
- return randomPort;
+ randomPort = MAX_PORT_NUMBER;
+ while (true) {
+ if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
+ return randomPort;
+ }
+ randomPort--;
 }
- randomPort--;
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException("SHA1PRNG algorithm could not be found.");
 }
 }
diff --git a/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/virtual/VirtualHardwareManager.java b/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/virtual/VirtualHardwareManager.java
index 59a13bb87..1a676ed82 100644
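Review bot: The new catch block at the end of getAvailablePort discards the cause — `throw new RuntimeException("SHA1PRNG algorithm could not be found.", e);` keeps the provider failure in the stack trace instead of hiding it. Pinning the provider-specific `"SHA1PRNG"` name also ties the method to a legacy algorithm that not every JCA provider offers; `new SecureRandom()` selects the platform default, throws no checked exception, and would let the try/catch wrapping the whole method body disappear. A fresh SecureRandom is also created on every call, so holding one in a `private static final SecureRandom` field would avoid repeated seeding. The same three points apply to the identical hunk for the agent.impl TransportUtils (@@ -173,27 +175,26 @@).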
--- a/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/virtual/VirtualHardwareManager.java
+++ b/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/virtual/VirtualHardwareManager.java
@@ -33,6 +33,8 @@ import javax.sound.sampled.Clip;
 import javax.swing.*;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 /**
 * This class use to emulate virtual hardware functionality
@@ -188,9 +190,12 @@ public class VirtualHardwareManager {
 double mn = current - offset;
 min = (mn < min) ? min : (int) Math.round(mn);
 }
-
- double rnd = Math.random() * (max - min) + min;
- return (int) Math.round(rnd);
+ try {
+ SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+ return secureRandom.nextInt(max - min) + min;
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException("SHA1PRNG algorithm could not be found.");
+ }
 }
diff --git a/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java b/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java
index 11ebc04bf..b55aee02d 100644
--- a/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java
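Review bot: `secureRandom.nextInt(max - min)` in the getRandom hunk (@@ -188,9 +190,12 @@) throws IllegalArgumentException when `max - min` is not positive, a case the removed `Math.random() * (max - min) + min` tolerated; after the smoothing branch just above, `max` and `min` can coincide (when the integer `offset` is 0 and `current` lies inside the range) or invert (when `current` lies outside it), so the rewrite turns an edge case into a runtime failure. A guard before the try block, `if (max <= min) { return min; }`, restores the old result for that case, and `nextInt(max - min + 1)` would keep `max` reachable as the rounded value previously was. The catch also discards the cause — `throw new RuntimeException("SHA1PRNG algorithm could not be found.", e);` — and a SecureRandom is created on every call, whereas `new SecureRandom()` held in a static field needs no checked exception at all. getRandom begins before this hunk, so the smoothing arithmetic is only partly visible here. The same points apply to the agent.impl VirtualHardwareManager hunk (@@ -174,19 +176,19 @@), where the full method is shown.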
+++ b/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java
@@ -36,6 +36,8 @@ import java.net.ServerSocket;
 import java.net.SocketException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -173,27 +175,26 @@ public class TransportUtils {
 */
 public static synchronized int getAvailablePort(int randomAttempts) {
 ArrayList failedPorts = new ArrayList(randomAttempts);
-
- Random randomNum = new Random();
- int randomPort = MAX_PORT_NUMBER;
-
- while (randomAttempts > 0) {
- randomPort = randomNum.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
-
- if (checkIfPortAvailable(randomPort)) {
- return randomPort;
+ try {
+ SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+ int randomPort = MAX_PORT_NUMBER;
+ while (randomAttempts > 0) {
+ randomPort = secureRandom.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
+ if (checkIfPortAvailable(randomPort)) {
+ return randomPort;
+ }
+ failedPorts.add(randomPort);
+ randomAttempts--;
 }
- failedPorts.add(randomPort);
- randomAttempts--;
- }
-
- randomPort = MAX_PORT_NUMBER;
-
- while (true) {
- if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
- return randomPort;
+ randomPort = MAX_PORT_NUMBER;
+ while (true) {
+ if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
+ return randomPort;
+ }
+ randomPort--;
 }
- randomPort--;
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException("SHA1PRNG algorithm could not be found.");
 }
 }
diff --git a/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java b/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java
index 3b777cf75..61135c58a 100644
--- a/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java
+++ b/components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java
@@ -33,6 +33,8 @@ import javax.sound.sampled.Clip;
 import javax.swing.*;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 /**
 * This class use to emulate virtual hardware functionality
@@ -174,19 +176,19 @@ public class VirtualHardwareManager {
 }
 private int getRandom(int max, int min, int current, boolean isSmoothed, int svf) {
-
 if (isSmoothed) {
 int offset = (max - min) * svf / 100;
 double mx = current + offset;
 max = (mx > max) ? max : (int) Math.round(mx);
-
 double mn = current - offset;
 min = (mn < min) ? min : (int) Math.round(mn);
 }
-
- double rnd = Math.random() * (max - min) + min;
- return (int) Math.round(rnd);
-
+ try {
+ SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+ return secureRandom.nextInt(max - min) + min;
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException("SHA1PRNG algorithm could not be found.");
+ }
 }
 private void setAudioSequencer() {