mirror of https://github.com/apache/lucene.git
SOLR-9068 / SOLR-5776: replace NullSecureRandom w/ NotSecurePsuedoRandom
This commit is contained in:
parent
a5586d29b2
commit
ac0e73a521
|
@ -44,8 +44,6 @@ import org.apache.solr.client.solrj.impl.HttpClientUtil;
|
|||
import org.apache.solr.client.solrj.impl.HttpClientUtil.SchemaRegistryProvider;
|
||||
import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
|
||||
|
||||
import org.apache.lucene.util.Constants;
|
||||
|
||||
import org.eclipse.jetty.util.resource.Resource;
|
||||
import org.eclipse.jetty.util.security.CertificateUtils;
|
||||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
|
@ -101,7 +99,7 @@ public class SSLTestConfig extends SSLConfig {
|
|||
assert isSSLMode();
|
||||
|
||||
SSLContextBuilder builder = SSLContexts.custom();
|
||||
builder.setSecureRandom(NullSecureRandom.INSTANCE);
|
||||
builder.setSecureRandom(NotSecurePsuedoRandom.INSTANCE);
|
||||
|
||||
// NOTE: KeyStore & TrustStore are swapped because they are from configured from server perspective...
|
||||
// we are a client - our keystore contains the keys the server trusts, and vice versa
|
||||
|
@ -130,7 +128,7 @@ public class SSLTestConfig extends SSLConfig {
|
|||
assert isSSLMode();
|
||||
|
||||
SSLContextBuilder builder = SSLContexts.custom();
|
||||
builder.setSecureRandom(NullSecureRandom.INSTANCE);
|
||||
builder.setSecureRandom(NotSecurePsuedoRandom.INSTANCE);
|
||||
|
||||
builder.loadKeyMaterial(buildKeyStore(getKeyStore(), getKeyStorePassword()), getKeyStorePassword().toCharArray());
|
||||
|
||||
|
@ -263,93 +261,53 @@ public class SSLTestConfig extends SSLConfig {
|
|||
}
|
||||
|
||||
/**
|
||||
* A mocked up instance of SecureRandom that always does the minimal amount of work to generate
|
||||
* "random" numbers. This is to prevent blocking issues that arise in platform default
|
||||
* A mocked up instance of SecureRandom that just uses {@link Random} under the covers.
|
||||
* This is to prevent blocking issues that arise in platform default
|
||||
* SecureRandom instances due to too many instances / not enough random entropy.
|
||||
* Tests do not need secure SSL.
|
||||
*/
|
||||
private static class NullSecureRandom extends SecureRandom {
|
||||
|
||||
/**
|
||||
* The one and only instance that should be used, specific impl may vary based on platform
|
||||
* @see Constants#SUN_OS
|
||||
* @see <a href="https://issues.apache.org/jira/browse/SOLR-9068">SOLR-9068</a>
|
||||
*/
|
||||
public static final SecureRandom INSTANCE = Constants.SUN_OS
|
||||
? new NullSecureRandom(NullSecureRandomSpi.PSUEDO_RAND_INSTANCE)
|
||||
: new NullSecureRandom(NullSecureRandomSpi.NULL_INSTANCE);
|
||||
|
||||
/** A source of psuedo random data if needed */
|
||||
private static class NotSecurePsuedoRandom extends SecureRandom {
|
||||
public static final SecureRandom INSTANCE = new NotSecurePsuedoRandom();
|
||||
private static final Random RAND = new Random(42);
|
||||
|
||||
/** SPI base class for all NullSecureRandom instances */
|
||||
private static class NullSecureRandomSpi extends SecureRandomSpi {
|
||||
private NullSecureRandomSpi() {
|
||||
/* NOOP */
|
||||
}
|
||||
/**
|
||||
* Helper method that can be used to fill an array with non-zero data.
|
||||
* Default impl is No-Op
|
||||
*/
|
||||
public byte[] fillData(byte[] data) {
|
||||
return data; /* NOOP */
|
||||
}
|
||||
/**
|
||||
* Helper method that can be used to fill an array with non-zero data.
|
||||
* (Attempted workarround of Solaris SSL Padding bug: SOLR-9068)
|
||||
*/
|
||||
private static final byte[] fillData(byte[] data) {
|
||||
RAND.nextBytes(data);
|
||||
return data;
|
||||
}
|
||||
|
||||
/** SPI Used to init all instances */
|
||||
private static final SecureRandomSpi NOT_SECURE_SPI = new SecureRandomSpi() {
|
||||
/** returns a new byte[] filled with static data */
|
||||
@Override
|
||||
public byte[] engineGenerateSeed(int numBytes) {
|
||||
return fillData(new byte[numBytes]);
|
||||
}
|
||||
/** fills the byte[] with static data */
|
||||
@Override
|
||||
public void engineNextBytes(byte[] bytes) {
|
||||
fillData(bytes);
|
||||
}
|
||||
/** NOOP */
|
||||
@Override
|
||||
public void engineSetSeed(byte[] seed) { /* NOOP */ }
|
||||
|
||||
/** Instance to use on platforms w/SSLEngines that work fine when SecureRandom returns constant bytes */
|
||||
public static final NullSecureRandomSpi NULL_INSTANCE = new NullSecureRandomSpi();
|
||||
|
||||
/**
|
||||
* Instance to use on platforms that need at least psuedo-random data for the SSLEngine to not break
|
||||
* (Attempted workarround of Solaris SSL Padding bug: SOLR-9068)
|
||||
*/
|
||||
public static final NullSecureRandomSpi PSUEDO_RAND_INSTANCE = new NullSecureRandomSpi() {
|
||||
/**
|
||||
* Fill with Psuedo-Random data.
|
||||
* (Attempted workarround of Solaris SSL Padding bug: SOLR-9068)
|
||||
*/
|
||||
@Override
|
||||
public byte[] fillData(byte[] data) {
|
||||
RAND.nextBytes(data);
|
||||
return data;
|
||||
}
|
||||
};
|
||||
};
|
||||
|
||||
private NotSecurePsuedoRandom() {
|
||||
super(NOT_SECURE_SPI, null) ;
|
||||
}
|
||||
|
||||
private NullSecureRandom(NullSecureRandomSpi spi) {
|
||||
super(spi, null);
|
||||
this.spi = spi;
|
||||
}
|
||||
|
||||
private NullSecureRandomSpi spi;
|
||||
|
||||
/** fills a new byte[] with data from SPI */
|
||||
@Override
|
||||
/** returns a new byte[] filled with static data */
|
||||
public byte[] generateSeed(int numBytes) {
|
||||
return spi.fillData(new byte[numBytes]);
|
||||
return fillData(new byte[numBytes]);
|
||||
}
|
||||
/** fills the byte[] with data from SPI */
|
||||
@Override
|
||||
/** fills the byte[] with static data */
|
||||
synchronized public void nextBytes(byte[] bytes) {
|
||||
spi.fillData(bytes);
|
||||
fillData(bytes);
|
||||
}
|
||||
/** NOOP */
|
||||
@Override
|
||||
synchronized public void setSeed(byte[] seed) { /* NOOP */ }
|
||||
/** NOOP */
|
||||
@Override
|
||||
synchronized public void setSeed(long seed) { /* NOOP */ }
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue