Fix Predictable pseudorandom number generator security issue

2025-09-16 23:42:15 +00:00 · 2017-01-17 16:07:02 +05:30 · 2017-01-17 16:07:02 +05:30 · 5dbcbbe43a
commit 5dbcbbe43a
parent 8353954b16
2 changed files with 28 additions and 25 deletions
--- a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java
+++ b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java
@ -36,6 +36,8 @@ import java.net.ServerSocket;
 import java.net.SocketException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.HashMap;
@ -173,27 +175,26 @@ public class TransportUtils {
 	 */
 	public static synchronized int getAvailablePort(int randomAttempts) {
 		ArrayList<Integer> failedPorts = new ArrayList<Integer>(randomAttempts);
-
-		Random randomNum = new Random();
-		int randomPort = MAX_PORT_NUMBER;
-
-		while (randomAttempts > 0) {
-			randomPort = randomNum.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
-
-			if (checkIfPortAvailable(randomPort)) {
-				return randomPort;
+		try {
+			SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+			int randomPort = MAX_PORT_NUMBER;
+			while (randomAttempts > 0) {
+				randomPort = secureRandom.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
+				if (checkIfPortAvailable(randomPort)) {
+					return randomPort;
+				}
+				failedPorts.add(randomPort);
+				randomAttempts--;
 			}
-			failedPorts.add(randomPort);
-			randomAttempts--;
-		}
-
-		randomPort = MAX_PORT_NUMBER;
-
-		while (true) {
-			if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
-				return randomPort;
+			randomPort = MAX_PORT_NUMBER;
+			while (true) {
+				if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
+					return randomPort;
+				}
+				randomPort--;
 			}
-			randomPort--;
+		} catch (NoSuchAlgorithmException e) {
+			throw new RuntimeException("SHA1PRNG algorithm could not be found.");
 		}
 	}

--- a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java
+++ b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java
@ -33,6 +33,8 @@ import javax.sound.sampled.Clip;
 import javax.swing.*;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;

 /**
 * This class use to emulate virtual hardware functionality
@ -174,19 +176,19 @@ public class VirtualHardwareManager {
    }

    private int getRandom(int max, int min, int current, boolean isSmoothed, int svf) {
-
        if (isSmoothed) {
            int offset = (max - min) * svf / 100;
            double mx = current + offset;
            max = (mx > max) ? max : (int) Math.round(mx);
-
            double mn = current - offset;
            min = (mn < min) ? min : (int) Math.round(mn);
        }
-
-        double rnd = Math.random() * (max - min) + min;
-        return (int) Math.round(rnd);
-
+        try {
+            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+            return secureRandom.nextInt(max - min) + min;
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("SHA1PRNG algorithm could not be found.");
+        }
    }

    private void setAudioSequencer() {