Use a secure random generator to seed nonce for digest authentication

https://tools.ietf.org/html/rfc7616 says:

5.12.  Parameter Randomness

The security of this protocol is critically dependent on the
randomness of the randomly chosen parameters, such as client and
server nonces.  These should be generated by a strong random or
properly seeded pseudorandom source (see [RFC4086]).

Change-Id: I4da5316cb1eb3f59ae06c070ce1c3335e9ee87d6
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>

diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java
index de7a7dc1c7ecf5adb13e6c0a6b4199abdd83f400..56b202eab5ec67682016fb88771309d5034794d2 100644 (file)
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java
@@ -51,6 +51,7 @@ import java.io.IOException;
 import java.net.URL;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -59,7 +60,6 @@ import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Map.Entry;
-import java.util.Random;
 
 import org.eclipse.jgit.transport.http.HttpConnection;
 import org.eclipse.jgit.util.Base64;
@@ -323,7 +323,7 @@ abstract class HttpAuthMethod {
 
        /** Performs HTTP digest authentication. */
        private static class Digest extends HttpAuthMethod {
-               private static final Random PRNG = new Random();
+               private static final SecureRandom PRNG = new SecureRandom();
 
                private final Map<String, String> params;