From 78db9bd17545186a6cb320f5846069d5ece7baba Mon Sep 17 00:00:00 2001
From: Matthias Sohn
Date: Fri, 11 May 2018 14:06:53 +0200
Subject: [PATCH] Use a secure random generator to seed nonce for digest authentication
https://tools.ietf.org/html/rfc7616 says:
5.12. Parameter Randomness
The security of this protocol is critically dependent on the randomness of the randomly chosen parameters, such as client and server nonces. These should be generated by a strong random or properly seeded pseudorandom source (see [RFC4086]).
Change-Id: I4da5316cb1eb3f59ae06c070ce1c3335e9ee87d6
Signed-off-by: Matthias Sohn
---
 .../src/org/eclipse/jgit/transport/HttpAuthMethod.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java
index de7a7dc1c7..56b202eab5 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java
@@ -51,6 +51,7 @@ import java.io.IOException;
 import java.net.URL;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -59,7 +60,6 @@ import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Map.Entry;
-import java.util.Random;
 
 import org.eclipse.jgit.transport.http.HttpConnection;
 import org.eclipse.jgit.util.Base64;
@@ -323,7 +323,7 @@ abstract class HttpAuthMethod {
 
 /** Performs HTTP digest authentication. */
 private static class Digest extends HttpAuthMethod {
- private static final Random PRNG = new Random();
+ private static final SecureRandom PRNG = new SecureRandom();
 
 private final Map params;
 
-- 
2.39.5
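Review bot: The reason the field must be a SecureRandom lives only in the commit message, so the new PRNG line is easy to regress to java.util.Random in a later cleanup; a one-line comment above it would pin the requirement, e.g. `// RFC 7616 §5.12: nonces must come from a strong random or properly seeded source`. Sharing one static instance across Digest objects is fine since SecureRandom is documented as safe for concurrent use, and the default constructor is the right choice here rather than SecureRandom.getInstanceStrong(), which can block on entropy at class-initialisation time. The body of Digest, where PRNG is actually drawn from to build the client nonce, lies outside the hunk, so the number of random bytes taken per nonce cannot be checked from this change and is worth confirming separately. The first two hunks are the matching import swap and need no further comment.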