authorFlorian Zschocke <florian.zschocke@devolo.de>2016-12-10 01:00:27 +0100
committerFlorian Zschocke <florian.zschocke@devolo.de>2016-12-12 14:25:41 +0100
commit2be2c2c95c9a3747fd200e3ea3623607053d5299 (patch)
treeb3e2e6ee26565a351933c91bb8f31a752a3980fc /src/main/java/com/gitblit/models/UserModel.java
parenta1fc7e7228d7b8de05bc2cf074f112af757401d0 (diff)
Introduce SecureRandom wrapper for properly seeded static instances
Introduce our own wrapper `SecureRandom` around `java.security.SecureRandom`. This a) makes sure that the PRNG is seeded on creation and not when random bytes are first retrieved, and b) uses a static instance in the `UserModel` so that lags do not occur during operation due to seeding potentially blocking on Unix while reading from the system's entropy pool. To keep the random data secure, the static instance reseeds every 24 hours, which is also a function of the wrapper class. This fixes #1063 and extends and closes PR #1116
Diffstat (limited to 'src/main/java/com/gitblit/models/UserModel.java')
-rw-r--r--src/main/java/com/gitblit/models/UserModel.java10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/main/java/com/gitblit/models/UserModel.java b/src/main/java/com/gitblit/models/UserModel.java
index edbdf028..f8f7ed6d 100644
--- a/src/main/java/com/gitblit/models/UserModel.java
+++ b/src/main/java/com/gitblit/models/UserModel.java
@@ -37,6 +37,7 @@ import com.gitblit.Constants.PermissionType;
import com.gitblit.Constants.RegistrantType;
import com.gitblit.utils.ArrayUtils;
import com.gitblit.utils.ModelUtils;
+import com.gitblit.utils.SecureRandom;
import com.gitblit.utils.StringUtils;
/**
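Review bot: The new `import com.gitblit.utils.SecureRandom;` introduces a type whose simple name collides with `java.security.SecureRandom`, which the removed `new SecureRandom()` in `createCookie` must have resolved to, and the diffstat (5 insertions, 5 deletions, all visible in these hunks) shows no import being removed. If the file still carries a single-type `import java.security.SecureRandom;` above this hunk, the two imports will not compile together; if it is a wildcard `java.security.*` import, the new single-type import silently shadows it. Either way the surviving import should be removed, or the intent made explicit with a comment on the new line such as `// gitblit wrapper, intentionally shadows java.security.SecureRandom (seeded eagerly, reseeds periodically)`.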
@@ -53,6 +54,8 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
public static final UserModel ANONYMOUS = new UserModel();
+ private static final SecureRandom RANDOM = new SecureRandom();
+
// field names are reflectively mapped in EditUser page
public String username;
public String password;
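Review bot: The new `RANDOM` field has no comment, and its being a class-wide shared instance is the whole point of the change, so that should be stated where the next maintainer will look. A comment along the lines of `// Shared by all UserModel instances so the (possibly blocking) seeding happens once at class load; the wrapper reseeds periodically. Static, so it is not part of the Serializable state.` would capture the contract described in the commit message. Since every caller of `createCookie` goes through this one object, the wrapper's `randomBytes` and its reseeding must be safe under concurrent use; that cannot be verified from this file and is worth confirming against `com.gitblit.utils.SecureRandom`.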
@@ -661,11 +664,8 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
String projectPath = StringUtils.getFirstPathElement(repository);
return !StringUtils.isEmpty(projectPath) && projectPath.equalsIgnoreCase(getPersonalPath());
}
-
+
public String createCookie() {
- SecureRandom random = new SecureRandom();
- byte[] values = new byte[20];
- random.nextBytes(values);
- return StringUtils.getSHA1(String.valueOf(values));
+ return StringUtils.getSHA1(RANDOM.randomBytes(32));
}
}
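Review bot: `createCookie` still has no Javadoc, and the compact new body hides two security-relevant facts a reader should not have to reconstruct: the token's entropy source and why SHA-1 appears in a method that generates session cookies. I would add `/** Returns a fresh, unpredictable cookie token: 32 bytes from the shared SecureRandom, digested with SHA-1 to obtain a fixed-width hex string. SHA-1 serves only as an encoding of the random bytes here, not for collision resistance; its 160-bit output is the effective size of the token. */`. The call `StringUtils.getSHA1(RANDOM.randomBytes(32))` presumably relies on `getSHA1` accepting a `byte[]` (or on `randomBytes` returning a `String`); neither signature is visible in this diff, so that overload should be confirmed, since a `String`-only `getSHA1` would reintroduce the same array-to-string mistake the commit removes. The method `isPersonalRepository`-style body ending at line 40 starts outside this hunk.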