Use a secure random generator to seed nonce for digest authentication

https://tools.ietf.org/html/rfc7616 says:

5.12.  Parameter Randomness

The security of this protocol is critically dependent on the
randomness of the randomly chosen parameters, such as client and
server nonces.  These should be generated by a strong random or
properly seeded pseudorandom source (see [RFC4086]).

Change-Id: I4da5316cb1eb3f59ae06c070ce1c3335e9ee87d6
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
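The RFC passage quoted in the commit message is the reason for the change: a client nonce drawn from a predictable generator lets the nonce be guessed. The following is an added example, not code from JGit or from this commit, showing a cnonce built from SecureRandom as RFC 7616 section 5.12 asks, next to what happens when java.util.Random is seeded from a guessable value. The class name, the 16-byte nonce length and the timestamp used as the weak seed are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.Random;

/** Added example: building a digest-auth client nonce (cnonce) per RFC 7616 section 5.12. */
public class CnonceExample {
    // 16 random bytes -> 32 hex characters; assumed length, ample for a per-request nonce.
    private static final int NONCE_BYTES = 16;

    // One shared instance is fine: SecureRandom is documented as safe for concurrent use.
    private static final SecureRandom RNG = new SecureRandom();

    /** Lower-case hex encoding of a byte array. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** cnonce from a cryptographically strong source: unpredictable even if the time of the request is known. */
    static String secureCnonce() {
        byte[] buf = new byte[NONCE_BYTES];
        RNG.nextBytes(buf);
        return toHex(buf);
    }

    /**
     * cnonce from java.util.Random with an externally derived seed. The output is a pure function
     * of the seed: anyone who can guess the seed can reproduce the nonce exactly.
     */
    static String weakCnonce(long seed) {
        byte[] buf = new byte[NONCE_BYTES];
        new Random(seed).nextBytes(buf);
        return toHex(buf);
    }

    public static void main(String[] args) {
        long guessableSeed = 1526040413000L; // constructed value: a millisecond timestamp
        System.out.println("java.util.Random, seed " + guessableSeed + ": " + weakCnonce(guessableSeed));
        System.out.println("java.util.Random, same seed again:     " + weakCnonce(guessableSeed));
        System.out.println("SecureRandom:                          " + secureCnonce());
        System.out.println("SecureRandom again:                    " + secureCnonce());
    }
}
```

Running the example prints two identical lines for the seeded java.util.Random and two different lines for SecureRandom; the first pair is the failure mode the RFC warns about, the second is the property the commit restores.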
Matthias Sohn 2018-05-11 14:06:53 +02:00
parent 81fa158e7c
commit 78db9bd175
1 changed files with 2 additions and 2 deletions


@ -51,6 +51,7 @@
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
@ -59,7 +60,6 @@
import java.util.Locale;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Random;
import org.eclipse.jgit.transport.http.HttpConnection;
import org.eclipse.jgit.util.Base64;
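Review bot: Removing the java.util.Random import is only correct if the PRNG field replaced in the hunk below was the sole user of Random in this file; a leftover reference would fail to compile, but it is worth confirming so that the two hunks can be read as one self-contained change.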
@ -323,7 +323,7 @@ void configureRequest(final HttpConnection conn) throws IOException {
/** Performs HTTP digest authentication. */
private static class Digest extends HttpAuthMethod {
private static final Random PRNG = new Random();
private static final SecureRandom PRNG = new SecureRandom();
private final Map<String, String> params;
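Review bot: Keeping the no-argument `new SecureRandom()` rather than `SecureRandom.getInstanceStrong()` is the right call for a field initialised at class load, since the default provider does not block waiting for entropy on Linux while the strong instance may; a shared static final SecureRandom is also safe, as the class is documented as thread-safe. The field name PRNG still fits. What is not visible in this hunk is how the Digest class draws from PRNG when building the cnonce; confirm those call sites take enough output (for example nextBytes into a buffer or nextLong) so that the client nonce carries the entropy RFC 7616 section 5.12 asks for, since swapping the generator alone does not lengthen a short nonce.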