From 88ec429b9c8adf09fb1bec3af554de6e9a7f8a3a Mon Sep 17 00:00:00 2001
From: gregw
Date: Fri, 17 Jul 2020 13:02:46 +0200
Subject: [PATCH] Issue #5053 removed weak random from digest.
---
 .../jetty/client/util/DigestAuthentication.java | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java b/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java
index 53b9bcd4d897..40a05a89bcd2 100644
--- a/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java
@@ -26,6 +26,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Random;
 import java.util.concurrent.atomic.AtomicInteger;

@@ -67,11 +68,12 @@ public DigestAuthentication(URI uri, String realm, String user, String password)
 * @param realm the realm to match for the authentication
 * @param user the user that wants to authenticate
 * @param password the password of the user
- * @param random the Random generator to use for nonces, or null for a weak algorithm.
+ * @param random the Random generator to use for nonces.
 */
 public DigestAuthentication(URI uri, String realm, String user, String password, Random random)
 {
 super(uri, realm);
+ Objects.requireNonNull(random);
 this.random = random;
 this.user = user;
 this.password = password;
@@ -231,15 +233,9 @@ private String nextNonceCount()

 private String newClientNonce()
 {
- if (random != null)
- {
- byte[] bytes = new byte[8];
- random.nextBytes(bytes);
- return toHexString(bytes);
- }
-
- long pseudoRandom = System.nanoTime() ^ System.identityHashCode(new Object());
- return Long.toHexString(pseudoRandom);
+ byte[] bytes = new byte[8];
+ random.nextBytes(bytes);
+ return toHexString(bytes);
 }

 private String toHexString(byte[] bytes)
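Review bot: The new `Objects.requireNonNull(random)` in the five-argument constructor rejects only null, while the parameter is still typed `java.util.Random`, so a caller can pass a plain `new Random()` and the client nonce stays predictable; the reworded Javadoc no longer hints at which generator is expected. I would state it in the doc, e.g. `@param random the Random generator to use for nonces; should be a java.security.SecureRandom and must not be null`, and add `@throws NullPointerException if random is null`. The check also reads better folded into the assignment with a name for the failure message: `this.random = Objects.requireNonNull(random, "random");`. The four-argument constructor named in the hunk header has its body outside this patch, so it is worth confirming that it supplies a generator rather than null, since it would now throw. The constructor's Javadoc begins above the hunk.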