Issue #5053

removed weak random from digest.
jetty · Jul 17, 2020 · 88ec429 · 88ec429
1 parent f6d3984
commit 88ec429
Showing 1 changed file with 6 additions and 10 deletions.
diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java b/jetty-client/src/main/java/org/eclipse/jetty/client/util/DigestAuthentication.java
@@ -26,6 +26,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Random;
 import java.util.concurrent.atomic.AtomicInteger;
 
@@ -67,11 +68,12 @@ public DigestAuthentication(URI uri, String realm, String user, String password)
      * @param realm the realm to match for the authentication
      * @param user the user that wants to authenticate
      * @param password the password of the user
-     * @param random the Random generator to use for nonces, or null for a weak algorithm.
+     * @param random the Random generator to use for nonces.
      */
     public DigestAuthentication(URI uri, String realm, String user, String password, Random random)
     {
         super(uri, realm);
+        Objects.requireNonNull(random);
         this.random = random;
         this.user = user;
         this.password = password;
@@ -231,15 +233,9 @@ private String nextNonceCount()
 
         private String newClientNonce()
         {
-            if (random != null)
-            {
-                byte[] bytes = new byte[8];
-                random.nextBytes(bytes);
-                return toHexString(bytes);
-            }
-
-            long pseudoRandom = System.nanoTime() ^ System.identityHashCode(new Object());
-            return Long.toHexString(pseudoRandom);
+            byte[] bytes = new byte[8];
+            random.nextBytes(bytes);
+            return toHexString(bytes);
         }
 
         private String toHexString(byte[] bytes)