s...

jleroux Fri, 29 Apr 2016 11:55:40 -0700

Author: jleroux
Date: Fri Apr 29 18:54:49 2016
New Revision: 1741684

URL: http://svn.apache.org/viewvc?rev=1741684&view=rev
Log:
Changes for "Use SecureRandom instead of Random where appropriate, and 
randomUUID for externalKey" - https://issues.apache.org/jira/browse/OFBIZ-7028


Because using SecureRandom comes with a cost, I have identified the places 
where it's reasonable to keep the non secured Random (like tests, internal 
sequences, etc.).
Ant to use UUID.randomUUID to generate the external link id

Also, though there are no real proven vulnerabilities, I decided to backport as 
much as possible since it's now public.

Modified:
    
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java
    
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java
    
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java
    ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java
    ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
    
ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/cas/OFBizCasAuthenticationHandler.java

Modified: 
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java?rev=1741684&r1=1741683&r2=1741684&view=diff
==============================================================================
--- 
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java
 (original)
+++ 
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java
 Fri Apr 29 18:54:49 2016
@@ -19,6 +19,7 @@
 package org.ofbiz.accounting.payment;
 
 import java.math.BigDecimal;
+import java.security.SecureRandom;
 import java.sql.Timestamp;
 import java.util.HashMap;
 import java.util.List;
@@ -1443,7 +1444,7 @@ public class GiftCertificateServices {
             length = 19;
         }
 
-        Random rand = new Random();
+        Random rand = new SecureRandom();
         boolean isValid = false;
         StringBuilder number = null;
         while (!isValid) {

Modified: 
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java?rev=1741684&r1=1741683&r2=1741684&view=diff
==============================================================================
--- 
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java
 (original)
+++ 
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java
 Fri Apr 29 18:54:49 2016
@@ -158,7 +158,7 @@ public class IdealEvents {
             transaction.setDescription(orderDescription);
 
             String returnURL = merchantReturnURL + "?orderId=" + orderId;
-            Random random = new Random();
+            Random random = new SecureRandom();
             String EntranceCode = Long.toString(Math.abs(random.nextLong()), 
36);
             transaction.setEntranceCode(EntranceCode);
             transaction.setMerchantReturnURL(returnURL);

Modified: 
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java?rev=1741684&r1=1741683&r2=1741684&view=diff
==============================================================================
--- 
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java
 (original)
+++ 
ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java
 Fri Apr 29 18:54:49 2016
@@ -29,6 +29,7 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.spec.InvalidKeySpecException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -579,7 +580,7 @@ public class ValueLinkApi {
 
         // 8 bytes random data
         byte[] random = new byte[8];
-        Random ran = new Random();
+        Random ran = new SecureRandom();
         ran.nextBytes(random);
 
 
@@ -825,7 +826,7 @@ public class ValueLinkApi {
     }
 
     protected byte[] getRandomBytes(int length) {
-        Random rand = new Random();
+        Random rand = new SecureRandom();
         byte[] randomBytes = new byte[length];
         rand.nextBytes(randomBytes);
         return randomBytes;

Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java?rev=1741684&r1=1741683&r2=1741684&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java 
(original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java Fri Apr 
29 18:54:49 2016
@@ -23,7 +23,7 @@ import static org.ofbiz.base.util.UtilIO
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.util.Random;
+import java.security.SecureRandom;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
@@ -124,7 +124,7 @@ public class HashCrypt {
             hashType = "SHA";
         }
         if (salt == null) {
-            salt = RandomStringUtils.random(new Random().nextInt(15) + 1, 
CRYPT_CHAR_SET);
+            salt = RandomStringUtils.random(new SecureRandom().nextInt(15) + 
1, CRYPT_CHAR_SET);
         }
         StringBuilder sb = new StringBuilder();
         sb.append("$").append(hashType).append("$").append(salt).append("$");

Modified: 
ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java?rev=1741684&r1=1741683&r2=1741684&view=diff
==============================================================================
--- ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java 
(original)
+++ ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java 
Fri Apr 29 18:54:49 2016
@@ -19,20 +19,20 @@
 package org.ofbiz.entity.util;
 
 import java.io.IOException;
+import java.security.Key;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Random;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 
-import java.security.Key;
-
 import org.apache.commons.codec.binary.Base64;
 import org.apache.shiro.crypto.AesCipherService;
 import org.apache.shiro.crypto.OperationMode;
+import org.apache.shiro.crypto.hash.DefaultHashService;
 import org.apache.shiro.crypto.hash.HashRequest;
 import org.apache.shiro.crypto.hash.HashService;
-import org.apache.shiro.crypto.hash.DefaultHashService;
 import org.ofbiz.base.crypto.DesCrypt;
 import org.ofbiz.base.crypto.HashCrypt;
 import org.ofbiz.base.util.Debug;
@@ -44,8 +44,8 @@ import org.ofbiz.entity.Delegator;
 import org.ofbiz.entity.EntityCryptoException;
 import org.ofbiz.entity.GenericEntityException;
 import org.ofbiz.entity.GenericValue;
-import org.ofbiz.entity.transaction.TransactionUtil;
 import org.ofbiz.entity.model.ModelField.EncryptMethod;
+import org.ofbiz.entity.transaction.TransactionUtil;
 
 public final class EntityCrypto {
 
@@ -413,7 +413,7 @@ public final class EntityCrypto {
             byte[] saltBytes;
             switch (encryptMethod) {
                 case SALT:
-                    Random random = new Random();
+                    Random random = new SecureRandom();
                     // random length 5-16
                     saltBytes = new byte[5 + random.nextInt(11)];
                     random.nextBytes(saltBytes);

Modified: 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=1741684&r1=1741683&r2=1741684&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java 
(original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java 
Fri Apr 29 18:54:49 2016
@@ -29,6 +29,7 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.ServiceLoader;
+import java.util.UUID;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -157,7 +158,8 @@ public class LoginWorker {
 
             //no key made yet for this request, create one
             while (externalKey == null || 
externalLoginKeys.containsKey(externalKey)) {
-                externalKey = "EL" + Long.toString(Math.round(Math.random() * 
1000000)) + Long.toString(Math.round(Math.random() * 1000000));
+                UUID uuid = UUID.randomUUID();
+                externalKey = "EL" + uuid.toString();
             }
 
             request.setAttribute(EXTERNAL_LOGIN_KEY_ATTR, externalKey);

Modified: 
ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/cas/OFBizCasAuthenticationHandler.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/cas/OFBizCasAuthenticationHandler.java?rev=1741684&r1=1741683&r2=1741684&view=diff
==============================================================================
--- 
ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/cas/OFBizCasAuthenticationHandler.java
 (original)
+++ 
ofbiz/trunk/specialpurpose/ldap/src/org/ofbiz/ldap/cas/OFBizCasAuthenticationHandler.java
 Fri Apr 29 18:54:49 2016
@@ -26,11 +26,14 @@ import java.io.UnsupportedEncodingExcept
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLEncoder;
+import java.security.SecureRandom;
+
 import javax.naming.NamingException;
 import javax.naming.directory.SearchResult;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
 import org.ofbiz.base.util.UtilXml;
 import org.ofbiz.ldap.commons.AbstractOFBizAuthenticationHandler;
 import org.ofbiz.ldap.commons.InterfaceOFBizAuthenticationHandler;
@@ -129,7 +132,7 @@ public final class OFBizCasAuthenticatio
     }
 
     private static int rand(int lo, int hi) {
-        java.util.Random rn = new java.util.Random();
+        java.util.Random rn = new SecureRandom();
         int n = hi - lo + 1;
         int i = rn.nextInt() % n;
         if (i < 0)

svn commit: r1741684 - in /ofbiz/trunk: applications/accounting/src/org/ofbiz/accounting/payment/ applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/ applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ framework/base/s...

Reply via email to