JceRandom: use SecureRandom.getInstanceStrong()

Fall back to new SecureRandom() if we get a NoSuchAlgorithmException, which should never occur unless the JVM is wrongly configured. Every JVM must support at least one strong PRNG.
apache · Sep 2, 2024 · 139ff01 · 139ff01
1 parent 06c2034
commit 139ff01
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/sshd-common/src/main/java/org/apache/sshd/common/random/JceRandom.java b/sshd-common/src/main/java/org/apache/sshd/common/random/JceRandom.java
@@ -18,23 +18,39 @@
  */
 package org.apache.sshd.common.random;
 
+import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 /**
  * A <code>Random</code> implementation using the built-in {@link SecureRandom} PRNG.
  *
  * @author <a href="mailto:[email protected]">Apache MINA SSHD Project</a>
  */
 public class JceRandom extends AbstractRandom {
+
     public static final String NAME = "JCE";
 
+    private static final Logger LOG = LoggerFactory.getLogger(JceRandom.class);
+
     private byte[] tmp = new byte[16];
-    private final SecureRandom random = new SecureRandom();
+    private final SecureRandom random = getRandom();
 
     public JceRandom() {
         super();
     }
 
+    private static SecureRandom getRandom() {
+        try {
+            return SecureRandom.getInstanceStrong();
+        } catch (NoSuchAlgorithmException e) {
+            LOG.warn("No strong SecureRandom algorithm available; falling back to non-strong SecureRandom PRNG.");
+            return new SecureRandom();
+        }
+    }
+
     @Override
     public String getName() {
         return NAME;