Fix Predictable pseudorandom number generator security issue

components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/transport/TransportUtils.java

@@ -34,6 +34,8 @@ import java.net.ServerSocket;
 import java.net.SocketException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -172,27 +174,26 @@ public class TransportUtils {
      */
     public static synchronized int getAvailablePort(int randomAttempts) {
         ArrayList<Integer> failedPorts = new ArrayList<Integer>(randomAttempts);
-
-        Random randomNum = new Random();
-        int randomPort = MAX_PORT_NUMBER;
-
-        while (randomAttempts > 0) {
-            randomPort = randomNum.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
-
-            if (checkIfPortAvailable(randomPort)) {
-                return randomPort;
+        try {
+            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+            int randomPort = MAX_PORT_NUMBER;
+            while (randomAttempts > 0) {
+                randomPort = secureRandom.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
+                if (checkIfPortAvailable(randomPort)) {
+                    return randomPort;
+                }
+                failedPorts.add(randomPort);
+                randomAttempts--;
             }
-            failedPorts.add(randomPort);
-            randomAttempts--;
-        }
-
-        randomPort = MAX_PORT_NUMBER;
-
-        while (true) {
-            if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
-                return randomPort;
+            randomPort = MAX_PORT_NUMBER;
+            while (true) {
+                if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
+                    return randomPort;
+                }
+                randomPort--;
             }
-            randomPort--;
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("SHA1PRNG algorithm could not be found.");
         }
     }
 

components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.advanced.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/advanced/virtual/VirtualHardwareManager.java

@@ -33,6 +33,8 @@ import javax.sound.sampled.Clip;
 import javax.swing.*;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 
 /**
  * This class use to emulate virtual hardware functionality
@@ -188,9 +190,12 @@ public class VirtualHardwareManager {
             double mn = current - offset;
             min = (mn < min) ? min : (int) Math.round(mn);
         }
-
-        double rnd = Math.random() * (max - min) + min;
-        return (int) Math.round(rnd);
+        try {
+            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+            return secureRandom.nextInt(max - min) + min;
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("SHA1PRNG algorithm could not be found.");
+        }
 
     }
 

components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java

@@ -36,6 +36,8 @@ import java.net.ServerSocket;
 import java.net.SocketException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -173,27 +175,26 @@ public class TransportUtils {
 	 */
 	public static synchronized int getAvailablePort(int randomAttempts) {
 		ArrayList<Integer> failedPorts = new ArrayList<Integer>(randomAttempts);
-
-		Random randomNum = new Random();
-		int randomPort = MAX_PORT_NUMBER;
-
-		while (randomAttempts > 0) {
-			randomPort = randomNum.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
-
-			if (checkIfPortAvailable(randomPort)) {
-				return randomPort;
+		try {
+			SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+			int randomPort = MAX_PORT_NUMBER;
+			while (randomAttempts > 0) {
+				randomPort = secureRandom.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER;
+				if (checkIfPortAvailable(randomPort)) {
+					return randomPort;
+				}
+				failedPorts.add(randomPort);
+				randomAttempts--;
 			}
-			failedPorts.add(randomPort);
-			randomAttempts--;
-		}
-
-		randomPort = MAX_PORT_NUMBER;
-
-		while (true) {
-			if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
-				return randomPort;
+			randomPort = MAX_PORT_NUMBER;
+			while (true) {
+				if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) {
+					return randomPort;
+				}
+				randomPort--;
 			}
-			randomPort--;
+		} catch (NoSuchAlgorithmException e) {
+			throw new RuntimeException("SHA1PRNG algorithm could not be found.");
 		}
 	}
 

components/device-types/virtual-fire-alarm-plugin/org.wso2.carbon.device.mgt.iot.virtualfirealarm.agent.impl/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java

@@ -33,6 +33,8 @@ import javax.sound.sampled.Clip;
 import javax.swing.*;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 
 /**
  * This class use to emulate virtual hardware functionality
@@ -174,19 +176,19 @@ public class VirtualHardwareManager {
     }
 
     private int getRandom(int max, int min, int current, boolean isSmoothed, int svf) {
-
         if (isSmoothed) {
             int offset = (max - min) * svf / 100;
             double mx = current + offset;
             max = (mx > max) ? max : (int) Math.round(mx);
-
             double mn = current - offset;
             min = (mn < min) ? min : (int) Math.round(mn);
         }
-
-        double rnd = Math.random() * (max - min) + min;
-        return (int) Math.round(rnd);
-
+        try {
+            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+            return secureRandom.nextInt(max - min) + min;
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("SHA1PRNG algorithm could not be found.");
+        }
     }
 
     private void setAudioSequencer() {