projects / platform / upstream / curl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 62a26ec)
random: use Curl_rand() for proper random data
authorDaniel Stenberg <daniel@haxx.se>
Tue, 3 Jun 2014 16:25:48 +0000 (18:25 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Tue, 3 Jun 2014 16:25:48 +0000 (18:25 +0200)
The SASL/Digest previously used the current time's seconds +
microseconds to add randomness but it is much better to instead get more
data from Curl_rand().

It will also allow us to easier "fake" that for debug builds on demand
in a future.

lib/curl_sasl.c patch | blob | history
lib/http_digest.c patch | blob | history

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 164c329f810c9f5696feb19c9ffc00783b2f4109..b0ac9b6d5f1a61ba02a7a910dd62ff5e2d689f02 100644 (file)
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -423,9 +423,6 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
   unsigned int cnonce2 = 0;
   unsigned int cnonce3 = 0;
   unsigned int cnonce4 = 0;
-#ifndef DEBUGBUILD
-  struct timeval now;
-#endif
 
   char nonceCount[] = "00000001";
   char method[]     = "AUTHENTICATE";
@@ -457,9 +454,8 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
   /* Generate 16 bytes of random data */
   cnonce1 = Curl_rand(data);
   cnonce2 = Curl_rand(data);
-  now = Curl_tvnow();
-  cnonce3 = now.tv_sec;
-  cnonce4 = now.tv_usec;
+  cnonce3 = Curl_rand(data);
+  cnonce4 = Curl_rand(data);
 #endif
 
   /* Convert the random data into a 32 byte hex string */
diff --git a/lib/http_digest.c b/lib/http_digest.c
index ee5d637077d6b9eb4d5abdd2ba739c1fdcef3956..55f5108c9a3a6da245a2184ed2a8d84dcf4d492c 100644 (file)
--- a/lib/http_digest.c
+++ b/lib/http_digest.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -367,12 +367,9 @@ CURLcode Curl_output_digest(struct connectdata *conn,
     d->nc = 1;
 
   if(!d->cnonce) {
-    struct timeval now = Curl_tvnow();
     snprintf(cnoncebuf, sizeof(cnoncebuf), "%08x%08x%08x%08x",
              Curl_rand(data), Curl_rand(data),
-             (unsigned int)now.tv_sec,
-             (unsigned int)now.tv_usec);
-
+             Curl_rand(data), Curl_rand(data));
     rc = Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf),
                             &cnonce, &cnonce_sz);
     if(rc)
Domain: Network & Connectivity / Data Network;