On Mon, 2 Jun 2014, Daniel Stenberg wrote:
If we really want to add more "randomness", wouldn't it be better to call Curl_rand() two more times instead? It is getting "real" random data from the underlying TLS/crypto library and that is bound to be safer than adding the current time.
I suggest this simple patch - see attachment.It also has the added benefit that once I (finally) add my code that "fakes" Curl_rand() for debug builds we won't have to have any DEBUGBUILD conditionals in that code path - having the time/date involved would make that harder.
-- / daniel.haxx.se
From 4cbbe62c79b7e331e0ae797b1efdf8e2911b7cbd Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Mon, 2 Jun 2014 12:06:53 +0200 Subject: [PATCH] sasl: use Curl_rand() for random data No point in adding current time, it is just less random --- lib/curl_sasl.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c index 5edc0ef..7dc6a65 100644 --- a/lib/curl_sasl.c +++ b/lib/curl_sasl.c @@ -421,14 +421,10 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, char cnonce[33]; unsigned int cnonce1 = 0; unsigned int cnonce2 = 0; unsigned int cnonce3 = 0; unsigned int cnonce4 = 0; -#ifndef DEBUGBUILD - struct timeval now; -#endif - char nonceCount[] = "00000001"; char method[] = "AUTHENTICATE"; char qop[] = DIGEST_QOP_VALUE_STRING_AUTH; char uri[128]; @@ -455,13 +451,12 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, #ifndef DEBUGBUILD /* Generate 16 bytes of random data */ cnonce1 = Curl_rand(data); cnonce2 = Curl_rand(data); - now = Curl_tvnow(); - cnonce3 = now.tv_sec; - cnonce4 = now.tv_sec; + cnonce3 = Curl_rand(data); + cnonce4 = Curl_rand(data); #endif /* Convert the random data into a 32 byte hex string */ snprintf(cnonce, sizeof(cnonce), "%08x%08x%08x%08x", cnonce1, cnonce2, cnonce3, cnonce4); -- 2.0.0
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
