On Mon, 2 Jun 2014, Daniel Stenberg wrote:

If we really want to add more "randomness", wouldn't it be better to call Curl_rand() two more times instead? It is getting "real" random data from the underlying TLS/crypto library and that is bound to be safer than adding the current time.

I suggest this simple patch - see attachment.

It also has the added benefit that once I (finally) add my code that "fakes" Curl_rand() for debug builds we won't have to have any DEBUGBUILD conditionals in that code path - having the time/date involved would make that harder.

--

 / daniel.haxx.se
From 4cbbe62c79b7e331e0ae797b1efdf8e2911b7cbd Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Mon, 2 Jun 2014 12:06:53 +0200
Subject: [PATCH] sasl: use Curl_rand() for random data

No point in adding current time, it is just less random
---
 lib/curl_sasl.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 5edc0ef..7dc6a65 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -421,14 +421,10 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
   char cnonce[33];
   unsigned int cnonce1 = 0;
   unsigned int cnonce2 = 0;
   unsigned int cnonce3 = 0;
   unsigned int cnonce4 = 0;
-#ifndef DEBUGBUILD
-  struct timeval now;
-#endif
-
   char nonceCount[] = "00000001";
   char method[]     = "AUTHENTICATE";
   char qop[]        = DIGEST_QOP_VALUE_STRING_AUTH;
   char uri[128];
 
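Review bot: with the DEBUGBUILD-guarded `struct timeval now` gone, nothing left in this function calls Curl_tvnow(), so check whether the header that declares it is still needed elsewhere in lib/curl_sasl.c and drop the include if it is not; otherwise the file keeps a dependency this patch removed the only visible use of. Dropping the stray blank line after the `#endif` also leaves the declaration block in the same compact style as the rest of the function.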
@@ -455,13 +451,12 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
 
 #ifndef DEBUGBUILD
   /* Generate 16 bytes of random data */
   cnonce1 = Curl_rand(data);
   cnonce2 = Curl_rand(data);
-  now = Curl_tvnow();
-  cnonce3 = now.tv_sec;
-  cnonce4 = now.tv_sec;
+  cnonce3 = Curl_rand(data);
+  cnonce4 = Curl_rand(data);
 #endif
 
   /* Convert the random data into a 32 byte hex string */
   snprintf(cnonce, sizeof(cnonce), "%08x%08x%08x%08x",
            cnonce1, cnonce2, cnonce3, cnonce4);
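Review bot: the removed lines assigned the same now.tv_sec to both cnonce3 and cnonce4, so the last 16 hex digits of the 32-digit cnonce were one guessable second counter written twice rather than 8 random bytes; the added `cnonce3 = Curl_rand(data);` and `cnonce4 = Curl_rand(data);` make the comment "Generate 16 bytes of random data" true for the first time. One follow-up for this hunk: the `#ifndef DEBUGBUILD` guard still wraps all four assignments, so a debug build sends the all-zero cnonce from the initializers above; a one-line comment at the guard saying that debug builds deliberately produce a fixed cnonce would stop the next reader from taking it for a missing branch.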
-- 
2.0.0

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
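The point of the email (writing the same second counter into the last two words gives a far weaker cnonce than two more calls into the random source) as an added example in C; it is not curl's code. `demo_rand` is a constructed, deterministic xorshift32 stand-in for Curl_rand() so the two layouts can be compared offline, and the seed and timestamp are constructed values. `cnonce_has_repeated_tail` and `cnonce_distinct_words` are added checks that expose the structural weakness of the old layout in the emitted string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for Curl_rand(): xorshift32 with a fixed seed so the
 * comparison is reproducible. It is NOT a CSPRNG; it only plays the role of
 * "the random source" in this example. */
static unsigned int demo_state;

static unsigned int demo_rand(void)
{
  unsigned int x = demo_state;
  x ^= x << 13;
  x ^= x >> 17;
  x ^= x << 5;
  demo_state = x;
  return x;
}

static void demo_reseed(void)
{
  demo_state = 0x2545F491u; /* constructed seed; any nonzero value works */
}

/* Same formatting as the patched function: four 32-bit words become a
 * 32-digit hex string (32 digits plus the terminating NUL fit in 33). */
void build_cnonce(char out[33], unsigned int w1, unsigned int w2,
                  unsigned int w3, unsigned int w4)
{
  snprintf(out, 33, "%08x%08x%08x%08x", w1, w2, w3, w4);
}

/* Layout of the removed lines: two random words, then the same seconds value
 * written twice. Each word is fetched in its own statement because C leaves
 * the evaluation order of function arguments unspecified. */
void old_cnonce(char out[33], unsigned int (*rnd)(void), time_t now_sec)
{
  unsigned int w1 = rnd();
  unsigned int w2 = rnd();
  unsigned int w3 = (unsigned int)now_sec;
  unsigned int w4 = (unsigned int)now_sec;
  build_cnonce(out, w1, w2, w3, w4);
}

/* Layout of the added lines: all four words from the random source. */
void new_cnonce(char out[33], unsigned int (*rnd)(void))
{
  unsigned int w1 = rnd();
  unsigned int w2 = rnd();
  unsigned int w3 = rnd();
  unsigned int w4 = rnd();
  build_cnonce(out, w1, w2, w3, w4);
}

/* Fingerprint of the old layout: hex digits 16..23 equal digits 24..31. */
int cnonce_has_repeated_tail(const char *cnonce)
{
  return strlen(cnonce) == 32 && memcmp(cnonce + 16, cnonce + 24, 8) == 0;
}

/* Number of distinct 32-bit words in a 32-digit cnonce (1..4; 0 if malformed). */
int cnonce_distinct_words(const char *cnonce)
{
  unsigned long words[4];
  int i, j, distinct = 0;
  if(strlen(cnonce) != 32)
    return 0;
  for(i = 0; i < 4; i++) {
    char hex[9];
    memcpy(hex, cnonce + 8 * i, 8);
    hex[8] = '\0';
    words[i] = strtoul(hex, NULL, 16);
  }
  for(i = 0; i < 4; i++) {
    for(j = 0; j < i; j++)
      if(words[j] == words[i])
        break;
    if(j == i)
      distinct++;
  }
  return distinct;
}

/* Builds one cnonce per layout from a freshly seeded generator and returns
 * how many distinct words it holds: 3 for the old layout (its tail is always
 * duplicated), 4 for the new one. */
int demo_distinct_words(int use_old_layout)
{
  char cnonce[33];
  demo_reseed();
  if(use_old_layout)
    old_cnonce(cnonce, demo_rand, (time_t)1401703613); /* constructed time */
  else
    new_cnonce(cnonce, demo_rand);
  return cnonce_distinct_words(cnonce);
}

int main(void)
{
  char a[33], b[33];
  demo_reseed();
  old_cnonce(a, demo_rand, (time_t)1401703613);
  demo_reseed();
  new_cnonce(b, demo_rand);
  printf("old layout: %s repeated tail=%d distinct words=%d\n",
         a, cnonce_has_repeated_tail(a), cnonce_distinct_words(a));
  printf("new layout: %s repeated tail=%d distinct words=%d\n",
         b, cnonce_has_repeated_tail(b), cnonce_distinct_words(b));
  return 0;
}
```

The repeated-tail check is the part worth keeping: it is a cheap way to spot, in captured DIGEST-MD5 exchanges, a client that still derives half of its cnonce from a duplicated timestamp, which is exactly what the removed lines produced.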