diff options
| author | Steve Holme <steve_holme@hotmail.com> | 2014-06-01 11:11:08 +0100 |
|---|---|---|
| committer | Steve Holme <steve_holme@hotmail.com> | 2014-06-01 11:18:12 +0100 |
| commit | eefeb73af40aa407fe6f59eda0fd614d4163b251 (patch) | |
| tree | d4c0af6d37e28f80337b8e187ac2697a2262e341 /lib/curl_sasl.c | |
| parent | aa6be2ef13d68c69cddcd5af28d321ef4901ca2a (diff) | |
curl_sasl: Extended native DIGEST-MD5 cnonce to be a 32-byte hex string
Rather than use a short 8-byte hex string, extended the cnonce to be
32-bytes long, like Windows SSPI does.
Used a combination of random data as well as the current date and
time for the generation.
Diffstat (limited to 'lib/curl_sasl.c')
| -rw-r--r-- | lib/curl_sasl.c | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c index 8a6b52217..b7effcf87 100644 --- a/lib/curl_sasl.c +++ b/lib/curl_sasl.c @@ -403,9 +403,6 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, const char *service, char **outptr, size_t *outlen) { -#ifndef DEBUGBUILD - static const char table16[] = "0123456789abcdef"; -#endif CURLcode result = CURLE_OK; size_t i; MD5_context *ctxt; @@ -421,8 +418,14 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, char qop_options[64]; int qop_values; + char cnonce[33]; + unsigned int cnonce1 = 0; + unsigned int cnonce2 = 0; + unsigned int cnonce3 = 0; + unsigned int cnonce4 = 0; + struct timeval now; + char nonceCount[] = "00000001"; - char cnonce[] = "12345678"; /* will be changed */ char method[] = "AUTHENTICATE"; char qop[] = DIGEST_QOP_VALUE_STRING_AUTH; char uri[128]; @@ -449,11 +452,18 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, return CURLE_BAD_CONTENT_ENCODING; #ifndef DEBUGBUILD - /* Generate 64 bits of random data */ - for(i = 0; i < 8; i++) - cnonce[i] = table16[Curl_rand(data)%16]; + /* Generate 16 bytes of random data */ + cnonce1 = Curl_rand(data); + cnonce2 = Curl_rand(data); + now = Curl_tvnow(); + cnonce3 = now.tv_sec; + cnonce4 = now.tv_sec; #endif + /* Convert the random data into a 32 byte hex string */ + snprintf(cnonce, sizeof(cnonce), "%08x%08x%08x%08x", + cnonce1, cnonce2, cnonce3, cnonce4); + /* So far so good, now calculate A1 and H(A1) according to RFC 2831 */ ctxt = Curl_MD5_init(Curl_DIGEST_MD5); if(!ctxt) |