diff options
| author | Jay Satiro <raysatiro@yahoo.com> | 2017-05-08 23:23:28 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2017-05-08 23:24:29 +0200 |
| commit | 1cafede9f2b4a838dfc80423415e60704b3346f9 (patch) | |
| tree | d1c4fce4f046b820f51836747a09f6f227911c5b /lib/vauth/digest.c | |
| parent | 9e9509e46a9db909e4c0a2ce0ac1ef5c94fcb3a4 (diff) | |
rand: treat fake entropy the same regardless of endianness
When the random seed is purposely made predictable for testing purposes
by using the CURL_ENTROPY environment variable, process that data in an
endian agnostic way so the the initial random seed is the same
regardless of endianness.
- Change Curl_rand to write to a char array instead of int array.
- Add Curl_rand_hex to write random hex characters to a buffer.
Fixes #1315
Closes #1468
Co-authored-by: Daniel Stenberg
Reported-by: Michael Kaufmann
Diffstat (limited to 'lib/vauth/digest.c')
| -rw-r--r-- | lib/vauth/digest.c | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c index 268474c78..185098ed6 100644 --- a/lib/vauth/digest.c +++ b/lib/vauth/digest.c @@ -360,7 +360,6 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data, char qop_options[64]; int qop_values; char cnonce[33]; - unsigned int entropy[4]; char nonceCount[] = "00000001"; char method[] = "AUTHENTICATE"; char qop[] = DIGEST_QOP_VALUE_STRING_AUTH; @@ -387,15 +386,11 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data, if(!(qop_values & DIGEST_QOP_VALUE_AUTH)) return CURLE_BAD_CONTENT_ENCODING; - /* Generate 16 bytes of random data */ - result = Curl_rand(data, &entropy[0], 4); + /* Generate 32 random hex chars, 32 bytes + 1 zero termination */ + result = Curl_rand_hex(data, (unsigned char *)cnonce, sizeof(cnonce)); if(result) return result; - /* Convert the random data into a 32 byte hex string */ - snprintf(cnonce, sizeof(cnonce), "%08x%08x%08x%08x", - entropy[0], entropy[1], entropy[2], entropy[3]); - /* So far so good, now calculate A1 and H(A1) according to RFC 2831 */ ctxt = Curl_MD5_init(Curl_DIGEST_MD5); if(!ctxt) @@ -684,12 +679,10 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, digest->nc = 1; if(!digest->cnonce) { - unsigned int rnd[4]; - result = Curl_rand(data, &rnd[0], 4); + result = Curl_rand_hex(data, (unsigned char *)cnoncebuf, + sizeof(cnoncebuf)); if(result) return result; - snprintf(cnoncebuf, sizeof(cnoncebuf), "%08x%08x%08x%08x", - rnd[0], rnd[1], rnd[2], rnd[3]); result = Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf), &cnonce, &cnonce_sz); |