authorSteve Holme <steve_holme@hotmail.com>2014-06-01 11:11:08 +0100
committerSteve Holme <steve_holme@hotmail.com>2014-06-01 11:18:12 +0100
commiteefeb73af40aa407fe6f59eda0fd614d4163b251 (patch)
treed4c0af6d37e28f80337b8e187ac2697a2262e341 /lib
parentaa6be2ef13d68c69cddcd5af28d321ef4901ca2a (diff)
curl_sasl: Extended native DIGEST-MD5 cnonce to be a 32-byte hex string
Rather than use a short 8-byte hex string, extended the cnonce to be 32 bytes long, like Windows SSPI does. Used a combination of random data and the current date and time for the generation.
Diffstat (limited to 'lib')
-rw-r--r--lib/curl_sasl.c24
1 files changed, 17 insertions, 7 deletions
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 8a6b52217..b7effcf87 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -403,9 +403,6 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
const char *service,
char **outptr, size_t *outlen)
{
-#ifndef DEBUGBUILD
- static const char table16[] = "0123456789abcdef";
-#endif
CURLcode result = CURLE_OK;
size_t i;
MD5_context *ctxt;
@@ -421,8 +418,14 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
char qop_options[64];
int qop_values;
+ char cnonce[33];
+ unsigned int cnonce1 = 0;
+ unsigned int cnonce2 = 0;
+ unsigned int cnonce3 = 0;
+ unsigned int cnonce4 = 0;
+ struct timeval now;
+
char nonceCount[] = "00000001";
- char cnonce[] = "12345678"; /* will be changed */
char method[] = "AUTHENTICATE";
char qop[] = DIGEST_QOP_VALUE_STRING_AUTH;
char uri[128];
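Review bot: `struct timeval now;` is declared unconditionally but is only assigned under `#ifndef DEBUGBUILD` in the following hunk, so debug builds will likely warn about an unused variable. Wrapping the declaration in the same `#ifndef DEBUGBUILD` guard would keep both configurations warning-free. The zero initialisers on `cnonce1` to `cnonce4` are what make the debug-build cnonce a fixed all-zero string; if that is intended for reproducible tests, a comment such as `/* left at zero in DEBUGBUILD so the cnonce is deterministic */` would say so. The enclosing function starts and ends outside this hunk.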
@@ -449,11 +452,18 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
return CURLE_BAD_CONTENT_ENCODING;
#ifndef DEBUGBUILD
- /* Generate 64 bits of random data */
- for(i = 0; i < 8; i++)
- cnonce[i] = table16[Curl_rand(data)%16];
+ /* Generate 16 bytes of random data */
+ cnonce1 = Curl_rand(data);
+ cnonce2 = Curl_rand(data);
+ now = Curl_tvnow();
+ cnonce3 = now.tv_sec;
+ cnonce4 = now.tv_sec;
#endif
+ /* Convert the random data into a 32 byte hex string */
+ snprintf(cnonce, sizeof(cnonce), "%08x%08x%08x%08x",
+ cnonce1, cnonce2, cnonce3, cnonce4);
+
/* So far so good, now calculate A1 and H(A1) according to RFC 2831 */
ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
if(!ctxt)
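Review bot: `cnonce3` and `cnonce4` are both assigned `now.tv_sec`, so the last 16 hex digits of the cnonce are one second-resolution timestamp printed twice. Only the two `Curl_rand()` words are unpredictable, so the comment `/* Generate 16 bytes of random data */` overstates what the code produces, and the longer string carries no more entropy than the 64 bits claimed for the code it replaces. If the "date and time" of the commit message was the intent, the second assignment presumably should read `cnonce4 = now.tv_usec;`. Taking all four words from `Curl_rand(data)` would remove the guessable clock component entirely. The assignments also narrow `tv_sec` to `unsigned int` implicitly, so an explicit `(unsigned int)` cast would document the truncation; the function body continues outside this hunk.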