From 365c5ba39591fab2e60bf4f0e67d9dcf79ecc506 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 24 Jun 2013 22:24:35 +0200 Subject: formpost: better random boundaries When doing multi-part formposts, libcurl used a pseudo-random value that was seeded with time(). This turns out to be bad for users who formpost data that is provided with users who then can guess how the boundary string will look like and then they can forge a different formpost part and trick the receiver. My advice to such implementors is (still even after this change) to not rely on the boundary strings being cryptographically strong. Fix your code and logic to not depend on them that much! I moved the Curl_rand() function into the sslgen.c source file now to be able to take advantage of the SSL library's random function if it provides one. If not, try to use the RANDOM_FILE for seeding and as a last resort keep the old logic, just modified to also add microseconds which makes it harder to properly guess the exact seed. The formboundary() function in formdata.c is now using 64 bit entropy for the boundary and therefore the string of dashes was reduced by 4 letters and there are 16 hex digits following it. The total length is thus still the same. Bug: http://curl.haxx.se/bug/view.cgi?id=1251 Reported-by: "Floris" --- lib/curl_darwinssl.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'lib/curl_darwinssl.h') diff --git a/lib/curl_darwinssl.h b/lib/curl_darwinssl.h index 4c0e53ff1..432d3d7ce 100644 --- a/lib/curl_darwinssl.h +++ b/lib/curl_darwinssl.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2012, Nick Zitzmann, . + * Copyright (C) 2012 - 2013, Nick Zitzmann, . * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -52,6 +52,10 @@ void Curl_darwinssl_md5sum(unsigned char *tmp, /* input */ unsigned char *md5sum, /* output */ size_t md5len); +/* this backend provides these functions: */ +#define have_curlssl_random 1 +#define have_curlssl_md5sum 1 + /* API setup for SecureTransport */ #define curlssl_init() (1) #define curlssl_cleanup() Curl_nop_stmt -- cgit v1.2.3