aboutsummaryrefslogtreecommitdiff
path: root/lib/vauth/digest.c
diff options
context:
space:
mode:
authorJay Satiro <raysatiro@yahoo.com>2017-05-08 23:23:28 +0200
committerng0 <ng0@infotropique.org>2017-08-22 15:26:16 +0000
commit5821b69daea9c2fcf60e89b99ace717792b98d7f (patch)
tree2d213a1eb36167c38b677986d86bbd70baeac5c1 /lib/vauth/digest.c
parent8bb7ea7f301a5a07e4dfbe7075303a3d5f0c447b (diff)
downloadgnurl-5821b69daea9c2fcf60e89b99ace717792b98d7f.tar.gz
gnurl-5821b69daea9c2fcf60e89b99ace717792b98d7f.tar.bz2
gnurl-5821b69daea9c2fcf60e89b99ace717792b98d7f.zip
rand: treat fake entropy the same regardless of endianness
When the random seed is purposely made predictable for testing purposes by using the CURL_ENTROPY environment variable, process that data in an endian agnostic way so the the initial random seed is the same regardless of endianness. - Change Curl_rand to write to a char array instead of int array. - Add Curl_rand_hex to write random hex characters to a buffer. Fixes #1315 Closes #1468 Co-authored-by: Daniel Stenberg Reported-by: Michael Kaufmann
Diffstat (limited to 'lib/vauth/digest.c')
-rw-r--r--lib/vauth/digest.c15
1 files changed, 4 insertions, 11 deletions
diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c
index 268474c78..185098ed6 100644
--- a/lib/vauth/digest.c
+++ b/lib/vauth/digest.c
@@ -360,7 +360,6 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data,
char qop_options[64];
int qop_values;
char cnonce[33];
- unsigned int entropy[4];
char nonceCount[] = "00000001";
char method[] = "AUTHENTICATE";
char qop[] = DIGEST_QOP_VALUE_STRING_AUTH;
@@ -387,15 +386,11 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data,
if(!(qop_values & DIGEST_QOP_VALUE_AUTH))
return CURLE_BAD_CONTENT_ENCODING;
- /* Generate 16 bytes of random data */
- result = Curl_rand(data, &entropy[0], 4);
+ /* Generate 32 random hex chars, 32 bytes + 1 zero termination */
+ result = Curl_rand_hex(data, (unsigned char *)cnonce, sizeof(cnonce));
if(result)
return result;
- /* Convert the random data into a 32 byte hex string */
- snprintf(cnonce, sizeof(cnonce), "%08x%08x%08x%08x",
- entropy[0], entropy[1], entropy[2], entropy[3]);
-
/* So far so good, now calculate A1 and H(A1) according to RFC 2831 */
ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
if(!ctxt)
@@ -684,12 +679,10 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
digest->nc = 1;
if(!digest->cnonce) {
- unsigned int rnd[4];
- result = Curl_rand(data, &rnd[0], 4);
+ result = Curl_rand_hex(data, (unsigned char *)cnoncebuf,
+ sizeof(cnoncebuf));
if(result)
return result;
- snprintf(cnoncebuf, sizeof(cnoncebuf), "%08x%08x%08x%08x",
- rnd[0], rnd[1], rnd[2], rnd[3]);
result = Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf),
&cnonce, &cnonce_sz);