curl-library

RE: [PATCH] NTLM: use a fake entropy for debug builds

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Wed, 19 Mar 2014 22:13:38 +0000

Hi again,

On Wed, 19 Mar 2014, Daniel Stenberg wrote:

> v2 patch attached.

Cool...

It looks pretty good to me - my only query is regarding the DIGEST-MD5 mod
and my apologies in advance if I have misunderstood this section of code, as
I'm extremely tired at the moment, although I don't think I can use that
excuse for the last two years of working in that area of code ;-)

> > * We should also address curl_sasl.c Line 372 at the same time as that
> > uses 64-bits of static data for debug builds, as well, as cnonce is
> > not changed unless it is a release build
>
> Hm. The comment and the code didn't match there. It says 64 bits of
> random, but it called Curl_rand() 8 times and uses 4 bits from each call
> and 8 x 4 = 32...

Are you sure about this? Bear in mind that the text isn't a hex
representation of the entropy.

RFC 2831 states that cnonce is:

> A client-specified data string which MUST be different each time a
> digest-response is sent as part of initial authentication. The
> cnonce-value is an opaque quoted string value provided by the
> client and used by both client and server to avoid chosen
> plaintext attacks, and to provide mutual authentication. The
> security of the implementation depends on a good choice. It is
> RECOMMENDED that it contain at least 64 bits of entropy. This
> directive is required and MUST be present exactly once; otherwise,
> authentication fails.

And then goes on to give the following as an example:

cnonce="OA9BSuZWMSpW8m"

which as you can see is 14 characters long and isn't hex encoded.

My understanding of the previous version of the code was that it was adding an
8-byte string to the digest, so 64 bits of data - however it was using hex-only
characters ;-)

I don't know if there is any limit on the maximum string to send so I would
be a little nervous of changing it for a 16 character string.

Kind Regards

Steve
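The bit-counting question above (8 hex characters vs. 8 random bytes, and how the RFC's 14-character alphanumeric example compares) is easy to get wrong by eye, so here is an added worked example, not code from curl or from either author. The function names, the alphabets and the constructed example strings are assumptions made for the illustration; it uses Python's `secrets` CSPRNG to generate a cnonce of the minimum length that reaches the recommended 64 bits for a given alphabet.

```python
import math
import secrets
import string

# Alphabets assumed for this illustration: the 16 hex digits a hex-formatted
# random value is written with, and the 62 alphanumerics seen in the RFC 2831
# example cnonce "OA9BSuZWMSpW8m".
HEX_ALPHABET = string.hexdigits[:16]                    # "0123456789abcdef"
ALNUM_ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a string of `length` symbols, each drawn uniformly
    and independently from an alphabet of `alphabet_size` symbols:
    length * log2(alphabet_size). A hex digit is worth exactly 4 bits."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest string length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def make_cnonce(alphabet: str = ALNUM_ALPHABET, min_bits: float = 64) -> str:
    """Generate a cnonce carrying at least `min_bits` of entropy.

    secrets.choice is uniform over the alphabet, so every symbol contributes
    log2(len(alphabet)) bits; the length is derived rather than guessed."""
    length = min_length_for_bits(len(alphabet), min_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_hex_cnonce(nbytes: int = 8) -> str:
    """Hex-encode `nbytes` random bytes: 2*nbytes hex characters carrying
    8*nbytes bits. 8 bytes -> 16 characters -> 64 bits."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # 8 hex characters at 4 bits each is only 32 bits of entropy.
    print("8 hex chars:", entropy_bits(16, 8))
    # 8 random bytes written out as 16 hex characters is 64 bits.
    print("16 hex chars:", entropy_bits(16, 16), make_hex_cnonce(8))
    # The RFC 2831 example is 14 alphanumeric characters: ~83 bits if random.
    print("14 alnum chars:", round(entropy_bits(62, 14), 1))
    # Shortest alphanumeric cnonce that meets the 64-bit recommendation.
    print("min alnum length:", min_length_for_bits(62, 64), make_cnonce())
```

The practical takeaway is that the entropy of a cnonce is set by how many random symbols it contains and the size of their alphabet, not by its character count alone: 16 hex characters and 11 uniformly chosen alphanumerics both clear 64 bits, while 8 hex characters do not.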
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-03-19