curl-library
Re: [bagder/curl] eefeb7: curl_sasl: Extended native DIGEST-MD5 cnonce to be...
From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 2 Jun 2014 11:41:28 +0200 (CEST)
On Sun, 1 Jun 2014, GitHub wrote:
> Rather than use a short 8-byte hex string, extended the cnonce to be
> 32-bytes long, like Windows SSPI does.
>
> Used a combination of random data as well as the current date and time for
> the generation.

Hi Steve,

If we really want to add more "randomness", wouldn't it be better to call
Curl_rand() two more times instead? It is getting "real" random data from the
underlying TLS/crypto library and that is bound to be safer than adding the
current time.

Also, you accidentally added tv_sec twice - I figured one of them at least
(curl_sasl.c line 462) was meant to be tv_usec?

-- 
 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-06-02
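
The trade-off discussed in this message, as an added example that is not part of the original mail and is not curl's code: a 32-character hex cnonce built from two random words plus clock values, next to one built from four random words. The function names are hypothetical, /dev/urandom stands in for Curl_rand(), and the word order of the mixed form is an assumption.

```c
/* Added example, not curl source; /dev/urandom stands in for Curl_rand(). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CNONCE_LEN 32 /* hex characters */

/* Read n 32-bit words from the OS CSPRNG; 0 on success, -1 on failure. */
static int rand_words(uint32_t *w, size_t n)
{
  FILE *f = fopen("/dev/urandom", "rb");
  size_t got = f ? fread(w, sizeof(*w), n, f) : 0;
  if(f)
    fclose(f);
  return got == n ? 0 : -1; /* fail closed, never fall back to the clock */
}

/* Fill the first nrand words from the CSPRNG, then hex-encode all four. */
static int emit(char *out, uint32_t w[4], size_t nrand)
{
  if(rand_words(w, nrand) != 0)
    return -1;
  snprintf(out, CNONCE_LEN + 1, "%08x%08x%08x%08x",
           (unsigned)w[0], (unsigned)w[1], (unsigned)w[2], (unsigned)w[3]);
  return 0;
}

/* Assumed layout: two random words, then seconds and microseconds. The
   last 16 hex characters depend only on the sender's clock. */
int cnonce_mixed(char *out, long sec, long usec)
{
  uint32_t w[4] = { 0, 0, (uint32_t)sec, (uint32_t)usec };
  return emit(out, w, 2);
}

/* All four words from the CSPRNG: 128 random bits, no timestamp. */
int cnonce_random(char *out)
{
  uint32_t w[4];
  return emit(out, w, 4);
}

int main(void)
{
  char c[CNONCE_LEN + 1];
  if(cnonce_random(c) != 0)
    return 1;
  puts(c);
  return 0;
}
```

Both forms have the same length on the wire; only the second has all 128 bits coming from the random source.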