curl-library

RE: [PATCH] NTLM: use a fake entropy for debug builds

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Tue, 18 Mar 2014 20:24:28 +0000

On Mon, 17 Mar 2014, Daniel Stenberg wrote:

> I was reminded about the fixed string entropy we use in the
> NTLM code for debug builds. I want debug-builds to still work
> if used against real world machines and this fixed string is then
> a security issue.
>
> I'm suggesting an approach like attached, that allows the test
> suite to set the random string to use for testing purposes but
> it will make curl work basically as usual outside of the test suite
> if used for real.
>
> Objections?

In principle no problem here - just a couple of comments though:

* I think Kamil pointed out that curl_ntlm_core.c Line 556 also needs
something similar so that it doesn't use a hard coded datetime of 01/01/1970
00:00:00.
* We should also address curl_sasl.c Line 372 at the same time, as that uses
64 bits of static data for debug builds as well, as cnonce is not changed
unless it is a release build.
* I appreciate this is an unusual use-case but I think it is possible, with
your proposed fix, for the user to specify an entropy that is longer than
the entropy variable size of 8 bytes :(

Kind Regards

Steve
Received on 2014-03-18
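
The last point in the reply above (a user-supplied entropy longer than the 8-byte entropy variable), shown as an added example that is not part of the original mail, the proposed patch, or curl's code. The names `get_entropy`, `fill_random` and `ENTROPY_LEN`, and the use of `/dev/urandom` as the fallback source, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ENTROPY_LEN 8 /* size of the entropy variable named in the mail */

enum entropy_src { ENTROPY_OVERRIDE, ENTROPY_RANDOM, ENTROPY_ERROR };

/* Hypothetical random source for this sketch: read the OS pool. */
static int fill_random(unsigned char *buf, size_t len)
{
  FILE *f = fopen("/dev/urandom", "rb");
  size_t got;
  if(!f)
    return -1;
  got = fread(buf, 1, len, f);
  fclose(f);
  return got == len ? 0 : -1;
}

/* override is the test-suite string (hypothetical parameter) or NULL.
   A wrong-length override is rejected: copying a longer one would write
   past out[], and a shorter one would leave bytes of out[] unset. */
static enum entropy_src get_entropy(const char *override,
                                    unsigned char out[ENTROPY_LEN])
{
  if(override) {
    if(strlen(override) != ENTROPY_LEN)
      return ENTROPY_ERROR; /* out[] is left untouched */
    memcpy(out, override, ENTROPY_LEN);
    return ENTROPY_OVERRIDE;
  }
  return fill_random(out, ENTROPY_LEN) ? ENTROPY_ERROR : ENTROPY_RANDOM;
}

int main(void)
{
  unsigned char e[ENTROPY_LEN];
  /* constructed sample inputs: exact length, too long, and no override */
  printf("exact:    %d\n", get_entropy("12345678", e));
  printf("too long: %d\n", get_entropy("123456789ABCDEF", e));
  printf("none:     %d\n", get_entropy(NULL, e));
  return 0;
}
```

Rejecting a wrong-length override, instead of truncating it, keeps a test-suite misconfiguration visible while the non-test path still draws fresh random bytes.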