On Tue, 18 Mar 2014, Steve Holme wrote:

v2 patch attached.

> * I think Kamil pointed out that curl_ntlm_core.c Line 556 also needs
> something similar so that it doesn't use a hard coded datetime of 01/01/1970
> 00:00:00.

Fixed too now.

> * We should also address curl_sasl.c Line 372 at the same time as that uses
> 64-bits of static data for debug builds, as well, as cnonce is not changed
> unless it is a release build

Hm. The comment and the code didn't match there. It says 64 bits of random,
but it called Curl_rand() 8 times and uses 4 bits from each call and 8 x 4 =
32...

I modified this in my patch to do two calls to Curl_rand() and store all 64
bits for the nonce.

> * I appreciate this is a unusual use-case but I think it is possible, with
> your proposed fix, for the user to specify an entropy that is longer than
> the entropy variable size of 8 bytes :(

I modified my approach to now instead use that env variable to seed the random
with so it shouldn't overflow.

The attached patch does however make no less than 34 NTLM test cases to fail
because the random is different.

However, if we are going to be able to check for output in the cases that is
somehow using Curl_rand() we need to make those tests only run for debug
builds which is unfortunate.

-- 
  / daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html