curl-library

Re: [PATCH] NTLM: use a fake entropy for debug builds

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 18 Mar 2014 13:53:01 +0100

On Monday, March 17, 2014 22:32:47 Daniel Stenberg wrote:
> Hi,
>
> I was reminded about the fixed string entropy we use in the NTLM code for
> debug builds. I want debug-builds to still work if used against real world
> machines and this fixed string is then a security issue.
>
> I'm suggesting an approach like attached, that allows the test suite to set
> the random string to use for testing purposes but it will make curl work
> basically as usual outside of the test suite if used for real.
>
> Objections?

I like the approach. Then we need to make the test-suite actually set the
CURL_ENTROPY environment variable in order not to break those tests.

Should not we check for the presence of $CURL_ENTROPY also here?

https://github.com/bagder/curl/blob/220bcba9/lib/curl_ntlm_core.c#L556

Kamil
Received on 2014-03-18
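
The approach discussed in this thread, sketched as an added example (not curl's code and not the attached patch): a debug-only `CURL_ENTROPY` override behind one entry point, so every call site that needs entropy honours the same variable and a release build never sees the fixed string. The names `fill_entropy`, `apply_override`, `os_random` and `EXAMPLE_DEBUG_BUILD` are hypothetical, and repeating the string to fill the buffer and reading `/dev/urandom` are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical build flag: a real build system would define it for debug
   builds only. Defined here so the override path is compiled in. */
#define EXAMPLE_DEBUG_BUILD 1

/* Fill out[0..len) from a test-supplied string, repeating it as needed
   (an assumption of this example). Returns 1 if applied, 0 if the
   string is NULL or empty. */
static int apply_override(const char *forced, unsigned char *out, size_t len)
{
  size_t n, i;
  if(!forced || !*forced)
    return 0;
  n = strlen(forced);
  for(i = 0; i < len; i++)
    out[i] = (unsigned char)forced[i % n];
  return 1;
}

/* Read len bytes from the OS random source. Returns 0 on success. */
static int os_random(unsigned char *out, size_t len)
{
  FILE *f = fopen("/dev/urandom", "rb");
  size_t got;
  if(!f)
    return -1;
  got = fread(out, 1, len, f);
  fclose(f);
  return got == len ? 0 : -1;
}

/* Single entry point for all callers. The environment is consulted only
   when the debug flag is defined; otherwise the bytes always come from
   the OS, whatever CURL_ENTROPY contains. */
int fill_entropy(unsigned char *out, size_t len)
{
#ifdef EXAMPLE_DEBUG_BUILD
  if(apply_override(getenv("CURL_ENTROPY"), out, len))
    return 0;
#endif
  return os_random(out, len);
}
```

A debug build run without `CURL_ENTROPY` set falls through to the OS source, which is the "work basically as usual outside of the test suite" behaviour described in the quoted mail.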