random: use Curl_rand() for proper random data

The SASL/Digest previously used the current time's seconds + microseconds to add randomness but it is much better to instead get more data from Curl_rand(). It will also allow us to easier "fake" that for debug builds on demand in a future.
2014-06-03 18:25:48 +02:00
parent 62a26ec696
commit bbd3dc611e
2 changed files with 4 additions and 11 deletions
--- a/lib/http_digest.c
+++ b/lib/http_digest.c
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -367,12 +367,9 @@ CURLcode Curl_output_digest(struct connectdata *conn,
    d->nc = 1;

  if(!d->cnonce) {
-    struct timeval now = Curl_tvnow();
    snprintf(cnoncebuf, sizeof(cnoncebuf), "%08x%08x%08x%08x",
             Curl_rand(data), Curl_rand(data),
-             (unsigned int)now.tv_sec,
-             (unsigned int)now.tv_usec);
-
+             Curl_rand(data), Curl_rand(data));
    rc = Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf),
                            &cnonce, &cnonce_sz);
    if(rc)