On Sun, 1 Jun 2014, GitHub wrote:

> Rather than use a short 8-byte hex string, extended the cnonce to be
> 32-bytes long, like Windows SSPI does.
>
> Used a combination of random data as well as the current date and time for
> the generation.

Hi Steve,

If we really want to add more "randomness", wouldn't it be better to call
Curl_rand() two more times instead? It is getting "real" random data from the
underlying TLS/crypto library and that is bound to be safer than adding the
current time.

Also, you accidentally added tv_sec twice - I figured one of them at least
(curl_sasl.c line 462) was meant to be tv_usec?

--
/ daniel.haxx.se
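
The trade-off raised in the reply, as an added example that is not code from curl or from this thread: a 32-character cnonce built from four random 32-bit words, next to a variant where two of the words are clock fields. The function names, the word layout and the use of /dev/urandom as a stand-in for Curl_rand() are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

#define CNONCE_LEN 32 /* hex characters */

/* Read n bytes from the OS CSPRNG; -1 on open failure or short read. */
int csprng_bytes(unsigned char *buf, size_t n)
{
  FILE *f = fopen("/dev/urandom", "rb");
  size_t got = f ? fread(buf, 1, n, f) : 0;
  if(f) fclose(f);
  return got == n ? 0 : -1;
}

/* now == NULL: four random 32-bit words (assumes 32-bit unsigned int).
   now != NULL: assumed layout random | tv_sec | tv_usec | random. */
int make_cnonce(char *out, size_t outlen, const struct timeval *now)
{
  unsigned int w[4];
  if(outlen < CNONCE_LEN + 1 || csprng_bytes((unsigned char *)w, sizeof(w)))
    return -1;
  if(now) { /* time-mixed: two words replaced by clock fields */
    w[1] = (unsigned int)now->tv_sec;
    w[2] = (unsigned int)now->tv_usec;
  }
  snprintf(out, outlen, "%08x%08x%08x%08x", w[0], w[1], w[2], w[3]);
  return 0;
}

/* 1 if characters 8..23 equal what anyone who knows the clock computes. */
int time_half_predictable(const char *cnonce, const struct timeval *now)
{
  char guess[17];
  snprintf(guess, sizeof(guess), "%08x%08x",
           (unsigned int)now->tv_sec, (unsigned int)now->tv_usec);
  return strncmp(cnonce + 8, guess, 16) == 0;
}

int main(void)
{
  struct timeval now;
  char a[CNONCE_LEN + 1], b[CNONCE_LEN + 1];
  gettimeofday(&now, NULL);
  if(make_cnonce(a, sizeof(a), &now) || make_cnonce(b, sizeof(b), NULL))
    return 1;
  printf("time-mixed %s predictable=%d\n", a, time_half_predictable(a, &now));
  printf("all-random %s predictable=%d\n", b, time_half_predictable(b, &now));
  return 0;
}
```

Both strings are the same length, but in the time-mixed one only 16 of the 32 characters depend on the random source.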