View Issue Details

IDProjectCategoryView StatusLast Update
0000132easycwmpBugpublic2016-05-10 23:36
Reporternriedel Assigned Tomohamed.kallel  
Status resolvedResolutionno change required 
Summary0000132: Nonce private key not properly initialized
DescriptionIn the function http_digest_init_nonce_priv_key() in digestauth.c, the NONCE_PRIV_KEY[] array is initialized from /dev/urandom, but then the results are overwritten with what is effectively a fixed string:

    char *possible = STRING_POSSIBLE;
    int dev_random = open("/dev/urandom", O_RDONLY);
    int result = read(dev_random, NONCE_PRIV_KEY, sizeof(NONCE_PRIV_KEY) - 1);
    for(i = 0; i < (sizeof(NONCE_PRIV_KEY) - 1); i++) {
        NONCE_PRIV_KEY[i] = possible[NONCE_PRIV_KEY[i] % (sizeof(STRING_POSSIBLE) - 1)];

Should we check result here and execute the for loop only if the result indicates a failure?

Steps To ReproduceCode inspection.
TagsNo tags attached.



2016-05-03 12:55

administrator   ~0000428

No, the behaviour is correct.

The goal is to generate a NONCE_PRIV_KEY[] array containing only charchters from the following list "abcdefghijkl0123456789mnopqrstuvwxyz" (POSIIBLE_STRING).

The read(dev_random, NONCE_PRIV_KEY, sizeof(NONCE_PRIV_KEY) - 1) fill the array NONCE_PRIV_KEY[] with charachter out of "abcdefghijkl0123456789mnopqrstuvwxyz"

Issue History

Date Modified Username Field Change
2016-05-02 23:22 nriedel New Issue
2016-05-03 12:55 mohamed.kallel Note Added: 0000428
2016-05-10 23:36 mohamed.kallel Status new => resolved
2016-05-10 23:36 mohamed.kallel Resolution open => no change required
2016-05-10 23:36 mohamed.kallel Assigned To => mohamed.kallel