From c948971e83f8673342de28691b4e7b6fd9bd670d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 3 Dec 2024 07:52:48 +0100 Subject: [PATCH] digest: produce a shorter cnonce in Digest headers Other programs (Postman, Chrome, Python request) use a 16 byte cnonce and there are instances of server-side implementations that don't support the larger lengths curl used previously. Fixes #15653 Reported-by: Florian Eckert Closes #15670 --- lib/vauth/digest.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c index 0cc3da898f..0acfcace1d 100644 --- a/lib/vauth/digest.c +++ b/lib/vauth/digest.c @@ -709,13 +709,17 @@ static CURLcode auth_create_digest_http_message( digest->nc = 1; if(!digest->cnonce) { - char cnoncebuf[33]; - result = Curl_rand_hex(data, (unsigned char *)cnoncebuf, - sizeof(cnoncebuf)); + char cnoncebuf[12]; + result = Curl_rand_bytes(data, +#ifdef DEBUGBUILD + TRUE, +#endif + (unsigned char *)cnoncebuf, + sizeof(cnoncebuf)); if(result) return result; - result = Curl_base64_encode(cnoncebuf, strlen(cnoncebuf), + result = Curl_base64_encode(cnoncebuf, sizeof(cnoncebuf), &cnonce, &cnonce_sz); if(result) return result;