From: Daniel Stenberg
Date: Tue, 3 Dec 2024 06:52:48 +0000 (+0100)
Subject: digest: produce a shorter cnonce in Digest headers
X-Git-Tag: curl-8_11_1~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c948971e83f8673342de28691b4e7b6fd9bd670d;p=thirdparty%2Fcurl.git
digest: produce a shorter cnonce in Digest headers
Other programs (Postman, Chrome, Python request) use a 16 byte cnonce and there are instances of server-side implementations that don't support the larger lengths curl used previously.
Fixes #15653
Reported-by: Florian Eckert
Closes #15670
---
diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c
index 0cc3da898f..0acfcace1d 100644
--- a/lib/vauth/digest.c
+++ b/lib/vauth/digest.c
@@ -709,13 +709,17 @@ static CURLcode auth_create_digest_http_message(
 digest->nc = 1;
 if(!digest->cnonce) {
- char cnoncebuf[33];
- result = Curl_rand_hex(data, (unsigned char *)cnoncebuf,
- sizeof(cnoncebuf));
+ char cnoncebuf[12];
+ result = Curl_rand_bytes(data,
+#ifdef DEBUGBUILD
+ TRUE,
+#endif
+ (unsigned char *)cnoncebuf,
+ sizeof(cnoncebuf));
 if(result) return result;
- result = Curl_base64_encode(cnoncebuf, strlen(cnoncebuf),
+ result = Curl_base64_encode(cnoncebuf, sizeof(cnoncebuf),
 &cnonce, &cnonce_sz);
 if(result) return result;
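Review bot: The new `char cnoncebuf[12]` is a bare magic number, and nothing in the code says why 12 was chosen or what it costs. Twelve raw bytes base64-encode to exactly 16 characters with no `=` padding, which matches the commit message, but the cnonce now carries 96 bits of randomness, apparently down from the 32 hex digits the old `Curl_rand_hex` call produced. I would add a comment above the declaration such as `/* 12 random bytes (96 bits) base64-encode to a 16 character cnonce without padding */`, so a later change neither shrinks it further nor picks a size that introduces padding. The `TRUE` passed under `#ifdef DEBUGBUILD` also deserves a short comment, since it presumably lets debug builds override the random source, which must never apply to release builds. The body of auth_create_digest_http_message starts and ends outside this hunk.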