From: Amos Jeffries Date: Sun, 8 Feb 2015 09:37:12 +0000 (-0800) Subject: Generate digest nonce random data with C++11 generator X-Git-Tag: merge-candidate-3-v1~109^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42df42096a53bafa3a2d678a502a1fe1bc2ce673;p=thirdparty%2Fsquid.git Generate digest nonce random data with C++11 generator This should also resolve the bug 3526 properly since the new generator is guaranteed to produce new random values every time with a higher quality of randomness than rand() which was being used indirectly before.
---
diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
index beaf946e7d..ef5b5b350f 100644
--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
@@ -39,6 +39,8 @@
 */
 #include "mem/Pool.h"
+#include
+
 static AUTHSSTATS authenticateDigestStats;
 helper *digestauthenticators = NULL;
@@ -147,30 +149,28 @@ authenticateDigestNonceNew(void)
 * component in the nonce allows us to loop to find a unique nonce.
 * We use H(nonce_data) so the nonce is meaningless to the reciever.
 * So our nonce looks like base64(H(timestamp,pointertohash,randomdata))
- * And even if our randomness is not very random (probably due to
- * bad coding on my part) we don't really care - the timestamp and
- * memory pointer also guarantee local uniqueness in the input to the hash
- * function.
+ * And even if our randomness is not very random we don't really care
+ * - the timestamp and memory pointer also guarantee local uniqueness
+ * in the input to the hash function.
 */
+ // NP: this will likely produce the same randomness sequences for each worker
+ // since they should all start within the 1-second resolution of seed value.
+ static std::mt19937 mt(static_cast(getCurrentTime() & 0xFFFFFFFF));
+ static std::uniform_int_distribution newRandomData;
 /* create a new nonce */
 newnonce->nc = 0;
 newnonce->flags.valid = true;
 newnonce->noncedata.self = newnonce;
 newnonce->noncedata.creationtime = current_time.tv_sec;
- newnonce->noncedata.randomdata = squid_random();
+ newnonce->noncedata.randomdata = newRandomData(mt);
 authDigestNonceEncode(newnonce);
- /*
- * loop until we get a unique nonce. The nonce creation must
- * have a random factor
- */
+ // ensure temporal uniqueness by checking for existing nonce
 while (authenticateDigestNonceFindNonce((char const *) (newnonce->key))) {
 /* create a new nonce */
- newnonce->noncedata.randomdata = squid_random();
- /* Bug 3526 high performance fix: add 1 second to creationtime to avoid duplication */
- ++newnonce->noncedata.creationtime;
+ newnonce->noncedata.randomdata = newRandomData(mt);
 authDigestNonceEncode(newnonce);
 }
diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h
index 1bf696008b..383aa34a34 100644
--- a/src/auth/digest/Config.h
+++ b/src/auth/digest/Config.h
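Review bot: In authenticateDigestNonceNew (src/auth/digest/Config.cc) the new `mt` generator is seeded only with the start time truncated to 32 bits, so `randomdata` is reproducible by anyone who can estimate when the worker started, and, as the added NP comment says, workers started in the same second share one sequence. std::mt19937 is a statistical generator rather than a cryptographic one, so after this change the nonce's unpredictability rests on the timestamp and pointer that go into the hash. I would seed from the OS entropy source instead, `static std::mt19937 mt(std::random_device{}());`, and reword the comment to say the loop guarantees uniqueness, not secrecy. With `++newnonce->noncedata.creationtime` removed, the while loop terminates only when the generator yields an unused value, which is worth a one-line comment. The function starts and ends outside the hunk.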
@@ -32,7 +32,7 @@ struct _digest_nonce_data {
 time_t creationtime;
 /* in memory address of the nonce struct (similar purpose to an ETag) */
 digest_nonce_h *self;
- long randomdata;
+ uint32_t randomdata;
 };
 /* the nonce structure we'll pass around */