Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use of insecure random number generation function rand() #30

Open
hannob opened this issue Dec 19, 2023 · 1 comment
Open

Use of insecure random number generation function rand() #30

hannob opened this issue Dec 19, 2023 · 1 comment

Comments

@hannob
Copy link

hannob commented Dec 19, 2023

The code uses the function rand() in HTTP/Request2/Adapter/Socket.php:

            $challenge['cnonce'] = 'Req2.' . rand();

This function does not produce secure random numbers, and it might be predictable in certain situations. It would therefore be better to avoid it.

One can get practically the same behavior using PHP's random_int. However, in this case, according to the RFC the cnonce value can contain any base64 characters. So maybe just use something like base64enc(random_bytes(15)). (The random_bytes() function generates cryptographically secure random numbers, usually that's wired to the operating system's random number generator.)
@hannob hannob changed the title Use of insecre random number generation function rand() Use of insecure random number generation function rand() Dec 19, 2023
@sad-spirit
Copy link
Member

Dunno whether it makes sense to fix Digest authentication at this point. Using that essentially requires storing unencrypted passwords, which is a lot more insecure than using a bad random number generator.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hannob @sad-spirit