Hex value "f" is not used for "cnonce" calculation in nsHttpDigestAuth::GenerateCredentials




2 years ago
a year ago


(Reporter: chamal.desilva, Unassigned)


51 Branch

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [necko-would-take])


(1 attachment)



2 years ago
Created attachment 8837194 [details]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

1. Download and copy auth.php to local web server's root folder.
    Web server should support PHP. Otherwise it is necessary to convert auth.php to a language that your web server supports.
2. Open Firefox and visit
3. auth.php will prompt for user name and password.
4. Enter any user name and password and press OK button.
5. Web page will display "Authorization" header of HTTP request.
   Note that cnonce value in "Authorization" header contains hex values from 0 to "e", but not "f".
6. Refresh this web page several times to check whether cnonce value contains hex value "f".

Actual results:

Hex value "f" is not present in cnonce.

Expected results:

Hex value "f" should be present in cnonce, unless it is the way intended.

Comment 1

2 years ago
Cause of Bug

This bug is in the lines below, in the nsHttpDigestAuth::GenerateCredentials method in the netwerk\protocol\http\nsHttpDigestAuth.cpp file.

nsAutoCString cnonce;
static const char hexChar[] = "0123456789abcdef";
for (int i=0; i<16; ++i) {
  cnonce.Append(hexChar[(int)(15.0 * rand()/(RAND_MAX + 1.0))]);
}

The above code calculates the "cnonce" value, which should be sent with the HTTP "Authorization" header.
RAND_MAX = 32767
So the maximum value the above formula can give is
(15.0 * rand()/(RAND_MAX + 1.0)) = (15.0 * 32767/(32767 + 1.0)) = 14.99954223632813
But casting the above result (14.99954223632813) to an integer makes it 14, since integer casting rounds towards 0.

So the "f" hex value in the hexChar[] array is never used, since it is at the 15th index.
OS: Unspecified → All
Hardware: Unspecified → All
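The arithmetic in Comment 1 can be checked exhaustively. The following is an added example, not code from the bug or from Firefox: it maps every possible rand() return value through the quoted index expression, assuming RAND_MAX = 32767 as the comment states, and compares the quoted multiplier 15.0 with 16.0 (the alphabet size, used here only for comparison). The function names and the per-cnonce bit bound are illustrative.

```cpp
#include <array>
#include <cmath>
#include <cstdio>

// Assumption: RAND_MAX is 32767, the value stated in Comment 1.
constexpr int kRandMax = 32767;
constexpr int kAlphabet = 16;   // length of "0123456789abcdef"
constexpr int kCnonceLen = 16;  // loop count in the quoted code

// Index expression from the quoted loop, with the multiplier made a parameter.
int ScaleIndex(int r, double multiplier) {
  return (int)(multiplier * r / (kRandMax + 1.0));
}

// Tally which index every possible rand() return value maps to.
std::array<int, kAlphabet> Histogram(double multiplier) {
  std::array<int, kAlphabet> hits{};
  for (int r = 0; r <= kRandMax; ++r) hits[ScaleIndex(r, multiplier)]++;
  return hits;
}

// Number of hexChar[] entries that can ever be selected.
int ReachableSymbols(double multiplier) {
  int n = 0;
  for (int count : Histogram(multiplier)) n += (count > 0);
  return n;
}

// Upper bound on the bits a cnonce can carry: length * log2(reachable symbols).
double MaxCnonceBits(double multiplier) {
  return kCnonceLen * std::log2((double)ReachableSymbols(multiplier));
}

int main() {
  const double multipliers[] = {15.0, 16.0};  // as quoted vs. alphabet size
  for (double m : multipliers) {
    auto hits = Histogram(m);
    std::printf("multiplier %.0f: max index %d, hits['f'] = %d, "
                "reachable = %d, max bits = %.2f\n",
                m, ScaleIndex(kRandMax, m), hits[15],
                ReachableSymbols(m), MaxCnonceBits(m));
  }
  return 0;
}
```

With 15.0 the last array slot is never hit, so the 16-character cnonce is bounded at about 62.5 bits instead of 64; with 16.0 every slot is hit exactly 2048 times.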

Comment 2

2 years ago
Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1233337 seems to be related, since its crash signal also points to the same place in the code. I found this bug while looking into that bug.


2 years ago
Attachment #8837194 - Attachment mime type: application/x-php → text/plain
Group: firefox-core-security → network-core-security
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
This does not look like a security issue.

cnonce is defined as:
"The cnonce value is an opaque quoted ASCII-only string value provided by the client"

so it is just a string. This was implemented a long time ago, I would just leave it as it is. So one element of that array is not used.
Group: network-core-security


2 years ago
Whiteboard: [necko-would-take]