Generate 144-bit nonce to satisfy https://w3c.github.io/webappsec-csp/#security-nonces (although, I'm fairly sure the 128-bit number was pulled straight from someone's ass, and not based on research). Fixes issue #2.

Author: wyattoday

README.md

@@ -1,6 +1,6 @@
 # mod_cspnonce
 
-"mod_cspnonce" is an Apache2 module that makes it dead simple to add "nonce" values to the [CSP (`Content-Security-Policy`) headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
+"mod_cspnonce" is an Apache2 module that makes it dead simple to add cryptographically random "nonce" values to the [CSP (`Content-Security-Policy`) headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
 
 `nonce` values are a great way to enable CSP headers while still having dynamic scripts and styles in your web app. Here's an [example from MDN web docs showing a use of `nonce` with `script-src` CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src).
 

mod_cspnonce.c

@@ -52,12 +52,19 @@ typedef unsigned char byte;
 */
 const char * GenSecureCSPNonce(const request_rec * r)
 {
-    // Generate 9 random bytes. Any multiple of 3 will work
+    // Generate 18 random bytes (144-bits). Any multiple of 3 will work
     // well because the base64 string generated will not require
     // padding (i.e. useless characters).
     // If you modify this number you'll need to modify the string length
     // and null terminator below.
-    byte random_bytes[9];
+    byte random_bytes[18];
+
+    // This number is based on the seemlingly made-up number used in
+    // the W3C "webappsec-csp" document. It seems made-up (i.e. a number
+    // not based on either theoretical or real-world testing) because
+    // 128-bits cannot be divided evenly into a base64-encoded string.
+    // But, whatever, I'll let someone else fight that battle.
+    // Here is the nonsense source: https://w3c.github.io/webappsec-csp/#security-nonces
 
 #ifdef _WIN32
     BCRYPT_ALG_HANDLE Prov;
@@ -104,21 +111,30 @@ const char * GenSecureCSPNonce(const request_rec * r)
     h = random();
     memcpy(random_bytes + 4, &h, 4);
 
-    // fill up bytes 5,6,7,8
+    // fill up bytes 8,9,10,11
+    h = random();
+    memcpy(random_bytes + 8, &h, 4);
+
+    // fill up bytes 12,13,14,15
+    h = random();
+    memcpy(random_bytes + 12, &h, 4);
+
+    // fill up bytes 14,15,16,17
     // Yes, there's overlap.
     h = random();
-    memcpy(random_bytes + 5, &h, 4);
+    memcpy(random_bytes + 14, &h, 4);
+
 #endif
 
     char * cspNonce;
 
-    // Allocate 13 bytes for the base64 string + NULL.
+    // Allocate 25 bytes for the base64 string + NULL.
     // Base64 uses 4 ascii characters to encode 24-bits (3 bytes) of data
-    // Thus we need 12 characters + 1 NULL char to store 9 bytes of random data.
-    cspNonce = (char *)apr_palloc(r->pool, 13);
+    // Thus we need 24 characters + 1 NULL char to store 18 bytes of random data.
+    cspNonce = (char *)apr_palloc(r->pool, 25);
 
     // null terminate string
-    cspNonce[12] = '\0';
+    cspNonce[24] = '\0';
 
     apr_base64_encode(cspNonce, (const char *)random_bytes, sizeof(random_bytes));
 

mod_cspnonce.rc

@@ -1,6 +1,6 @@
 1 VERSIONINFO
-FILEVERSION 1, 2, 0, 0
-PRODUCTVERSION 1, 2, 0, 0
+FILEVERSION 1, 3, 0, 0
+PRODUCTVERSION 1, 3, 0, 0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@@ -17,12 +17,12 @@ BLOCK "040904b0"
 BEGIN
 VALUE "CompanyName", "wyDay, LLC"
 VALUE "FileDescription", "cspnonce_module for Apache"
-VALUE "FileVersion", "1.2"
+VALUE "FileVersion", "1.3"
 VALUE "InternalName", "mod_cspnonce.so"
 VALUE "LegalCopyright", "Copyright 2005-2020 wyDay, LLC"
 VALUE "OriginalFilename", "mod_cspnonce.so"
 VALUE "ProductName", "Apache HTTP Server"
-VALUE "ProductVersion", "1.2"
+VALUE "ProductVersion", "1.3"
 END
 END
 END