[libmicrohttpd] 19/20: digestauth: updated the method of nonce generatio
From: gnunet
Subject: [libmicrohttpd] 19/20: digestauth: updated the method of nonce generation in default mode
Date: Mon, 15 Aug 2022 20:38:45 +0200
This is an automated email from the git hooks/post-receive script.
karlson2k pushed a commit to branch master
in repository libmicrohttpd.
commit 21d8f5461bc8b999cd2c6bfa8b8cacacb267b17f
Author: Evgeny Grin (Karlson2k) <k2k@narod.ru>
AuthorDate: Mon Aug 15 21:23:42 2022 +0300
digestauth: updated the method of nonce generation in default mode
---
src/include/microhttpd.h | 7 ++++---
src/microhttpd/digestauth.c | 19 +++++++++++++++++--
2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index 83006001..d3765b6c 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -1562,6 +1562,9 @@ enum MHD_DAuthBindNonce
* for any request in the same "protection space".
* CPU is loaded less when this value is used when checking client's
* authorisation request.
+ * This mode gives MHD maximum flexibility for nonces generation and can
+ * prevent possible nonce collisions (and corresponding log warning messages)
+ * when clients' requests are intensive.
* This value cannot be combined with other values.
*/
MHD_DAUTH_BIND_NONCE_NONE = 0,
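Review bot: the three added doc lines for MHD_DAUTH_BIND_NONCE_NONE promise collision avoidance but do not say what feeds the nonce in this mode. The digestauth.c part of this commit mixes the full client address with source port, the method and the realm into the hash when bind_options is NONE. Please name those inputs here and, if that is the intent, state that they serve uniqueness only and are not checked against later requests, so the sentence above about the nonce being usable for any request in the same "protection space" does not read as contradicted.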
@@ -1596,9 +1599,6 @@ enum MHD_DAuthBindNonce
* jump from one IP to another (mobile or Wi-Fi handover, DHCP re-assignment,
* Multi-NAT, different proxy chain and other reasons), while IP address
* spoofing could be used relatively easily.
- * However, if server gets intensive requests with Digest Authentication
- * this value helps to generate unique nonces for several requests, received
- * exactly at the same time (within one millisecond) from different clients.
*/
MHD_DAUTH_BIND_NONCE_CLIENT_IP = 1 << 3
} _MHD_FLAGS_ENUM;
@@ -2014,6 +2014,7 @@ enum MHD_OPTION
* #MHD_digest_auth_check3() and similar functions.
* This option should be followed by an 'unsigned int` argument with value
* formed as bitwise OR combination of #MHD_DAuthBindNonce values.
+ * When not specified, default value #MHD_DAUTH_BIND_NONCE_NONE is used.
* @note Available since #MHD_VERSION 0x00097531
*/
MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE = 36
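Review bot: minor, on the context line two above the added sentence: the type is quoted as 'unsigned int` with a straight quote opening and a backtick closing. Worth fixing while this doc comment is being edited anyway.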
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c
index eddfa937..bfedccf8 100644
--- a/src/microhttpd/digestauth.c
+++ b/src/microhttpd/digestauth.c
@@ -1380,6 +1380,16 @@ calculate_nonce (uint64_t nonce_time,
rnd_size);
digest_update_with_colon (da);
}
+ if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) &&
+ (0 != saddr_size) )
+ {
+ /* Use full client address including source port to make unique nonces
+ * for requests received exactly at the same time */
+ digest_update (da,
+ saddr,
+ saddr_size);
+ digest_update_with_colon (da);
+ }
if ( (0 != (bind_options & MHD_DAUTH_BIND_NONCE_CLIENT_IP)) &&
(0 != saddr_size) )
{
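Review bot: the new block under `MHD_DAUTH_BIND_NONCE_NONE == bind_options` hashes the raw `saddr` buffer for `saddr_size` bytes, so the digest depends on the source port and on every other byte of the socket address structure, padding included. That is safe only if the hash is never recomputed and compared for a later request in this mode, because a follow-up request on a new connection arrives from a different port. The hunk does not show the check side, so please confirm that and say so in the comment. Feeding the address and port fields explicitly instead of the raw structure would also keep padding bytes out of the digest.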
@@ -1395,7 +1405,8 @@ calculate_nonce (uint64_t nonce_time,
#endif /* HAVE_INET6 */
digest_update_with_colon (da);
}
- if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI))
+ if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) ||
+ (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI)))
{
if (MHD_HTTP_MTHD_OTHER != mthd_e)
{
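Review bot: `MHD_DAUTH_BIND_NONCE_NONE == bind_options` is now tested here, in the new saddr block and again before the realm; a single local flag computed once at the top of calculate_nonce() would keep the three conditions in step. Style nit on the same statement: it closes with `)))`, while the neighbouring conditions use the spaced form `(0 != saddr_size) )`.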
@@ -1410,7 +1421,10 @@ calculate_nonce (uint64_t nonce_time,
}
else
digest_update_str (da, method);
+ }
+ if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI))
+ {
digest_update_with_colon (da);
digest_update (da,
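Review bot: closing the block right after `digest_update_str (da, method);` and reopening it on MHD_DAUTH_BIND_NONCE_URI leaves `digest_update_with_colon (da);` in the URI-only part, so in default mode the method appears to be fed to the hash with no separator before the next field. The other inputs are colon-delimited; either add the colon after the method in the shared block or add a comment that unambiguous framing is not required in NONE mode.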
@@ -1435,7 +1449,8 @@ calculate_nonce (uint64_t nonce_time,
}
digest_update_with_colon (da);
}
- if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_REALM))
+ if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) ||
+ (0 != (bind_options & MHD_DAUTH_BIND_NONCE_REALM)))
{
digest_update (da,
realm,
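Review bot: the realm is now hashed when bind_options is NONE, but unlike the saddr block this condition carries no comment saying why. If the purpose is only to diversify the nonce rather than to bind it to the realm, a one-line comment stating that would help the next reader and match the header text for this mode.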