Re: [libmicrohttpd] Upgrade to digest authentication
From: Christian Grothoff
Subject: Re: [libmicrohttpd] Upgrade to digest authentication
Date: Wed, 11 Nov 2020 19:14:40 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
https://github.com/curl/curl/issues/3353 suggests curl had a bug there,
where curl failed to hash the params. Maybe your Onvif Device manager
uses that bad version of curl?
It looks like MHD does very much the right thing here: a client failing
to send a correct authentication challenge should fail authentication ;-)
-Christian
On 11/11/20 5:59 PM, DJM-Avalesta wrote:
> Hi Christian,
> You are right. The Client (Onvif Device Manager) is only hashing the
> url, without the params. It is telling us that with its uri field but we
> are ignoring it and hashing the whole url.
>
> Other clients eg Firefox or ONVIF Conformance tool, hash the complete
> url so it is not a problem.
>
> I can fix it for ODM by removing the params, but I really need the
> params so that the snapshot can select different images.
>
> Best regards
> David
>
>
> On 2020-11-11 2:18 pm, Christian Grothoff wrote:
>
>> On 11/11/20 3:02 PM, DJM-Avalesta wrote:
>>> Hi,
>>>
>>> I spoke too soon, I still have issues authenticating with certain
>>> clients.
>>>
>>> The attached wireshark shows, at the very end, it fails to authenticate
>>> an HTTP GET of an image file (/mjpg/image.cgi) when the username, nonce
>>> and realm all seem to be correct.
>>>
>>> It actually fails in digestauth.c with the message "Authentication
>>> failed, arguments do no match".
>>>
>>> Any ideas?
>>
>> I suspect the "?view=0" is somehow to blame. IIRC we had issues with
>> that in the past, where some include the "?view=0" in the URI when
>> hashing, and others do not. Also note that the "?view=0" is *NOT*
>> included in the "uri=/mjpeg/image.cgi" given by the client (TCP stream
>> #10).
>>
>> So if the client excluded "?view=0" from hashing, and MHD included
>> "?view=0" when hashing, this disagreement would result in exactly this
>> behavior.
>>
>> (I don't recall on the spot what the standard says, and also don't
>> recall if MHD even looks at the "uri=" argument in the authorization
>> header -- I'd need more time to investigate this, so this is just my
>> hunch/idea here.)
>>
>> Happy hacking!
>>
>> Christian
>>
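The disagreement discussed in this thread (the client hashing only "/mjpg/image.cgi" while the server hashes "/mjpg/image.cgi?view=0") is easiest to see by computing the RFC 2617 Digest response on both sides. The following is an added example, not code from libmicrohttpd, the ODM client, or anyone in the thread; the realm, user, password, nonces and the three server policy names ("ignore-uri", "strict", "lenient") are constructed for illustration. It builds client Authorization headers for a correct client, for a client that hashes only the path (as David describes ODM doing), and for a client whose uri= field does not match what it hashed, then verifies each under the three server policies:

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample credentials and nonces; none of these come from the thread.
REALM = "camera"
USERS = {"admin": "s3cret"}
NONCE = "4f2a9c1e0b7d"      # constructed; a real server generates and tracks nonces
CNONCE = "0a1b2c3d"         # constructed client nonce
NC = "00000001"

TARGET = "/mjpg/image.cgi?view=0"   # the request target as seen by the server
PATH = "/mjpg/image.cgi"            # the same target with its query stripped


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    with HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, password, method, declared_uri, hashed_uri):
    """Client side. `declared_uri` goes into the uri= field; `hashed_uri` is what
    the client actually fed into HA2. A correct client uses the same value for
    both; passing different values models a client whose uri= field lies."""
    resp = digest_response(username, REALM, password, method, hashed_uri, NONCE, NC, CNONCE)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{declared_uri}", qop=auth, nc={NC}, cnonce="{CNONCE}", response="{resp}"')


def parse_authorization(header: str) -> dict:
    """Minimal parser for the comma-separated key=value list of a Digest header.
    Simplified: it does not handle commas inside quoted values."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest authorization header")
    params = {}
    for part in header[len("Digest "):].split(","):
        key, _, value = part.strip().partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params


def check_digest(method, request_target, header, policy="strict"):
    """Server side. Returns a short verdict string.
    policy="ignore-uri": hash the real request target and never consult uri=
                         (the behaviour David reports); a client that hashed
                         only the path then fails with a bad response.
    policy="strict":     uri= must equal the request target exactly, query
                         included, and that value is hashed.
    policy="lenient":    additionally accept uri= equal to the target with its
                         query stripped, and hash whatever uri= declares.
    Nonce freshness and nc replay checks are omitted here; a real server needs both."""
    try:
        p = parse_authorization(header)
        declared_uri, username = p["uri"], p["username"]
    except (ValueError, KeyError):
        return "malformed"
    if policy == "ignore-uri":
        uri_to_hash = request_target
    else:
        accepted = {request_target}
        if policy == "lenient":
            accepted.add(urlsplit(request_target).path)
        # Never hash a uri= the client picked freely: tie it to the real target.
        if declared_uri not in accepted:
            return "uri-mismatch"
        uri_to_hash = declared_uri
    password = USERS.get(username)
    if password is None:
        return "unknown-user"
    expected = digest_response(username, REALM, password, method, uri_to_hash,
                               p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    if not hmac.compare_digest(expected, p.get("response", "")):
        return "bad-response"
    return "ok"


def demo():
    """Run the three client behaviours through the three server policies."""
    good = build_authorization("admin", "s3cret", "GET", TARGET, TARGET)   # hashes full target
    odm_style = build_authorization("admin", "s3cret", "GET", PATH, PATH)  # hashes path only
    lying = build_authorization("admin", "s3cret", "GET", TARGET, PATH)    # uri= disagrees with hash
    return {
        "good/ignore-uri": check_digest("GET", TARGET, good, "ignore-uri"),
        "odm/ignore-uri": check_digest("GET", TARGET, odm_style, "ignore-uri"),
        "odm/strict": check_digest("GET", TARGET, odm_style, "strict"),
        "odm/lenient": check_digest("GET", TARGET, odm_style, "lenient"),
        "lying/lenient": check_digest("GET", TARGET, lying, "lenient"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} {verdict}")
```

Under "ignore-uri" the path-only client fails with a bad response, which is the symptom in the thread; under "lenient" it succeeds because the server hashes the uri the client declared, but only after confirming that uri is the request target or its query-less form. That last check is what keeps the lenient policy from letting a client pick an arbitrary uri= and thereby authenticate one request with a response computed for another.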