commit 0ecad853eda97d3512b78e3c65dc501544761118
parent 653376caa5d0b01456ec60a32485e11c80a8c60b
Author: Evgeny Grin (Karlson2k) <k2k@narod.ru>
Date: Tue, 26 Jul 2022 20:54:21 +0300
Added new MHD_OPTION_DIGEST_AUTH_RANDOM_COPY option
Diffstat:
3 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
@@ -96,7 +96,7 @@ extern "C"
* they are parsed as decimal numbers.
* Example: 0x01093001 = 1.9.30-1.
*/
-#define MHD_VERSION 0x00097528
+#define MHD_VERSION 0x00097529
/* If generic headers don't work on your platform, include headers
which define 'va_list', 'size_t', 'ssize_t', 'intptr_t', 'off_t',
@@ -1760,6 +1760,7 @@ enum MHD_OPTION
* Note that the application must ensure that the buffer of the
* second argument remains allocated and unmodified while the
* daemon is running.
+ * @sa #MHD_OPTION_DIGEST_AUTH_RANDOM_COPY
*/
MHD_OPTION_DIGEST_AUTH_RANDOM = 17,
@@ -1927,7 +1928,22 @@ enum MHD_OPTION
* This option should be followed by an `int` argument.
* @note Available since #MHD_VERSION 0x00097207
*/
- MHD_OPTION_TLS_NO_ALPN = 34
+ MHD_OPTION_TLS_NO_ALPN = 34,
+
+ /**
+ * Memory pointer for the random values to be used by the Digest
+ * Auth module. This option should be followed by two arguments.
+ * First an integer of type `size_t` which specifies the size
+ * of the buffer pointed to by the second argument in bytes.
+ * The recommended size is between 8 and 32. If size is four or less
+ * then security could be lowered. Sizes more then 32 (or, probably
+ * more than 16 - debatable) will not increase security.
+ * An internal copy of the buffer will be made, the data do not
+ * need to be static.
+ * @sa #MHD_OPTION_DIGEST_AUTH_RANDOM
+ * @note Available since #MHD_VERSION 0x00097529
+ */
+ MHD_OPTION_DIGEST_AUTH_RANDOM_COPY = 35
} _MHD_FIXED_ENUM;
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
@@ -6236,10 +6236,16 @@ parse_options_va (struct MHD_Daemon *daemon,
#endif /* HTTPS_SUPPORT */
#ifdef DAUTH_SUPPORT
case MHD_OPTION_DIGEST_AUTH_RANDOM:
+ case MHD_OPTION_DIGEST_AUTH_RANDOM_COPY:
daemon->digest_auth_rand_size = va_arg (ap,
size_t);
daemon->digest_auth_random = va_arg (ap,
const char *);
+ if (MHD_OPTION_DIGEST_AUTH_RANDOM_COPY == opt)
+ /* Set to some non-NULL value just to indicate that copy is required. */
+ daemon->digest_auth_random_copy = daemon;
+ else
+ daemon->digest_auth_random_copy = NULL;
break;
case MHD_OPTION_NONCE_NC_SIZE:
daemon->nonce_nc_size = va_arg (ap,
@@ -6440,6 +6446,7 @@ parse_options_va (struct MHD_Daemon *daemon,
break;
/* options taking size_t-number followed by pointer */
case MHD_OPTION_DIGEST_AUTH_RANDOM:
+ case MHD_OPTION_DIGEST_AUTH_RANDOM_COPY:
if (MHD_NO == parse_options (daemon,
servaddr,
opt,
@@ -6913,6 +6920,24 @@ MHD_start_daemon_va (unsigned int flags,
}
#ifdef DAUTH_SUPPORT
+ if (NULL != daemon->digest_auth_random_copy)
+ {
+ mhd_assert (daemon == daemon->digest_auth_random_copy);
+ daemon->digest_auth_random_copy = malloc (daemon->digest_auth_rand_size);
+ if (NULL == daemon->digest_auth_random_copy)
+ {
+#ifdef HTTPS_SUPPORT
+ if (0 != (*pflags & MHD_USE_TLS))
+ gnutls_priority_deinit (daemon->priority_cache);
+#endif /* HTTPS_SUPPORT */
+ free (daemon);
+ return NULL;
+ }
+ memcpy (daemon->digest_auth_random_copy,
+ daemon->digest_auth_random,
+ daemon->digest_auth_rand_size);
+ daemon->digest_auth_random = daemon->digest_auth_random_copy;
+ }
if (daemon->nonce_nc_size > 0)
{
if ( ( (size_t) (daemon->nonce_nc_size * sizeof (struct MHD_NonceNc)))
@@ -6926,6 +6951,7 @@ MHD_start_daemon_va (unsigned int flags,
if (0 != (*pflags & MHD_USE_TLS))
gnutls_priority_deinit (daemon->priority_cache);
#endif /* HTTPS_SUPPORT */
+ free (daemon->digest_auth_random_copy);
free (daemon);
return NULL;
}
@@ -6942,6 +6968,7 @@ MHD_start_daemon_va (unsigned int flags,
if (0 != (*pflags & MHD_USE_TLS))
gnutls_priority_deinit (daemon->priority_cache);
#endif /* HTTPS_SUPPORT */
+ free (daemon->digest_auth_random_copy);
free (daemon);
return NULL;
}
@@ -6958,6 +6985,7 @@ MHD_start_daemon_va (unsigned int flags,
if (0 != (*pflags & MHD_USE_TLS))
gnutls_priority_deinit (daemon->priority_cache);
#endif /* HTTPS_SUPPORT */
+ free (daemon->digest_auth_random_copy);
free (daemon->nnc);
free (daemon);
return NULL;
@@ -7586,6 +7614,7 @@ MHD_start_daemon_va (unsigned int flags,
#ifdef DAUTH_SUPPORT
d->nnc = NULL;
d->nonce_nc_size = 0;
+ d->digest_auth_random_copy = NULL;
#if defined(MHD_USE_THREADS)
memset (&d->nnc_lock, 1, sizeof(d->nnc_lock));
#endif /* MHD_USE_THREADS */
@@ -7706,6 +7735,7 @@ free_and_fail:
#endif /* HTTPS_SUPPORT && UPGRADE_SUPPORT */
#endif /* EPOLL_SUPPORT */
#ifdef DAUTH_SUPPORT
+ free (daemon->digest_auth_random_copy);
free (daemon->nnc);
#if defined(MHD_USE_POSIX_THREADS) || defined(MHD_USE_W32_THREADS)
MHD_mutex_destroy_chk_ (&daemon->nnc_lock);
@@ -8102,6 +8132,7 @@ MHD_stop_daemon (struct MHD_Daemon *daemon)
#endif /* HTTPS_SUPPORT */
#ifdef DAUTH_SUPPORT
+ free (daemon->digest_auth_random_copy);
free (daemon->nnc);
#if defined(MHD_USE_POSIX_THREADS) || defined(MHD_USE_W32_THREADS)
MHD_mutex_destroy_chk_ (&daemon->nnc_lock);
diff --git a/src/microhttpd/internal.h b/src/microhttpd/internal.h
@@ -2149,6 +2149,11 @@ struct MHD_Daemon
const char *digest_auth_random;
/**
+ * The malloc'ed copy of the @a digest_auth_random.
+ */
+ void *digest_auth_random_copy;
+
+ /**
* An array that contains the map nonce-nc.
*/
struct MHD_NonceNc *nnc;
