diff options
author | Evgeny Grin (Karlson2k) <k2k@narod.ru> | 2022-08-15 21:23:42 +0300 |
---|---|---|
committer | Evgeny Grin (Karlson2k) <k2k@narod.ru> | 2022-08-15 21:37:51 +0300 |
commit | 21d8f5461bc8b999cd2c6bfa8b8cacacb267b17f (patch) | |
tree | 693ca7eea4f1d1fa6855c37eea40a0144778065d | |
parent | e1d6b7635b9c5a37fb3be5e5748278db64ec1b8b (diff) | |
download | libmicrohttpd-21d8f5461bc8b999cd2c6bfa8b8cacacb267b17f.tar.gz libmicrohttpd-21d8f5461bc8b999cd2c6bfa8b8cacacb267b17f.zip |
digestauth: updated the method of nonce generation in default mode
-rw-r--r-- | src/include/microhttpd.h | 7 | ||||
-rw-r--r-- | src/microhttpd/digestauth.c | 19 |
2 files changed, 21 insertions, 5 deletions
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h index 83006001..d3765b6c 100644 --- a/src/include/microhttpd.h +++ b/src/include/microhttpd.h | |||
@@ -1562,6 +1562,9 @@ enum MHD_DAuthBindNonce | |||
1562 | * for any request in the same "protection space". | 1562 | * for any request in the same "protection space". |
1563 | * CPU is loaded less when this value is used when checking client's | 1563 | * CPU is loaded less when this value is used when checking client's |
1564 | * authorisation request. | 1564 | * authorisation request. |
1565 | * This mode gives MHD maximum flexibility for nonces generation and can | ||
1566 | * prevent possible nonce collisions (and corresponding log warning messages) | ||
1567 | * when clients' requests are intensive. | ||
1565 | * This value cannot be combined with other values. | 1568 | * This value cannot be combined with other values. |
1566 | */ | 1569 | */ |
1567 | MHD_DAUTH_BIND_NONCE_NONE = 0, | 1570 | MHD_DAUTH_BIND_NONCE_NONE = 0, |
@@ -1596,9 +1599,6 @@ enum MHD_DAuthBindNonce | |||
1596 | * jump from one IP to another (mobile or Wi-Fi handover, DHCP re-assignment, | 1599 | * jump from one IP to another (mobile or Wi-Fi handover, DHCP re-assignment, |
1597 | * Multi-NAT, different proxy chain and other reasons), while IP address | 1600 | * Multi-NAT, different proxy chain and other reasons), while IP address |
1598 | * spoofing could be used relatively easily. | 1601 | * spoofing could be used relatively easily. |
1599 | * However, if server gets intensive requests with Digest Authentication | ||
1600 | * this value helps to generate unique nonces for several requests, received | ||
1601 | * exactly at the same time (within one millisecond) from different clients. | ||
1602 | */ | 1602 | */ |
1603 | MHD_DAUTH_BIND_NONCE_CLIENT_IP = 1 << 3 | 1603 | MHD_DAUTH_BIND_NONCE_CLIENT_IP = 1 << 3 |
1604 | } _MHD_FLAGS_ENUM; | 1604 | } _MHD_FLAGS_ENUM; |
@@ -2014,6 +2014,7 @@ enum MHD_OPTION | |||
2014 | * #MHD_digest_auth_check3() and similar functions. | 2014 | * #MHD_digest_auth_check3() and similar functions. |
2015 | * This option should be followed by an 'unsigned int` argument with value | 2015 | * This option should be followed by an 'unsigned int` argument with value |
2016 | * formed as bitwise OR combination of #MHD_DAuthBindNonce values. | 2016 | * formed as bitwise OR combination of #MHD_DAuthBindNonce values. |
2017 | * When not specified, default value #MHD_DAUTH_BIND_NONCE_NONE is used. | ||
2017 | * @note Available since #MHD_VERSION 0x00097531 | 2018 | * @note Available since #MHD_VERSION 0x00097531 |
2018 | */ | 2019 | */ |
2019 | MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE = 36 | 2020 | MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE = 36 |
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c index eddfa937..bfedccf8 100644 --- a/src/microhttpd/digestauth.c +++ b/src/microhttpd/digestauth.c | |||
@@ -1380,6 +1380,16 @@ calculate_nonce (uint64_t nonce_time, | |||
1380 | rnd_size); | 1380 | rnd_size); |
1381 | digest_update_with_colon (da); | 1381 | digest_update_with_colon (da); |
1382 | } | 1382 | } |
1383 | if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) && | ||
1384 | (0 != saddr_size) ) | ||
1385 | { | ||
1386 | /* Use full client address including source port to make unique nonces | ||
1387 | * for requests received exactly at the same time */ | ||
1388 | digest_update (da, | ||
1389 | saddr, | ||
1390 | saddr_size); | ||
1391 | digest_update_with_colon (da); | ||
1392 | } | ||
1383 | if ( (0 != (bind_options & MHD_DAUTH_BIND_NONCE_CLIENT_IP)) && | 1393 | if ( (0 != (bind_options & MHD_DAUTH_BIND_NONCE_CLIENT_IP)) && |
1384 | (0 != saddr_size) ) | 1394 | (0 != saddr_size) ) |
1385 | { | 1395 | { |
@@ -1395,7 +1405,8 @@ calculate_nonce (uint64_t nonce_time, | |||
1395 | #endif /* HAVE_INET6 */ | 1405 | #endif /* HAVE_INET6 */ |
1396 | digest_update_with_colon (da); | 1406 | digest_update_with_colon (da); |
1397 | } | 1407 | } |
1398 | if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI)) | 1408 | if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) || |
1409 | (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI))) | ||
1399 | { | 1410 | { |
1400 | if (MHD_HTTP_MTHD_OTHER != mthd_e) | 1411 | if (MHD_HTTP_MTHD_OTHER != mthd_e) |
1401 | { | 1412 | { |
@@ -1410,7 +1421,10 @@ calculate_nonce (uint64_t nonce_time, | |||
1410 | } | 1421 | } |
1411 | else | 1422 | else |
1412 | digest_update_str (da, method); | 1423 | digest_update_str (da, method); |
1424 | } | ||
1413 | 1425 | ||
1426 | if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI)) | ||
1427 | { | ||
1414 | digest_update_with_colon (da); | 1428 | digest_update_with_colon (da); |
1415 | 1429 | ||
1416 | digest_update (da, | 1430 | digest_update (da, |
@@ -1435,7 +1449,8 @@ calculate_nonce (uint64_t nonce_time, | |||
1435 | } | 1449 | } |
1436 | digest_update_with_colon (da); | 1450 | digest_update_with_colon (da); |
1437 | } | 1451 | } |
1438 | if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_REALM)) | 1452 | if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) || |
1453 | (0 != (bind_options & MHD_DAUTH_BIND_NONCE_REALM))) | ||
1439 | { | 1454 | { |
1440 | digest_update (da, | 1455 | digest_update (da, |
1441 | realm, | 1456 | realm, |