aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEvgeny Grin (Karlson2k) <k2k@narod.ru>2022-08-15 21:23:42 +0300
committerEvgeny Grin (Karlson2k) <k2k@narod.ru>2022-08-15 21:37:51 +0300
commit21d8f5461bc8b999cd2c6bfa8b8cacacb267b17f (patch)
tree693ca7eea4f1d1fa6855c37eea40a0144778065d
parente1d6b7635b9c5a37fb3be5e5748278db64ec1b8b (diff)
downloadlibmicrohttpd-21d8f5461bc8b999cd2c6bfa8b8cacacb267b17f.tar.gz
libmicrohttpd-21d8f5461bc8b999cd2c6bfa8b8cacacb267b17f.zip
digestauth: updated the method of nonce generation in default mode
-rw-r--r--src/include/microhttpd.h7
-rw-r--r--src/microhttpd/digestauth.c19
2 files changed, 21 insertions, 5 deletions
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index 83006001..d3765b6c 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -1562,6 +1562,9 @@ enum MHD_DAuthBindNonce
1562 * for any request in the same "protection space". 1562 * for any request in the same "protection space".
1563 * CPU is loaded less when this value is used when checking client's 1563 * CPU is loaded less when this value is used when checking client's
1564 * authorisation request. 1564 * authorisation request.
1565 * This mode gives MHD maximum flexibility for nonces generation and can
1566 * prevent possible nonce collisions (and corresponding log warning messages)
1567 * when clients' requests are intensive.
1565 * This value cannot be combined with other values. 1568 * This value cannot be combined with other values.
1566 */ 1569 */
1567 MHD_DAUTH_BIND_NONCE_NONE = 0, 1570 MHD_DAUTH_BIND_NONCE_NONE = 0,
@@ -1596,9 +1599,6 @@ enum MHD_DAuthBindNonce
1596 * jump from one IP to another (mobile or Wi-Fi handover, DHCP re-assignment, 1599 * jump from one IP to another (mobile or Wi-Fi handover, DHCP re-assignment,
1597 * Multi-NAT, different proxy chain and other reasons), while IP address 1600 * Multi-NAT, different proxy chain and other reasons), while IP address
1598 * spoofing could be used relatively easily. 1601 * spoofing could be used relatively easily.
1599 * However, if server gets intensive requests with Digest Authentication
1600 * this value helps to generate unique nonces for several requests, received
1601 * exactly at the same time (within one millisecond) from different clients.
1602 */ 1602 */
1603 MHD_DAUTH_BIND_NONCE_CLIENT_IP = 1 << 3 1603 MHD_DAUTH_BIND_NONCE_CLIENT_IP = 1 << 3
1604} _MHD_FLAGS_ENUM; 1604} _MHD_FLAGS_ENUM;
@@ -2014,6 +2014,7 @@ enum MHD_OPTION
2014 * #MHD_digest_auth_check3() and similar functions. 2014 * #MHD_digest_auth_check3() and similar functions.
2015 * This option should be followed by an 'unsigned int` argument with value 2015 * This option should be followed by an 'unsigned int` argument with value
2016 * formed as bitwise OR combination of #MHD_DAuthBindNonce values. 2016 * formed as bitwise OR combination of #MHD_DAuthBindNonce values.
2017 * When not specified, default value #MHD_DAUTH_BIND_NONCE_NONE is used.
2017 * @note Available since #MHD_VERSION 0x00097531 2018 * @note Available since #MHD_VERSION 0x00097531
2018 */ 2019 */
2019 MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE = 36 2020 MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE = 36
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c
index eddfa937..bfedccf8 100644
--- a/src/microhttpd/digestauth.c
+++ b/src/microhttpd/digestauth.c
@@ -1380,6 +1380,16 @@ calculate_nonce (uint64_t nonce_time,
1380 rnd_size); 1380 rnd_size);
1381 digest_update_with_colon (da); 1381 digest_update_with_colon (da);
1382 } 1382 }
1383 if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) &&
1384 (0 != saddr_size) )
1385 {
1386 /* Use full client address including source port to make unique nonces
1387 * for requests received exactly at the same time */
1388 digest_update (da,
1389 saddr,
1390 saddr_size);
1391 digest_update_with_colon (da);
1392 }
1383 if ( (0 != (bind_options & MHD_DAUTH_BIND_NONCE_CLIENT_IP)) && 1393 if ( (0 != (bind_options & MHD_DAUTH_BIND_NONCE_CLIENT_IP)) &&
1384 (0 != saddr_size) ) 1394 (0 != saddr_size) )
1385 { 1395 {
@@ -1395,7 +1405,8 @@ calculate_nonce (uint64_t nonce_time,
1395#endif /* HAVE_INET6 */ 1405#endif /* HAVE_INET6 */
1396 digest_update_with_colon (da); 1406 digest_update_with_colon (da);
1397 } 1407 }
1398 if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI)) 1408 if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) ||
1409 (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI)))
1399 { 1410 {
1400 if (MHD_HTTP_MTHD_OTHER != mthd_e) 1411 if (MHD_HTTP_MTHD_OTHER != mthd_e)
1401 { 1412 {
@@ -1410,7 +1421,10 @@ calculate_nonce (uint64_t nonce_time,
1410 } 1421 }
1411 else 1422 else
1412 digest_update_str (da, method); 1423 digest_update_str (da, method);
1424 }
1413 1425
1426 if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI))
1427 {
1414 digest_update_with_colon (da); 1428 digest_update_with_colon (da);
1415 1429
1416 digest_update (da, 1430 digest_update (da,
@@ -1435,7 +1449,8 @@ calculate_nonce (uint64_t nonce_time,
1435 } 1449 }
1436 digest_update_with_colon (da); 1450 digest_update_with_colon (da);
1437 } 1451 }
1438 if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_REALM)) 1452 if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) ||
1453 (0 != (bind_options & MHD_DAUTH_BIND_NONCE_REALM)))
1439 { 1454 {
1440 digest_update (da, 1455 digest_update (da,
1441 realm, 1456 realm,