diff options
author | Christian Grothoff <christian@grothoff.org> | 2018-12-08 22:54:33 +0100 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2018-12-08 22:54:33 +0100 |
commit | 2897bd23e57cf016a713876e551cd20b8a28427d (patch) | |
tree | 835d3e5972f83fd55eca47af047acdf3ce4eac23 /doc | |
parent | bcba3f58c5fc9b4a3776494d3edddceb244ab110 (diff) | |
download | libmicrohttpd-2897bd23e57cf016a713876e551cd20b8a28427d.tar.gz libmicrohttpd-2897bd23e57cf016a713876e551cd20b8a28427d.zip |
add test for RFC 7616 and document new API
Diffstat (limited to 'doc')
-rw-r--r-- | doc/libmicrohttpd.texi | 126 |
1 files changed, 111 insertions, 15 deletions
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi index 851f23cc..f2e3576c 100644 --- a/doc/libmicrohttpd.texi +++ b/doc/libmicrohttpd.texi | |||
@@ -2440,15 +2440,57 @@ client with a 401 HTTP status. | |||
2440 | @node microhttpd-dauth digest | 2440 | @node microhttpd-dauth digest |
2441 | @section Using Digest Authentication | 2441 | @section Using Digest Authentication |
2442 | 2442 | ||
2443 | MHD supports MD5 (deprecated by IETF) and SHA-256 hash algorithms | ||
2444 | for digest authentication. The @code{MHD_DigestAuthAlgorithm} enumeration | ||
2445 | is used to specify which algorithm should be used. | ||
2446 | |||
2447 | @deftp {Enumeration} MHD_DigestAuthAlgorithm | ||
2448 | Which digest algorithm should be used. Must be used consistently. | ||
2449 | |||
2450 | @table @code | ||
2451 | @item MHD_DIGEST_ALG_AUTO | ||
2452 | Have MHD pick an algorithm currently considered secure. For now defaults to SHA-256. | ||
2453 | |||
2454 | @item MHD_DIGEST_ALG_MD5 | ||
2455 | Force use of (deprecated, ancient, insecure) MD5. | ||
2456 | |||
2457 | @item MHD_DIGEST_ALG_SHA256 | ||
2458 | Force use of SHA-256. | ||
2459 | |||
2460 | @end table | ||
2461 | @end deftp | ||
2462 | |||
2463 | |||
2443 | @deftypefun {char *} MHD_digest_auth_get_username (struct MHD_Connection *connection) | 2464 | @deftypefun {char *} MHD_digest_auth_get_username (struct MHD_Connection *connection) |
2444 | Find and return a pointer to the username value from the request header. | 2465 | Find and return a pointer to the username value from the request header. |
2445 | Return @code{NULL} if the value is not found or header does not exist. | 2466 | Return @code{NULL} if the value is not found or header does not exist. |
2446 | If returned value is not @code{NULL}, the value must be @code{MHD_free()}'ed. | 2467 | If returned value is not @code{NULL}, the value must be @code{MHD_free()}'ed. |
2447 | @end deftypefun | 2468 | @end deftypefun |
2448 | 2469 | ||
2470 | @deftypefun int MHD_digest_auth_check2 (struct MHD_Connection *connection, const char *realm, const char *username, const char *password, unsigned int nonce_timeout, enum MHD_DigestAuthAlgorithm algo) | ||
2471 | Checks if the provided values in the WWW-Authenticate header are valid | ||
2472 | and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}. | ||
2473 | |||
2474 | @var{realm} must reference to a zero-terminated string representing the realm. | ||
2475 | |||
2476 | @var{username} must reference to a zero-terminated string representing the username, | ||
2477 | it is usually the returned value from MHD_digest_auth_get_username. | ||
2478 | |||
2479 | @var{password} must reference to a zero-terminated string representing the password, | ||
2480 | most probably it will be the result of a lookup of the username against a local database. | ||
2481 | |||
2482 | @var{nonce_timeout} is the amount of time in seconds for a nonce to be invalid. | ||
2483 | Most of the time it is sound to specify 300 seconds as its values. | ||
2484 | |||
2485 | @var{algo} which digest algorithm should we use. | ||
2486 | @end deftypefun | ||
2487 | |||
2488 | |||
2449 | @deftypefun int MHD_digest_auth_check (struct MHD_Connection *connection, const char *realm, const char *username, const char *password, unsigned int nonce_timeout) | 2489 | @deftypefun int MHD_digest_auth_check (struct MHD_Connection *connection, const char *realm, const char *username, const char *password, unsigned int nonce_timeout) |
2450 | Checks if the provided values in the WWW-Authenticate header are valid | 2490 | Checks if the provided values in the WWW-Authenticate header are valid |
2451 | and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}. | 2491 | and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}. |
2492 | Deprecated, use @code{MHD_digest_auth_check2} instead. | ||
2493 | |||
2452 | 2494 | ||
2453 | @var{realm} must reference to a zero-terminated string representing the realm. | 2495 | @var{realm} must reference to a zero-terminated string representing the realm. |
2454 | 2496 | ||
@@ -2462,9 +2504,29 @@ most probably it will be the result of a lookup of the username against a local | |||
2462 | Most of the time it is sound to specify 300 seconds as its values. | 2504 | Most of the time it is sound to specify 300 seconds as its values. |
2463 | @end deftypefun | 2505 | @end deftypefun |
2464 | 2506 | ||
2507 | |||
2508 | |||
2509 | @deftypefun int MHD_digest_auth_check_digest2 (struct MHD_Connection *connection, const char *realm, const char *username, const uint8_t *digest, unsigned int nonce_timeout, enum MHD_DigestAuthAlgorithm algo) | ||
2510 | Checks if the provided values in the WWW-Authenticate header are valid | ||
2511 | and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}. | ||
2512 | |||
2513 | @var{realm} must reference to a zero-terminated string representing the realm. | ||
2514 | |||
2515 | @var{username} must reference to a zero-terminated string representing the username, | ||
2516 | it is usually the returned value from MHD_digest_auth_get_username. | ||
2517 | |||
2518 | @var{digest} pointer to the binary MD5 sum for the precalculated hash value ``userame:realm:password''. The size must match the selected @var{algo}! | ||
2519 | |||
2520 | @var{nonce_timeout} is the amount of time in seconds for a nonce to be invalid. | ||
2521 | Most of the time it is sound to specify 300 seconds as its values. | ||
2522 | |||
2523 | @var{algo} digest authentication algorithm to use. | ||
2524 | @end deftypefun | ||
2525 | |||
2465 | @deftypefun int MHD_digest_auth_check_digest (struct MHD_Connection *connection, const char *realm, const char *username, const unsigned char digest[MHD_MD5_DIGEST_SIZE], unsigned int nonce_timeout) | 2526 | @deftypefun int MHD_digest_auth_check_digest (struct MHD_Connection *connection, const char *realm, const char *username, const unsigned char digest[MHD_MD5_DIGEST_SIZE], unsigned int nonce_timeout) |
2466 | Checks if the provided values in the WWW-Authenticate header are valid | 2527 | Checks if the provided values in the WWW-Authenticate header are valid |
2467 | and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}. | 2528 | and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}. |
2529 | Deprecated, use @code{MHD_digest_auth_check_digest2} instead. | ||
2468 | 2530 | ||
2469 | @var{realm} must reference to a zero-terminated string representing the realm. | 2531 | @var{realm} must reference to a zero-terminated string representing the realm. |
2470 | 2532 | ||
@@ -2477,6 +2539,31 @@ it is usually the returned value from MHD_digest_auth_get_username. | |||
2477 | Most of the time it is sound to specify 300 seconds as its values. | 2539 | Most of the time it is sound to specify 300 seconds as its values. |
2478 | @end deftypefun | 2540 | @end deftypefun |
2479 | 2541 | ||
2542 | |||
2543 | @deftypefun int MHD_queue_auth_fail_response2 (struct MHD_Connection *connection, const char *realm, const char *opaque, struct MHD_Response *response, int signal_stale, enum MHD_DigestAuthAlgorithm algo) | ||
2544 | Queues a response to request authentication from the client, | ||
2545 | return @code{MHD_YES} if successful, otherwise @code{MHD_NO}. | ||
2546 | |||
2547 | @var{realm} must reference to a zero-terminated string representing the realm. | ||
2548 | |||
2549 | @var{opaque} must reference to a zero-terminated string representing a value | ||
2550 | that gets passed to the client and expected to be passed again to the server | ||
2551 | as-is. This value can be a hexadecimal or base64 string. | ||
2552 | |||
2553 | @var{response} a response structure to specify what shall be presented to the | ||
2554 | client with a 401 HTTP status. | ||
2555 | |||
2556 | @var{signal_stale} a value that signals "stale=true" in the response header to | ||
2557 | indicate the invalidity of the nonce and no need to ask for authentication | ||
2558 | parameters and only a new nonce gets generated. @code{MHD_YES} to generate a new | ||
2559 | nonce, @code{MHD_NO} to ask for authentication parameters. | ||
2560 | |||
2561 | @var{algo} which digest algorithm should we use. The same algorithm | ||
2562 | must then be selected when checking digests received from clients! | ||
2563 | |||
2564 | @end deftypefun | ||
2565 | |||
2566 | |||
2480 | @deftypefun int MHD_queue_auth_fail_response (struct MHD_Connection *connection, const char *realm, const char *opaque, struct MHD_Response *response, int signal_stale) | 2567 | @deftypefun int MHD_queue_auth_fail_response (struct MHD_Connection *connection, const char *realm, const char *opaque, struct MHD_Response *response, int signal_stale) |
2481 | Queues a response to request authentication from the client, | 2568 | Queues a response to request authentication from the client, |
2482 | return @code{MHD_YES} if successful, otherwise @code{MHD_NO}. | 2569 | return @code{MHD_YES} if successful, otherwise @code{MHD_NO}. |
@@ -2517,23 +2604,27 @@ ahc_echo (void *cls, | |||
2517 | const char *realm = "test@@example.com"; | 2604 | const char *realm = "test@@example.com"; |
2518 | int ret; | 2605 | int ret; |
2519 | 2606 | ||
2520 | username = MHD_digest_auth_get_username(connection); | 2607 | username = MHD_digest_auth_get_username (connection); |
2521 | if (username == NULL) | 2608 | if (username == NULL) |
2522 | @{ | 2609 | @{ |
2523 | response = MHD_create_response_from_buffer(strlen (DENIED), | 2610 | response = MHD_create_response_from_buffer(strlen (DENIED), |
2524 | DENIED, | 2611 | DENIED, |
2525 | MHD_RESPMEM_PERSISTENT); | 2612 | MHD_RESPMEM_PERSISTENT); |
2526 | ret = MHD_queue_auth_fail_response(connection, realm, | 2613 | ret = MHD_queue_auth_fail_response2 (connection, |
2527 | OPAQUE, | 2614 | realm, |
2528 | response, | 2615 | OPAQUE, |
2529 | MHD_NO); | 2616 | response, |
2617 | MHD_NO, | ||
2618 | MHD_DIGEST_ALG_SHA256); | ||
2530 | MHD_destroy_response(response); | 2619 | MHD_destroy_response(response); |
2531 | return ret; | 2620 | return ret; |
2532 | @} | 2621 | @} |
2533 | ret = MHD_digest_auth_check(connection, realm, | 2622 | ret = MHD_digest_auth_check2 (connection, |
2534 | username, | 2623 | realm, |
2535 | password, | 2624 | username, |
2536 | 300); | 2625 | password, |
2626 | 300, | ||
2627 | MHD_DIGEST_ALG_SHA256); | ||
2537 | free(username); | 2628 | free(username); |
2538 | if ( (ret == MHD_INVALID_NONCE) || | 2629 | if ( (ret == MHD_INVALID_NONCE) || |
2539 | (ret == MHD_NO) ) | 2630 | (ret == MHD_NO) ) |
@@ -2543,16 +2634,21 @@ ahc_echo (void *cls, | |||
2543 | MHD_RESPMEM_PERSISTENT); | 2634 | MHD_RESPMEM_PERSISTENT); |
2544 | if (NULL == response) | 2635 | if (NULL == response) |
2545 | return MHD_NO; | 2636 | return MHD_NO; |
2546 | ret = MHD_queue_auth_fail_response(connection, realm, | 2637 | ret = MHD_queue_auth_fail_response2 (connection, |
2547 | OPAQUE, | 2638 | realm, |
2548 | response, | 2639 | OPAQUE, |
2549 | (ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO); | 2640 | response, |
2641 | (ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO, | ||
2642 | MHD_DIGEST_ALG_SHA256); | ||
2550 | MHD_destroy_response(response); | 2643 | MHD_destroy_response(response); |
2551 | return ret; | 2644 | return ret; |
2552 | @} | 2645 | @} |
2553 | response = MHD_create_response_from_buffer (strlen(PAGE), PAGE, | 2646 | response = MHD_create_response_from_buffer (strlen(PAGE), |
2647 | PAGE, | ||
2554 | MHD_RESPMEM_PERSISTENT); | 2648 | MHD_RESPMEM_PERSISTENT); |
2555 | ret = MHD_queue_response(connection, MHD_HTTP_OK, response); | 2649 | ret = MHD_queue_response (connection, |
2650 | MHD_HTTP_OK, | ||
2651 | response); | ||
2556 | MHD_destroy_response(response); | 2652 | MHD_destroy_response(response); |
2557 | return ret; | 2653 | return ret; |
2558 | @} | 2654 | @} |