add test for RFC 7616 and document new API

author: Christian Grothoff <christian@grothoff.org> 2018-12-08 22:54:33 +0100
committer: Christian Grothoff <christian@grothoff.org> 2018-12-08 22:54:33 +0100
commit: 2897bd23e57cf016a713876e551cd20b8a28427d (patch)
tree: 835d3e5972f83fd55eca47af047acdf3ce4eac23 /doc
parent: bcba3f58c5fc9b4a3776494d3edddceb244ab110 (diff)
download: libmicrohttpd-2897bd23e57cf016a713876e551cd20b8a28427d.tar.gz
libmicrohttpd-2897bd23e57cf016a713876e551cd20b8a28427d.zip
1 files changed, 111 insertions, 15 deletions
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi
index 851f23cc..f2e3576c 100644
--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -2440,15 +2440,57 @@ client with a 401 HTTP status.
 @node microhttpd-dauth digest
 @section Using Digest Authentication
+MHD supports MD5 (deprecated by IETF) and SHA-256 hash algorithms
+for digest authentication. The @code{MHD_DigestAuthAlgorithm} enumeration
+is used to specify which algorithm should be used.
+@deftp {Enumeration} MHD_DigestAuthAlgorithm
+Which digest algorithm should be used. Must be used consistently.
+@table @code
+@item MHD_DIGEST_ALG_AUTO
+Have MHD pick an algorithm currently considered secure.  For now defaults to SHA-256.
+@item MHD_DIGEST_ALG_MD5
+Force use of (deprecated, ancient, insecure) MD5.
+@item MHD_DIGEST_ALG_SHA256
+Force use of SHA-256.
+@end table
+@end deftp
 @deftypefun {char *} MHD_digest_auth_get_username (struct MHD_Connection *connection)
 Find and return a pointer to the username value from the request header.
 Return @code{NULL} if the value is not found or header does not exist.
 If returned value is not @code{NULL}, the value must be @code{MHD_free()}'ed.
 @end deftypefun
+@deftypefun int MHD_digest_auth_check2 (struct MHD_Connection *connection, const char *realm, const char *username, const char *password, unsigned int nonce_timeout, enum MHD_DigestAuthAlgorithm algo)
+Checks if the provided values in the WWW-Authenticate header are valid
+and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.
+@var{realm} must reference to a zero-terminated string representing the realm.
+@var{username} must reference to a zero-terminated string representing the username,
+it is usually the returned value from MHD_digest_auth_get_username.
+@var{password} must reference to a zero-terminated string representing the password,
+most probably it will be the result of a lookup of the username against a local database.
+@var{nonce_timeout} is the amount of time in seconds for a nonce to be invalid.
+Most of the time it is sound to specify 300 seconds as its values.
+@var{algo} which digest algorithm should we use.
+@end deftypefun
 @deftypefun int MHD_digest_auth_check (struct MHD_Connection *connection, const char *realm, const char *username, const char *password, unsigned int nonce_timeout)
 Checks if the provided values in the WWW-Authenticate header are valid
 and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.
+Deprecated, use @code{MHD_digest_auth_check2} instead.
 @var{realm} must reference to a zero-terminated string representing the realm.
@@ -2462,9 +2504,29 @@ most probably it will be the result of a lookup of the username against a local
 Most of the time it is sound to specify 300 seconds as its values.
 @end deftypefun
+@deftypefun int MHD_digest_auth_check_digest2 (struct MHD_Connection *connection, const char *realm, const char *username, const uint8_t *digest, unsigned int nonce_timeout, enum MHD_DigestAuthAlgorithm algo)
+Checks if the provided values in the WWW-Authenticate header are valid
+and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.
+@var{realm} must reference to a zero-terminated string representing the realm.
+@var{username} must reference to a zero-terminated string representing the username,
+it is usually the returned value from MHD_digest_auth_get_username.
+@var{digest} pointer to the binary MD5 sum for the precalculated hash value ``userame:realm:password''. The size must match the selected @var{algo}!
+@var{nonce_timeout} is the amount of time in seconds for a nonce to be invalid.
+Most of the time it is sound to specify 300 seconds as its values.
+@var{algo} digest authentication algorithm to use.
+@end deftypefun
 @deftypefun int MHD_digest_auth_check_digest (struct MHD_Connection *connection, const char *realm, const char *username, const unsigned char digest[MHD_MD5_DIGEST_SIZE], unsigned int nonce_timeout)
 Checks if the provided values in the WWW-Authenticate header are valid
 and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.
+Deprecated, use @code{MHD_digest_auth_check_digest2} instead.
 @var{realm} must reference to a zero-terminated string representing the realm.
@@ -2477,6 +2539,31 @@ it is usually the returned value from MHD_digest_auth_get_username.
 Most of the time it is sound to specify 300 seconds as its values.
 @end deftypefun
+@deftypefun int MHD_queue_auth_fail_response2 (struct MHD_Connection *connection, const char *realm, const char *opaque, struct MHD_Response *response, int signal_stale, enum MHD_DigestAuthAlgorithm algo)
+Queues a response to request authentication from the client,
+return @code{MHD_YES} if successful, otherwise @code{MHD_NO}.
+@var{realm} must reference to a zero-terminated string representing the realm.
+@var{opaque} must reference to a zero-terminated string representing a value
+that gets passed to the client and expected to be passed again to the server
+as-is. This value can be a hexadecimal or base64 string.
+@var{response} a response structure to specify what shall be presented to the
+client with a 401 HTTP status.
+@var{signal_stale} a value that signals "stale=true" in the response header to
+indicate the invalidity of the nonce and no need to ask for authentication
+parameters and only a new nonce gets generated. @code{MHD_YES} to generate a new
+nonce, @code{MHD_NO} to ask for authentication parameters.
+@var{algo} which digest algorithm should we use.  The same algorithm
+must then be selected when checking digests received from clients!
+@end deftypefun
 @deftypefun int MHD_queue_auth_fail_response (struct MHD_Connection *connection, const char *realm, const char *opaque, struct MHD_Response *response, int signal_stale)
 Queues a response to request authentication from the client,
 return @code{MHD_YES} if successful, otherwise @code{MHD_NO}.
@@ -2517,23 +2604,27 @@ ahc_echo (void *cls,
  const char *realm = "test@@example.com";
  int ret;
-  username = MHD_digest_auth_get_username(connection);
+  username = MHD_digest_auth_get_username (connection);
  if (username == NULL)
    @{
      response = MHD_create_response_from_buffer(strlen (DENIED),
                                                 DENIED,
                                                 MHD_RESPMEM_PERSISTENT);
-      ret = MHD_queue_auth_fail_response(connection, realm,
+      ret = MHD_queue_auth_fail_response2 (connection,
-                                         OPAQUE,
+                                           realm,
-                                         response,
+                                           OPAQUE,
-                                         MHD_NO);
+                                           response,
+                                           MHD_NO,
+                                           MHD_DIGEST_ALG_SHA256);
      MHD_destroy_response(response);
      return ret;
    @}
-  ret = MHD_digest_auth_check(connection, realm,
+  ret = MHD_digest_auth_check2 (connection,
-                              username,
+                                realm,
-                              password,
+                                username,
-                              300);
+                                password,
+                                300,
+                                MHD_DIGEST_ALG_SHA256);
  free(username);
  if ( (ret == MHD_INVALID_NONCE) ||
       (ret == MHD_NO) )
@@ -2543,16 +2634,21 @@ ahc_echo (void *cls,
                                                 MHD_RESPMEM_PERSISTENT);
      if (NULL == response)
        return MHD_NO;
-      ret = MHD_queue_auth_fail_response(connection, realm,
+      ret = MHD_queue_auth_fail_response2 (connection,
-                                         OPAQUE,
+                                           realm,
-                                         response,
+                                           OPAQUE,
-                                         (ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO);
+                                           response,
+                                           (ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO,
+                                           MHD_DIGEST_ALG_SHA256);
      MHD_destroy_response(response);
      return ret;
    @}
-  response = MHD_create_response_from_buffer (strlen(PAGE), PAGE,
+  response = MHD_create_response_from_buffer (strlen(PAGE),
+                                              PAGE,
                                              MHD_RESPMEM_PERSISTENT);
-  ret = MHD_queue_response(connection, MHD_HTTP_OK, response);
+  ret = MHD_queue_response (connection,
+                            MHD_HTTP_OK,
+                            response);
  MHD_destroy_response(response);
  return ret;
 @}
author	Christian Grothoff <christian@grothoff.org>	2018-12-08 22:54:33 +0100
committer	Christian Grothoff <christian@grothoff.org>	2018-12-08 22:54:33 +0100
commit	2897bd23e57cf016a713876e551cd20b8a28427d (patch)
tree	835d3e5972f83fd55eca47af047acdf3ce4eac23 /doc
parent	bcba3f58c5fc9b4a3776494d3edddceb244ab110 (diff)
download	libmicrohttpd-2897bd23e57cf016a713876e551cd20b8a28427d.tar.gz libmicrohttpd-2897bd23e57cf016a713876e551cd20b8a28427d.zip

diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi index 851f23cc..f2e3576c 100644 --- a/doc/libmicrohttpd.texi +++ b/doc/libmicrohttpd.texi
@@ -2440,15 +2440,57 @@ client with a 401 HTTP status.
2440	@node microhttpd-dauth digest	2440	@node microhttpd-dauth digest
2441	@section Using Digest Authentication	2441	@section Using Digest Authentication
2442		2442
		2443	MHD supports MD5 (deprecated by IETF) and SHA-256 hash algorithms
		2444	for digest authentication. The @code{MHD_DigestAuthAlgorithm} enumeration
		2445	is used to specify which algorithm should be used.
		2446
		2447	@deftp {Enumeration} MHD_DigestAuthAlgorithm
		2448	Which digest algorithm should be used. Must be used consistently.
		2449
		2450	@table @code
		2451	@item MHD_DIGEST_ALG_AUTO
		2452	Have MHD pick an algorithm currently considered secure. For now defaults to SHA-256.
		2453
		2454	@item MHD_DIGEST_ALG_MD5
		2455	Force use of (deprecated, ancient, insecure) MD5.
		2456
		2457	@item MHD_DIGEST_ALG_SHA256
		2458	Force use of SHA-256.
		2459
		2460	@end table
		2461	@end deftp
		2462
		2463
2443	@deftypefun {char } MHD_digest_auth_get_username (struct MHD_Connection connection)	2464	@deftypefun {char } MHD_digest_auth_get_username (struct MHD_Connection connection)
2444	Find and return a pointer to the username value from the request header.	2465	Find and return a pointer to the username value from the request header.
2445	Return @code{NULL} if the value is not found or header does not exist.	2466	Return @code{NULL} if the value is not found or header does not exist.
2446	If returned value is not @code{NULL}, the value must be @code{MHD_free()}'ed.	2467	If returned value is not @code{NULL}, the value must be @code{MHD_free()}'ed.
2447	@end deftypefun	2468	@end deftypefun
2448		2469
		2470	@deftypefun int MHD_digest_auth_check2 (struct MHD_Connection connection, const char realm, const char username, const char password, unsigned int nonce_timeout, enum MHD_DigestAuthAlgorithm algo)
		2471	Checks if the provided values in the WWW-Authenticate header are valid
		2472	and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.
		2473
		2474	@var{realm} must reference to a zero-terminated string representing the realm.
		2475
		2476	@var{username} must reference to a zero-terminated string representing the username,
		2477	it is usually the returned value from MHD_digest_auth_get_username.
		2478
		2479	@var{password} must reference to a zero-terminated string representing the password,
		2480	most probably it will be the result of a lookup of the username against a local database.
		2481
		2482	@var{nonce_timeout} is the amount of time in seconds for a nonce to be invalid.
		2483	Most of the time it is sound to specify 300 seconds as its values.
		2484
		2485	@var{algo} which digest algorithm should we use.
		2486	@end deftypefun
		2487
		2488
2449	@deftypefun int MHD_digest_auth_check (struct MHD_Connection connection, const char realm, const char username, const char password, unsigned int nonce_timeout)	2489	@deftypefun int MHD_digest_auth_check (struct MHD_Connection connection, const char realm, const char username, const char password, unsigned int nonce_timeout)
2450	Checks if the provided values in the WWW-Authenticate header are valid	2490	Checks if the provided values in the WWW-Authenticate header are valid
2451	and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.	2491	and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.
		2492	Deprecated, use @code{MHD_digest_auth_check2} instead.
		2493
2452		2494
2453	@var{realm} must reference to a zero-terminated string representing the realm.	2495	@var{realm} must reference to a zero-terminated string representing the realm.
2454		2496
@@ -2462,9 +2504,29 @@ most probably it will be the result of a lookup of the username against a local
2462	Most of the time it is sound to specify 300 seconds as its values.	2504	Most of the time it is sound to specify 300 seconds as its values.
2463	@end deftypefun	2505	@end deftypefun
2464		2506
		2507
		2508
		2509	@deftypefun int MHD_digest_auth_check_digest2 (struct MHD_Connection connection, const char realm, const char username, const uint8_t digest, unsigned int nonce_timeout, enum MHD_DigestAuthAlgorithm algo)
		2510	Checks if the provided values in the WWW-Authenticate header are valid
		2511	and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.
		2512
		2513	@var{realm} must reference to a zero-terminated string representing the realm.
		2514
		2515	@var{username} must reference to a zero-terminated string representing the username,
		2516	it is usually the returned value from MHD_digest_auth_get_username.
		2517
		2518	@var{digest} pointer to the binary MD5 sum for the precalculated hash value ``userame:realm:password''. The size must match the selected @var{algo}!
		2519
		2520	@var{nonce_timeout} is the amount of time in seconds for a nonce to be invalid.
		2521	Most of the time it is sound to specify 300 seconds as its values.
		2522
		2523	@var{algo} digest authentication algorithm to use.
		2524	@end deftypefun
		2525
2465	@deftypefun int MHD_digest_auth_check_digest (struct MHD_Connection connection, const char realm, const char *username, const unsigned char digest[MHD_MD5_DIGEST_SIZE], unsigned int nonce_timeout)	2526	@deftypefun int MHD_digest_auth_check_digest (struct MHD_Connection connection, const char realm, const char *username, const unsigned char digest[MHD_MD5_DIGEST_SIZE], unsigned int nonce_timeout)
2466	Checks if the provided values in the WWW-Authenticate header are valid	2527	Checks if the provided values in the WWW-Authenticate header are valid
2467	and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.	2528	and sound according to RFC2716. If valid return @code{MHD_YES}, otherwise return @code{MHD_NO}.
		2529	Deprecated, use @code{MHD_digest_auth_check_digest2} instead.
2468		2530
2469	@var{realm} must reference to a zero-terminated string representing the realm.	2531	@var{realm} must reference to a zero-terminated string representing the realm.
2470		2532
@@ -2477,6 +2539,31 @@ it is usually the returned value from MHD_digest_auth_get_username.
2477	Most of the time it is sound to specify 300 seconds as its values.	2539	Most of the time it is sound to specify 300 seconds as its values.
2478	@end deftypefun	2540	@end deftypefun
2479		2541
		2542
		2543	@deftypefun int MHD_queue_auth_fail_response2 (struct MHD_Connection connection, const char realm, const char opaque, struct MHD_Response response, int signal_stale, enum MHD_DigestAuthAlgorithm algo)
		2544	Queues a response to request authentication from the client,
		2545	return @code{MHD_YES} if successful, otherwise @code{MHD_NO}.
		2546
		2547	@var{realm} must reference to a zero-terminated string representing the realm.
		2548
		2549	@var{opaque} must reference to a zero-terminated string representing a value
		2550	that gets passed to the client and expected to be passed again to the server
		2551	as-is. This value can be a hexadecimal or base64 string.
		2552
		2553	@var{response} a response structure to specify what shall be presented to the
		2554	client with a 401 HTTP status.
		2555
		2556	@var{signal_stale} a value that signals "stale=true" in the response header to
		2557	indicate the invalidity of the nonce and no need to ask for authentication
		2558	parameters and only a new nonce gets generated. @code{MHD_YES} to generate a new
		2559	nonce, @code{MHD_NO} to ask for authentication parameters.
		2560
		2561	@var{algo} which digest algorithm should we use. The same algorithm
		2562	must then be selected when checking digests received from clients!
		2563
		2564	@end deftypefun
		2565
		2566
2480	@deftypefun int MHD_queue_auth_fail_response (struct MHD_Connection connection, const char realm, const char opaque, struct MHD_Response response, int signal_stale)	2567	@deftypefun int MHD_queue_auth_fail_response (struct MHD_Connection connection, const char realm, const char opaque, struct MHD_Response response, int signal_stale)
2481	Queues a response to request authentication from the client,	2568	Queues a response to request authentication from the client,
2482	return @code{MHD_YES} if successful, otherwise @code{MHD_NO}.	2569	return @code{MHD_YES} if successful, otherwise @code{MHD_NO}.
@@ -2517,23 +2604,27 @@ ahc_echo (void *cls,
2517	const char *realm = "test@@example.com";	2604	const char *realm = "test@@example.com";
2518	int ret;	2605	int ret;
2519		2606
2520	username = MHD_digest_auth_get_username(connection);	2607	username = MHD_digest_auth_get_username (connection);
2521	if (username == NULL)	2608	if (username == NULL)
2522	@{	2609	@{
2523	response = MHD_create_response_from_buffer(strlen (DENIED),	2610	response = MHD_create_response_from_buffer(strlen (DENIED),
2524	DENIED,	2611	DENIED,
2525	MHD_RESPMEM_PERSISTENT);	2612	MHD_RESPMEM_PERSISTENT);
2526	ret = MHD_queue_auth_fail_response(connection, realm,	2613	ret = MHD_queue_auth_fail_response2 (connection,
2527	OPAQUE,	2614	realm,
2528	response,	2615	OPAQUE,
2529	MHD_NO);	2616	response,
		2617	MHD_NO,
		2618	MHD_DIGEST_ALG_SHA256);
2530	MHD_destroy_response(response);	2619	MHD_destroy_response(response);
2531	return ret;	2620	return ret;
2532	@}	2621	@}
2533	ret = MHD_digest_auth_check(connection, realm,	2622	ret = MHD_digest_auth_check2 (connection,
2534	username,	2623	realm,
2535	password,	2624	username,
2536	300);	2625	password,
		2626	300,
		2627	MHD_DIGEST_ALG_SHA256);
2537	free(username);	2628	free(username);
2538	if ( (ret == MHD_INVALID_NONCE) \|\|	2629	if ( (ret == MHD_INVALID_NONCE) \|\|
2539	(ret == MHD_NO) )	2630	(ret == MHD_NO) )
@@ -2543,16 +2634,21 @@ ahc_echo (void *cls,
2543	MHD_RESPMEM_PERSISTENT);	2634	MHD_RESPMEM_PERSISTENT);
2544	if (NULL == response)	2635	if (NULL == response)
2545	return MHD_NO;	2636	return MHD_NO;
2546	ret = MHD_queue_auth_fail_response(connection, realm,	2637	ret = MHD_queue_auth_fail_response2 (connection,
2547	OPAQUE,	2638	realm,
2548	response,	2639	OPAQUE,
2549	(ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO);	2640	response,
		2641	(ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO,
		2642	MHD_DIGEST_ALG_SHA256);
2550	MHD_destroy_response(response);	2643	MHD_destroy_response(response);
2551	return ret;	2644	return ret;
2552	@}	2645	@}
2553	response = MHD_create_response_from_buffer (strlen(PAGE), PAGE,	2646	response = MHD_create_response_from_buffer (strlen(PAGE),
		2647	PAGE,
2554	MHD_RESPMEM_PERSISTENT);	2648	MHD_RESPMEM_PERSISTENT);
2555	ret = MHD_queue_response(connection, MHD_HTTP_OK, response);	2649	ret = MHD_queue_response (connection,
		2650	MHD_HTTP_OK,
		2651	response);
2556	MHD_destroy_response(response);	2652	MHD_destroy_response(response);
2557	return ret;	2653	return ret;
2558	@}	2654	@}