3 files changed, 54 insertions, 2 deletions
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index d469b64d..44b5fe3e 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -96,7 +96,7 @@ extern "C"
 * they are parsed as decimal numbers.
 * Example: 0x01093001 = 1.9.30-1.
 */
-#define MHD_VERSION 0x00097528
+#define MHD_VERSION 0x00097529
 /* If generic headers don't work on your platform, include headers
   which define 'va_list', 'size_t', 'ssize_t', 'intptr_t', 'off_t',
@@ -1760,6 +1760,7 @@ enum MHD_OPTION
   * Note that the application must ensure that the buffer of the
   * second argument remains allocated and unmodified while the
   * daemon is running.
+   * @sa #MHD_OPTION_DIGEST_AUTH_RANDOM_COPY
   */
  MHD_OPTION_DIGEST_AUTH_RANDOM = 17,
@@ -1927,7 +1928,22 @@ enum MHD_OPTION
   * This option should be followed by an `int` argument.
   * @note Available since #MHD_VERSION 0x00097207
   */
-  MHD_OPTION_TLS_NO_ALPN = 34
+  MHD_OPTION_TLS_NO_ALPN = 34,
+  /**
+   * Memory pointer for the random values to be used by the Digest
+   * Auth module. This option should be followed by two arguments.
+   * First an integer of type `size_t` which specifies the size
+   * of the buffer pointed to by the second argument in bytes.
+   * The recommended size is between 8 and 32. If size is four or less
+   * then security could be lowered. Sizes more then 32 (or, probably
+   * more than 16 - debatable) will not increase security.
+   * An internal copy of the buffer will be made, the data do not
+   * need to be static.
+   * @sa #MHD_OPTION_DIGEST_AUTH_RANDOM
+   * @note Available since #MHD_VERSION 0x00097529
+   */
+  MHD_OPTION_DIGEST_AUTH_RANDOM_COPY = 35
 } _MHD_FIXED_ENUM;
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index 2f868bfb..cd89fa94 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -6236,10 +6236,16 @@ parse_options_va (struct MHD_Daemon *daemon,
 #endif /* HTTPS_SUPPORT */
 #ifdef DAUTH_SUPPORT
    case MHD_OPTION_DIGEST_AUTH_RANDOM:
+    case MHD_OPTION_DIGEST_AUTH_RANDOM_COPY:
      daemon->digest_auth_rand_size = va_arg (ap,
                                              size_t);
      daemon->digest_auth_random = va_arg (ap,
                                           const char *);
+      if (MHD_OPTION_DIGEST_AUTH_RANDOM_COPY == opt)
+        /* Set to some non-NULL value just to indicate that copy is required. */
+        daemon->digest_auth_random_copy = daemon;
+      else
+        daemon->digest_auth_random_copy = NULL;
      break;
    case MHD_OPTION_NONCE_NC_SIZE:
      daemon->nonce_nc_size = va_arg (ap,
@@ -6440,6 +6446,7 @@ parse_options_va (struct MHD_Daemon *daemon,
          break;
        /* options taking size_t-number followed by pointer */
        case MHD_OPTION_DIGEST_AUTH_RANDOM:
+        case MHD_OPTION_DIGEST_AUTH_RANDOM_COPY:
          if (MHD_NO == parse_options (daemon,
                                       servaddr,
                                       opt,
@@ -6913,6 +6920,24 @@ MHD_start_daemon_va (unsigned int flags,
  }
 #ifdef DAUTH_SUPPORT
+  if (NULL != daemon->digest_auth_random_copy)
+  {
+    mhd_assert (daemon == daemon->digest_auth_random_copy);
+    daemon->digest_auth_random_copy = malloc (daemon->digest_auth_rand_size);
+    if (NULL == daemon->digest_auth_random_copy)
+    {
+#ifdef HTTPS_SUPPORT
+      if (0 != (*pflags & MHD_USE_TLS))
+        gnutls_priority_deinit (daemon->priority_cache);
+#endif /* HTTPS_SUPPORT */
+      free (daemon);
+      return NULL;
+    }
+    memcpy (daemon->digest_auth_random_copy,
+            daemon->digest_auth_random,
+            daemon->digest_auth_rand_size);
+    daemon->digest_auth_random = daemon->digest_auth_random_copy;
+  }
  if (daemon->nonce_nc_size > 0)
  {
    if ( ( (size_t) (daemon->nonce_nc_size * sizeof (struct MHD_NonceNc)))
@@ -6926,6 +6951,7 @@ MHD_start_daemon_va (unsigned int flags,
      if (0 != (*pflags & MHD_USE_TLS))
        gnutls_priority_deinit (daemon->priority_cache);
 #endif /* HTTPS_SUPPORT */
+      free (daemon->digest_auth_random_copy);
      free (daemon);
      return NULL;
    }
@@ -6942,6 +6968,7 @@ MHD_start_daemon_va (unsigned int flags,
      if (0 != (*pflags & MHD_USE_TLS))
        gnutls_priority_deinit (daemon->priority_cache);
 #endif /* HTTPS_SUPPORT */
+      free (daemon->digest_auth_random_copy);
      free (daemon);
      return NULL;
    }
@@ -6958,6 +6985,7 @@ MHD_start_daemon_va (unsigned int flags,
    if (0 != (*pflags & MHD_USE_TLS))
      gnutls_priority_deinit (daemon->priority_cache);
 #endif /* HTTPS_SUPPORT */
+    free (daemon->digest_auth_random_copy);
    free (daemon->nnc);
    free (daemon);
    return NULL;
@@ -7586,6 +7614,7 @@ MHD_start_daemon_va (unsigned int flags,
 #ifdef DAUTH_SUPPORT
        d->nnc = NULL;
        d->nonce_nc_size = 0;
+        d->digest_auth_random_copy = NULL;
 #if defined(MHD_USE_THREADS)
        memset (&d->nnc_lock, 1, sizeof(d->nnc_lock));
 #endif /* MHD_USE_THREADS */
@@ -7706,6 +7735,7 @@ free_and_fail:
 #endif /* HTTPS_SUPPORT && UPGRADE_SUPPORT */
 #endif /* EPOLL_SUPPORT */
 #ifdef DAUTH_SUPPORT
+  free (daemon->digest_auth_random_copy);
  free (daemon->nnc);
 #if defined(MHD_USE_POSIX_THREADS) || defined(MHD_USE_W32_THREADS)
  MHD_mutex_destroy_chk_ (&daemon->nnc_lock);
@@ -8102,6 +8132,7 @@ MHD_stop_daemon (struct MHD_Daemon *daemon)
 #endif /* HTTPS_SUPPORT */
 #ifdef DAUTH_SUPPORT
+    free (daemon->digest_auth_random_copy);
    free (daemon->nnc);
 #if defined(MHD_USE_POSIX_THREADS) || defined(MHD_USE_W32_THREADS)
    MHD_mutex_destroy_chk_ (&daemon->nnc_lock);
diff --git a/src/microhttpd/internal.h b/src/microhttpd/internal.h
index 6906e1bb..fa243a34 100644
--- a/src/microhttpd/internal.h
+++ b/src/microhttpd/internal.h
@@ -2149,6 +2149,11 @@ struct MHD_Daemon
  const char *digest_auth_random;
  /**
+   * The malloc'ed copy of the @a digest_auth_random.
+   */
+  void *digest_auth_random_copy;
+  /**
   * An array that contains the map nonce-nc.
   */
  struct MHD_NonceNc *nnc;