Diffstat (limited to 'src/include/microhttpd.h')
-rw-r--r--src/include/microhttpd.h93
1 files changed, 90 insertions, 3 deletions
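--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -96,7 +96,7 @@ extern "C"
  * they are parsed as decimal numbers.
  * Example: 0x01093001 = 1.9.30-1.
  */
-#define MHD_VERSION 0x00097530
+#define MHD_VERSION 0x00097531
 
 /* If generic headers don't work on your platform, include headers
  which define 'va_list', 'size_t', 'ssize_t', 'intptr_t', 'off_t',
@@ -1541,6 +1541,69 @@ typedef int
  size_t *psk_size);
 
 /**
+ * Values for #MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE.
+ *
+ * These values can limit the scope of validity of MHD-generated nonces.
+ * Values can be combined with bitwise OR.
+ * Any value, except #MHD_DAUTH_BIND_NONCE_NONE, enforce function
+ * #MHD_digest_auth_check3() (and similar) to check nonce by re-generating
+ * it again with the same parameters, which is CPU-intensive operation.
+ * @note Available since #MHD_VERSION 0x00097531
+ */
+enum MHD_DAuthBindNonce
+{
+ /**
+ * Generated nonces are valid for any request from any client until expired.
+ * This is default and recommended value.
+ * #MHD_digest_auth_check3() (and similar function) would check only whether
+ * the nonce value that is used by client has been generated by MHD and not
+ * expired yet.
+ * It is recommended because RFC 7616 allows clients to use the same nonce
+ * for any request in the same "protection space".
+ * CPU is loaded less when this value is used when checking client's
+ * authorisation request.
+ * This value cannot be combined with other values.
+ */
+ MHD_DAUTH_BIND_NONCE_NONE = 0,
+
+ /**
+ * Generated nonces are valid only for the same realm.
+ */
+ MHD_DAUTH_BIND_NONCE_REALM = 1 << 0,
+
+ /**
+ * Generated nonces are valid only for the same URI (excluding parameters
+ * after '?' in URI) and request method (GET, POST etc).
+ * Not recommended unless "protection space" is limited to a single URI as
+ * RFC 7616 allows clients to re-use server-generated nonces for any URI
+ * in the same "protection space" which is by default consists of all server
+ * URIs.
+ * This was default (and only supported) value before #MHD_VERSION 0x00097518
+ */
+ MHD_DAUTH_BIND_NONCE_URI = 1 << 1,
+
+ /**
+ * Generated nonces are valid only for the same URI including URI parameters
+ * and request method (GET, POST etc).
+ * This value implies #MHD_DAUTH_BIND_NONCE_URI.
+ * Not recommended for that same reasons as #MHD_DAUTH_BIND_NONCE_URI.
+ */
+ MHD_DAUTH_BIND_NONCE_URI_PARAMS = 1 << 2,
+
+ /**
+ * Generated nonces are valid only for the single client's IP.
+ * While it looks like security improvement, in practice the same client may
+ * jump from one IP to another (mobile or Wi-Fi handover, DHCP re-assignment,
+ * Multi-NAT, different proxy chain and other reasons), while IP address
+ * spoofing could be used relatively easily.
+ * However, if server gets intensive requests with Digest Authentication
+ * this value helps to generate unique nonces for several requests, received
+ * exactly at the same time (within one millisecond) from different clients.
+ */
+ MHD_DAUTH_BIND_NONCE_CLIENT_IP = 1 << 3
+} _MHD_FLAGS_ENUM;
+
+/**
  * @brief MHD options.
  *
  * Passed in the varargs portion of #MHD_start_daemon.
@@ -1943,7 +2006,17 @@ enum MHD_OPTION
  * @sa #MHD_OPTION_DIGEST_AUTH_RANDOM
  * @note Available since #MHD_VERSION 0x00097529
  */
- MHD_OPTION_DIGEST_AUTH_RANDOM_COPY = 35
+ MHD_OPTION_DIGEST_AUTH_RANDOM_COPY = 35,
+
+ /**
+ * Allow to controls the scope of validity of MHD-generated nonces.
+ * This regulates how "nonces" are generated and how "nonces" are checked by
+ * #MHD_digest_auth_check3() and similar functions.
+ * This option should be followed by an 'unsigned int` argument with value
+ * formed as bitwise OR combination of #MHD_DAuthBindNonce values.
+ * @note Available since #MHD_VERSION 0x00097531
+ */
+ MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE = 36
 } _MHD_FIXED_ENUM;
 
 
@@ -4906,7 +4979,7 @@ MHD_digest_auth_get_username3 (struct MHD_Connection *connection);
  *
  * All error values are zero or negative.
  *
- * @note Available since #MHD_VERSION 0x00097521
+ * @note Available since #MHD_VERSION 0x00097531
  */
 enum MHD_DigestAuthResult
 {
@@ -4968,6 +5041,20 @@ enum MHD_DigestAuthResult
  MHD_DAUTH_NONCE_STALE = -17,
 
  /**
+ * The 'nonce' was generated by MHD for other conditions.
+ * This value is only returned if #MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE
+ * is set to anything other than #MHD_DAUTH_BIND_NONCE_NONE.
+ * The interpretation of this code could be different. For example, if
+ * #MHD_DAUTH_BIND_NONCE_URI is set and client just used the same 'nonce' for
+ * another URI, the code could be handled as #MHD_DAUTH_NONCE_STALE as
+ * it is allowed to re-use nonces for other URIs in the same "protection
+ * space". However, if only #MHD_DAUTH_BIND_NONCE_CLIENT_IP bit is set and
+ * it is know that clients have fixed IP addresses, this return code could
+ * be handled like #MHD_DAUTH_NONCE_WRONG.
+ */
+ MHD_DAUTH_NONCE_OTHER_COND = -18,
+
+ /**
  * The 'nonce' is wrong. May indicate an attack attempt.
  */
  MHD_DAUTH_NONCE_WRONG = -33,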
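Review bot: The new MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE comment in the third hunk has mismatched quoting around the argument type on new line 2015 and a grammar slip on new line 2012; suggested wording: ` * Allows controlling the scope of validity of MHD-generated nonces.` and ` * This option should be followed by an 'unsigned int' argument with value`. The same comment does not say what happens when the value carries bits outside #MHD_DAuthBindNonce, or how a value of #MHD_DAUTH_BIND_NONCE_NONE (which is 0) can be "combined" at all given that the enum comment on new line 1565 says it cannot be; one sentence stating whether MHD_start_daemon rejects out-of-range values would spare callers a guess, though the header alone does not show which behaviour the implementation has. The MHD_DAUTH_NONCE_OTHER_COND comment in the last hunk reads `it is know that` where `it is known that` is meant. enum MHD_DAuthBindNonce is declared in full in the second hunk; enum MHD_OPTION and enum MHD_DigestAuthResult both continue outside the section.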