aboutsummaryrefslogtreecommitdiff
path: root/src/microhttpd/digestauth.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/microhttpd/digestauth.c')
-rw-r--r--src/microhttpd/digestauth.c24
1 files changed, 15 insertions, 9 deletions
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c
index bfedccf8..1061512d 100644
--- a/src/microhttpd/digestauth.c
+++ b/src/microhttpd/digestauth.c
@@ -1313,7 +1313,7 @@ MHD_digest_auth_get_username (struct MHD_Connection *connection)
1313/** 1313/**
1314 * Calculate the server nonce so that it mitigates replay attacks 1314 * Calculate the server nonce so that it mitigates replay attacks
1315 * The current format of the nonce is ... 1315 * The current format of the nonce is ...
1316 * H(timestamp ":" method ":" random ":" uri ":" realm) + Hex(timestamp) 1316 * H(various parameters) + Hex(timestamp)
1317 * 1317 *
1318 * @param nonce_time The amount of time in seconds for a nonce to be invalid 1318 * @param nonce_time The amount of time in seconds for a nonce to be invalid
1319 * @param mthd_e HTTP method as enum value 1319 * @param mthd_e HTTP method as enum value
@@ -1353,6 +1353,7 @@ calculate_nonce (uint64_t nonce_time,
1353 digest_init (da); 1353 digest_init (da);
1354 if (1) 1354 if (1)
1355 { 1355 {
1356 /* Add the timestamp to the hash calculation */
1356 uint8_t timestamp[TIMESTAMP_BIN_SIZE]; 1357 uint8_t timestamp[TIMESTAMP_BIN_SIZE];
1357 /* If the nonce_time is milliseconds, then the same 48 bit value will repeat 1358 /* If the nonce_time is milliseconds, then the same 48 bit value will repeat
1358 * every 8 919 years, which is more than enough to mitigate a replay attack */ 1359 * every 8 919 years, which is more than enough to mitigate a replay attack */
@@ -1371,28 +1372,30 @@ calculate_nonce (uint64_t nonce_time,
1371 digest_update (da, 1372 digest_update (da,
1372 timestamp, 1373 timestamp,
1373 sizeof (timestamp)); 1374 sizeof (timestamp));
1374 digest_update_with_colon (da);
1375 } 1375 }
1376 if (rnd_size > 0) 1376 if (rnd_size > 0)
1377 { 1377 {
1378 /* Add the unique random value to the hash calculation */
1379 digest_update_with_colon (da);
1378 digest_update (da, 1380 digest_update (da,
1379 rnd, 1381 rnd,
1380 rnd_size); 1382 rnd_size);
1381 digest_update_with_colon (da);
1382 } 1383 }
1383 if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) && 1384 if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) &&
1384 (0 != saddr_size) ) 1385 (0 != saddr_size) )
1385 { 1386 {
1386 /* Use full client address including source port to make unique nonces 1387 /* Add full client address including source port to make unique nonces
1387 * for requests received exactly at the same time */ 1388 * for requests received exactly at the same time */
1389 digest_update_with_colon (da);
1388 digest_update (da, 1390 digest_update (da,
1389 saddr, 1391 saddr,
1390 saddr_size); 1392 saddr_size);
1391 digest_update_with_colon (da);
1392 } 1393 }
1393 if ( (0 != (bind_options & MHD_DAUTH_BIND_NONCE_CLIENT_IP)) && 1394 if ( (0 != (bind_options & MHD_DAUTH_BIND_NONCE_CLIENT_IP)) &&
1394 (0 != saddr_size) ) 1395 (0 != saddr_size) )
1395 { 1396 {
1397 /* Add the client's IP address to the hash calculation */
1398 digest_update_with_colon (da);
1396 if (AF_INET == saddr->ss_family) 1399 if (AF_INET == saddr->ss_family)
1397 digest_update (da, 1400 digest_update (da,
1398 &((const struct sockaddr_in *) saddr)->sin_addr, 1401 &((const struct sockaddr_in *) saddr)->sin_addr,
@@ -1403,11 +1406,12 @@ calculate_nonce (uint64_t nonce_time,
1403 &((const struct sockaddr_in6 *) saddr)->sin6_addr, 1406 &((const struct sockaddr_in6 *) saddr)->sin6_addr,
1404 sizeof(((const struct sockaddr_in6 *) saddr)->sin6_addr)); 1407 sizeof(((const struct sockaddr_in6 *) saddr)->sin6_addr));
1405#endif /* HAVE_INET6 */ 1408#endif /* HAVE_INET6 */
1406 digest_update_with_colon (da);
1407 } 1409 }
1408 if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) || 1410 if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) ||
1409 (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI))) 1411 (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI)))
1410 { 1412 {
1413 /* Add the request method to the hash calculation */
1414 digest_update_with_colon (da);
1411 if (MHD_HTTP_MTHD_OTHER != mthd_e) 1415 if (MHD_HTTP_MTHD_OTHER != mthd_e)
1412 { 1416 {
1413 uint8_t mthd_for_hash; 1417 uint8_t mthd_for_hash;
@@ -1425,17 +1429,19 @@ calculate_nonce (uint64_t nonce_time,
1425 1429
1426 if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI)) 1430 if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI))
1427 { 1431 {
1432 /* Add the request URI to the hash calculation */
1428 digest_update_with_colon (da); 1433 digest_update_with_colon (da);
1429 1434
1430 digest_update (da, 1435 digest_update (da,
1431 uri, 1436 uri,
1432 uri_len); 1437 uri_len);
1433 digest_update_with_colon (da);
1434 } 1438 }
1435 if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI_PARAMS)) 1439 if (0 != (bind_options & MHD_DAUTH_BIND_NONCE_URI_PARAMS))
1436 { 1440 {
1441 /* Add the request URI parameters to the hash calculation */
1437 const struct MHD_HTTP_Req_Header *h; 1442 const struct MHD_HTTP_Req_Header *h;
1438 1443
1444 digest_update_with_colon (da);
1439 for (h = first_header; NULL != h; h = h->next) 1445 for (h = first_header; NULL != h; h = h->next)
1440 { 1446 {
1441 if (MHD_GET_ARGUMENT_KIND != h->kind) 1447 if (MHD_GET_ARGUMENT_KIND != h->kind)
@@ -1447,15 +1453,15 @@ calculate_nonce (uint64_t nonce_time,
1447 if (0 != h->value_size) 1453 if (0 != h->value_size)
1448 digest_update (da, h->value, h->value_size); 1454 digest_update (da, h->value, h->value_size);
1449 } 1455 }
1450 digest_update_with_colon (da);
1451 } 1456 }
1452 if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) || 1457 if ( (MHD_DAUTH_BIND_NONCE_NONE == bind_options) ||
1453 (0 != (bind_options & MHD_DAUTH_BIND_NONCE_REALM))) 1458 (0 != (bind_options & MHD_DAUTH_BIND_NONCE_REALM)))
1454 { 1459 {
1460 /* Add the realm to the hash calculation */
1461 digest_update_with_colon (da);
1455 digest_update (da, 1462 digest_update (da,
1456 realm, 1463 realm,
1457 realm_len); 1464 realm_len);
1458 digest_update_with_colon (da);
1459 } 1465 }
1460 if (1) 1466 if (1)
1461 { 1467 {