[libmicrohttpd] Possible bug in http digest

[Manuel Argüelles]

Hello,

I'm having a problem with digest authentication. I'm using
libmicrohttpd version 0.9.37.

I'm trying to use digest authentication for post method, followed the
examples but got a weird behavior; in the request handler I check if
it is a post message (not using auth for get), if so, try to
authenticate and then handle it to the post_processor.

On the first run MHD_digest_auth_get_username() returns null, the
response is successfully added with MHD_queue_auth_fail_response() and
MHD_YES is returned.

On the second run, MHD_digest_auth_get_username() returns the user
name, MHD_digest_auth_check() returns MHD_YES and post processor is
created with MHD_create_post_processor() and MHD_YES is returned.

At this point and based on curl output with -v, client gets a 100
continue.

Client continues, MHD_digest_auth_get_username() returns the user but
now MHD_digest_auth_check() returns MHD_NO with debug message:

"Stale nonce received.  If this happens a lot, you should probably
increase the size of the nonce array."

And MHD_queue_auth_fail_response() returns MHD_NO as well, which
leaves me with nothing for the client: "Empty reply from server".

I have MHD_OPTION_NONCE_NC_SIZE set to 60000, but to me it looks like
if everything (digest related) gets cleared up after the second run
(when I create the post processor and return MHD_YES) so it fails
because there isn't an initial MHD_queue_auth_fail_response()...

Does this looks plausible? If so, is it a bug or an expected behavior?
am I doing something wrong?

Or, should I keep track of the authenticated connections? Because if I
only try to authenticate when *con_cls is null then everything works
fine, but I'm not sure if this is the correct way.

Regards