libmicrohttpd
From: Christian Grothoff
Subject: Re: [libmicrohttpd] Some questions about the example "digest_auth_example.c"
Date: Thu, 3 Mar 2016 09:06:56 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.6.0

On 03/03/2016 03:03 AM, silvioprog wrote:
> Hello,
> 
> I'm making some high level classes for handling a12n with MHD, but I
> have some questions about the example digest_auth_example.c
> <https://gnunet.org/svn/libmicrohttpd/src/examples/digest_auth_example.c>,
> that implements the digest a12n and I'm using this one to understand
> how MHD handles a12n. Questions:
> 
> 1. Does the opaque string need to be static?
> 
> #define MY_OPAQUE_STR "11733b200778ce33060f31c9af70a870ba96ddd4"

No, see:

http://security.stackexchange.com/questions/24425/what-is-the-opaque-field-in-http-digest-access-authentication-used-for

> The value above seems a md5 hash, but I don't know what was hashed.

Doesn't matter.

> 2. Do I always need to use MHD_OPTION_DIGEST_AUTH_RANDOM and
> MHD_OPTION_NONCE_NC_SIZE?

MHD_OPTION_NONCE_NC_SIZE is optional; the value will default to 4 if you
specify none. Note that 4 may be a bit small for real uses.

You can technically also leave out MHD_OPTION_DIGEST_AUTH_RANDOM, but
then you're reducing the security of your authentication as you are no
longer using salted hashes.

> I commented the lines:
> 
> MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof(rnd), rnd,
> MHD_OPTION_NONCE_NC_SIZE, 300,
> 
> and the demo is still working. So, what do these lines really do?

Provide a cryptographic salt, and the size of a buffer to manage nonces.

> 3. Can I use any hash for the random string?

The hash certainly doesn't matter; it is _recommended_ (by RFC 2069) to
use base64 or HEX encoding.

> The example uses the "/dev/urandom" feature, but I need to make a
> cross-platform solution, so can I use a hash like a UUID (I can generate
> it using my own function) instead of using urandom?

For the opaque, sure.  For the salt, you may want to make it vary each
time the program runs.

Happy hacking!

Christian
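As an added example (not code from this thread or from libmicrohttpd), here is one portable way to obtain the per-run salt that Christian says MHD_OPTION_DIGEST_AUTH_RANDOM should receive, while the opaque string stays a fixed constant. The MHD_start_daemon call that would consume the salt is shown only in a comment so the file builds without microhttpd.h; `fill_salt` and `salt_is_usable` are names chosen for this example.

```c
#define _CRT_RAND_S          /* Windows: must precede stdlib.h to expose rand_s() */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>

/* Fill buf[0..len) with OS randomness: rand_s() on Windows, /dev/urandom elsewhere.
 * Returns 1 on success, 0 on failure. Constructed example, not libmicrohttpd code. */
int fill_salt(unsigned char *buf, size_t len)
{
#ifdef _WIN32
  size_t off = 0;
  while (off < len) {
    unsigned int r;
    if (rand_s(&r) != 0)
      return 0;
    size_t n = (len - off < sizeof r) ? len - off : sizeof r;
    memcpy(buf + off, &r, n);
    off += n;
  }
  return 1;
#else
  FILE *f = fopen("/dev/urandom", "rb");
  if (!f)
    return 0;
  size_t got = fread(buf, 1, len, f);  /* check for a short read anyway */
  fclose(f);
  return got == len;
#endif
}

/* Refuse an all-zero buffer: it would mean the fill silently failed. */
int salt_is_usable(const unsigned char *buf, size_t len)
{
  for (size_t i = 0; i < len; i++)
    if (buf[i] != 0)
      return 1;
  return 0;
}

int main(void)
{
  unsigned char rnd[32];        /* fresh on every start, unlike MY_OPAQUE_STR */
  if (!fill_salt(rnd, sizeof rnd) || !salt_is_usable(rnd, sizeof rnd)) {
    fputs("no usable salt; refusing to start\n", stderr);
    return 1;
  }
  /* Hand the salt and a nonce table larger than the default of 4 to MHD, e.g.:
   *   MHD_start_daemon(flags, port, NULL, NULL, &handler, NULL,
   *                    MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof (rnd), rnd,
   *                    MHD_OPTION_NONCE_NC_SIZE, 300,
   *                    MHD_OPTION_END); */
  return 0;
}
```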
