Re: [libmicrohttpd] Possible bug in http digest

libmicrohttpd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [libmicrohttpd] Possible bug in http digest

From:	Manuel Argüelles
Subject:	Re: [libmicrohttpd] Possible bug in http digest
Date:	Mon, 4 Aug 2014 14:06:33 -0500
User-agent:	Mutt/1.5.23 (2014-03-12)

Hello Christian,

Thanks for taking the time to clarify things for me, everything makes
perfect sense now :)

Cheers,


On Sat, Aug 02, 2014 at 09:57:03PM +0200, Christian Grothoff wrote:
> Hi!
> 
> The failure is intentional, as this is the logic that
> protects against replay attacks (nonce = number used once,
> so if you call the authentication logic *twice* using the
> same login information from the client, it MUST fail).
> 
> Your suggestion to not check for authentication a second
> time after 100 CONTINUE is the correct answer: if you
> have already checked (i.e. *con_cls no longer NULL),
> you MUST NOT check again.  As MHD guarantees you that
> this request is from the same TCP connection (or hopefully
> SSL session), the previous authentication is still valid
> by design.
> 
> Happy hacking!
> 
> Christian
> 
> On 08/01/2014 01:31 AM, Manuel Argüelles wrote:
> > Hello,
> > 
> > I'm having a problem with digest authentication. I'm using
> > libmicrohttpd version 0.9.37.
> > 
> > I'm trying to use digest authentication for post method, followed the
> > examples but got a weird behavior; in the request handler I check if
> > it is a post message (not using auth for get), if so, try to
> > authenticate and then handle it to the post_processor.
> > 
> > On the first run MHD_digest_auth_get_username() returns null, the
> > response is successfully added with MHD_queue_auth_fail_response() and
> > MHD_YES is returned.
> > 
> > On the second run, MHD_digest_auth_get_username() returns the user
> > name, MHD_digest_auth_check() returns MHD_YES and post processor is
> > created with MHD_create_post_processor() and MHD_YES is returned.
> > 
> > At this point and based on curl output with -v, client gets a 100
> > continue.
> > 
> > Client continues, MHD_digest_auth_get_username() returns the user but
> > now MHD_digest_auth_check() returns MHD_NO with debug message:
> > 
> > "Stale nonce received.  If this happens a lot, you should probably
> > increase the size of the nonce array."
> > 
> > And MHD_queue_auth_fail_response() returns MHD_NO as well, which
> > leaves me with nothing for the client: "Empty reply from server".
> > 
> > I have MHD_OPTION_NONCE_NC_SIZE set to 60000, but to me it looks like
> > if everything (digest related) gets cleared up after the second run
> > (when I create the post processor and return MHD_YES) so it fails
> > because there isn't an initial MHD_queue_auth_fail_response()...
> > 
> > Does this looks plausible? If so, is it a bug or an expected behavior?
> > am I doing something wrong?
> > 
> > Or, should I keep track of the authenticated connections? Because if I
> > only try to authenticate when *con_cls is null then everything works
> > fine, but I'm not sure if this is the correct way.
> > 
> > Regards
> > 
> > 
>

[Prev in Thread]

Current Thread

[Next in Thread]

[libmicrohttpd] Possible bug in http digest, Manuel Argüelles, 2014/08/01
- Re: [libmicrohttpd] Possible bug in http digest, Christian Grothoff, 2014/08/02
  - Re: [libmicrohttpd] Possible bug in http digest, Manuel Argüelles <=

Prev by Date: [libmicrohttpd] Connection doesn't close after AccessHandlerCallback function returns MHD_NO
Next by Date: Re: [libmicrohttpd] Connection doesn't close after AccessHandlerCallback function returns MHD_NO
Previous by thread: Re: [libmicrohttpd] Possible bug in http digest
Next by thread: [libmicrohttpd] Connection doesn't close after AccessHandlerCallback function returns MHD_NO
Index(es):
- Date
- Thread