GNU libmicrohttpd
0.9.72
Implements HTTP Digest authentication (the RFC 2617 / RFC 7616 "Digest" scheme) for MHD.
#include "platform.h"
#include "mhd_limits.h"
#include "internal.h"
#include "md5.h"
#include "sha256.h"
#include "mhd_mono_clock.h"
#include "mhd_str.h"
#include "mhd_compat.h"
#include "mhd_assert.h"
Macros | |
#define | TIMESTAMP_BIN_SIZE 4 |
#define | NONCE_STD_LEN(digest_size) ((digest_size) * 2 + TIMESTAMP_BIN_SIZE * 2) |
#define | MAX_DIGEST SHA256_DIGEST_SIZE |
#define | VLA_ARRAY_LEN_DIGEST(n) (n) |
#define | VLA_CHECK_LEN_DIGEST(n) |
#define | _BASE "Digest " |
#define | MAX_USERNAME_LENGTH 128 |
#define | MAX_REALM_LENGTH 256 |
#define | MAX_AUTH_RESPONSE_LENGTH 256 |
#define | SETUP_DA(algo, da) |
Functions | |
static void | cvthex (const unsigned char *bin, size_t len, char *hex) |
static void | digest_calc_ha1_from_digest (const char *alg, struct DigestAlgorithm *da, const uint8_t *digest, const char *nonce, const char *cnonce) |
static void | digest_calc_ha1_from_user (const char *alg, const char *username, const char *realm, const char *password, const char *nonce, const char *cnonce, struct DigestAlgorithm *da) |
static void | digest_calc_response (const char *ha1, const char *nonce, const char *noncecount, const char *cnonce, const char *qop, const char *method, const char *uri, const char *hentity, struct DigestAlgorithm *da) |
static size_t | lookup_sub_value (char *dest, size_t size, const char *data, const char *key) |
static enum MHD_Result | check_nonce_nc (struct MHD_Connection *connection, const char *nonce, uint64_t nc) |
_MHD_EXTERN char * | MHD_digest_auth_get_username (struct MHD_Connection *connection) |
static void | calculate_nonce (uint32_t nonce_time, const char *method, const char *rnd, size_t rnd_size, const char *uri, const char *realm, struct DigestAlgorithm *da, char *nonce) |
static enum MHD_Result | test_header (struct MHD_Connection *connection, const char *key, size_t key_size, const char *value, size_t value_size, enum MHD_ValueKind kind) |
static enum MHD_Result | check_argument_match (struct MHD_Connection *connection, const char *args) |
static int | digest_auth_check_all (struct MHD_Connection *connection, struct DigestAlgorithm *da, const char *realm, const char *username, const char *password, const uint8_t *digest, unsigned int nonce_timeout) |
_MHD_EXTERN int | MHD_digest_auth_check (struct MHD_Connection *connection, const char *realm, const char *username, const char *password, unsigned int nonce_timeout) |
_MHD_EXTERN int | MHD_digest_auth_check2 (struct MHD_Connection *connection, const char *realm, const char *username, const char *password, unsigned int nonce_timeout, enum MHD_DigestAuthAlgorithm algo) |
_MHD_EXTERN int | MHD_digest_auth_check_digest2 (struct MHD_Connection *connection, const char *realm, const char *username, const uint8_t *digest, size_t digest_size, unsigned int nonce_timeout, enum MHD_DigestAuthAlgorithm algo) |
_MHD_EXTERN int | MHD_digest_auth_check_digest (struct MHD_Connection *connection, const char *realm, const char *username, const uint8_t digest[MHD_MD5_DIGEST_SIZE], unsigned int nonce_timeout) |
_MHD_EXTERN enum MHD_Result | MHD_queue_auth_fail_response2 (struct MHD_Connection *connection, const char *realm, const char *opaque, struct MHD_Response *response, int signal_stale, enum MHD_DigestAuthAlgorithm algo) |
_MHD_EXTERN enum MHD_Result | MHD_queue_auth_fail_response (struct MHD_Connection *connection, const char *realm, const char *opaque, struct MHD_Response *response, int signal_stale) |
Implements HTTP digest authentication.
Definition in file digestauth.c.
#define _BASE "Digest " |
Beginning string for any valid Digest authentication header.
Definition at line 94 of file digestauth.c.
#define MAX_AUTH_RESPONSE_LENGTH 256 |
Maximum length of the "response" value (the client's request-digest) accepted from the Authorization header in digest authentication.
Definition at line 109 of file digestauth.c.
#define MAX_DIGEST SHA256_DIGEST_SIZE |
Maximum size of any digest hash supported by MHD. (SHA-256 > MD5).
Definition at line 61 of file digestauth.c.
#define MAX_REALM_LENGTH 256 |
Maximum length of a realm for digest authentication.
Definition at line 104 of file digestauth.c.
#define MAX_USERNAME_LENGTH 128 |
Maximum length of a username for digest authentication.
Definition at line 99 of file digestauth.c.
#define NONCE_STD_LEN | ( | digest_size | ) | ((digest_size) * 2 + TIMESTAMP_BIN_SIZE * 2) |
Standard server nonce length in characters, not including the terminating NUL: the hex-encoded digest (2 * digest_size) followed by the hex-encoded 32-bit timestamp (2 * TIMESTAMP_BIN_SIZE).
digest_size | digest size |
Definition at line 53 of file digestauth.c.
#define SETUP_DA | ( | algo, | |
da | |||
) |
Setup digest authentication data structures (on the stack, hence must be done inline!). Initializes a "struct DigestAlgorithm da" for algorithm algo.
algo | digest algorithm to provide |
da | data structure to setup |
Definition at line 1185 of file digestauth.c.
#define TIMESTAMP_BIN_SIZE 4 |
Size in bytes of the 32-bit nonce timestamp (4 bytes); it is appended to the nonce as 2 * TIMESTAMP_BIN_SIZE hex digits.
Definition at line 46 of file digestauth.c.
#define VLA_ARRAY_LEN_DIGEST | ( | n | ) | (n) |
Macro to avoid using VLAs if the compiler does not support them. Return n.
n | length of the digest to be used for a VLA |
Definition at line 80 of file digestauth.c.
#define VLA_CHECK_LEN_DIGEST | ( | n | ) |
Check that n does not exceed the digest-size bound used for the VLA. (The upstream comment names #MAX_NONCE, but no such macro is defined in this file; the only size bound documented here is #MAX_DIGEST — confirm against the macro definition.)
Definition at line 86 of file digestauth.c.
static |
Calculate the server nonce so that it mitigates replay attacks. The current format of the nonce is H(timestamp ":" method ":" random ":" uri ":" realm) + Hex(timestamp): the hash binds the nonce to the request method, URI and realm and to a server-side random seed, and the trailing clear-text timestamp presumably lets the server recover the issue time and apply nonce_timeout without storing every nonce — confirm in digest_auth_check_all().
nonce_time | 32-bit timestamp in seconds that is hashed into, and appended to, the nonce. (The upstream text describes it as "the amount of time in seconds for a nonce to be invalid", but per the format above it is the timestamp value itself; the validity window is the separate nonce_timeout argument of the check functions — confirm against the caller.) | |
method | HTTP method | |
rnd | pointer to the server-side random seed mixed into the hash; it should be unpredictable to clients, since it is what keeps a client from computing valid-looking nonces for other methods/URIs — confirm how the daemon provides it | |
rnd_size | The size of the random seed array rnd | |
uri | HTTP URI (in MHD, without the arguments ("?k=v")) | |
realm | A string of characters that describes the realm of auth. | |
da | digest algorithm to use | |
[out] | nonce | output buffer for the nonce; must provide NONCE_STD_LEN(da->digest_size)+1 bytes (the +1 for the terminating NUL) |
Definition at line 674 of file digestauth.c.
References cvthex(), MHD_NonceNc::nonce, TIMESTAMP_BIN_SIZE, VLA_ARRAY_LEN_DIGEST, and VLA_CHECK_LEN_DIGEST.
Referenced by digest_auth_check_all().
static |
Check that the query arguments given by the client as part of the authentication header (the URI carried in the Authorization header) match the arguments received in the HTTP request URI, so that the URI the client computed its digest over is the URI actually being served.
connection | connections with headers to compare against |
args | argument string of the URI from the Authorization header (the part after "?")
Definition at line 674 of file digestauth.c.
Referenced by digest_auth_check_all().
static |
Check (and update) the nonce-nc map array with either a new nonce counter for an existing nonce or a whole new nonce. This is the per-nonce replay check: a nonce counter that does not advance past the last one seen for that nonce should be rejected — confirm the exact ordering rule in the definition.
connection | The MHD connection structure |
nonce | pointer to the zero-terminated nonce string
nc | the nonce counter; zero to add the nonce to the array (rather than validate a counter against an existing entry)
Definition at line 433 of file digestauth.c.
References data, MHD_str_equal_caseless_n_(), and NULL.
Referenced by digest_auth_check_all().
static |
Convert binary data to its hexadecimal string representation (NUL-terminated, per the output buffer size below).
bin | binary data |
len | number of bytes in bin |
hex | output buffer; must provide len*2+1 bytes (two hex digits per input byte plus the terminating NUL)
Definition at line 179 of file digestauth.c.
Referenced by calculate_nonce(), digest_calc_ha1_from_digest(), and digest_calc_response().
static |
Calculate H(A1) from the given precomputed hash as per the RFC 2617 spec and store the result in da->sessionkey.
alg | The hash algorithm used, can be "md5" or "md5-sess" or "sha-256" or "sha-256-sess". Note that the rest of the code does not support the "-sess" variants! | |
[in,out] | da | digest implementation, must match alg; the da->sessionkey will be initialized to the digest in HEX |
digest | pointer to the binary (not hex) digest of the precalculated hash value "username:realm:password" — MHD_MD5_DIGEST_SIZE or #MHD_SHA256_DIGEST_SIZE bytes, matching alg. Note that this value is password-equivalent for the realm: anyone holding it can authenticate, so it must be stored with the same protection as the password itself. | |
nonce | A ‘char *’ pointer to the nonce value | |
cnonce | A ‘char *’ pointer to the cnonce value |
Definition at line 213 of file digestauth.c.
References cvthex(), MHD_MD5_DIGEST_SIZE, MHD_str_equal_caseless_(), VLA_ARRAY_LEN_DIGEST, and VLA_CHECK_LEN_DIGEST.
Referenced by digest_auth_check_all(), and digest_calc_ha1_from_user().
static |
Calculate H(A1) from username, realm and password as per the RFC 2617 spec and store the result in da->sessionkey.
alg | The hash algorithm used, can be "md5" or "md5-sess" or "sha-256" or "sha-256-sess" (the "-sess" variants are accepted here but not supported by the rest of the code; see digest_calc_ha1_from_digest()) | |
username | A ‘char *’ pointer to the username value | |
realm | A ‘char *’ pointer to the realm value | |
password | A ‘char *’ pointer to the password value | |
nonce | A ‘char *’ pointer to the nonce value | |
cnonce | A ‘char *’ pointer to the cnonce value | |
[in,out] | da | digest algorithm to use, and where to write the sessionkey to |
Definition at line 273 of file digestauth.c.
References digest_calc_ha1_from_digest(), VLA_ARRAY_LEN_DIGEST, and VLA_CHECK_LEN_DIGEST.
Referenced by digest_auth_check_all().
static |
Calculate request-digest/response-digest as per RFC2617 / RFC7616 spec.
ha1 | H(A1) as a NUL-terminated hex string of 2 * da->digest_size + 1 bytes; MUST NOT alias da->sessionkey, since the result is written there | |
nonce | nonce from server | |
noncecount | the nonce-count (nc) value as 8 hex digits | |
cnonce | client nonce | |
qop | qop-value: "", "auth" or "auth-int" (NOTE: only 'auth' is supported today.) | |
method | method from request | |
uri | requested URL | |
hentity | H(entity body) for qop="auth-int" (unused in practice, since only qop="auth" is supported today) | |
[in,out] | da | digest algorithm to use, also we write da->sessionkey (set to response request-digest or response-digest) |
Definition at line 327 of file digestauth.c.
References cvthex(), NULL, VLA_ARRAY_LEN_DIGEST, and VLA_CHECK_LEN_DIGEST.
Referenced by digest_auth_check_all().
static |
Look up the value of one sub-field (e.g. "username") in the HTTP Digest Authorization header.
A description of the input format for 'data' is given in RFC 7616 (and informally at http://en.wikipedia.org/wiki/Digest_access_authentication).
dest | where to store the result; the value is truncated if size is not big enough, so callers should compare the returned length against size before trusting the copy (presumably the returned size_t is the length of the extracted value — confirm against the definition).
size | size of dest |
data | pointer to the Authorization header |
key | key to look up in data |
Definition at line 433 of file digestauth.c.
Referenced by digest_auth_check_all(), and MHD_digest_auth_get_username().
static |
Test whether the given key/value pair is present among the headers of the given kind for this connection.
connection | the connection |
key | the key |
key_size | number of bytes in key |
value | the value, can be NULL |
value_size | number of bytes in value |
kind | type of the header |
Definition at line 674 of file digestauth.c.