On 03/03/2016 03:03 AM, silvioprog wrote:
> Hello,
>
> I'm making some high level classes for handling a12n with MHD, but I
> have some questions about the example digest_auth_example.c
> <https://gnunet.org/svn/libmicrohttpd/src/examples/digest_auth_example.c>,
> that implements the digest a12n and I'm using this one to understand
> how MHD handles a12n. Questions:
>
> 1. Does the opaque string need to be static?
>
> #define MY_OPAQUE_STR "11733b200778ce33060f31c9af70a870ba96ddd4"

No, see:
http://security.stackexchange.com/questions/24425/what-is-the-opaque-field-in-http-digest-access-authentication-used-for

> The value above seems to be an MD5 hash, but I don't know what was hashed.

Doesn't matter.

> 2. Do I always need to use MHD_OPTION_DIGEST_AUTH_RANDOM and
> MHD_OPTION_NONCE_NC_SIZE?

MHD_OPTION_NONCE_NC_SIZE is optional, the value will default to 4 if you
specify none. Note that 4 may be a bit small for real uses.

You can technically also leave out MHD_OPTION_DIGEST_AUTH_RANDOM, but
then you're reducing the security of your authentication as you are no
longer using salted hashes.

> I commented the lines:
>
> MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof(rnd), rnd,
> MHD_OPTION_NONCE_NC_SIZE, 300,
>
> and the demo is still working. So, what do these lines really do?

Provide a cryptographic salt, and the size of a buffer to manage nonces.

> 3. Can I use any hash for the random string?

The hash certainly doesn't matter, it is _recommended_ (by RFC 2069) to
use base64 or HEX encoding.

> The example uses the "/dev/urandom" feature, but I need to make a
> cross-platform solution, so can I use a hash like a UUID (I can generate
> it using my own function) instead of using urandom?

For the opaque, sure. For the salt, you may want to make it vary each
time the program runs.

Happy hacking!

Christian
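As an added illustration of the two points above (a salt that varies per run, and a portable replacement for reading /dev/urandom directly), here is example code that is not from the thread and not from the libmicrohttpd sources. It pulls the salt from the OS CSPRNG (BCryptGenRandom on Windows, /dev/urandom elsewhere), hex-encodes a copy for logging as RFC 2069 recommends, and shows how the buffer is handed to MHD_start_daemon() with MHD_OPTION_DIGEST_AUTH_RANDOM and MHD_OPTION_NONCE_NC_SIZE. The HAVE_MICROHTTPD macro, the port 8888 and the answer_to_connection callback are assumptions for the sketch; the salt buffer is kept static because MHD stores the pointer rather than copying the bytes, so it must outlive the daemon.

```c
/* Added example (not from the thread or from libmicrohttpd itself).
 * Fresh per-process salt for MHD_OPTION_DIGEST_AUTH_RANDOM, generated
 * portably, plus the daemon start call that consumes it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>   /* link with -lbcrypt */
#endif

#define SALT_LEN 32        /* 256 bits of entropy for the nonce salt */
#define NONCE_NC_SIZE 300  /* same size as digest_auth_example.c uses */

/* Fill buf with len bytes from the OS CSPRNG.
 * Returns 1 on success, 0 if no randomness could be obtained. */
int fill_salt(unsigned char *buf, size_t len)
{
#ifdef _WIN32
    /* STATUS_SUCCESS is 0; any other NTSTATUS is a failure. */
    return BCryptGenRandom(NULL, buf, (ULONG)len,
                           BCRYPT_USE_SYSTEM_PREFERRED_RNG) == 0;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;
    if (f == NULL)
        return 0;
    got = fread(buf, 1, len, f);
    fclose(f);
    return got == len;
#endif
}

/* Hex-encode len bytes into out (out must hold 2*len+1 chars).
 * RFC 2069 recommends hex or base64 for such values. Returns out. */
char *hex_encode(const unsigned char *in, size_t len, char *out)
{
    static const char digits[] = "0123456789abcdef";
    size_t i;
    for (i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return out;
}

/* Static so the buffer stays valid for the daemon's whole lifetime:
 * MHD keeps the pointer it is given, it does not copy the salt. */
static unsigned char salt[SALT_LEN];

#ifdef HAVE_MICROHTTPD   /* assumption: defined when building against MHD */
#include <microhttpd.h>
/* answer_to_connection is assumed to be the usual MHD access handler
 * that performs MHD_digest_auth_check() etc., as in the example program. */
extern int answer_to_connection(void *cls, struct MHD_Connection *connection,
                                const char *url, const char *method,
                                const char *version, const char *upload_data,
                                size_t *upload_data_size, void **con_cls);
#endif

int main(void)
{
    char hex[2 * SALT_LEN + 1];

    /* A salt that differs on every run; refuse to start without one,
     * because an unsalted nonce weakens the digest scheme. */
    if (!fill_salt(salt, sizeof salt)) {
        fprintf(stderr, "no CSPRNG available, refusing to start\n");
        return EXIT_FAILURE;
    }
    printf("nonce salt for this run: %s\n", hex_encode(salt, sizeof salt, hex));

#ifdef HAVE_MICROHTTPD
    struct MHD_Daemon *d = MHD_start_daemon(
        MHD_USE_SELECT_INTERNALLY, 8888, NULL, NULL,
        &answer_to_connection, NULL,
        MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof salt, salt, /* the salt */
        MHD_OPTION_NONCE_NC_SIZE, (unsigned int)NONCE_NC_SIZE,
        MHD_OPTION_END);
    if (d == NULL)
        return EXIT_FAILURE;
    getchar();              /* serve until a key is pressed */
    MHD_stop_daemon(d);
#endif
    return EXIT_SUCCESS;
}
```

The opaque string, by contrast, can stay a compile-time constant as in the example program; only the salt benefits from changing on each start, and it must never be written to a log that untrusted parties can read.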
