Very good explanations. I'll comment some of them and make a new question at the bottom.
On Thu, Mar 3, 2016 at 5:06 AM, Christian Grothoff <[email protected]> wrote: > No, see: > > > http://security.stackexchange.com/questions/24425/what-is-the-opaque-field-in-http-digest-access-authentication-used-for If I understood, I just need to do something like "opaqueStr = generate_md5(generate_uuid())" generating a unique opaque for each request and use it instead of the static MY_OPAQUE_STR. MHD_OPTION_NONCE_NC_SIZE is optional, the value will default to 4 if you > specify none. Note that 4 may be a bit small for real uses. You can technically also leave out MHD_OPTION_DIGEST_AUTH_RANDOM, but > then you're reducing the security of your authentication as you are no > longer using salted hashes. I'll use that. If I understood, I can use these two flags in Digest and X.509 auths. Does the timeout passed to MHD_digest_auth_check() need to be the same passed in the MHD_OPTION_NONCE_NC_SIZE? Provide a cryptographic salt, and the size of a buffer to manage nonces. The size of "rnd" on memory or the length of characteres in the "rnd"? > The example uses the "/dev/urandom" feature, but I need to make a > > cross-platform solution, so can I use a hash like a UUID (I can generate > > it using a own function) instead of using urandom? > > For the opaque, sure. For the salt, you may want to make it vary each > time the program runs. Just to check if I understood: - instead of using the static MY_OPAQUE_STR, I need to generate a hash for each request, something like a md5 from a UUID; - the timeout of the MY_OPAQUE_STR need be same of the MHD_OPTION_NONCE_NC_SIZE; - MHD_OPTION_DIGEST_AUTH_RANDOM needs a hash for each server startup, something like a md5 of the server startup time; - MHD_OPTION_NONCE_NC_SIZE specify the timeout for the nonce (salt) specified in the MHD_OPTION_DIGEST_AUTH_RANDOM; And now the new question: is this example validating the user name? I just put any username and it allows the login, checking only the password. -- Silvio Clécio
