Many thanks, Christian,
As you say, I had the rnd array allocated on the stack. I moved it to
global storage and voila, it works. I should have read the manual more
closely.
On the con_cls issue, I guess I'm completing each request so the handler
never gets called with a non-zero value.
Best regards
David
On 2020-11-08 5:14 pm, Christian Grothoff wrote:
Hi David,
Looking at the pcap, it seems the 'nonce' of the server keeps changing,
which it must not. I don't know what you are doing, maybe you called
MHD_OPTION_DIGEST_AUTH_RANDOM with a pointer to a location in RAM that
keeps changing.
Anyway, to debug this, I would begin by looking
at the digestauth.c::calculate_nonce() function. Check in particular if
the arguments 'rnd'/rnd_size, or 'uri' or 'realm' change between calls,
they should not (at least not for the same page!).
Again, without reference code from you exhibiting the problematic
behavior, diagnosis help is difficult...
Happy hacking!
-Christian
On 2020-11-07 1:24 pm, DJM-Avalesta wrote:
Hi,
I desperately need to solve issue this for a Client, I attach a wireshark capture of the problem but basically, I have two problems:-
1. Around 50% of the calls to MHD_digest_auth_check() fail returning INVALID_NONCE. This seems to be random, sometimes it passes and sometimes not. Some clients (eg ONVIF Conformance Tool) don't seem to re-send the response with a different nonce when they receive a MHD_queue_auth_fail_response().
2. The *con_cls parameter to the access handler is always null, even though I change it when I get an authentication pass. This means that I'm authenticating every call into the access handler which does not seem right.
I must be doing something wrong as I'm sure this has been tested many times over.
Best regards
David
On 2020-10-31 5:36 pm, Christian Grothoff wrote:
Hi David,
I don't see anything _obviously_ wrong with the snippet you provided. I
would suggest you to use wireshark to log a transcript of the
interaction and/or to provide a stand-alone minimal C implementation
based on your code for testing by others.
Happy hacking!
Christian
On 2020-10-29 4:10 pm, DJM-Avalesta wrote:
Hi,
I'm trying to update my 8 year old code to use digest authentication where previously it only supported basic.
I'm trying to use *con_cls (*ptr in my code) to determine when to authenticate but it's not working, *con_cls always seems to be null, even after I've set it, so it's authenticating every time.
I mostly get MHD_digest_auth_check() failures returning INVALID_NONCE and the Client never stops asking for credentials even when the authentication passes, which it does occasionally.
I'm missing something crucial but I can't see it.
The authentication part of my access_handler is shown below
Many thanks
David
static int aptr;
if (bDigestAuth)
{
printf("URL:%s, con_cls:%p\r\n", url, *ptr);
//HACK to see if digest authentication works and allows ONVIF snapshorUri test
to pass
//Only works for Admin-Admin
if (&aptr != *ptr)
{
/* Only authenticate on first call of session*/
char *username;
const char *password = "Admin";
g_CameraData->GetRealmName(g_szRealm, sizeof(g_szRealm));
username = MHD_digest_auth_get_username(connection);
if (username == NULL)
{
response = MHD_create_response_from_data (strlen (NOTAUTH_RESPONSE),
(void *) NOTAUTH_RESPONSE,
MHD_NO, MHD_NO);
ret = MHD_queue_auth_fail_response(connection, g_szRealm,
OPAQUE,
response,
MHD_NO);
MHD_destroy_response(response);
pthread_mutex_unlock (&m_AuthMutex); //unlock after authorization
// printf("Failed digest auth, no username\r\n");
return ret;
}
printf("Applying digest auth to user: %s, realm:%s, con_cls:%p\r\n", username,
g_szRealm, *ptr);
*ptr = &aptr; //set this for session
ret = MHD_digest_auth_check(connection, g_szRealm,
username,
password,
300);
printf("Checking digest auth for username: %s, password: %s, realm:%s\r\n",
username, password, g_szRealm);
free(username);
if ( (ret == MHD_INVALID_NONCE) ||
(ret == MHD_NO) )
{
printf("Failed digest auth, invalid nonce, ret:%d\r\n", ret);
response = MHD_create_response_from_data (strlen (NOTAUTH_RESPONSE),
(void *) NOTAUTH_RESPONSE,
MHD_NO, MHD_NO);
if (NULL == response)
return MHD_NO;
ret = MHD_queue_auth_fail_response(connection, g_szRealm,
OPAQUE,
response,
(ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO);
MHD_destroy_response(response);
pthread_mutex_unlock (&m_AuthMutex); //unlock after authorization
return ret;
}
//PASSED
printf("PASSED digest auth\r\n");
}
else
{
printf("No digest auth required\r\n");
}
}
