Hi Evgeny,
Simple setup to reproduce the nonce generation issue is available at
https://github.com/akermen/digest-nonce-test
<https://github.com/akermen/digest-nonce-test>. Hoping this helps to easily
identify the issue and can be used for testing.
To make values unique, I experimented with basic "mutex wrapped counter
mechanism" which appears to working for very limited test scope, but not sure
about performance and effect on other parts of the library:
/* global scope */
static int make_digest_unique = 1;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/* at "MHD_queue_auth_fail_response" function */
/*…*/
pthread_mutex_lock(&mutex);
make_digest_unique = make_digest_unique + 1;
pthread_mutex_unlock(&mutex);
/*…*/
calculate_nonce ((uint32_t) MHD_monotonic_sec_counter() + make_digest_unique,
connection->method,
connection->daemon->digest_auth_random,
connection->daemon->digest_auth_rand_size,
connection->url,
realm,
nonce);
/*…*/
Best regards,
Ahmet Kermen
> On 13 Jan 2022, at 20:43, Evgeny Grin <k...@yandex.ru> wrote:
>
> Hi Ahmet,
>
> Thank for the report.
> I see some mistakes in our example (related to API complexity that should be
> improved soon), but these mistakes shouldn't break the example.
> nonce should be unique and it will be fixed.
>
> I'll check it deeper.
>
> In the meantime, any additional information and patches are welcome. :)
>
> --
> Evgeny
>
> On 10.01.2022 18:56, Ahmet Kermen wrote:
>> Hi all,
>> Trying to implement digest authentication by following the sample code
>> “digest_auth_example.c” from
>> "https://git.gnunet.org/libmicrohttpd.git/tree/src/examples/digest_auth_example.c
>>
>> <https://git.gnunet.org/libmicrohttpd.git/tree/src/examples/digest_auth_example.c>”.
>> For simple requests everything works fine without any issue.
>> When I try to send requests concurrently, some of them always fail, even two
>> concurrent requests.
>> Still not sure exact reason why concurrent handling is not working, but at
>> this point only clue I have for the issue appears to be “nonce” value of the
>> authentication header being not unqiue for each (independent) request. This
>> behaviour seems to be not compliant with RFC2617
>> https://datatracker.ietf.org/doc/html/rfc2617#section-3.2.1
>> <https://datatracker.ietf.org/doc/html/rfc2617#section-3.2.1> and RFC7616
>> https://datatracker.ietf.org/doc/html/rfc7616#section-3.2
>> <https://datatracker.ietf.org/doc/html/rfc7616#section-3.2> both state
>> “nonce" values should be uniquely generated each time a 401 response is made
>> while the values generated by libmicrohttpd are only unique for each second
>> (by the “MHD_monotonic_sec_counter" function).
>> By the way the NONCE_NC_SIZE value is set to very large value to eliminate
>> hash collisions.
>> When same concurrent test run with digest authentication implementation for
>> popular frameworks (for Flask from
>> https://flask-httpauth.readthedocs.io/en/latest
>> <https://flask-httpauth.readthedocs.io/en/latest>, for Node.js from
>> https://www.npmjs.com/package/http-auth
>> <https://www.npmjs.com/package/http-auth>, for httbin from
>> https://hub.docker.com/r/kennethreitz/httpbin
>> <https://hub.docker.com/r/kennethreitz/httpbin>) they all seem to produce
>> unique “nonce” values and handle concurrent requests wihtout any issue.
>> Please correct me If I’m wrong and missing something about the "nonce” value
>> handling or it being source of the isssue.
>> Best regards,
>> Ahmet Kermen
