Re: [libmicrohttpd] Some questions about the example "digest_auth_example.c"
Thu, 3 Mar 2016 09:06:56 +0100
On 03/03/2016 03:03 AM, silvioprog wrote:
> I'm making some high level classes for handling a12n with MHD, but I
> have some questions about the example digest_auth_example.c
> that implements the digest a12n and I'm using this one to understand
> how MHD handles a12n. Questions:
> 1. Does opaque string need to be static?
> #define MY_OPAQUE_STR "11733b200778ce33060f31c9af70a870ba96ddd4"
> The value above seems to be an MD5 hash, but I don't know what was hashed.
> 2. Do I always need to use MHD_OPTION_DIGEST_AUTH_RANDOM and
MHD_OPTION_NONCE_NC_SIZE is optional, the value will default to 4 if you
specify none. Note that 4 may be a bit small for real uses.
You can technically also leave out MHD_OPTION_DIGEST_AUTH_RANDOM, but
then you're reducing the security of your authentication as you are no
longer using salted hashes.
> I commented the lines:
> MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof(rnd), rnd,
> MHD_OPTION_NONCE_NC_SIZE, 300,
> and the demo is still working. So, what do these lines really do?
Provide a cryptographic salt, and the size of a buffer to manage nonces.
> 3. Can I use any hash for the random string?
The hash certainly doesn't matter, it is _recommended_ (by RFC 2069) to
use base64 or HEX encoding.
> The example uses the "/dev/urandom" feature, but I need to make a
> cross-platform solution, so can I use a hash like a UUID (I can generate
> it using my own function) instead of using urandom?
For the opaque, sure. For the salt, you may want to make it vary each
time the program runs.
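An added example, not part of the original message and not libmicrohttpd's own code: one way to get a salt that varies on every run without depending on /dev/urandom alone, by asking the operating system's CSPRNG on both Windows and POSIX. The helper name `fill_seed` and the 32-byte buffer size are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>            /* link with bcrypt.lib */
#else
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#endif

/* Hypothetical helper: fill buf with len bytes from the OS CSPRNG.
   Returns 0 on success, -1 on failure (never a partially filled seed). */
int fill_seed(unsigned char *buf, size_t len)
{
#ifdef _WIN32
  return BCRYPT_SUCCESS(BCryptGenRandom(NULL, buf, (ULONG) len,
                        BCRYPT_USE_SYSTEM_PREFERRED_RNG)) ? 0 : -1;
#else
  size_t off = 0;
  int fd = open("/dev/urandom", O_RDONLY);
  if (fd < 0)
    return -1;
  while (off < len)
  {
    ssize_t n = read(fd, buf + off, len - off);
    if (n > 0)
      off += (size_t) n;
    else if (n == 0 || errno != EINTR)  /* EOF or hard error: give up */
      break;                            /* EINTR alone: retry the read */
  }
  close(fd);
  return off == len ? 0 : -1;
#endif
}

/* Static storage: the daemon is handed a pointer to this buffer, so it
   must stay valid and unmodified for as long as the daemon runs. */
static unsigned char rnd[32];

int main(void)
{
  if (fill_seed(rnd, sizeof(rnd)) != 0)
  {
    fprintf(stderr, "no OS randomness available; refusing to start\n");
    return 1;
  }
  /* Pass the seed exactly as digest_auth_example.c does:
       MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof(rnd), rnd,
       MHD_OPTION_NONCE_NC_SIZE, 300,                      */
  return 0;
}
```

A UUID generated by the application remains fine for the opaque string; this helper is only for the salt.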