Re: [libmicrohttpd] Some questions about the example "digest_auth_example.c"
From: Christian Grothoff
Subject: Re: [libmicrohttpd] Some questions about the example "digest_auth_example.c"
Date: Thu, 3 Mar 2016 09:06:56 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.6.0
On 03/03/2016 03:03 AM, silvioprog wrote:
> Hello,
>
> I'm making some high level classes for handling a12n with MHD, but I
> have some questions about the example digest_auth_example.c
> <https://gnunet.org/svn/libmicrohttpd/src/examples/digest_auth_example.c>,
> that implements the digest a12n and I'm using this one to understand
> how MHD handles a12n. Questions:
>
> 1. Does opaque string need to be static?
>
> #define MY_OPAQUE_STR "11733b200778ce33060f31c9af70a870ba96ddd4"
No, see:
http://security.stackexchange.com/questions/24425/what-is-the-opaque-field-in-http-digest-access-authentication-used-for
> The value above seems to be an MD5 hash, but I don't know what was hashed.
Doesn't matter.
> 2. Do I always need to use MHD_OPTION_DIGEST_AUTH_RANDOM and
> MHD_OPTION_NONCE_NC_SIZE?
MHD_OPTION_NONCE_NC_SIZE is optional, the value will default to 4 if you
specify none. Note that 4 may be a bit small for real uses.
You can technically also leave out MHD_OPTION_DIGEST_AUTH_RANDOM, but
then you're reducing the security of your authentication as you are no
longer using salted hashes.
> I commented the lines:
>
> MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof(rnd), rnd,
> MHD_OPTION_NONCE_NC_SIZE, 300,
>
> and the demo is still working. So, what do these lines really do?
Provide a cryptographic salt, and the size of a buffer to manage nonces.
> 3. Can I use any hash for the random string?
The hash certainly doesn't matter, it is _recommended_ (by RFC 2069) to
use base64 or HEX encoding.
> The example uses the "/dev/urandom" feature, but I need to make a
> cross-platform solution, so can I use a hash like a UUID (I can generate
> it using my own function) instead of using urandom?
For the opaque, sure. For the salt, you may want to make it vary each
time the program runs.
Happy hacking!
Christian
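A cross-platform, per-run salt generator for the MHD_OPTION_DIGEST_AUTH_RANDOM point discussed above, as an added example that is not part of the thread or of libmicrohttpd. It assumes /dev/urandom on POSIX and BCryptGenRandom from bcrypt.h on Windows; the MHD option usage appears only in a comment, copied from the example's call.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>   /* assumed Windows CSPRNG API; link with bcrypt.lib */
#endif
/* Fill buf with len bytes from the OS CSPRNG: 0 on success, -1 on failure. */
int fill_random(unsigned char *buf, size_t len)
{
#ifdef _WIN32
    return (0 == BCryptGenRandom(NULL, buf, (ULONG) len, BCRYPT_USE_SYSTEM_PREFERRED_RNG)) ? 0 : -1;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    if (NULL == f) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return (got == len) ? 0 : -1;
#endif
}
/* Hex-encode src into dst (2*len+1 bytes); RFC 2069 suggests hex or base64. */
char *to_hex(const unsigned char *src, size_t len, char *dst)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < len; i++) {
        dst[2 * i] = digits[src[i] >> 4];
        dst[2 * i + 1] = digits[src[i] & 0x0f];
    }
    dst[2 * len] = '\0';
    return dst;
}
/* Per-run salt: nbytes of fresh randomness as 2*nbytes hex chars; 0 on success.
 * Hand the result to MHD_start_daemon as in the example, so it differs each start:
 *   MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof (rnd), rnd,
 *   MHD_OPTION_NONCE_NC_SIZE, 300,
 * The same call can produce a per-run opaque in place of the fixed MY_OPAQUE_STR. */
int make_run_salt(char *out, size_t nbytes)
{
    unsigned char raw[32];
    if (nbytes > sizeof raw || 0 != fill_random(raw, nbytes)) return -1;
    to_hex(raw, nbytes, out);
    return 0;
}
/* Self-check: two salts from one run differ, and the encoder is right. 1 if OK. */
int self_check(void)
{
    char a[33], b[33], h[5];
    const unsigned char probe[2] = { 0xde, 0xad };
    if (0 != make_run_salt(a, 16) || 0 != make_run_salt(b, 16)) return 0;
    return 32 == strlen(a) && 0 != strcmp(a, b) && 0 == strcmp("dead", to_hex(probe, 2, h));
}
```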