Many thanks, Christian,
As you say, I had the rnd array allocated on the stack. I moved it to global storage and voila, it works. I should have read the manual more closely.
On the con_cls issue, I guess I'm completing each request so the handler never gets called with a non-zero value.
Best regards
David
On 2020-11-08 5:14 pm, Christian Grothoff wrote:
Hi David,
Looking at the pcap, it seems the 'nonce' of the server keeps changing, which it must not. I don't know what you are doing, maybe you called MHD_OPTION_DIGEST_AUTH_RANDOM with a pointer to a location in RAM that keeps changing.
Anyway, to debug this, I would begin by looking at the digestauth.c::calculate_nonce() function. Check in particular if the arguments 'rnd'/rnd_size, or 'uri' or 'realm' change between calls, they should not (at least not for the same page!).
Again, without reference code from you exhibiting the problematic behavior, diagnosis help is difficult...
Happy hacking!
-Christian
On 2020-11-07 1:24 pm, DJM-Avalesta wrote:
Hi,
I desperately need to solve issue this for a Client, I attach a wireshark capture of the problem but basically, I have two problems:-
1. Around 50% of the calls to MHD_digest_auth_check() fail returning INVALID_NONCE. This seems to be random, sometimes it passes and sometimes not. Some clients (eg ONVIF Conformance Tool) don't seem to re-send the response with a different nonce when they receive a MHD_queue_auth_fail_response().
2. The *con_cls parameter to the access handler is always null, even though I change it when I get an authentication pass. This means that I'm authenticating every call into the access handler which does not seem right.
I must be doing something wrong as I'm sure this has been tested many times over.
Best regards
David
On 2020-10-31 5:36 pm, Christian Grothoff wrote:
Hi David,
I don't see anything _obviously_ wrong with the snippet you provided. I would suggest you to use wireshark to log a transcript of the interaction and/or to provide a stand-alone minimal C implementation based on your code for testing by others.
Happy hacking!
Christian
On 2020-10-29 4:10 pm, DJM-Avalesta wrote:
Hi,
I'm trying to update my 8 year old code to use digest authentication where previously it only supported basic.
I'm trying to use *con_cls (*ptr in my code) to determine when to authenticate but it's not working, *con_cls always seems to be null, even after I've set it, so it's authenticating every time.
I mostly get MHD_digest_auth_check() failures returning INVALID_NONCE and the Client never stops asking for credentials even when the authentication passes, which it does occasionally.
I'm missing something crucial but I can't see it.
The authentication part of my access_handler is shown below
Many thanks
David
static int aptr; if (bDigestAuth) { printf("URL:%s, con_cls:%p\r\n", url, *ptr); //HACK to see if digest authentication works and allows ONVIF snapshorUri test to pass //Only works for Admin-Admin if (&aptr != *ptr) { /* Only authenticate on first call of session*/ char *username; const char *password = "Admin";
g_CameraData->GetRealmName(g_szRealm, sizeof(g_szRealm));
username = MHD_digest_auth_get_username(connection); if (username == NULL) { response = MHD_create_response_from_data (strlen (NOTAUTH_RESPONSE), (void *) NOTAUTH_RESPONSE, MHD_NO, MHD_NO); ret = MHD_queue_auth_fail_response(connection, g_szRealm, OPAQUE, response, MHD_NO); MHD_destroy_response(response); pthread_mutex_unlock (&m_AuthMutex); //unlock after authorization // printf("Failed digest auth, no username\r\n"); return ret; } printf("Applying digest auth to user: %s, realm:%s, con_cls:%p\r\n", username, g_szRealm, *ptr); *ptr = &aptr; //set this for session ret = MHD_digest_auth_check(connection, g_szRealm, username, password, 300); printf("Checking digest auth for username: %s, password: %s, realm:%s\r\n", username, password, g_szRealm); free(username); if ( (ret == MHD_INVALID_NONCE) || (ret == MHD_NO) ) { printf("Failed digest auth, invalid nonce, ret:%d\r\n", ret); response = MHD_create_response_from_data (strlen (NOTAUTH_RESPONSE), (void *) NOTAUTH_RESPONSE, MHD_NO, MHD_NO); if (NULL == response) return MHD_NO; ret = MHD_queue_auth_fail_response(connection, g_szRealm, OPAQUE, response, (ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO); MHD_destroy_response(response); pthread_mutex_unlock (&m_AuthMutex); //unlock after authorization return ret; } //PASSED printf("PASSED digest auth\r\n"); } else { printf("No digest auth required\r\n"); } }
|