Re: [libmicrohttpd] Upgrade to digest authentication


From: DJM-Avalesta
Subject: Re: [libmicrohttpd] Upgrade to digest authentication
Date: Wed, 11 Nov 2020 16:59:48 +0000
User-agent: Roundcube Webmail/1.4-rc2

Hi Christian,
You are right. The Client (Onvif Device Manager) is only hashing the url, without the params. It is telling us that with its uri field but we are ignoring it and hashing the whole url.
 
Other clients, e.g. Firefox or the ONVIF Conformance tool, hash the complete url, so it is not a problem.
 
I can fix it for ODM by removing the params, but I really need the params so that the snapshot can select different images.
 
Best regards
David


On 2020-11-11 2:18 pm, Christian Grothoff wrote:

On 11/11/20 3:02 PM, DJM-Avalesta wrote:
Hi,

I spoke too soon, I still have issues authenticating with certain clients.

The attached wireshark shows, at the very end, it fails to authenticate
an HTTP GET of an image file (/mjpg/image.cgi) when the username, nonce
and realm all seem to be correct.

It actually fails in digestauth.c with the message "Authentication
failed, arguments do no match".

Any ideas?

I suspect the "?view=0" is somehow to blame. IIRC we had issues with
that in the past, where some include the "?view=0" in the URI when
hashing, and others do not. Also note that the "?view=0" is *NOT*
included in the "uri=/mjpeg/image.cgi" given by the client (TCP stream
#10).

So if the client excluded "?view=0" from hashing, and MHD included
"?view=0" when hashing, this disagreement would result in exactly this
behavior.

(I don't recall on the spot what the standard says, and also don't
recall if MHD even looks at the "uri=" argument in the authorization
header -- I'd need more time to investigate this, so this is just my
hunch/idea here.)

Happy hacking!

Christian
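
An added illustration (not part of the messages above, and not libmicrohttpd code) of the mismatch discussed in this thread: the RFC 2617 digest hashes `method:uri` into HA2, so a server that hashes the full request target cannot match a client that hashed its `uri=` value without the query. The credentials, nonce, the `verify` and `make_auth` helpers and the `allow_query_stripped` policy are constructed assumptions.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2617 request-digest; `uri` is the string that gets hashed into HA2."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth form
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # legacy form without qop

def verify(method, request_target, auth, password, allow_query_stripped=False):
    """Check parsed Authorization directives (`auth`) against the request line."""
    uri = auth["uri"]
    if uri != request_target:
        path = request_target.split("?", 1)[0]
        # Assumed compatibility policy: accept a uri= that is the target minus
        # its query. The query string is then not covered by the digest.
        if not (allow_query_stripped and uri == path):
            return "uri-mismatch"
    expected = digest_response(auth["username"], auth["realm"], password, method,
                               uri, auth["nonce"], auth.get("nc"),
                               auth.get("cnonce"), auth.get("qop"))
    return "ok" if hmac.compare_digest(expected, auth["response"]) else "bad-response"

def make_auth(uri_field):
    """Constructed client header: hashes exactly the uri= value it sends."""
    auth = {"username": USER, "realm": REALM, "nonce": NONCE, "uri": uri_field}
    auth["response"] = digest_response(USER, REALM, PASSWORD, "GET", uri_field, NONCE)
    return auth

# Constructed sample values; only the path and "?view=0" come from the thread.
USER, REALM, PASSWORD, NONCE = "admin", "camera", "s3cret", "5f1c0a9e"
TARGET = "/mjpg/image.cgi?view=0"

if __name__ == "__main__":
    stripped = make_auth("/mjpg/image.cgi")   # client that drops the query
    full = make_auth(TARGET)                  # client that keeps the query
    # Hashing the request line instead of uri= reproduces the reported failure.
    print(digest_response(USER, REALM, PASSWORD, "GET", TARGET, NONCE) == stripped["response"])
    print(verify("GET", TARGET, stripped, PASSWORD))
    print(verify("GET", TARGET, stripped, PASSWORD, allow_query_stripped=True))
    print(verify("GET", TARGET, full, PASSWORD))
```
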

