Digest authentication doesn't work as expected
When I try to access a server that uses HTTP digest authentication, the request does not pass the authentication process and 401 Unauthorized is returned.
How to reproduce:
Create a web service using MHD (taken from MHD/src/examples):
#include "platform.h"
#include <microhttpd.h>
#include <stdlib.h>
/* Body served with 200 OK once digest authentication has succeeded. */
#define PAGE "<html><head><title>libmicrohttpd demo</title></head><body>Access granted</body></html>"
/* Body attached to every 401 challenge queued by the handler. */
#define DENIED "<html><head><title>libmicrohttpd demo</title></head><body>Access denied</body></html>"
/* Value sent as the `opaque` parameter of each Digest challenge.  It is a
   compile-time constant, so every challenge from this server carries the same
   string; it is not a secret and adds no per-session state. */
#define MY_OPAQUE_STR "11733b200778ce33060f31c9af70a870ba96ddd4"
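/**
 * Access handler: serve PAGE to clients that pass HTTP Digest authentication
 * and answer everything else with a Digest challenge carrying DENIED.
 *
 * Every response allocation is checked before it is queued; a failed
 * allocation makes the handler return MHD_NO.
 *
 * @param cls unused
 * @param connection connection the request arrived on
 * @param url unused (every path is protected the same way)
 * @param method unused
 * @param version unused
 * @param upload_data unused
 * @param upload_data_size unused
 * @param ptr unused
 * @return result of queueing the response, or MHD_NO if no response object
 *         could be created
 */
static int
ahc_echo (void *cls,
          struct MHD_Connection *connection,
          const char *url,
          const char *method,
          const char *version,
          const char *upload_data, size_t *upload_data_size, void **ptr)
{
  struct MHD_Response *response;
  char *username;
  /* Demo credential compiled into the binary; anything beyond an example
     should load credentials from protected storage instead. */
  const char *password = "testpass";
  const char *realm = "test@example.com";
  int ret;

  username = MHD_digest_auth_get_username (connection);
  if (NULL == username)
    {
      /* No digest credentials in the request: send the initial challenge. */
      response = MHD_create_response_from_buffer (strlen (DENIED),
                                                  DENIED,
                                                  MHD_RESPMEM_PERSISTENT);
      if (NULL == response)
        return MHD_NO;
      ret = MHD_queue_auth_fail_response (connection, realm,
                                          MY_OPAQUE_STR,
                                          response,
                                          MHD_NO);
      MHD_destroy_response (response);
      return ret;
    }

  /* The user name comes straight from the client's Authorization header and
     is never compared with an expected account name here, so the only thing
     this handler pins is the password.  300 is the nonce timeout in
     seconds. */
  ret = MHD_digest_auth_check (connection, realm,
                               username,
                               password,
                               300);
  /* The user name was allocated by MHD_digest_auth_get_username(). */
  free (username);
  if ( (MHD_INVALID_NONCE == ret) ||
       (MHD_NO == ret) )
    {
      response = MHD_create_response_from_buffer (strlen (DENIED),
                                                  DENIED,
                                                  MHD_RESPMEM_PERSISTENT);
      if (NULL == response)
        return MHD_NO;
      /* Signal "stale" only for an invalid nonce, so that a client may retry
         with a fresh nonce; a wrong response gets a plain failure. */
      ret = MHD_queue_auth_fail_response (connection, realm,
                                          MY_OPAQUE_STR,
                                          response,
                                          (MHD_INVALID_NONCE == ret)
                                          ? MHD_YES : MHD_NO);
      MHD_destroy_response (response);
      return ret;
    }

  /* Authenticated: serve the protected page. */
  response = MHD_create_response_from_buffer (strlen (PAGE), PAGE,
                                              MHD_RESPMEM_PERSISTENT);
  if (NULL == response)
    return MHD_NO;
  ret = MHD_queue_response (connection, MHD_HTTP_OK, response);
  MHD_destroy_response (response);
  return ret;
}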
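/**
 * Start the demo server on the port given as the only argument, seed MHD's
 * digest-auth nonce generation from /dev/urandom, and run until a character
 * is read from stdin.
 *
 * @param argc must be 2
 * @param argv argv[1] is the TCP port, a decimal number in 1..65535
 * @return 0 after a clean shutdown, 1 on usage, entropy or start-up errors
 */
int
main (int argc, char *const *argv)
{
  int fd;
  char rnd[8];
  ssize_t len;
  size_t off;
  long port;
  char *end;
  struct MHD_Daemon *d;

  if (argc != 2)
    {
      printf ("%s PORT\n", argv[0]);
      return 1;
    }
  /* atoi() would silently turn garbage into 0 and wrap out-of-range values;
     parse strictly and reject anything that is not a valid TCP port. */
  errno = 0;
  port = strtol (argv[1], &end, 10);
  if ( (end == argv[1]) || ('\0' != *end) || (0 != errno) ||
       (port < 1) || (port > 65535) )
    {
      fprintf (stderr, "Invalid port `%s'\n", argv[1]);
      return 1;
    }
  fd = open ("/dev/urandom", O_RDONLY);
  if (-1 == fd)
    {
      fprintf (stderr, "Failed to open `%s': %s\n",
               "/dev/urandom",
               strerror (errno));
      return 1;
    }
  /* Fill the whole seed.  Each read continues where the previous one stopped,
     so a short read can neither leave trailing bytes uninitialised nor
     overwrite bytes that were already filled; end-of-file is an error rather
     than a reason to spin forever. */
  off = 0;
  while (off < sizeof (rnd))
    {
      len = read (fd, rnd + off, sizeof (rnd) - off);
      if (len <= 0)
        {
          fprintf (stderr, "Failed to read `%s': %s\n",
                   "/dev/urandom",
                   (0 == len) ? "unexpected end of file" : strerror (errno));
          (void) close (fd);
          return 1;
        }
      off += (size_t) len;
    }
  (void) close (fd);
  /* No TLS flag is set, so digest exchanges travel over plain HTTP.
     MHD_OPTION_DIGEST_AUTH_RANDOM passes the seed MHD uses when generating
     nonces; MHD_OPTION_NONCE_NC_SIZE sizes its nonce/nc tracking array.
     NOTE(review): 8 bytes of seed is what the example ships with; consider a
     larger seed outside of a demo. */
  d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION
                        | MHD_USE_INTERNAL_POLLING_THREAD
                        | MHD_USE_ERROR_LOG,
                        (unsigned short) port,
                        NULL, NULL, &ahc_echo, PAGE,
                        MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof (rnd), rnd,
                        MHD_OPTION_NONCE_NC_SIZE, (unsigned int) 300,
                        MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 120,
                        MHD_OPTION_END);
  if (NULL == d)
    return 1;
  /* Serve until any input arrives on stdin, then shut down. */
  (void) getc (stdin);
  MHD_stop_daemon (d);
  return 0;
}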
gcc digest_auth_example.c -o digest_auth_example
./digest_auth_example 8000
Then I run wget2:
wget2 -d --user=username --password=testpass http://localhost:8000/
22.141812.552 name=user value=username invert=0
22.141812.552 name=password value=testpass invert=0
22.141812.553 name=user value=username invert=0
22.141812.553 name=password value=testpass invert=0
22.141812.553 Local URI encoding = 'UTF-8'
22.141812.553 Input URI encoding = 'UTF-8'
22.141812.553 add HSTS codeload.github.com:443 (maxage=31536000, includeSubDomains=0)
22.141812.553 add HSTS linux.com:443 (maxage=16070400, includeSubDomains=0)
22.141812.553 add HSTS duckduckgo.com:443 (maxage=31536000, includeSubDomains=0)
22.141812.553 add HSTS raw.githubusercontent.com:443 (maxage=31536000, includeSubDomains=0)
22.141812.553 add HSTS www.gnu.org:443 (maxage=63072000, includeSubDomains=0)
22.141812.553 add HSTS gitlab.com:443 (maxage=31536000, includeSubDomains=0)
22.141812.553 add HSTS github.com:443 (maxage=31536000, includeSubDomains=1)
22.141812.553 Fetched HSTS data from '/home/didik/.wget-hsts'
22.141812.553 add HPKP github.com (maxage=5184000, includeSubDomains=1)
22.141812.553 Fetched HPKP data from '/home/didik/.wget-hpkp'
22.141812.553 Fetched TLS session data from '/home/didik/.wget-session'
22.141812.553 Fetched OCSP hosts from '/home/didik/.wget-ocsp_hosts'
22.141812.553 Fetched OCSP fingerprints from '/home/didik/.wget-ocsp'
22.141812.553 *url = http://localhost:8000/
22.141812.553 *3 http://localhost:8000/
22.141812.553 local filename = 'index.html'
22.141812.553 host_add_job: job fname index.html
22.141812.553 host_add_job: 0x60d00000caa0 http://localhost:8000/
22.141812.553 host_add_job: qsize 1 host-qsize=1
22.141812.553 queue_size: qsize=1
22.141812.553 queue_size: qsize=1
22.141812.553 queue_size: qsize=1
22.141812.554 [0] action=1 pending=0 host=0x0
22.141812.554 qsize=1 blocked=0
22.141812.554 pause=-1500707892554
22.141812.554 dequeue job http://localhost:8000/
22.141812.554 resolving localhost:8000...
22.141812.554 has 127.0.0.1:8000
22.141812.554 Add dns cache entry localhost:8000
22.141812.554 trying 127.0.0.1:8000...
22.141812.554 established connection localhost
22.141812.554 cookie_create_request_header for host=localhost path=
22.141812.554 # sent 210 bytes:
GET / HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, bzip2, xz, lzma, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: wget2/1.0.0
Connection: keep-alive
22.141812.554 [0] action=2 pending=1 host=0x60700000ddf0
22.141812.554 ### req 0x61500002fb00 pending requests = 1
22.141812.554 nbytes 271 nread 0 102400
22.141812.554 # got header 267 bytes:
HTTP/1.1 401 Unauthorized
Connection: Keep-Alive
Content-Length: 85
WWW-Authenticate: Digest realm="test@example.com",qop="auth",nonce="79f06050f4ff58fb0b03eb3fd76fc34b000008db",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"
Date: Sat, 22 Jul 2017 07:18:12 GMT
22.141812.554 method 2
22.141812.554 nbytes 85 total 85/85
22.141812.554 keep_alive=1
22.141812.554 [0] action=1 pending=0 host=0x60700000ddf0
22.141812.554 qsize=1 blocked=0
22.141812.554 pause=-1500707892554
22.141812.554 dequeue job http://localhost:8000/
22.141812.554 main: wake up
22.141812.554 reuse connection localhost
22.141812.554 queue_size: qsize=1
Unsupported algorithm '(null)'.
22.141812.554 cookie_create_request_header for host=localhost path=
22.141812.554 # sent 210 bytes:
GET / HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, bzip2, xz, lzma, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: wget2/1.0.0
Connection: keep-alive
22.141812.554 [0] action=2 pending=1 host=0x60700000ddf0
22.141812.554 ### req 0x61500002f880 pending requests = 1
22.141812.554 nbytes 356 nread 0 102400
22.141812.554 # got header 267 bytes:
HTTP/1.1 401 Unauthorized
Connection: Keep-Alive
Content-Length: 85
WWW-Authenticate: Digest realm="test@example.com",qop="auth",nonce="79f06050f4ff58fb0b03eb3fd76fc34b000008db",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"
Date: Sat, 22 Jul 2017 07:18:12 GMT
22.141812.555 method 2
22.141812.555 keep_alive=1
22.141812.555 host_remove_job: 0x60d00000caa0
22.141812.555 host_remove_job: qsize=0 host->qsize=0
22.141812.555 [0] action=1 pending=0 host=0x60700000ddf0
22.141812.555 qsize=0 blocked=0
22.141812.555 pause=-1500707892555
22.141812.555 closing connection
22.141812.555 [0] action=1 pending=0 host=0x0
22.141812.555 qsize=0 blocked=0
22.141812.555 pause=-1500707892555
22.141812.555 main: wake up
22.141812.555 main: done
22.141812.555 Successfully updated '/home/didik/.wget-ocsp_hosts'.
22.141812.555 Saved OCSP hosts to '/home/didik/.wget-ocsp_hosts'
22.141812.555 Successfully updated '/home/didik/.wget-ocsp'.
22.141812.555 Saved OCSP fingerprints to '/home/didik/.wget-ocsp'
22.141812.555 blacklist http://localhost:8000/
[0] Downloading 'http://localhost:8000/' ...
HTTP ERROR response 401 Unauthorized [http://localhost:8000/]
[0] Downloading 'http://localhost:8000/' ...
HTTP ERROR response 401 Unauthorized [http://localhost:8000/]
I get a different result when I use another client:
wget -d --user=username --password=testpass http://localhost:8000/
Setting --user (user) to username
Setting --password (password) to testpass
DEBUG output created by Wget 1.19.1 on linux-gnu.
Reading HSTS entries from /home/didik/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-07-22 14:18:47-- http://localhost:8000/
Host ‘localhost’ has not issued a general basic challenge.
Resolving localhost (localhost)... 127.0.0.1
Caching localhost => 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8000... connected.
Created socket 4.
Releasing 0x0000000001d3dde0 (new refcount 1).
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.19.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: localhost:8000
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 401 Unauthorized
Connection: Keep-Alive
Content-Length: 85
WWW-Authenticate: Digest realm="test@example.com",qop="auth",nonce="e38127867affe37748a84ccb1f838a51000008fe",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"
Date: Sat, 22 Jul 2017 07:18:47 GMT
---response end---
401 Unauthorized
Registered socket 4 for persistent reuse.
Skipping 85 bytes of body: [<html><head><title>libmicrohttpd demo</title></head><body>Access denied</body></html>] done.
Auth scheme found 'Digest'
Auth param list ' realm="test@example.com",qop="auth",nonce="e38127867affe37748a84ccb1f838a51000008fe",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"'
Auth param realm=test@example.com
Auth param qop=auth
Auth param nonce=e38127867affe37748a84ccb1f838a51000008fe
Auth param opaque=11733b200778ce33060f31c9af70a870ba96ddd4
Authentication selected: Digest realm="test@example.com",qop="auth",nonce="e38127867affe37748a84ccb1f838a51000008fe",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"
Reusing existing connection to localhost:8000.
Reusing fd 4.
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.19.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: localhost:8000
Connection: Keep-Alive
Authorization: Digest username="username", realm="test@example.com", nonce="e38127867affe37748a84ccb1f838a51000008fe", uri="/", response="128b8f6b0f35e451ce1590028454d882", qop=auth, nc=00000001, cnonce="132049e5", opaque="11733b200778ce33060f31c9af70a870ba96ddd4"
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 86
Date: Sat, 22 Jul 2017 07:18:47 GMT
---response end---
200 OK
Length: 86
Saving to: ‘index.html.5’
0K 100% 4.35M=0s
2017-07-22 14:18:47 (4.35 MB/s) - ‘index.html.5’ saved [86/86]
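Is this intended behaviour, or did I miss something? In the wget2 log above, "Unsupported algorithm '(null)'" is printed right before the second request, which is again sent without an Authorization header; the server's WWW-Authenticate challenge carries no algorithm parameter.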