Closed
Created Jul 22, 2017 by Didik Setiawan@dstwDeveloper

Digest authentication doesn't work as expected

When I try to access a server that uses HTTP digest authentication, it doesn't pass the authentication process and returns 401 unauthorized access.
How to reproduce:

Create a web service using MHD (I took it from MHD/src/examples):

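/* Standard headers in place of MHD's in-tree "platform.h", so the file builds outside the MHD source tree. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <microhttpd.h>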

#define PAGE "<html><head><title>libmicrohttpd demo</title></head><body>Access granted</body></html>"
#define DENIED "<html><head><title>libmicrohttpd demo</title></head><body>Access denied</body></html>"
#define MY_OPAQUE_STR "11733b200778ce33060f31c9af70a870ba96ddd4"

static int
ahc_echo (void *cls,
          struct MHD_Connection *connection,
          const char *url,
          const char *method,
          const char *version,
          const char *upload_data, size_t *upload_data_size, void **ptr)
{
  struct MHD_Response *response;
  char *username;
  const char *password = "testpass";
  const char *realm = "test@example.com";
  int ret;

  username = MHD_digest_auth_get_username(connection);
  if (username == NULL)
    {
      response = MHD_create_response_from_buffer(strlen (DENIED),
						 DENIED,
						 MHD_RESPMEM_PERSISTENT);
      ret = MHD_queue_auth_fail_response(connection, realm,
					 MY_OPAQUE_STR,
					 response,
					 MHD_NO);
      MHD_destroy_response(response);
      return ret;
    }
  ret = MHD_digest_auth_check(connection, realm,
			      username,
			      password,
			      300);
  free(username);
  if ( (ret == MHD_INVALID_NONCE) ||
       (ret == MHD_NO) )
    {
      response = MHD_create_response_from_buffer(strlen (DENIED),
						 DENIED,
						 MHD_RESPMEM_PERSISTENT);
      if (NULL == response)
	return MHD_NO;
      ret = MHD_queue_auth_fail_response(connection, realm,
					 MY_OPAQUE_STR,
					 response,
					 (ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO);
      MHD_destroy_response(response);
      return ret;
    }
  response = MHD_create_response_from_buffer(strlen(PAGE), PAGE,
					     MHD_RESPMEM_PERSISTENT);
  ret = MHD_queue_response(connection, MHD_HTTP_OK, response);
  MHD_destroy_response(response);
  return ret;
}

int
main (int argc, char *const *argv)
{
  int fd;
  char rnd[8];
  ssize_t len;
  size_t off;
  struct MHD_Daemon *d;

  if (argc != 2)
    {
      printf ("%s PORT\n", argv[0]);
      return 1;
    }
  fd = open("/dev/urandom", O_RDONLY);
  if (-1 == fd)
    {
      fprintf (stderr, "Failed to open `%s': %s\n",
	       "/dev/urandom",
	       strerror (errno));
      return 1;
    }
  off = 0;
  while (off < 8)
    {
      /* Append to what was already read instead of overwriting from the start. */
      len = read(fd, rnd + off, 8 - off);
      if (len == -1)
	{
	  fprintf (stderr, "Failed to read `%s': %s\n",
		   "/dev/urandom",
		   strerror (errno));
	  (void) close (fd);
	  return 1;
	}
      off += len;
    }
  (void) close(fd);
  d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG,
                        atoi (argv[1]),
                        NULL, NULL, &ahc_echo, PAGE,
			MHD_OPTION_DIGEST_AUTH_RANDOM, sizeof(rnd), rnd,
			MHD_OPTION_NONCE_NC_SIZE, 300,
			MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 120,
			MHD_OPTION_END);
  if (d == NULL)
    return 1;
  (void) getc (stdin);
  MHD_stop_daemon (d);
  return 0;
}

gcc digest_auth_example.c -o digest_auth_example -lmicrohttpd
./digest_auth_example 8000

Then I run wget2:

wget2 -d --user=username --password=testpass http://localhost:8000/

22.141812.552 name=user value=username invert=0
22.141812.552 name=password value=testpass invert=0
22.141812.553 name=user value=username invert=0
22.141812.553 name=password value=testpass invert=0
22.141812.553 Local URI encoding = 'UTF-8'
22.141812.553 Input URI encoding = 'UTF-8'
22.141812.553 add HSTS codeload.github.com:443 (maxage=31536000, includeSubDomains=0)
22.141812.553 add HSTS linux.com:443 (maxage=16070400, includeSubDomains=0)
22.141812.553 add HSTS duckduckgo.com:443 (maxage=31536000, includeSubDomains=0)
22.141812.553 add HSTS raw.githubusercontent.com:443 (maxage=31536000, includeSubDomains=0)
22.141812.553 add HSTS www.gnu.org:443 (maxage=63072000, includeSubDomains=0)
22.141812.553 add HSTS gitlab.com:443 (maxage=31536000, includeSubDomains=0)
22.141812.553 add HSTS github.com:443 (maxage=31536000, includeSubDomains=1)
22.141812.553 Fetched HSTS data from '/home/didik/.wget-hsts'
22.141812.553 add HPKP github.com (maxage=5184000, includeSubDomains=1)
22.141812.553 Fetched HPKP data from '/home/didik/.wget-hpkp'
22.141812.553 Fetched TLS session data from '/home/didik/.wget-session'
22.141812.553 Fetched OCSP hosts from '/home/didik/.wget-ocsp_hosts'
22.141812.553 Fetched OCSP fingerprints from '/home/didik/.wget-ocsp'
22.141812.553 *url = http://localhost:8000/
22.141812.553 *3 http://localhost:8000/
22.141812.553 local filename = 'index.html'
22.141812.553 host_add_job: job fname index.html
22.141812.553 host_add_job: 0x60d00000caa0 http://localhost:8000/
22.141812.553 host_add_job: qsize 1 host-qsize=1
22.141812.553 queue_size: qsize=1
22.141812.553 queue_size: qsize=1
22.141812.553 queue_size: qsize=1
22.141812.554 [0] action=1 pending=0 host=0x0
22.141812.554 qsize=1 blocked=0
22.141812.554 pause=-1500707892554
22.141812.554 dequeue job http://localhost:8000/
22.141812.554 resolving localhost:8000...
22.141812.554 has 127.0.0.1:8000
22.141812.554 Add dns cache entry localhost:8000
22.141812.554 trying 127.0.0.1:8000...
22.141812.554 established connection localhost
22.141812.554 cookie_create_request_header for host=localhost path=
22.141812.554 # sent 210 bytes:
GET / HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, bzip2, xz, lzma, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: wget2/1.0.0
Connection: keep-alive

22.141812.554 [0] action=2 pending=1 host=0x60700000ddf0
22.141812.554 ### req 0x61500002fb00 pending requests = 1
22.141812.554 nbytes 271 nread 0 102400
22.141812.554 # got header 267 bytes:
HTTP/1.1 401 Unauthorized
Connection: Keep-Alive
Content-Length: 85
WWW-Authenticate: Digest realm="test@example.com",qop="auth",nonce="79f06050f4ff58fb0b03eb3fd76fc34b000008db",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"
Date: Sat, 22 Jul 2017 07:18:12 GMT

22.141812.554 method 2
22.141812.554 nbytes 85 total 85/85
22.141812.554 keep_alive=1
22.141812.554 [0] action=1 pending=0 host=0x60700000ddf0
22.141812.554 qsize=1 blocked=0
22.141812.554 pause=-1500707892554
22.141812.554 dequeue job http://localhost:8000/
22.141812.554 main: wake up
22.141812.554 reuse connection localhost
22.141812.554 queue_size: qsize=1
Unsupported algorithm '(null)'.
22.141812.554 cookie_create_request_header for host=localhost path=
22.141812.554 # sent 210 bytes:
GET / HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, bzip2, xz, lzma, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: wget2/1.0.0
Connection: keep-alive

22.141812.554 [0] action=2 pending=1 host=0x60700000ddf0
22.141812.554 ### req 0x61500002f880 pending requests = 1
22.141812.554 nbytes 356 nread 0 102400
22.141812.554 # got header 267 bytes:
HTTP/1.1 401 Unauthorized
Connection: Keep-Alive
Content-Length: 85
WWW-Authenticate: Digest realm="test@example.com",qop="auth",nonce="79f06050f4ff58fb0b03eb3fd76fc34b000008db",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"
Date: Sat, 22 Jul 2017 07:18:12 GMT

22.141812.555 method 2
22.141812.555 keep_alive=1
22.141812.555 host_remove_job: 0x60d00000caa0
22.141812.555 host_remove_job: qsize=0 host->qsize=0
22.141812.555 [0] action=1 pending=0 host=0x60700000ddf0
22.141812.555 qsize=0 blocked=0
22.141812.555 pause=-1500707892555
22.141812.555 closing connection
22.141812.555 [0] action=1 pending=0 host=0x0
22.141812.555 qsize=0 blocked=0
22.141812.555 pause=-1500707892555
22.141812.555 main: wake up
22.141812.555 main: done
22.141812.555 Successfully updated '/home/didik/.wget-ocsp_hosts'.
22.141812.555 Saved OCSP hosts to '/home/didik/.wget-ocsp_hosts'
22.141812.555 Successfully updated '/home/didik/.wget-ocsp'.
22.141812.555 Saved OCSP fingerprints to '/home/didik/.wget-ocsp'
22.141812.555 blacklist http://localhost:8000/
[0] Downloading 'http://localhost:8000/' ...
HTTP ERROR response 401 Unauthorized [http://localhost:8000/]
[0] Downloading 'http://localhost:8000/' ...
HTTP ERROR response 401 Unauthorized [http://localhost:8000/]

Different result when I use another client:

wget -d --user=username --password=testpass http://localhost:8000/

Setting --user (user) to username
Setting --password (password) to testpass
DEBUG output created by Wget 1.19.1 on linux-gnu.

Reading HSTS entries from /home/didik/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-07-22 14:18:47--  http://localhost:8000/
Host ‘localhost’ has not issued a general basic challenge.
Resolving localhost (localhost)... 127.0.0.1
Caching localhost => 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8000... connected.
Created socket 4.
Releasing 0x0000000001d3dde0 (new refcount 1).

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.19.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: localhost:8000
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 401 Unauthorized
Connection: Keep-Alive
Content-Length: 85
WWW-Authenticate: Digest realm="test@example.com",qop="auth",nonce="e38127867affe37748a84ccb1f838a51000008fe",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"
Date: Sat, 22 Jul 2017 07:18:47 GMT

---response end---
401 Unauthorized
Registered socket 4 for persistent reuse.
Skipping 85 bytes of body: [<html><head><title>libmicrohttpd demo</title></head><body>Access denied</body></html>] done.
Auth scheme found 'Digest'
Auth param list ' realm="test@example.com",qop="auth",nonce="e38127867affe37748a84ccb1f838a51000008fe",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"'
Auth param realm=test@example.com
Auth param qop=auth
Auth param nonce=e38127867affe37748a84ccb1f838a51000008fe
Auth param opaque=11733b200778ce33060f31c9af70a870ba96ddd4
Authentication selected: Digest realm="test@example.com",qop="auth",nonce="e38127867affe37748a84ccb1f838a51000008fe",opaque="11733b200778ce33060f31c9af70a870ba96ddd4"
Reusing existing connection to localhost:8000.
Reusing fd 4.

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.19.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: localhost:8000
Connection: Keep-Alive
Authorization: Digest username="username", realm="test@example.com", nonce="e38127867affe37748a84ccb1f838a51000008fe", uri="/", response="128b8f6b0f35e451ce1590028454d882", qop=auth, nc=00000001, cnonce="132049e5", opaque="11733b200778ce33060f31c9af70a870ba96ddd4"

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 86
Date: Sat, 22 Jul 2017 07:18:47 GMT

---response end---
200 OK
Length: 86
Saving to: ‘index.html.5’

     0K                                                       100% 4.35M=0s

2017-07-22 14:18:47 (4.35 MB/s) - ‘index.html.5’ saved [86/86]

Is this intended behaviour? Or did I miss something?
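
The wget2 debug output above prints `Unsupported algorithm '(null)'` for a challenge that carries no `algorithm` parameter; RFC 2617 (section 3.2.1) says an absent `algorithm` is assumed to be MD5. The following added example (Python, not wget2 or libmicrohttpd code and not part of the original report) applies that default and recomputes the `response` value visible in the Wget 1.19.1 request above; the function names are illustrative.

```python
import hashlib
import re

# Challenge copied from the Wget 1.19.1 debug output in the report above.
CHALLENGE = ('Digest realm="test@example.com",qop="auth",'
             'nonce="e38127867affe37748a84ccb1f838a51000008fe",'
             'opaque="11733b200778ce33060f31c9af70a870ba96ddd4"')

HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, params dict)."""
    scheme, _, rest = header.partition(" ")
    params = {}
    for key, quoted, token in re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest):
        params[key.lower()] = quoted or token
    return scheme, params


def digest_response(params, user, password, method, uri, nc, cnonce):
    """Compute the Authorization `response` value for a Digest challenge."""
    # RFC 2617 3.2.1: a challenge without `algorithm` means MD5, not an error.
    algorithm = (params.get("algorithm") or "MD5").upper()
    if algorithm not in HASHES:
        raise ValueError("unsupported digest algorithm: %r" % algorithm)

    def h(text):
        return HASHES[algorithm](text.encode()).hexdigest()

    ha1 = h("%s:%s:%s" % (user, params["realm"], password))
    ha2 = h("%s:%s" % (method, uri))
    qops = [q.strip() for q in params.get("qop", "").split(",")]
    if "auth" in qops:
        return h(":".join([ha1, params["nonce"], nc, cnonce, "auth", ha2]))
    # Legacy RFC 2069 form when the server offers no qop.
    return h(":".join([ha1, params["nonce"], ha2]))


def demo():
    """Recompute the response using the nc/cnonce from the Wget 1.19.1 request."""
    scheme, params = parse_challenge(CHALLENGE)
    assert scheme == "Digest" and "algorithm" not in params
    return digest_response(params, "username", "testpass", "GET", "/",
                           "00000001", "132049e5")


if __name__ == "__main__":
    print(demo())
```

A client that treats the missing parameter as "no algorithm" never builds an `Authorization` header and simply repeats the unauthenticated request, which matches the second 401 in the wget2 trace.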
