Description
Basic Infos
- This issue complies with the issue POLICY doc.
- I have read the documentation at readthedocs and the issue is not addressed there.
- I have tested that the issue is present in current master branch (aka latest git).
- I have searched the issue tracker for a similar issue.
- If there is a stack dump, I have decoded it.
- I have filled out all fields below.
Platform
- Hardware: [All]
- Core Version: [2.4.1]
- Development Env: [Arduino IDE]
- Operating System: [All]
Settings in IDE
Irrelevant
Problem Description
I have built a web server using the ESP8266WebServer library and have come across an issue accessing the site via Apple products. I have tried using two different iPhone models (one 2 years old and one 3 years old) and two different iPad models (one 6 months old and one 3 years old) and all four devices indicate the same issues.
Problem Overview
If establishing a web site with NO authentication, everything works fine regardless of the browser or device being used
If establishing a web site with BASIC_AUTH authentication, everything works fine regardless of the browser or device being used
Establishing a web site with DIGEST_AUTH authentication does not function correctly. I have tried setting the authentications using:
requestAuthentication(DIGEST_AUTH); // use default realm and fail msg
requestAuthentication(DIGEST_AUTH, "realm"); // use programmed realm and default fail msg
requestAuthentication(DIGEST_AUTH, "realm", "Message text"); // customise all parameters
For each of the three techniques above I have:
- Successfully accessed the website from a desktop PC/laptop using the Chrome browser
- Successfully accessed the website from an Android phone when ESP8266 running in STA mode
- Successfully accessed the website from an Android phone when ESP8266 running in AP mode
- Unable to access the website from an iPad/iPhone when ESP8266 running in STA mode
- Unable to access the website from an iPad/iPhone when ESP8266 running in AP mode
Apple products fail regardless of whether device is in AP or STA mode, the error message provided by HTTP_SERVER debugging is always that the hash response is incorrect
Apple products fail regardless of whether the iPhone/iPad is using the default Safari browser or the Chrome browser (although it appears that the Apple Chrome browser still uses the Safari libraries to submit qeb queries)
Code Evaluation
There is obviously an incorrect branch code that is taken based on the response Apple devices. Given the debug messages, it appears that the Digest_Auth branch of authenticate() in ESP8266WebServer.cpp IS being taken, however the incorrect response hash is being calculated.
Looking at the code, two possible options are being calculated
MD5("H1:nonce:nc:cnonce:auth:H2)
or
MD5(H1:nonce:H2)
However, the standard implies that the value of qop (which the library hard-codes to "auth") should be either "auth" or "auth-int"
The standard also implies that there are two possible calculations for H1 and H2 of:
H1
MD5(username:realm:password)
or
MD5(MD5(username:realm:password):nonce:cnonce)
H2
MD5(method:uri)
or
MD5(method:uri:MD5(entityBody))
Whereas the existing code only calculates the first possibility of either H1 or H2
It appears that perhaps Apple devices are requiring one of the three currently not coded options in the DIGEST authentication library and that the code needs to be modified to support this.
Potential Fixes
Supporting auth or auth-int in final response hash
Supporting "auth" or "auth-int" appears to require an extra check in line 194 and modifying line 195 to use the actual parameter value rather than the hardcoded ":auth:"
Supporting alternate H1 Calculation
Supporing the more complex H1 requires (after line 172) checking if the algorithm directive is "MD5-sess" and then:
- appending ":nonce:cnonce" to the original calculated H1
- running MD5 again
Supporting alternate H2 Calculation
Supporting the more complex H2 requires more thought. It appears the current code does not extract "entityBody" and so will have to be modified to support this
Conclusion
I am unsure which of these three changes are required to fix Apple brokenness
I note that if the issue is that the qop directive sent by Apple products is auth-int, then the solution will probably involve both fixing the H2 calculation AND modifying the code to calculate the final response hash
Given its current state, it is impossible to support digest authentcation on ESP8266WebServer for Apple devices accessing web sites