Modified ESP8266WebServer to allow for authentication with H(A1). #6020

Merged
merged 3 commits into from
May 23, 2019

Conversation

overtone1000
Contributor

RFC 2617 4.13 discusses storing credentials as the username and H(A1) rather than the username and password, but this isn't possible with the current implementation of Digest authentication in the ESP8266WebServer class because the authenticate function takes username and password as arguments. This limitation is addressed in this branch, which contains four modifications:

  1. Exposes a function in ESP8266WebServer that performs HTTP Digest authentication with username and H(A1) as the arguments.
  2. Preserves the HTTP authentication function in ESP8266WebServer with username and password as arguments but modifies it to call the new function where appropriate.
  3. Adds a public static function to ESP8266WebServer for generating H(A1) from the username, realm, and password.
  4. Adds an example of how to use this new feature, which is called HttpHashCredAuth.ino and is in the appropriate folder. This example uses the ESP8266WebServerSecure class to present a web interface where the user can change the HTTP credentials. These are saved in SPIFFS as the username and H(A1). The plain text password is never stored in the program or the file system.

@overtone1000
Contributor Author

This branch was tested with the new example as well as with the HttpAdvancedAuth.ino and HttpBasicAuth.ino examples to make sure no existing functionality was disrupted. All three examples compiled and functioned as expected.

@overtone1000
Contributor Author

overtone1000 commented Apr 28, 2019

I have only found one issue (#4392) that asked a related question about digest authentication, but this was closed as the question was about the security of the transmission, not about its storage. This issue was quickly closed.

I have found two pull requests (#3328 and #4404) that address a similar issue with basic authentication.

Collaborator

@earlephilhower earlephilhower left a comment

Seems fine to me, with the prior comments. Not sure if it's going to give much more security (especially since raw user/realm/passwords are still stored in 8266 flash...ugh), but I don't think it affects anything negatively.

@overtone1000
Contributor Author

especially since raw user/realm/passwords are still stored in 8266 flash...ugh

My goal for the example (HttpHashCredAuth.ino) was to show how to avoid this. The credentials are initialized to something generic, but once they are changed through the web interface, only the user name and hash of user/realm/password should be in flash. What did I miss?
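
To make concrete what the PR description and the exchange above about flash contents are describing, here is an added example (written in Python for readability; it is not the ESP8266WebServer code, the PR's own code, or the HttpHashCredAuth.ino sketch). It implements the RFC 2617 Digest computation from H(A1) = MD5(username:realm:password), a credential store that keeps only the username and H(A1) the way the example sketch keeps them in SPIFFS, the client side that builds the Authorization header from a typed password, and the server-side check that verifies it using nothing but the stored hash. The realm, nonce, cnonce and credentials are constructed values. One practitioner's caveat that RFC 2617 section 4.13 itself makes: H(A1) is still sufficient to authenticate to that realm, so the stored file must still be protected; the gain is that a cleartext password, possibly reused elsewhere, never reaches flash, and the hash is bound to this realm.

```python
import hashlib
import secrets

REALM = "esp8266-example"  # constructed realm name for this example


def md5_hex(data: str) -> str:
    """Hex MD5 as used throughout RFC 2617 (Digest is MD5-based by design)."""
    return hashlib.md5(data.encode()).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    """RFC 2617 H(A1) = MD5(username:realm:password).
    This is the value stored in place of the cleartext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """The 'response' field. Both sides compute it from H(A1): the client
    derives H(A1) from the typed password, the server reads the stored H(A1)."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 compatibility form


class CredentialStore:
    """Stands in for the SPIFFS file in the example sketch: only the username
    and H(A1) are ever kept; the password is consumed and dropped."""

    def __init__(self, username, realm, password):
        self.realm = realm
        self.change_credentials(username, password)

    def change_credentials(self, username, password):
        self.username = username
        self.ha1 = h_a1(username, self.realm, password)

    def persisted(self):
        """What would be written to flash."""
        return {"username": self.username, "ha1": self.ha1}


def parse_authorization(header: str) -> dict:
    """Minimal parser for 'Digest k="v", k2=v2' (no commas inside values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def server_authenticate_digest(store, method, header, issued_nonce):
    """Server check using only username + H(A1). The nonce must be one the
    server issued; otherwise a captured header could simply be replayed."""
    f = parse_authorization(header)
    if f.get("username") != store.username or f.get("realm") != store.realm:
        return False
    if f.get("nonce") != issued_nonce:
        return False
    expected = digest_response(store.ha1, method, f.get("uri", ""), issued_nonce,
                               f.get("nc"), f.get("cnonce"), f.get("qop"))
    return secrets.compare_digest(expected, f.get("response", ""))


def client_authorization(username, realm, password, method, uri, nonce):
    """Client side: builds the header from the typed password (qop=auth)."""
    cnonce, nc = "0a4f113b", "00000001"  # constructed; real clients randomise cnonce
    resp = digest_response(h_a1(username, realm, password), method, uri,
                           nonce, nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def demo():
    """Full exchange with constructed values; returns each check as a bool."""
    store = CredentialStore("admin", REALM, "factory-default")
    store.change_credentials("admin", "new-secret")  # as the web form would do
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
    good = client_authorization("admin", REALM, "new-secret", "GET", "/", nonce)
    bad = client_authorization("admin", REALM, "wrong", "GET", "/", nonce)
    persisted = store.persisted()
    return {
        "flash_has_no_password": "password" not in persisted
                                 and "new-secret" not in persisted.values(),
        "good_password_accepted": server_authenticate_digest(store, "GET", good, nonce),
        "wrong_password_rejected": not server_authenticate_digest(store, "GET", bad, nonce),
        "stale_nonce_rejected": not server_authenticate_digest(store, "GET", good, "other"),
        # H(A1) is bound to the realm: the same password hashes differently elsewhere
        "ha1_is_realm_bound": h_a1("admin", REALM, "new-secret")
                              != h_a1("admin", "other-realm", "new-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the five checks, all true. The nonce comparison in server_authenticate_digest is deliberately strict: a server that accepts any client-supplied nonce turns the stored H(A1) check into a replayable token, which is a separate concern from what is kept in flash.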

-Expose HTTP Digest authentication with H1 hash as the argument
-Preserved HTTP authentication with username/password arguments
-Added a public static function for generating the H1 hash
-Created an example of how to use this called HttpHashCredAuth.ino
@earlephilhower
Collaborator

Ah, did not catch you were only writing the hash in SPIFFS. Looks good to me, we'll see what CI thinks of it. Thanks!
-EFP3

Collaborator

@earlephilhower earlephilhower left a comment

LGTM now!

@earlephilhower earlephilhower added this to the 2.6.0 milestone May 1, 2019
@earlephilhower earlephilhower merged commit 6191fbb into esp8266:master May 23, 2019
@earlephilhower
Collaborator

Thanks for the contribution, @overtone1000! 2.5.2 just came out so we can start adding feature updates like this.

@overtone1000
Contributor Author

I'm very appreciative of the work you all do on this project. This is my first ever PR, so thank you for helping me!

@twinclouds

Got the following error:
'class BearSSL::ESP8266WebServerSecure' has no member named 'authenticateDigest'.
How to fix?

@overtone1000
Contributor Author

@twinclouds, which version of the core are you using? This has been merged into the master branch but isn't yet part of the current release (2.5.2). If you need this feature now you'll need to use the current git version as described in the readme file in the root of this repository.

@overtone1000 overtone1000 deleted the auth-hash branch June 21, 2019 05:19