IPv6 Crash

Question

IPv6 Crash

Opened this issue a year ago · 6 comments

Hi, I have issues using IPv6 authentication. It works in IPv4.

It initially crashed the workers, seen no similar issues opened or closed but then I realized it's in the ongoing pending 2019 PR #34. I then tried the patch compiling from the Debian 11 Nginx 1.18.0-6.1+deb11u3 source. Saw the warnings but it didn't error out as mentioned in the PR, so I proceed using it.

However after a few refresh, albeit successful authentication, it will eventually end up with a error 401. It's also being logged with 'ignoring authentication request - in evasion period' which I guess it never clears the auth_digest_maxtries counters despite successful authentication due to the warnings during the build.

I'm not very familiar with coding hoping this can be fixed soon, Thank you.

Answer 1 · 2023-04-08T21:09:48.000Z

I somewhat got it working with IPv6.

Instead of using sockaddr_storage as mentioned in this pending 2019 PR #34, I made all the ngx_memcpy occurrences for the source size to use the destination size if it's larger, idea sourced from https://stackoverflow.com/questions/1184291/creating-a-wrapper-for-strncpy-to-insert-terminating-null.

Tested with both IPv4 and IPv6 in evasive mode and it works as expected. However honestly I'm not sure of the implications by using a smaller size for the IPv6 evasive mode or this is even the correct approach solving this issue as I'm not well versed in C.

Anyone can advise?

Answer 2 · 2023-04-08T21:12:26.000Z

static size_t ngx_http_auth_digest_get_copy_size(size_t source_size, size_t dest_size) {
  return (dest_size <= source_size ? dest_size : source_size);
}
...
  ngx_memcpy(&testnode.src_addr, r->connection->sockaddr,
            ngx_http_auth_digest_get_copy_size(sizeof(r->connection->sockaddr), sizeof(&testnode)));
...
    ngx_memcpy(&node->src_addr, r->connection->sockaddr,
               ngx_http_auth_digest_get_copy_size(sizeof(r->connection->sockaddr), sizeof(&node)));
...
  ngx_memcpy(&testnode.src_addr, r->connection->sockaddr,
             ngx_http_auth_digest_get_copy_size(sizeof(r->connection->sockaddr), sizeof(&testnode)));

Answer 3 · 2023-04-08T21:45:20.000Z

Created a fork master...Nazar78:nginx-http-auth-digest:master.

Answer 4 · 2023-04-15T11:45:21.000Z

I think that there are more places where addresses are used that need to be updated to fit ipv6. I'm afraid that I currently don't use this module anymore and don't have the time to look into this.

Answer 5 · 2023-04-15T19:28:27.000Z

Thank you for the reply. Just a question, do you happen to know which is the latest fork still being maintained?

Answer 6 · 2023-04-17T12:22:28.000Z

That is this one as far as I know.