Add option to use a variable cnonce length on digest authentication

[feckert]

I wanted to establish an https connection to an embedded system to retrieve data.
In order to retrieve the data, I have to make an digest authentication against this system with username and password.
This did not work even though the password and the username was correct.
A debug session has shown that it is due to the long cnonce length. The embedded system can only process a cnonce length of 16 for whatever reason!

If I change the following length from 33 to 17 , the connection works.

curl/lib/vauth/digest.c

Line 712 in 96f7547

char cnoncebuf[33];

curl/lib/vauth/digest.c

Line 355 in 96f7547

char cnonce[33];

Now my question:
Could we make the length of the cnonce configurable and not fix at compile time?

[bagder]

I think having such a niche thing configurable at run-time would be overkill. In particular since this sounds like a broken implementation. 32 hex characters is 128 bits of random, which incidentally seems to often be the minimum recommended size for a nonce.

[empwilli]

We indeed do have such a niche situation with a (faulty) embedded device that only accepts up to 16 characters.

As far as I understand it, the specification does not stipulate a specific length (or limit). Incidentally, however, 16 characters is what other clients (Postman, Chrome, Python requests) appear to use.

Out of interest: would you be open to PRs to make the cnonce lengths runtime (or compile time) configurable? If not, can you assess whether adjusting the lengths for cnoncebuf and cnonce to 17 would be a safe modification?

[bagder]

The fact that those other implementations you mention use a 16 byte nonce is of course a pretty convincing argument that curl should perhaps also just rather switch to that - in the name of better compliance with silly implementations such as the ones you work with...

[jay]

@feckert would you be up to submitting a PR to address this issue?

[feckert]

Yes, I can do that.

[feckert]

@jay done via #15665