http_digest.c 5.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
  26. #include "urldata.h"
  27. #include "strcase.h"
  28. #include "vauth/vauth.h"
  29. #include "http_digest.h"
  30. /* The last 3 #include files should be in this order */
  31. #include "curl_printf.h"
  32. #include "curl_memory.h"
  33. #include "memdebug.h"
  34. /* Test example headers:
  35. WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
  36. Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"
  37. */
  38. CURLcode Curl_input_digest(struct Curl_easy *data,
  39. bool proxy,
  40. const char *header) /* rest of the *-authenticate:
  41. header */
  42. {
  43. /* Point to the correct struct with this */
  44. struct digestdata *digest;
  45. if(proxy) {
  46. digest = &data->state.proxydigest;
  47. }
  48. else {
  49. digest = &data->state.digest;
  50. }
  51. if(!checkprefix("Digest", header) || !ISBLANK(header[6]))
  52. return CURLE_BAD_CONTENT_ENCODING;
  53. header += strlen("Digest");
  54. while(*header && ISBLANK(*header))
  55. header++;
  56. return Curl_auth_decode_digest_http_message(header, digest);
  57. }
  58. CURLcode Curl_output_digest(struct Curl_easy *data,
  59. bool proxy,
  60. const unsigned char *request,
  61. const unsigned char *uripath)
  62. {
  63. CURLcode result;
  64. unsigned char *path = NULL;
  65. char *tmp = NULL;
  66. char *response;
  67. size_t len;
  68. bool have_chlg;
  69. /* Point to the address of the pointer that holds the string to send to the
  70. server, which is for a plain host or for an HTTP proxy */
  71. char **allocuserpwd;
  72. /* Point to the name and password for this */
  73. const char *userp;
  74. const char *passwdp;
  75. /* Point to the correct struct with this */
  76. struct digestdata *digest;
  77. struct auth *authp;
  78. if(proxy) {
  79. #ifdef CURL_DISABLE_PROXY
  80. return CURLE_NOT_BUILT_IN;
  81. #else
  82. digest = &data->state.proxydigest;
  83. allocuserpwd = &data->state.aptr.proxyuserpwd;
  84. userp = data->state.aptr.proxyuser;
  85. passwdp = data->state.aptr.proxypasswd;
  86. authp = &data->state.authproxy;
  87. #endif
  88. }
  89. else {
  90. digest = &data->state.digest;
  91. allocuserpwd = &data->state.aptr.userpwd;
  92. userp = data->state.aptr.user;
  93. passwdp = data->state.aptr.passwd;
  94. authp = &data->state.authhost;
  95. }
  96. Curl_safefree(*allocuserpwd);
  97. /* not set means empty */
  98. if(!userp)
  99. userp = "";
  100. if(!passwdp)
  101. passwdp = "";
  102. #if defined(USE_WINDOWS_SSPI)
  103. have_chlg = !!digest->input_token;
  104. #else
  105. have_chlg = !!digest->nonce;
  106. #endif
  107. if(!have_chlg) {
  108. authp->done = FALSE;
  109. return CURLE_OK;
  110. }
  111. /* So IE browsers < v7 cut off the URI part at the query part when they
  112. evaluate the MD5 and some (IIS?) servers work with them so we may need to
  113. do the Digest IE-style. Note that the different ways cause different MD5
  114. sums to get sent.
  115. Apache servers can be set to do the Digest IE-style automatically using
  116. the BrowserMatch feature:
  117. https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
  118. Further details on Digest implementation differences:
  119. http://www.fngtps.com/2006/09/http-authentication
  120. */
  121. if(authp->iestyle) {
  122. tmp = strchr((char *)uripath, '?');
  123. if(tmp) {
  124. size_t urilen = tmp - (char *)uripath;
  125. /* typecast is fine here since the value is always less than 32 bits */
  126. path = (unsigned char *) aprintf("%.*s", (int)urilen, uripath);
  127. }
  128. }
  129. if(!tmp)
  130. path = (unsigned char *) strdup((char *) uripath);
  131. if(!path)
  132. return CURLE_OUT_OF_MEMORY;
  133. result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
  134. path, digest, &response, &len);
  135. free(path);
  136. if(result)
  137. return result;
  138. *allocuserpwd = aprintf("%sAuthorization: Digest %s\r\n",
  139. proxy ? "Proxy-" : "",
  140. response);
  141. free(response);
  142. if(!*allocuserpwd)
  143. return CURLE_OUT_OF_MEMORY;
  144. authp->done = TRUE;
  145. return CURLE_OK;
  146. }
  147. void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
  148. {
  149. Curl_auth_digest_cleanup(&data->state.digest);
  150. Curl_auth_digest_cleanup(&data->state.proxydigest);
  151. }
  152. #endif