1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25 #include "curl_setup.h"
26
27 #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
28
29 #include "urldata.h"
30 #include "strcase.h"
31 #include "vauth/vauth.h"
32 #include "http_digest.h"
33
34 /* The last 3 #include files should be in this order */
35 #include "curl_printf.h"
36 #include "curl_memory.h"
37 #include "memdebug.h"
38
39 /* Test example headers:
40
41 WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
42 Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"
43
44 */
45
Curl_input_digest(struct Curl_easy * data,bool proxy,const char * header)46 CURLcode Curl_input_digest(struct Curl_easy *data,
47 bool proxy,
48 const char *header) /* rest of the *-authenticate:
49 header */
50 {
51 /* Point to the correct struct with this */
52 struct digestdata *digest;
53
54 if(proxy) {
55 digest = &data->state.proxydigest;
56 }
57 else {
58 digest = &data->state.digest;
59 }
60
61 if(!checkprefix("Digest", header) || !ISBLANK(header[6]))
62 return CURLE_BAD_CONTENT_ENCODING;
63
64 header += strlen("Digest");
65 while(*header && ISBLANK(*header))
66 header++;
67
68 return Curl_auth_decode_digest_http_message(header, digest);
69 }
70
Curl_output_digest(struct Curl_easy * data,bool proxy,const unsigned char * request,const unsigned char * uripath)71 CURLcode Curl_output_digest(struct Curl_easy *data,
72 bool proxy,
73 const unsigned char *request,
74 const unsigned char *uripath)
75 {
76 CURLcode result;
77 unsigned char *path = NULL;
78 char *tmp = NULL;
79 char *response;
80 size_t len;
81 bool have_chlg;
82
83 /* Point to the address of the pointer that holds the string to send to the
84 server, which is for a plain host or for an HTTP proxy */
85 char **allocuserpwd;
86
87 /* Point to the name and password for this */
88 const char *userp;
89 const char *passwdp;
90
91 /* Point to the correct struct with this */
92 struct digestdata *digest;
93 struct auth *authp;
94
95 if(proxy) {
96 #ifdef CURL_DISABLE_PROXY
97 return CURLE_NOT_BUILT_IN;
98 #else
99 digest = &data->state.proxydigest;
100 allocuserpwd = &data->state.aptr.proxyuserpwd;
101 userp = data->state.aptr.proxyuser;
102 passwdp = data->state.aptr.proxypasswd;
103 authp = &data->state.authproxy;
104 #endif
105 }
106 else {
107 digest = &data->state.digest;
108 allocuserpwd = &data->state.aptr.userpwd;
109 userp = data->state.aptr.user;
110 passwdp = data->state.aptr.passwd;
111 authp = &data->state.authhost;
112 }
113
114 Curl_safefree(*allocuserpwd);
115
116 /* not set means empty */
117 if(!userp)
118 userp = "";
119
120 if(!passwdp)
121 passwdp = "";
122
123 #if defined(USE_WINDOWS_SSPI)
124 have_chlg = !!digest->input_token;
125 #else
126 have_chlg = !!digest->nonce;
127 #endif
128
129 if(!have_chlg) {
130 authp->done = FALSE;
131 return CURLE_OK;
132 }
133
134 /* So IE browsers < v7 cut off the URI part at the query part when they
135 evaluate the MD5 and some (IIS?) servers work with them so we may need to
136 do the Digest IE-style. Note that the different ways cause different MD5
137 sums to get sent.
138
139 Apache servers can be set to do the Digest IE-style automatically using
140 the BrowserMatch feature:
141 https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
142
143 Further details on Digest implementation differences:
144 http://www.fngtps.com/2006/09/http-authentication
145 */
146
147 if(authp->iestyle) {
148 tmp = strchr((char *)uripath, '?');
149 if(tmp) {
150 size_t urilen = tmp - (char *)uripath;
151 /* typecast is fine here since the value is always less than 32 bits */
152 path = (unsigned char *) aprintf("%.*s", (int)urilen, uripath);
153 }
154 }
155 if(!tmp)
156 path = (unsigned char *) strdup((char *) uripath);
157
158 if(!path)
159 return CURLE_OUT_OF_MEMORY;
160
161 result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
162 path, digest, &response, &len);
163 free(path);
164 if(result)
165 return result;
166
167 *allocuserpwd = aprintf("%sAuthorization: Digest %s\r\n",
168 proxy ? "Proxy-" : "",
169 response);
170 free(response);
171 if(!*allocuserpwd)
172 return CURLE_OUT_OF_MEMORY;
173
174 authp->done = TRUE;
175
176 return CURLE_OK;
177 }
178
Curl_http_auth_cleanup_digest(struct Curl_easy * data)179 void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
180 {
181 Curl_auth_digest_cleanup(&data->state.digest);
182 Curl_auth_digest_cleanup(&data->state.proxydigest);
183 }
184
185 #endif
186