CURLcode Curl_output_digest(struct connectdata *conn,
bool proxy,
const unsigned char *request,
const unsigned char *uripath)
{
/* We have a Digest setup for this, use it! Now, to get all the details for
this sorted out, I must urge you dear friend to read up on the RFC2617
section 3.2.2, */
size_t urilen;
unsigned char md5buf[16]; /* 16 bytes/128 bits */
unsigned char request_digest[33];
unsigned char *md5this;
unsigned char ha1[33];/* 32 digits and 1 zero byte */
unsigned char ha2[33];/* 32 digits and 1 zero byte */
char cnoncebuf[33];
char *cnonce = NULL;
size_t cnonce_sz = 0;
char *tmp = NULL;
char **allocuserpwd;
size_t userlen;
const char *userp;
char *userp_quoted;
const char *passwdp;
struct auth *authp;
struct SessionHandle *data = conn->data;
struct digestdata *d;
CURLcode result;
/* The CURL_OUTPUT_DIGEST_CONV macro below is for non-ASCII machines.
It converts digest text to ASCII so the MD5 will be correct for
what ultimately goes over the network.
*/
#define CURL_OUTPUT_DIGEST_CONV(a, b) \
result = Curl_convert_to_network(a, (char *)b, strlen((const char*)b)); \
if(result) { \
free(b); \
return result; \
}
if(proxy) {
d = &data->state.proxydigest;
allocuserpwd = &conn->allocptr.proxyuserpwd;
userp = conn->proxyuser;
passwdp = conn->proxypasswd;
authp = &data->state.authproxy;
}
else {
d = &data->state.digest;
allocuserpwd = &conn->allocptr.userpwd;
userp = conn->user;
passwdp = conn->passwd;
authp = &data->state.authhost;
}
Curl_safefree(*allocuserpwd);
/* not set means empty */
if(!userp)
userp="";
if(!passwdp)
passwdp="";
if(!d->nonce) {
authp->done = FALSE;
return CURLE_OK;
}
authp->done = TRUE;
if(!d->nc)
d->nc = 1;
if(!d->cnonce) {
snprintf(cnoncebuf, sizeof(cnoncebuf), "%08x%08x%08x%08x",
Curl_rand(data), Curl_rand(data),
Curl_rand(data), Curl_rand(data));
result = Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf),
&cnonce, &cnonce_sz);
if(result)
return result;
d->cnonce = cnonce;
}
/*
if the algorithm is "MD5" or unspecified (which then defaults to MD5):
A1 = unq(username-value) ":" unq(realm-value) ":" passwd
if the algorithm is "MD5-sess" then:
A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd )
":" unq(nonce-value) ":" unq(cnonce-value)
*/
md5this = (unsigned char *)
aprintf("%s:%s:%s", userp, d->realm, passwdp);
if(!md5this)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, md5this); /* convert on non-ASCII machines */
Curl_md5it(md5buf, md5this);
Curl_safefree(md5this);
md5_to_ascii(md5buf, ha1);
if(d->algo == CURLDIGESTALGO_MD5SESS) {
/* nonce and cnonce are OUTSIDE the hash */
tmp = aprintf("%s:%s:%s", ha1, d->nonce, d->cnonce);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, tmp); /* convert on non-ASCII machines */
Curl_md5it(md5buf, (unsigned char *)tmp);
Curl_safefree(tmp);
md5_to_ascii(md5buf, ha1);
}
/*
If the "qop" directive's value is "auth" or is unspecified, then A2 is:
A2 = Method ":" digest-uri-value
If the "qop" value is "auth-int", then A2 is:
A2 = Method ":" digest-uri-value ":" H(entity-body)
(The "Method" value is the HTTP request method as specified in section
5.1.1 of RFC 2616)
*/
/* So IE browsers < v7 cut off the URI part at the query part when they
evaluate the MD5 and some (IIS?) servers work with them so we may need to
do the Digest IE-style. Note that the different ways cause different MD5
sums to get sent.
Apache servers can be set to do the Digest IE-style automatically using
the BrowserMatch feature:
http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
Further details on Digest implementation differences:
http://www.fngtps.com/2006/09/http-authentication
*/
if(authp->iestyle && ((tmp = strchr((char *)uripath, '?')) != NULL))
urilen = tmp - (char *)uripath;
else
urilen = strlen((char *)uripath);
md5this = (unsigned char *)aprintf("%s:%.*s", request, urilen, uripath);
if(d->qop && Curl_raw_equal(d->qop, "auth-int")) {
/* We don't support auth-int for PUT or POST at the moment.
TODO: replace md5 of empty string with entity-body for PUT/POST */
unsigned char *md5this2 = (unsigned char *)
aprintf("%s:%s", md5this, "d41d8cd98f00b204e9800998ecf8427e");
Curl_safefree(md5this);
md5this = md5this2;
}
if(!md5this)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, md5this); /* convert on non-ASCII machines */
Curl_md5it(md5buf, md5this);
Curl_safefree(md5this);
md5_to_ascii(md5buf, ha2);
if(d->qop) {
md5this = (unsigned char *)aprintf("%s:%s:%08x:%s:%s:%s",
ha1,
d->nonce,
d->nc,
d->cnonce,
d->qop,
ha2);
}
else {
md5this = (unsigned char *)aprintf("%s:%s:%s",
ha1,
d->nonce,
ha2);
}
if(!md5this)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, md5this); /* convert on non-ASCII machines */
Curl_md5it(md5buf, md5this);
Curl_safefree(md5this);
md5_to_ascii(md5buf, request_digest);
/* for test case 64 (snooped from a Mozilla 1.3a request)
Authorization: Digest username="******", realm="testrealm", \
nonce="1053604145", uri="/64", response="c55f7f30d83d774a3d2dcacf725abaca"
Digest parameters are all quoted strings. Username which is provided by
the user will need double quotes and backslashes within it escaped. For
the other fields, this shouldn't be an issue. realm, nonce, and opaque
are copied as is from the server, escapes and all. cnonce is generated
with web-safe characters. uri is already percent encoded. nc is 8 hex
characters. algorithm and qop with standard values only contain web-safe
chracters.
*/
userp_quoted = string_quoted(userp);
if(!userp_quoted)
return CURLE_OUT_OF_MEMORY;
if(d->qop) {
*allocuserpwd =
aprintf( "%sAuthorization: Digest "
"username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%.*s\", "
"cnonce=\"%s\", "
"nc=%08x, "
"qop=%s, "
"response=\"%s\"",
proxy?"Proxy-":"",
userp_quoted,
d->realm,
d->nonce,
urilen, uripath, /* this is the PATH part of the URL */
d->cnonce,
d->nc,
d->qop,
request_digest);
if(Curl_raw_equal(d->qop, "auth"))
d->nc++; /* The nc (from RFC) has to be a 8 hex digit number 0 padded
which tells to the server how many times you are using the
same nonce in the qop=auth mode. */
}
else {
*allocuserpwd =
aprintf( "%sAuthorization: Digest "
"username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%.*s\", "
"response=\"%s\"",
proxy?"Proxy-":"",
userp_quoted,
d->realm,
d->nonce,
urilen, uripath, /* this is the PATH part of the URL */
request_digest);
}
Curl_safefree(userp_quoted);
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
/* Add optional fields */
if(d->opaque) {
/* append opaque */
tmp = aprintf("%s, opaque=\"%s\"", *allocuserpwd, d->opaque);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
free(*allocuserpwd);
*allocuserpwd = tmp;
}
if(d->algorithm) {
/* append algorithm */
tmp = aprintf("%s, algorithm=\"%s\"", *allocuserpwd, d->algorithm);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
free(*allocuserpwd);
*allocuserpwd = tmp;
}
/* append CRLF + zero (3 bytes) to the userpwd header */
userlen = strlen(*allocuserpwd);
tmp = realloc(*allocuserpwd, userlen + 3);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
strcpy(&tmp[userlen], "\r\n"); /* append the data */
*allocuserpwd = tmp;
return CURLE_OK;
}
CURLcode Curl_output_digest(struct connectdata *conn,
bool proxy,
const unsigned char *request,
const unsigned char *uripath)
{
/* We have a Digest setup for this, use it! Now, to get all the details for
this sorted out, I must urge you dear friend to read up on the RFC2617
section 3.2.2, */
unsigned char md5buf[16]; /* 16 bytes/128 bits */
unsigned char request_digest[33];
unsigned char *md5this;
unsigned char *ha1;
unsigned char ha2[33];/* 32 digits and 1 zero byte */
char cnoncebuf[7];
char *cnonce;
char *tmp = NULL;
struct timeval now;
char **allocuserpwd;
const char *userp;
const char *passwdp;
struct auth *authp;
struct SessionHandle *data = conn->data;
struct digestdata *d;
#ifdef CURL_DOES_CONVERSIONS
CURLcode rc;
/* The CURL_OUTPUT_DIGEST_CONV macro below is for non-ASCII machines.
It converts digest text to ASCII so the MD5 will be correct for
what ultimately goes over the network.
*/
#define CURL_OUTPUT_DIGEST_CONV(a, b) \
rc = Curl_convert_to_network(a, (char *)b, strlen((const char*)b)); \
if(rc != CURLE_OK) { \
free(b); \
return rc; \
}
#else
#define CURL_OUTPUT_DIGEST_CONV(a, b)
#endif /* CURL_DOES_CONVERSIONS */
if(proxy) {
d = &data->state.proxydigest;
allocuserpwd = &conn->allocptr.proxyuserpwd;
userp = conn->proxyuser;
passwdp = conn->proxypasswd;
authp = &data->state.authproxy;
}
else {
d = &data->state.digest;
allocuserpwd = &conn->allocptr.userpwd;
userp = conn->user;
passwdp = conn->passwd;
authp = &data->state.authhost;
}
if(*allocuserpwd) {
Curl_safefree(*allocuserpwd);
*allocuserpwd = NULL;
}
/* not set means empty */
if(!userp)
userp="";
if(!passwdp)
passwdp="";
if(!d->nonce) {
authp->done = FALSE;
return CURLE_OK;
}
authp->done = TRUE;
if(!d->nc)
d->nc = 1;
if(!d->cnonce) {
/* Generate a cnonce */
now = Curl_tvnow();
snprintf(cnoncebuf, sizeof(cnoncebuf), "%06ld", (long)now.tv_sec);
if(Curl_base64_encode(data, cnoncebuf, strlen(cnoncebuf), &cnonce))
d->cnonce = cnonce;
else
return CURLE_OUT_OF_MEMORY;
}
/*
if the algorithm is "MD5" or unspecified (which then defaults to MD5):
A1 = unq(username-value) ":" unq(realm-value) ":" passwd
if the algorithm is "MD5-sess" then:
A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd )
":" unq(nonce-value) ":" unq(cnonce-value)
*/
md5this = (unsigned char *)
aprintf("%s:%s:%s", userp, d->realm, passwdp);
if(!md5this)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, md5this); /* convert on non-ASCII machines */
Curl_md5it(md5buf, md5this);
free(md5this); /* free this again */
ha1 = malloc(33); /* 32 digits and 1 zero byte */
if(!ha1)
return CURLE_OUT_OF_MEMORY;
md5_to_ascii(md5buf, ha1);
if(d->algo == CURLDIGESTALGO_MD5SESS) {
/* nonce and cnonce are OUTSIDE the hash */
tmp = aprintf("%s:%s:%s", ha1, d->nonce, d->cnonce);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, tmp); /* convert on non-ASCII machines */
Curl_md5it(md5buf, (unsigned char *)tmp);
free(tmp); /* free this again */
md5_to_ascii(md5buf, ha1);
}
/*
If the "qop" directive's value is "auth" or is unspecified, then A2 is:
A2 = Method ":" digest-uri-value
If the "qop" value is "auth-int", then A2 is:
A2 = Method ":" digest-uri-value ":" H(entity-body)
(The "Method" value is the HTTP request method as specified in section
5.1.1 of RFC 2616)
*/
/* So IE browsers < v7 cut off the URI part at the query part when they
evaluate the MD5 and some (IIS?) servers work with them so we may need to
do the Digest IE-style. Note that the different ways cause different MD5
sums to get sent.
Apache servers can be set to do the Digest IE-style automatically using
the BrowserMatch feature:
http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
Further details on Digest implementation differences:
http://www.fngtps.com/2006/09/http-authentication
*/
if(authp->iestyle && ((tmp = strchr((char *)uripath, '?')) != NULL)) {
md5this = (unsigned char *)aprintf("%s:%.*s", request,
(int)(tmp - (char *)uripath), uripath);
}
else
md5this = (unsigned char *)aprintf("%s:%s", request, uripath);
if(!md5this) {
free(ha1);
return CURLE_OUT_OF_MEMORY;
}
if(d->qop && Curl_raw_equal(d->qop, "auth-int")) {
/* We don't support auth-int at the moment. I can't see a easy way to get
entity-body here */
/* TODO: Append H(entity-body)*/
}
CURL_OUTPUT_DIGEST_CONV(data, md5this); /* convert on non-ASCII machines */
Curl_md5it(md5buf, md5this);
free(md5this); /* free this again */
md5_to_ascii(md5buf, ha2);
if(d->qop) {
md5this = (unsigned char *)aprintf("%s:%s:%08x:%s:%s:%s",
ha1,
d->nonce,
d->nc,
d->cnonce,
d->qop,
ha2);
}
else {
md5this = (unsigned char *)aprintf("%s:%s:%s",
ha1,
d->nonce,
ha2);
}
free(ha1);
if(!md5this)
return CURLE_OUT_OF_MEMORY;
CURL_OUTPUT_DIGEST_CONV(data, md5this); /* convert on non-ASCII machines */
Curl_md5it(md5buf, md5this);
free(md5this); /* free this again */
md5_to_ascii(md5buf, request_digest);
/* for test case 64 (snooped from a Mozilla 1.3a request)
Authorization: Digest username="******", realm="testrealm", \
nonce="1053604145", uri="/64", response="c55f7f30d83d774a3d2dcacf725abaca"
*/
if(d->qop) {
*allocuserpwd =
aprintf( "%sAuthorization: Digest "
"username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%s\", "
"cnonce=\"%s\", "
"nc=%08x, "
"qop=\"%s\", "
"response=\"%s\"",
proxy?"Proxy-":"",
userp,
d->realm,
d->nonce,
uripath, /* this is the PATH part of the URL */
d->cnonce,
d->nc,
d->qop,
request_digest);
if(Curl_raw_equal(d->qop, "auth"))
d->nc++; /* The nc (from RFC) has to be a 8 hex digit number 0 padded
which tells to the server how many times you are using the
same nonce in the qop=auth mode. */
}
else {
*allocuserpwd =
aprintf( "%sAuthorization: Digest "
"username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%s\", "
"response=\"%s\"",
proxy?"Proxy-":"",
userp,
d->realm,
d->nonce,
uripath, /* this is the PATH part of the URL */
request_digest);
}
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
/* Add optional fields */
if(d->opaque) {
/* append opaque */
tmp = aprintf("%s, opaque=\"%s\"", *allocuserpwd, d->opaque);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
free(*allocuserpwd);
*allocuserpwd = tmp;
}
if(d->algorithm) {
/* append algorithm */
tmp = aprintf("%s, algorithm=\"%s\"", *allocuserpwd, d->algorithm);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
free(*allocuserpwd);
*allocuserpwd = tmp;
}
/* append CRLF + zero (3 bytes) to the userpwd header */
tmp = realloc(*allocuserpwd, strlen(*allocuserpwd) + 3);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
strcat(tmp, "\r\n");
*allocuserpwd = tmp;
return CURLE_OK;
}
CURLcode Curl_output_digest(struct connectdata *conn,
unsigned char *request,
unsigned char *uripath)
{
/* We have a Digest setup for this, use it! Now, to get all the details for
this sorted out, I must urge you dear friend to read up on the RFC2617
section 3.2.2, */
unsigned char md5buf[16]; /* 16 bytes/128 bits */
unsigned char ha1[33]; /* 32 digits and 1 zero byte */
unsigned char ha2[33];
unsigned char request_digest[33];
unsigned char *md5this;
struct SessionHandle *data = conn->data;
/*
if the algorithm is "MD5" or unspecified (which then defaults to MD5):
A1 = unq(username-value) ":" unq(realm-value) ":" passwd
if the algorithm is "MD5-sess" then:
A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd )
":" unq(nonce-value) ":" unq(cnonce-value)
*/
if(data->state.digest.algo == CURLDIGESTALGO_MD5SESS) {
md5this = (unsigned char *)
aprintf("%s:%s:%s:%s:%s",
conn->user,
data->state.digest.realm,
conn->passwd,
data->state.digest.nonce,
data->state.digest.cnonce);
}
else {
md5this = (unsigned char *)
aprintf("%s:%s:%s",
conn->user,
data->state.digest.realm,
conn->passwd);
}
Curl_md5it(md5buf, md5this);
free(md5this); /* free this again */
md5_to_ascii(md5buf, ha1);
/*
A2 = Method ":" digest-uri-value
(The "Method" value is the HTTP request method as specified in section
5.1.1 of RFC 2616)
*/
md5this = (unsigned char *)aprintf("%s:%s", request, uripath);
Curl_md5it(md5buf, md5this);
free(md5this); /* free this again */
md5_to_ascii(md5buf, ha2);
md5this = (unsigned char *)aprintf("%s:%s:%s", ha1, data->state.digest.nonce,
ha2);
Curl_md5it(md5buf, md5this);
free(md5this); /* free this again */
md5_to_ascii(md5buf, request_digest);
/* for test case 64 (snooped from a Mozilla 1.3a request)
Authorization: Digest username="******", realm="testrealm", \
nonce="1053604145", uri="/64", response="c55f7f30d83d774a3d2dcacf725abaca"
*/
conn->allocptr.userpwd =
aprintf( "Authorization: Digest "
"username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%s\", "
"response=\"%s\"\r\n",
conn->user,
data->state.digest.realm,
data->state.digest.nonce,
uripath, /* this is the PATH part of the URL */
request_digest );
return CURLE_OK;
}
CURLcode Curl_output_digest(struct connectdata *conn,
bool proxy,
unsigned char *request,
unsigned char *uripath)
{
/* We have a Digest setup for this, use it! Now, to get all the details for
this sorted out, I must urge you dear friend to read up on the RFC2617
section 3.2.2, */
unsigned char md5buf[16]; /* 16 bytes/128 bits */
unsigned char request_digest[33];
unsigned char *md5this;
unsigned char *ha1;
unsigned char ha2[33];/* 32 digits and 1 zero byte */
char cnoncebuf[7];
char *cnonce;
char *tmp = NULL;
struct timeval now;
char **allocuserpwd;
char *userp;
char *passwdp;
struct auth *authp;
struct SessionHandle *data = conn->data;
struct digestdata *d;
if(proxy) {
d = &data->state.proxydigest;
allocuserpwd = &conn->allocptr.proxyuserpwd;
userp = conn->proxyuser;
passwdp = conn->proxypasswd;
authp = &data->state.authproxy;
}
else {
d = &data->state.digest;
allocuserpwd = &conn->allocptr.userpwd;
userp = conn->user;
passwdp = conn->passwd;
authp = &data->state.authhost;
}
/* not set means empty */
if(!userp)
userp=(char *)"";
if(!passwdp)
passwdp=(char *)"";
if(!d->nonce) {
authp->done = FALSE;
return CURLE_OK;
}
authp->done = TRUE;
if(!d->nc)
d->nc = 1;
if(!d->cnonce) {
/* Generate a cnonce */
now = Curl_tvnow();
snprintf(cnoncebuf, sizeof(cnoncebuf), "%06ld", now.tv_sec);
if(Curl_base64_encode(cnoncebuf, strlen(cnoncebuf), &cnonce))
d->cnonce = cnonce;
else
return CURLE_OUT_OF_MEMORY;
}
/*
if the algorithm is "MD5" or unspecified (which then defaults to MD5):
A1 = unq(username-value) ":" unq(realm-value) ":" passwd
if the algorithm is "MD5-sess" then:
A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd )
":" unq(nonce-value) ":" unq(cnonce-value)
*/
md5this = (unsigned char *)
aprintf("%s:%s:%s", userp, d->realm, passwdp);
if(!md5this)
return CURLE_OUT_OF_MEMORY;
Curl_md5it(md5buf, md5this);
free(md5this); /* free this again */
ha1 = (unsigned char *)malloc(33); /* 32 digits and 1 zero byte */
if(!ha1)
return CURLE_OUT_OF_MEMORY;
md5_to_ascii(md5buf, ha1);
if(d->algo == CURLDIGESTALGO_MD5SESS) {
/* nonce and cnonce are OUTSIDE the hash */
tmp = aprintf("%s:%s:%s", ha1, d->nonce, d->cnonce);
free(ha1);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
ha1 = (unsigned char *)tmp;
}
/*
If the "qop" directive's value is "auth" or is unspecified, then A2 is:
A2 = Method ":" digest-uri-value
If the "qop" value is "auth-int", then A2 is:
A2 = Method ":" digest-uri-value ":" H(entity-body)
(The "Method" value is the HTTP request method as specified in section
5.1.1 of RFC 2616)
*/
md5this = (unsigned char *)aprintf("%s:%s", request, uripath);
if(!md5this) {
free(ha1);
return CURLE_OUT_OF_MEMORY;
}
if (d->qop && strequal(d->qop, "auth-int")) {
/* We don't support auth-int at the moment. I can't see a easy way to get
entity-body here */
/* TODO: Append H(entity-body)*/
}
Curl_md5it(md5buf, md5this);
free(md5this); /* free this again */
md5_to_ascii(md5buf, ha2);
if (d->qop) {
md5this = (unsigned char *)aprintf("%s:%s:%08x:%s:%s:%s",
ha1,
d->nonce,
d->nc,
d->cnonce,
d->qop,
ha2);
}
else {
md5this = (unsigned char *)aprintf("%s:%s:%s",
ha1,
d->nonce,
ha2);
}
free(ha1);
if(!md5this)
return CURLE_OUT_OF_MEMORY;
Curl_md5it(md5buf, md5this);
free(md5this); /* free this again */
md5_to_ascii(md5buf, request_digest);
/* for test case 64 (snooped from a Mozilla 1.3a request)
Authorization: Digest username="******", realm="testrealm", \
nonce="1053604145", uri="/64", response="c55f7f30d83d774a3d2dcacf725abaca"
*/
Curl_safefree(*allocuserpwd);
if (d->qop) {
*allocuserpwd =
aprintf( "%sAuthorization: Digest "
"username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%s\", "
"cnonce=\"%s\", "
"nc=%08x, "
"qop=\"%s\", "
"response=\"%s\"",
proxy?"Proxy-":"",
userp,
d->realm,
d->nonce,
uripath, /* this is the PATH part of the URL */
d->cnonce,
d->nc,
d->qop,
request_digest);
if(strequal(d->qop, "auth"))
d->nc++; /* The nc (from RFC) has to be a 8 hex digit number 0 padded
which tells to the server how many times you are using the
same nonce in the qop=auth mode. */
}
else {
*allocuserpwd =
aprintf( "%sAuthorization: Digest "
"username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%s\", "
"response=\"%s\"",
proxy?"Proxy-":"",
userp,
d->realm,
d->nonce,
uripath, /* this is the PATH part of the URL */
request_digest);
}
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
/* Add optional fields */
if(d->opaque) {
/* append opaque */
tmp = aprintf("%s, opaque=\"%s\"", *allocuserpwd, d->opaque);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
free(*allocuserpwd);
*allocuserpwd = tmp;
}
if(d->algorithm) {
/* append algorithm */
tmp = aprintf("%s, algorithm=\"%s\"", *allocuserpwd, d->algorithm);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
free(*allocuserpwd);
*allocuserpwd = tmp;
}
/* append CRLF to the userpwd header */
tmp = (char*) realloc(*allocuserpwd, strlen(*allocuserpwd) + 3 + 1);
if(!tmp)
return CURLE_OUT_OF_MEMORY;
strcat(tmp, "\r\n");
*allocuserpwd = tmp;
return CURLE_OK;
}
/* Pass this the value of the 'Authentication-Info:' header field, if
* one is received.
* Returns:
* 0 if it gives a valid authentication for the server
* non-zero otherwise (don't believe the response in this case!).
*/
int http_auth_verify_response(http_auth_session *sess, const char *value)
{
char **pairs;
http_auth_qop qop = http_auth_qop_none;
char *nextnonce = NULL, /* for the nextnonce= value */
*rspauth = NULL, /* for the rspauth= value */
*cnonce = NULL, /* for the cnonce= value */
*nc = NULL, /* for the nc= value */
*unquoted, *qop_value = NULL;
int n, nonce_count, okay;
if (!sess->will_handle) {
/* Ignore it */
return 0;
}
if (sess->scheme != http_auth_scheme_digest) {
DEBUG(DEBUG_HTTPAUTH, "Found Auth-Info header not in response to Digest credentials - dodgy.\n");
return -1;
}
DEBUG (DEBUG_HTTPAUTH, "Auth-Info header: %s\n", value);
pairs = pair_string(value, ',', '=', HTTP_QUOTES, HTTP_WHITESPACE);
for (n = 0; pairs[n]!=NULL; n+=2) {
unquoted = shave_string(pairs[n+1], '"');
if (strcasecmp(pairs[n], "qop") == 0) {
qop_value = ne_strdup(pairs[n+1]);
if (strcasecmp(pairs[n+1], "auth-int") == 0) {
qop = http_auth_qop_auth_int;
} else if (strcasecmp(pairs[n+1], "auth") == 0) {
qop = http_auth_qop_auth;
} else {
qop = http_auth_qop_none;
}
} else if (strcasecmp(pairs[n], "nextnonce") == 0) {
nextnonce = ne_strdup(unquoted);
} else if (strcasecmp(pairs[n], "rspauth") == 0) {
rspauth = ne_strdup(unquoted);
} else if (strcasecmp(pairs[n], "cnonce") == 0) {
cnonce = ne_strdup(unquoted);
} else if (strcasecmp(pairs[n], "nc") == 0) {
nc = ne_strdup(pairs[n]);
if (sscanf(pairs[n+1], "%x", &nonce_count) != 1) {
DEBUG(DEBUG_HTTPAUTH, "Couldn't scan [%s] for nonce count.\n",
pairs[n+1]);
} else {
DEBUG(DEBUG_HTTPAUTH, "Got nonce_count: %d\n", nonce_count);
}
}
free(unquoted);
}
pair_string_free(pairs);
/* Presume the worst */
okay = -1;
if ((qop != http_auth_qop_none) && (qop_value != NULL)) {
if ((rspauth == NULL) || (cnonce == NULL) || (nc == NULL)) {
DEBUG(DEBUG_HTTPAUTH, "Missing rspauth, cnonce or nc with qop.\n");
} else { /* Have got rspauth, cnonce and nc */
if (strcmp(cnonce, sess->unq_cnonce) != 0) {
DEBUG(DEBUG_HTTPAUTH, "Response cnonce doesn't match.\n");
} else if (nonce_count != sess->nonce_count) {
DEBUG(DEBUG_HTTPAUTH, "Response nonce count doesn't match.\n");
} else {
/* Calculate and check the response-digest value.
* joe: IMO the spec is slightly ambiguous as to whether
* we use the qop which WE sent, or the qop which THEY
* sent... */
struct md5_ctx a2;
unsigned char a2_md5[16], rdig_md5[16];
char a2_md5_ascii[33], rdig_md5_ascii[33];
DEBUG(DEBUG_HTTPAUTH, "Calculating response-digest.\n");
/* First off, H(A2) again. */
md5_init_ctx(&a2);
md5_process_bytes(":", 1, &a2);
md5_process_bytes(sess->uri, strlen(sess->uri), &a2);
if (qop == http_auth_qop_auth_int) {
unsigned char heb_md5[16];
char heb_md5_ascii[33];
/* Add on ":" H(entity-body) */
md5_finish_ctx(&sess->response_body, heb_md5);
md5_to_ascii(heb_md5, heb_md5_ascii);
md5_process_bytes(":", 1, &a2);
md5_process_bytes(heb_md5_ascii, 32, &a2);
DEBUG(DEBUG_HTTPAUTH, "Digested [:%s]\n", heb_md5_ascii);
}
md5_finish_ctx(&a2, a2_md5);
md5_to_ascii(a2_md5, a2_md5_ascii);
/* We have the stored digest-so-far of
* H(A1) ":" unq(nonce-value)
* [ ":" nc-value ":" unq(cnonce-value) ] for qop
* in sess->stored_rdig, to save digesting them again.
*
*/
if (qop != http_auth_qop_none) {
/* Add in qop-value */
DEBUG(DEBUG_HTTPAUTH, "Digesting qop-value [%s:].\n",
qop_value);
md5_process_bytes(qop_value, strlen(qop_value),
&sess->stored_rdig);
md5_process_bytes(":", 1, &sess->stored_rdig);
}
/* Digest ":" H(A2) */
md5_process_bytes(a2_md5_ascii, 32, &sess->stored_rdig);
/* All done */
md5_finish_ctx(&sess->stored_rdig, rdig_md5);
md5_to_ascii(rdig_md5, rdig_md5_ascii);
DEBUG(DEBUG_HTTPAUTH, "Calculated response-digest of: [%s]\n",
rdig_md5_ascii);
DEBUG(DEBUG_HTTPAUTH, "Given response-digest of: [%s]\n",
rspauth);
/* And... do they match? */
okay = (strcasecmp(rdig_md5_ascii, rspauth) == 0)?0:-1;
DEBUG(DEBUG_HTTPAUTH, "Matched: %s\n", okay?"nope":"YES!");
}
free(rspauth);
free(cnonce);
free(nc);
}
free(qop_value);
} else {
DEBUG(DEBUG_HTTPAUTH, "No qop directive, auth okay.\n");
okay = 0;
}
/* Check for a nextnonce */
if (nextnonce != NULL) {
DEBUG(DEBUG_HTTPAUTH, "Found nextnonce of [%s].\n", nextnonce);
if (sess->unq_nonce != NULL)
free(sess->unq_nonce);
sess->unq_nonce = nextnonce;
}
return okay;
}
/* Return Digest authentication credentials header value for the given
* session. */
static char *request_digest(http_auth_session *sess)
{
struct md5_ctx a2, rdig;
unsigned char a2_md5[16], rdig_md5[16];
char a2_md5_ascii[33], rdig_md5_ascii[33];
char nc_value[9] = {0}, *ret;
const char *qop_value; /* qop-value */
size_t retlen;
/* Increase the nonce-count */
if (sess->qop != http_auth_qop_none) {
sess->nonce_count++;
snprintf(nc_value, 9, "%08x", sess->nonce_count);
DEBUG(DEBUG_HTTPAUTH, "Nonce count is %d, nc is [%s]\n",
sess->nonce_count, nc_value);
}
qop_value = qop_values[sess->qop];
/* Calculate H(A2). */
md5_init_ctx(&a2);
md5_process_bytes(sess->method, strlen(sess->method), &a2);
md5_process_bytes(":", 1, &a2);
md5_process_bytes(sess->uri, strlen(sess->uri), &a2);
if (sess->qop == http_auth_qop_auth_int) {
/* Calculate H(entity-body) */
if (sess->got_body) {
char tmp_md5_ascii[33];
unsigned char tmp_md5[16];
if (sess->body_stream != NULL) {
DEBUG(DEBUG_HTTPAUTH, "Digesting body stream.\n");
md5_stream(sess->body_stream, tmp_md5);
rewind(sess->body_stream); /* leave it at the beginning */
} else if (sess->body_buffer) {
DEBUG(DEBUG_HTTPAUTH, "Digesting body buffer.\n");
md5_buffer(sess->body_buffer, strlen(sess->body_buffer),
tmp_md5);
}
md5_to_ascii(tmp_md5, tmp_md5_ascii);
DEBUG(DEBUG_HTTPAUTH, "H(entity-body) is [%s]\n", tmp_md5_ascii);
/* Append to A2 */
md5_process_bytes(":", 1, &a2);
md5_process_bytes(tmp_md5_ascii, 32, &a2);
} else {
/* No entity-body. */
DEBUG(DEBUG_HTTPAUTH, "Digesting empty entity-body.\n");
md5_process_bytes(":" DIGEST_MD5_EMPTY, 33, &a2);
}
}
md5_finish_ctx(&a2, a2_md5);
md5_to_ascii(a2_md5, a2_md5_ascii);
DEBUG(DEBUG_HTTPAUTH, "H(A2): %s\n", a2_md5_ascii);
DEBUG(DEBUG_HTTPAUTH, "Calculating Request-Digest.\n");
/* Now, calculation of the Request-Digest.
* The first section is the regardless of qop value
* H(A1) ":" unq(nonce-value) ":" */
md5_init_ctx(&rdig);
/* Use the calculated H(A1) */
md5_process_bytes(sess->h_a1, 32, &rdig);
md5_process_bytes(":", 1, &rdig);
md5_process_bytes(sess->unq_nonce, strlen(sess->unq_nonce), &rdig);
md5_process_bytes(":", 1, &rdig);
if (sess->qop != http_auth_qop_none) {
/* Add on:
* nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":"
*/
DEBUG(DEBUG_HTTPAUTH, "Have qop directive, digesting: [%s:%s:%s]\n",
nc_value, sess->unq_cnonce, qop_value);
md5_process_bytes(nc_value, 8, &rdig);
md5_process_bytes(":", 1, &rdig);
md5_process_bytes(sess->unq_cnonce, strlen(sess->unq_cnonce), &rdig);
md5_process_bytes(":", 1, &rdig);
/* Store a copy of this structure (see note below) */
sess->stored_rdig = rdig;
md5_process_bytes(qop_value, strlen(qop_value), &rdig);
md5_process_bytes(":", 1, &rdig);
} else {
/* Store a copy of this structure... we do this because the
* calculation of the rspauth= field in the Auth-Info header
* is the same as this digest, up to this point. */
sess->stored_rdig = rdig;
}
/* And finally, H(A2) */
md5_process_bytes(a2_md5_ascii, 32, &rdig);
md5_finish_ctx(&rdig, rdig_md5);
md5_to_ascii(rdig_md5, rdig_md5_ascii);
/* Buffer size calculation. */
retlen =
6 /* Digest */
+ 1 + 8 + 1 + 2 + strlen(sess->username) /* username="******" */
+ 2 + 5 + 1 + 2 + strlen(sess->unq_realm) /* , realm="..." */
+ 2 + 5 + 1 + 2 + strlen(sess->unq_nonce) /* , nonce="..." */
+ 2 + 3 + 1 + 2 + strlen(sess->uri) /* , uri="..." */
+ 2 + 8 + 1 + 2 + 32 /* , response="..." */
+ 2 + 9 + 1 + 2 + strlen(algorithm_names[sess->alg]) /*
, algorithm="..." */
;
if (sess->opaque != NULL)
retlen += 2 + 6 + 1 + strlen(sess->opaque); /* , opaque=... */
if (sess->qop != http_auth_qop_none)
retlen +=
2 + 6 + 2 + 1 + strlen(sess->unq_cnonce) + /* , cnonce="..." */
2 + 2 + 1 + 8 + /* , nc=... */
2 + 3 + 1 + 2 + strlen(qop_values[sess->qop]) /* , qop="..." */
;
retlen += 2; /* \r\n */
DEBUG(DEBUG_HTTPAUTH, "Calculated length of buffer: %d\n", retlen);
ret = ne_calloc(retlen + 1);
sprintf(ret,
"Digest username=\"%s\", realm=\"%s\""
", nonce=\"%s\", uri=\"%s\", response=\"%s\""
", algorithm=\"%s\"",
sess->username, sess->unq_realm,
sess->unq_nonce, sess->uri, rdig_md5_ascii,
algorithm_names[sess->alg]);
if (sess->opaque != NULL) {
/* We never unquote it, so it's still quoted here */
strcat(ret, ", opaque=");
strcat(ret, sess->opaque);
}
if (sess->qop != http_auth_qop_none) {
/* Add in cnonce and nc-value fields */
strcat(ret, ", cnonce=\"");
strcat(ret, sess->unq_cnonce);
strcat(ret, "\", nc=");
strcat(ret, nc_value);
strcat(ret, ", qop=\"");
strcat(ret, qop_values[sess->qop]);
strcat(ret, "\"");
}
DEBUG(DEBUG_HTTPAUTH, "Digest header field value:\n%s\n", ret);
strcat(ret, "\r\n");
DEBUG(DEBUG_HTTPAUTH, "Calculated length: %d, actual length: %d\n",
retlen, strlen(ret));
return ret;
}
/* Examine a digest challenge: return 0 if it is a valid Digest challenge,
* else non-zero. */
static int digest_challenge(http_auth_session *sess,
struct http_auth_chall *parms)
{
struct md5_ctx tmp;
unsigned char tmp_md5[16];
char *password;
/* Do we understand this challenge? */
if (parms->alg == http_auth_alg_unknown) {
DEBUG(DEBUG_HTTPAUTH, "Unknown algorithm.\n");
return -1;
}
if ((parms->alg == http_auth_alg_md5_sess) &&
!(parms->qop_auth || parms->qop_auth_int)) {
DEBUG(DEBUG_HTTPAUTH, "Server did not give qop with MD5-session alg.\n");
return -1;
}
if ((parms->realm==NULL) || (parms->nonce==NULL)) {
DEBUG(DEBUG_HTTPAUTH, "Challenge missing nonce or realm.\n");
return -1;
}
if (parms->stale) {
/* Just a stale response, don't need to get a new username/password */
DEBUG(DEBUG_HTTPAUTH, "Stale digest challenge.\n");
} else {
/* Forget the old session details */
DEBUG(DEBUG_HTTPAUTH, "In digest challenge.\n");
clean_session(sess);
sess->unq_realm = shave_string(parms->realm, '"');
/* Not a stale response: really need user authentication */
if (get_credentials(sess, &password)) {
/* Failed to get credentials */
HTTP_FREE(sess->unq_realm);
return -1;
}
}
sess->alg = parms->alg;
sess->scheme = http_auth_scheme_digest;
sess->unq_nonce = shave_string(parms->nonce, '"');
sess->unq_cnonce = get_cnonce();
if (parms->domain) {
if (parse_domain(sess, parms->domain)) {
/* TODO: Handle the error? */
}
} else {
sess->domain = NULL;
sess->domain_count = 0;
}
if (parms->opaque != NULL) {
sess->opaque = ne_strdup(parms->opaque); /* don't strip the quotes */
}
if (parms->got_qop) {
/* What type of qop are we to apply to the message? */
DEBUG(DEBUG_HTTPAUTH, "Got qop directive.\n");
sess->nonce_count = 0;
if (parms->qop_auth_int) {
sess->qop = http_auth_qop_auth_int;
} else {
sess->qop = http_auth_qop_auth;
}
} else {
/* No qop at all/ */
sess->qop = http_auth_qop_none;
}
if (!parms->stale) {
/* Calculate H(A1).
* tmp = H(unq(username-value) ":" unq(realm-value) ":" passwd)
*/
DEBUG(DEBUG_HTTPAUTH, "Calculating H(A1).\n");
md5_init_ctx(&tmp);
md5_process_bytes(sess->username, strlen(sess->username), &tmp);
md5_process_bytes(":", 1, &tmp);
md5_process_bytes(sess->unq_realm, strlen(sess->unq_realm), &tmp);
md5_process_bytes(":", 1, &tmp);
if (password != NULL)
md5_process_bytes(password, strlen(password), &tmp);
md5_finish_ctx(&tmp, tmp_md5);
if (sess->alg == http_auth_alg_md5_sess) {
unsigned char a1_md5[16];
struct md5_ctx a1;
char tmp_md5_ascii[33];
/* Now we calculate the SESSION H(A1)
* A1 = H(...above...) ":" unq(nonce-value) ":" unq(cnonce-value)
*/
md5_to_ascii(tmp_md5, tmp_md5_ascii);
md5_init_ctx(&a1);
md5_process_bytes(tmp_md5_ascii, 32, &a1);
md5_process_bytes(":", 1, &a1);
md5_process_bytes(sess->unq_nonce, strlen(sess->unq_nonce), &a1);
md5_process_bytes(":", 1, &a1);
md5_process_bytes(sess->unq_cnonce, strlen(sess->unq_cnonce), &a1);
md5_finish_ctx(&a1, a1_md5);
md5_to_ascii(a1_md5, sess->h_a1);
DEBUG(DEBUG_HTTPAUTH, "Session H(A1) is [%s]\n", sess->h_a1);
} else {
md5_to_ascii(tmp_md5, sess->h_a1);
DEBUG(DEBUG_HTTPAUTH, "H(A1) is [%s]\n", sess->h_a1);
}
HTTP_FREE(password);
}
DEBUG(DEBUG_HTTPAUTH, "I like this Digest challenge.\n");
return 0;
}
