Coverage Report

Created: 2026-03-12 06:35

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/CMake/Utilities/cmcurl/lib/http_digest.c
Line
Count
Source
1
/***************************************************************************
2
 *                                  _   _ ____  _
3
 *  Project                     ___| | | |  _ \| |
4
 *                             / __| | | | |_) | |
5
 *                            | (__| |_| |  _ <| |___
6
 *                             \___|\___/|_| \_\_____|
7
 *
8
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9
 *
10
 * This software is licensed as described in the file COPYING, which
11
 * you should have received as part of this distribution. The terms
12
 * are also available at https://curl.se/docs/copyright.html.
13
 *
14
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15
 * copies of the Software, and permit persons to whom the Software is
16
 * furnished to do so, under the terms of the COPYING file.
17
 *
18
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19
 * KIND, either express or implied.
20
 *
21
 * SPDX-License-Identifier: curl
22
 *
23
 ***************************************************************************/
24
#include "curl_setup.h"
25
26
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
27
28
#include "urldata.h"
29
#include "strcase.h"
30
#include "vauth/vauth.h"
31
#include "http_digest.h"
32
#include "curlx/strparse.h"
33
34
/* Test example headers:
35
36
WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
37
Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"
38
39
*/
40
41
CURLcode Curl_input_digest(struct Curl_easy *data,
42
                           bool proxy,
43
                           const char *header) /* rest of the *-authenticate:
44
                                                  header */
45
0
{
46
  /* Point to the correct struct with this */
47
0
  struct digestdata *digest;
48
49
0
  if(proxy) {
50
0
    digest = &data->state.proxydigest;
51
0
  }
52
0
  else {
53
0
    digest = &data->state.digest;
54
0
  }
55
56
0
  if(!checkprefix("Digest", header) || !ISBLANK(header[6]))
57
0
    return CURLE_BAD_CONTENT_ENCODING;
58
59
0
  header += strlen("Digest");
60
0
  curlx_str_passblanks(&header);
61
62
0
  return Curl_auth_decode_digest_http_message(header, digest);
63
0
}
64
65
CURLcode Curl_output_digest(struct Curl_easy *data,
66
                            bool proxy,
67
                            const unsigned char *request,
68
                            const unsigned char *uripath)
69
0
{
70
0
  CURLcode result;
71
0
  unsigned char *path = NULL;
72
0
  char *tmp = NULL;
73
0
  char *response;
74
0
  size_t len;
75
0
  bool have_chlg;
76
77
  /* Point to the address of the pointer that holds the string to send to the
78
     server, which is for a plain host or for an HTTP proxy */
79
0
  char **allocuserpwd;
80
81
  /* Point to the name and password for this */
82
0
  const char *userp;
83
0
  const char *passwdp;
84
85
  /* Point to the correct struct with this */
86
0
  struct digestdata *digest;
87
0
  struct auth *authp;
88
89
0
  if(proxy) {
90
#ifdef CURL_DISABLE_PROXY
91
    return CURLE_NOT_BUILT_IN;
92
#else
93
0
    digest = &data->state.proxydigest;
94
0
    allocuserpwd = &data->state.aptr.proxyuserpwd;
95
0
    userp = data->state.aptr.proxyuser;
96
0
    passwdp = data->state.aptr.proxypasswd;
97
0
    authp = &data->state.authproxy;
98
0
#endif
99
0
  }
100
0
  else {
101
0
    digest = &data->state.digest;
102
0
    allocuserpwd = &data->state.aptr.userpwd;
103
0
    userp = data->state.aptr.user;
104
0
    passwdp = data->state.aptr.passwd;
105
0
    authp = &data->state.authhost;
106
0
  }
107
108
0
  Curl_safefree(*allocuserpwd);
109
110
  /* not set means empty */
111
0
  if(!userp)
112
0
    userp = "";
113
114
0
  if(!passwdp)
115
0
    passwdp = "";
116
117
#ifdef USE_WINDOWS_SSPI
118
  have_chlg = !!digest->input_token;
119
#else
120
0
  have_chlg = !!digest->nonce;
121
0
#endif
122
123
0
  if(!have_chlg) {
124
0
    authp->done = FALSE;
125
0
    return CURLE_OK;
126
0
  }
127
128
  /* So IE browsers < v7 cut off the URI part at the query part when they
129
     evaluate the MD5 and some (IIS?) servers work with them so we may need to
130
     do the Digest IE-style. Note that the different ways cause different MD5
131
     sums to get sent.
132
133
     Apache servers can be set to do the Digest IE-style automatically using
134
     the BrowserMatch feature:
135
     https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
136
137
     Further details on Digest implementation differences:
138
     https://web.archive.org/web/2009/fngtps.com/2006/09/http-authentication
139
  */
140
141
0
  if(authp->iestyle) {
142
0
    tmp = strchr((const char *)uripath, '?');
143
0
    if(tmp) {
144
0
      size_t urilen = tmp - (const char *)uripath;
145
      /* typecast is fine here since the value is always less than 32 bits */
146
0
      path = (unsigned char *)curl_maprintf("%.*s", (int)urilen, uripath);
147
0
    }
148
0
  }
149
0
  if(!tmp)
150
0
    path = (unsigned char *)curlx_strdup((const char *)uripath);
151
152
0
  if(!path)
153
0
    return CURLE_OUT_OF_MEMORY;
154
155
0
  result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
156
0
                                                path, digest, &response, &len);
157
0
  curlx_free(path);
158
0
  if(result)
159
0
    return result;
160
161
0
  *allocuserpwd = curl_maprintf("%sAuthorization: Digest %s\r\n",
162
0
                                proxy ? "Proxy-" : "", response);
163
0
  curlx_free(response);
164
0
  if(!*allocuserpwd)
165
0
    return CURLE_OUT_OF_MEMORY;
166
167
0
  authp->done = TRUE;
168
169
0
  return CURLE_OK;
170
0
}
171
172
void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
173
0
{
174
0
  Curl_auth_digest_cleanup(&data->state.digest);
175
0
  Curl_auth_digest_cleanup(&data->state.proxydigest);
176
0
}
177
178
#endif