/src/curl/lib/http_digest.c

Source
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/
#include "curl_setup.h"

#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)

#include "urldata.h"
#include "strcase.h"
#include "vauth/vauth.h"
#include "http_digest.h"
#include "curlx/strparse.h"

/* Test example headers:

WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"

*/

CURLcode Curl_input_digest(struct Curl_easy *data,
                           bool proxy,
                           const char *header) /* rest of the *-authenticate:
                                                  header */
{
  /* Point to the correct struct with this */
  struct digestdata *digest;

  if(proxy) {
    digest = &data->state.proxydigest;
  }
  else {
    digest = &data->state.digest;
  }

  if(!checkprefix("Digest", header) || !ISBLANK(header[6]))
    return CURLE_BAD_CONTENT_ENCODING;

  header += strlen("Digest");
  curlx_str_passblanks(&header);

  return Curl_auth_decode_digest_http_message(header, digest);
}

CURLcode Curl_output_digest(struct Curl_easy *data,
                            bool proxy,
                            const unsigned char *request,
                            const unsigned char *uripath)
{
  CURLcode result;
  unsigned char *path = NULL;
  const char *tmp = NULL;
  char *response;
  size_t len;
  bool have_chlg;

  /* Point to the address of the pointer that holds the string to send to the
     server, which is for a plain host or for an HTTP proxy */
  char **allocuserpwd;

  /* Point to the name and password for this */
  const char *userp;
  const char *passwdp;

  /* Point to the correct struct with this */
  struct digestdata *digest;
  struct auth *authp;

  if(proxy) {
#ifdef CURL_DISABLE_PROXY
    return CURLE_NOT_BUILT_IN;
#else
    digest = &data->state.proxydigest;
    allocuserpwd = &data->state.aptr.proxyuserpwd;
    userp = data->state.aptr.proxyuser;
    passwdp = data->state.aptr.proxypasswd;
    authp = &data->state.authproxy;
#endif
  }
  else {
    digest = &data->state.digest;
    allocuserpwd = &data->state.aptr.userpwd;
    userp = data->state.aptr.user;
    passwdp = data->state.aptr.passwd;
    authp = &data->state.authhost;
  }

  Curl_safefree(*allocuserpwd);

  /* not set means empty */
  if(!userp)
    userp = "";

  if(!passwdp)
    passwdp = "";

#ifdef USE_WINDOWS_SSPI
  have_chlg = !!digest->input_token;
#else
  have_chlg = !!digest->nonce;
#endif

  if(!have_chlg) {
    authp->done = FALSE;
    return CURLE_OK;
  }

  /* So IE browsers < v7 cut off the URI part at the query part when they
     evaluate the MD5 and some (IIS?) servers work with them so we may need to
     do the Digest IE-style. Note that the different ways cause different MD5
     sums to get sent.

     Apache servers can be set to do the Digest IE-style automatically using
     the BrowserMatch feature:
     https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie

     Further details on Digest implementation differences:
     https://web.archive.org/web/2009/fngtps.com/2006/09/http-authentication
  */

  if(authp->iestyle) {
    tmp = strchr((const char *)uripath, '?');
    if(tmp) {
      size_t urilen = tmp - (const char *)uripath;
      /* typecast is fine here since the value is always less than 32 bits */
      path = (unsigned char *)curl_maprintf("%.*s", (int)urilen, uripath);
    }
  }
  if(!tmp)
    path = (unsigned char *)curlx_strdup((const char *)uripath);

  if(!path)
    return CURLE_OUT_OF_MEMORY;

  result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
                                                path, digest, &response, &len);
  curlx_free(path);
  if(result)
    return result;

  *allocuserpwd = curl_maprintf("%sAuthorization: Digest %s\r\n",
                                proxy ? "Proxy-" : "", response);
  curlx_free(response);
  if(!*allocuserpwd)
    return CURLE_OUT_OF_MEMORY;

  authp->done = TRUE;

  return CURLE_OK;
}

void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
{
  Curl_auth_digest_cleanup(&data->state.digest);
  Curl_auth_digest_cleanup(&data->state.proxydigest);
}

#endif

Line	Count	Source
1		/***************************************************************************
2		* _ _ ____ _
3		* Project ___\| \| \| \| _ \\| \|
4		* / __\| \| \| \| \|_) \| \|
5		* \| (__\| \|_\| \| _ <\| \|___
6		* \___\|\___/\|_\| \_\_____\|
7		*
8		* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9		*
10		* This software is licensed as described in the file COPYING, which
11		* you should have received as part of this distribution. The terms
12		* are also available at https://curl.se/docs/copyright.html.
13		*
14		* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15		* copies of the Software, and permit persons to whom the Software is
16		* furnished to do so, under the terms of the COPYING file.
17		*
18		* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19		* KIND, either express or implied.
20		*
21		* SPDX-License-Identifier: curl
22		*
23		***************************************************************************/
24		#include "curl_setup.h"
25
26		#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
27
28		#include "urldata.h"
29		#include "strcase.h"
30		#include "vauth/vauth.h"
31		#include "http_digest.h"
32		#include "curlx/strparse.h"
33
34		/* Test example headers:
35
36		WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
37		Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"
38
39		*/
40
41		CURLcode Curl_input_digest(struct Curl_easy *data,
42		bool proxy,
43		const char header) / rest of the *-authenticate:
44		header */
45	21.6k	{
46		/* Point to the correct struct with this */
47	21.6k	struct digestdata *digest;
48
49	21.6k	if(proxy) {
50	1.34k	digest = &data->state.proxydigest;
51	1.34k	}
52	20.3k	else {
53	20.3k	digest = &data->state.digest;
54	20.3k	}
55
56	21.6k	if(!checkprefix("Digest", header) \|\| !ISBLANK(header[6]))
57	4.78k	return CURLE_BAD_CONTENT_ENCODING;
58
59	16.8k	header += strlen("Digest");
60	16.8k	curlx_str_passblanks(&header);
61
62	16.8k	return Curl_auth_decode_digest_http_message(header, digest);
63	21.6k	}
64
65		CURLcode Curl_output_digest(struct Curl_easy *data,
66		bool proxy,
67		const unsigned char *request,
68		const unsigned char *uripath)
69	1.17k	{
70	1.17k	CURLcode result;
71	1.17k	unsigned char *path = NULL;
72	1.17k	const char *tmp = NULL;
73	1.17k	char *response;
74	1.17k	size_t len;
75	1.17k	bool have_chlg;
76
77		/* Point to the address of the pointer that holds the string to send to the
78		server, which is for a plain host or for an HTTP proxy */
79	1.17k	char **allocuserpwd;
80
81		/* Point to the name and password for this */
82	1.17k	const char *userp;
83	1.17k	const char *passwdp;
84
85		/* Point to the correct struct with this */
86	1.17k	struct digestdata *digest;
87	1.17k	struct auth *authp;
88
89	1.17k	if(proxy) {
90		#ifdef CURL_DISABLE_PROXY
91		return CURLE_NOT_BUILT_IN;
92		#else
93	210	digest = &data->state.proxydigest;
94	210	allocuserpwd = &data->state.aptr.proxyuserpwd;
95	210	userp = data->state.aptr.proxyuser;
96	210	passwdp = data->state.aptr.proxypasswd;
97	210	authp = &data->state.authproxy;
98	210	#endif
99	210	}
100	965	else {
101	965	digest = &data->state.digest;
102	965	allocuserpwd = &data->state.aptr.userpwd;
103	965	userp = data->state.aptr.user;
104	965	passwdp = data->state.aptr.passwd;
105	965	authp = &data->state.authhost;
106	965	}
107
108	1.17k	Curl_safefree(*allocuserpwd);
109
110		/* not set means empty */
111	1.17k	if(!userp)
112	520	userp = "";
113
114	1.17k	if(!passwdp)
115	509	passwdp = "";
116
117		#ifdef USE_WINDOWS_SSPI
118		have_chlg = !!digest->input_token;
119		#else
120	1.17k	have_chlg = !!digest->nonce;
121	1.17k	#endif
122
123	1.17k	if(!have_chlg) {
124	471	authp->done = FALSE;
125	471	return CURLE_OK;
126	471	}
127
128		/* So IE browsers < v7 cut off the URI part at the query part when they
129		evaluate the MD5 and some (IIS?) servers work with them so we may need to
130		do the Digest IE-style. Note that the different ways cause different MD5
131		sums to get sent.
132
133		Apache servers can be set to do the Digest IE-style automatically using
134		the BrowserMatch feature:
135		https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
136
137		Further details on Digest implementation differences:
138		https://web.archive.org/web/2009/fngtps.com/2006/09/http-authentication
139		*/
140
141	704	if(authp->iestyle) {
142	271	tmp = strchr((const char *)uripath, '?');
143	271	if(tmp) {
144	8	size_t urilen = tmp - (const char *)uripath;
145		/* typecast is fine here since the value is always less than 32 bits */
146	8	path = (unsigned char )curl_maprintf("%.s", (int)urilen, uripath);
147	8	}
148	271	}
149	704	if(!tmp)
150	696	path = (unsigned char )curlx_strdup((const char )uripath);
151
152	704	if(!path)
153	0	return CURLE_OUT_OF_MEMORY;
154
155	704	result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
156	704	path, digest, &response, &len);
157	704	curlx_free(path);
158	704	if(result)
159	0	return result;
160
161	704	*allocuserpwd = curl_maprintf("%sAuthorization: Digest %s\r\n",
162	704	proxy ? "Proxy-" : "", response);
163	704	curlx_free(response);
164	704	if(!*allocuserpwd)
165	0	return CURLE_OUT_OF_MEMORY;
166
167	704	authp->done = TRUE;
168
169	704	return CURLE_OK;
170	704	}
171
172		void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
173	356k	{
174	356k	Curl_auth_digest_cleanup(&data->state.digest);
175	356k	Curl_auth_digest_cleanup(&data->state.proxydigest);
176	356k	}
177
178		#endif

Coverage Report

Created: 2026-03-11 07:23