/src/PROJ/curl/lib/http_digest.c

Source
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/

#include "curl_setup.h"

#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)

#include "urldata.h"
#include "strcase.h"
#include "vauth/vauth.h"
#include "http_digest.h"
#include "curlx/strparse.h"

/* The last 2 #include files should be in this order */
#include "curl_memory.h"
#include "memdebug.h"

/* Test example headers:

WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"

*/

CURLcode Curl_input_digest(struct Curl_easy *data,
                           bool proxy,
                           const char *header) /* rest of the *-authenticate:
                                                  header */
{
  /* Point to the correct struct with this */
  struct digestdata *digest;

  if(proxy) {
    digest = &data->state.proxydigest;
  }
  else {
    digest = &data->state.digest;
  }

  if(!checkprefix("Digest", header) || !ISBLANK(header[6]))
    return CURLE_BAD_CONTENT_ENCODING;

  header += strlen("Digest");
  curlx_str_passblanks(&header);

  return Curl_auth_decode_digest_http_message(header, digest);
}

CURLcode Curl_output_digest(struct Curl_easy *data,
                            bool proxy,
                            const unsigned char *request,
                            const unsigned char *uripath)
{
  CURLcode result;
  unsigned char *path = NULL;
  char *tmp = NULL;
  char *response;
  size_t len;
  bool have_chlg;

  /* Point to the address of the pointer that holds the string to send to the
     server, which is for a plain host or for an HTTP proxy */
  char **allocuserpwd;

  /* Point to the name and password for this */
  const char *userp;
  const char *passwdp;

  /* Point to the correct struct with this */
  struct digestdata *digest;
  struct auth *authp;

  if(proxy) {
#ifdef CURL_DISABLE_PROXY
    return CURLE_NOT_BUILT_IN;
#else
    digest = &data->state.proxydigest;
    allocuserpwd = &data->state.aptr.proxyuserpwd;
    userp = data->state.aptr.proxyuser;
    passwdp = data->state.aptr.proxypasswd;
    authp = &data->state.authproxy;
#endif
  }
  else {
    digest = &data->state.digest;
    allocuserpwd = &data->state.aptr.userpwd;
    userp = data->state.aptr.user;
    passwdp = data->state.aptr.passwd;
    authp = &data->state.authhost;
  }

  Curl_safefree(*allocuserpwd);

  /* not set means empty */
  if(!userp)
    userp = "";

  if(!passwdp)
    passwdp = "";

#ifdef USE_WINDOWS_SSPI
  have_chlg = !!digest->input_token;
#else
  have_chlg = !!digest->nonce;
#endif

  if(!have_chlg) {
    authp->done = FALSE;
    return CURLE_OK;
  }

  /* So IE browsers < v7 cut off the URI part at the query part when they
     evaluate the MD5 and some (IIS?) servers work with them so we may need to
     do the Digest IE-style. Note that the different ways cause different MD5
     sums to get sent.

     Apache servers can be set to do the Digest IE-style automatically using
     the BrowserMatch feature:
     https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie

     Further details on Digest implementation differences:
     https://web.archive.org/web/2009/fngtps.com/2006/09/http-authentication
  */

  if(authp->iestyle) {
    tmp = strchr((const char *)uripath, '?');
    if(tmp) {
      size_t urilen = tmp - (const char *)uripath;
      /* typecast is fine here since the value is always less than 32 bits */
      path = (unsigned char *)curl_maprintf("%.*s", (int)urilen, uripath);
    }
  }
  if(!tmp)
    path = (unsigned char *)strdup((const char *) uripath);

  if(!path)
    return CURLE_OUT_OF_MEMORY;

  result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
                                                path, digest, &response, &len);
  free(path);
  if(result)
    return result;

  *allocuserpwd = curl_maprintf("%sAuthorization: Digest %s\r\n",
                                proxy ? "Proxy-" : "", response);
  free(response);
  if(!*allocuserpwd)
    return CURLE_OUT_OF_MEMORY;

  authp->done = TRUE;

  return CURLE_OK;
}

void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
{
  Curl_auth_digest_cleanup(&data->state.digest);
  Curl_auth_digest_cleanup(&data->state.proxydigest);
}

#endif

Line	Count	Source
1		/***************************************************************************
2		* _ _ ____ _
3		* Project ___\| \| \| \| _ \\| \|
4		* / __\| \| \| \| \|_) \| \|
5		* \| (__\| \|_\| \| _ <\| \|___
6		* \___\|\___/\|_\| \_\_____\|
7		*
8		* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9		*
10		* This software is licensed as described in the file COPYING, which
11		* you should have received as part of this distribution. The terms
12		* are also available at https://curl.se/docs/copyright.html.
13		*
14		* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15		* copies of the Software, and permit persons to whom the Software is
16		* furnished to do so, under the terms of the COPYING file.
17		*
18		* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19		* KIND, either express or implied.
20		*
21		* SPDX-License-Identifier: curl
22		*
23		***************************************************************************/
24
25		#include "curl_setup.h"
26
27		#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
28
29		#include "urldata.h"
30		#include "strcase.h"
31		#include "vauth/vauth.h"
32		#include "http_digest.h"
33		#include "curlx/strparse.h"
34
35		/* The last 2 #include files should be in this order */
36		#include "curl_memory.h"
37		#include "memdebug.h"
38
39		/* Test example headers:
40
41		WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
42		Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"
43
44		*/
45
46		CURLcode Curl_input_digest(struct Curl_easy *data,
47		bool proxy,
48		const char header) / rest of the *-authenticate:
49		header */
50	0	{
51		/* Point to the correct struct with this */
52	0	struct digestdata *digest;
53
54	0	if(proxy) {
55	0	digest = &data->state.proxydigest;
56	0	}
57	0	else {
58	0	digest = &data->state.digest;
59	0	}
60
61	0	if(!checkprefix("Digest", header) \|\| !ISBLANK(header[6]))
62	0	return CURLE_BAD_CONTENT_ENCODING;
63
64	0	header += strlen("Digest");
65	0	curlx_str_passblanks(&header);
66
67	0	return Curl_auth_decode_digest_http_message(header, digest);
68	0	}
69
70		CURLcode Curl_output_digest(struct Curl_easy *data,
71		bool proxy,
72		const unsigned char *request,
73		const unsigned char *uripath)
74	0	{
75	0	CURLcode result;
76	0	unsigned char *path = NULL;
77	0	char *tmp = NULL;
78	0	char *response;
79	0	size_t len;
80	0	bool have_chlg;
81
82		/* Point to the address of the pointer that holds the string to send to the
83		server, which is for a plain host or for an HTTP proxy */
84	0	char **allocuserpwd;
85
86		/* Point to the name and password for this */
87	0	const char *userp;
88	0	const char *passwdp;
89
90		/* Point to the correct struct with this */
91	0	struct digestdata *digest;
92	0	struct auth *authp;
93
94	0	if(proxy) {
95		#ifdef CURL_DISABLE_PROXY
96		return CURLE_NOT_BUILT_IN;
97		#else
98	0	digest = &data->state.proxydigest;
99	0	allocuserpwd = &data->state.aptr.proxyuserpwd;
100	0	userp = data->state.aptr.proxyuser;
101	0	passwdp = data->state.aptr.proxypasswd;
102	0	authp = &data->state.authproxy;
103	0	#endif
104	0	}
105	0	else {
106	0	digest = &data->state.digest;
107	0	allocuserpwd = &data->state.aptr.userpwd;
108	0	userp = data->state.aptr.user;
109	0	passwdp = data->state.aptr.passwd;
110	0	authp = &data->state.authhost;
111	0	}
112
113	0	Curl_safefree(*allocuserpwd);
114
115		/* not set means empty */
116	0	if(!userp)
117	0	userp = "";
118
119	0	if(!passwdp)
120	0	passwdp = "";
121
122		#ifdef USE_WINDOWS_SSPI
123		have_chlg = !!digest->input_token;
124		#else
125	0	have_chlg = !!digest->nonce;
126	0	#endif
127
128	0	if(!have_chlg) {
129	0	authp->done = FALSE;
130	0	return CURLE_OK;
131	0	}
132
133		/* So IE browsers < v7 cut off the URI part at the query part when they
134		evaluate the MD5 and some (IIS?) servers work with them so we may need to
135		do the Digest IE-style. Note that the different ways cause different MD5
136		sums to get sent.
137
138		Apache servers can be set to do the Digest IE-style automatically using
139		the BrowserMatch feature:
140		https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
141
142		Further details on Digest implementation differences:
143		https://web.archive.org/web/2009/fngtps.com/2006/09/http-authentication
144		*/
145
146	0	if(authp->iestyle) {
147	0	tmp = strchr((const char *)uripath, '?');
148	0	if(tmp) {
149	0	size_t urilen = tmp - (const char *)uripath;
150		/* typecast is fine here since the value is always less than 32 bits */
151	0	path = (unsigned char )curl_maprintf("%.s", (int)urilen, uripath);
152	0	}
153	0	}
154	0	if(!tmp)
155	0	path = (unsigned char )strdup((const char ) uripath);
156
157	0	if(!path)
158	0	return CURLE_OUT_OF_MEMORY;
159
160	0	result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
161	0	path, digest, &response, &len);
162	0	free(path);
163	0	if(result)
164	0	return result;
165
166	0	*allocuserpwd = curl_maprintf("%sAuthorization: Digest %s\r\n",
167	0	proxy ? "Proxy-" : "", response);
168	0	free(response);
169	0	if(!*allocuserpwd)
170	0	return CURLE_OUT_OF_MEMORY;
171
172	0	authp->done = TRUE;
173
174	0	return CURLE_OK;
175	0	}
176
177		void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
178	0	{
179	0	Curl_auth_digest_cleanup(&data->state.digest);
180	0	Curl_auth_digest_cleanup(&data->state.proxydigest);
181	0	}
182
183		#endif

Coverage Report

Created: 2025-10-10 06:31