1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ***************************************************************************/
23 #include "curl_setup.h"
25 #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
29 #include "vauth/vauth.h"
30 #include "http_digest.h"
32 /* The last 3 #include files should be in this order */
33 #include "curl_printf.h"
34 #include "curl_memory.h"
37 /* Test example headers:
39 WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
40 Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"
44 CURLcode Curl_input_digest(struct Curl_easy *data,
46 const char *header) /* rest of the *-authenticate:
49 /* Point to the correct struct with this */
50 struct digestdata *digest;
53 digest = &data->state.proxydigest;
56 digest = &data->state.digest;
59 if(!checkprefix("Digest", header) || !ISSPACE(header[6]))
60 return CURLE_BAD_CONTENT_ENCODING;
62 header += strlen("Digest");
63 while(*header && ISSPACE(*header))
66 return Curl_auth_decode_digest_http_message(header, digest);
69 CURLcode Curl_output_digest(struct Curl_easy *data,
71 const unsigned char *request,
72 const unsigned char *uripath)
75 unsigned char *path = NULL;
81 /* Point to the address of the pointer that holds the string to send to the
82 server, which is for a plain host or for a HTTP proxy */
85 /* Point to the name and password for this */
89 /* Point to the correct struct with this */
90 struct digestdata *digest;
94 #ifdef CURL_DISABLE_PROXY
95 return CURLE_NOT_BUILT_IN;
97 digest = &data->state.proxydigest;
98 allocuserpwd = &data->state.aptr.proxyuserpwd;
99 userp = data->state.aptr.proxyuser;
100 passwdp = data->state.aptr.proxypasswd;
101 authp = &data->state.authproxy;
105 digest = &data->state.digest;
106 allocuserpwd = &data->state.aptr.userpwd;
107 userp = data->state.aptr.user;
108 passwdp = data->state.aptr.passwd;
109 authp = &data->state.authhost;
112 Curl_safefree(*allocuserpwd);
114 /* not set means empty */
121 #if defined(USE_WINDOWS_SSPI)
122 have_chlg = digest->input_token ? TRUE : FALSE;
124 have_chlg = digest->nonce ? TRUE : FALSE;
132 /* So IE browsers < v7 cut off the URI part at the query part when they
133 evaluate the MD5 and some (IIS?) servers work with them so we may need to
134 do the Digest IE-style. Note that the different ways cause different MD5
137 Apache servers can be set to do the Digest IE-style automatically using
138 the BrowserMatch feature:
139 https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
141 Further details on Digest implementation differences:
142 http://www.fngtps.com/2006/09/http-authentication
146 tmp = strchr((char *)uripath, '?');
148 size_t urilen = tmp - (char *)uripath;
149 /* typecast is fine here since the value is always less than 32 bits */
150 path = (unsigned char *) aprintf("%.*s", (int)urilen, uripath);
154 path = (unsigned char *) strdup((char *) uripath);
157 return CURLE_OUT_OF_MEMORY;
159 result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
160 path, digest, &response, &len);
165 *allocuserpwd = aprintf("%sAuthorization: Digest %s\r\n",
166 proxy ? "Proxy-" : "",
170 return CURLE_OUT_OF_MEMORY;
177 void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
179 Curl_auth_digest_cleanup(&data->state.digest);
180 Curl_auth_digest_cleanup(&data->state.proxydigest);