xref: /aosp_15_r20/external/curl/lib/http_digest.c (revision 6236dae45794135f37c4eb022389c904c8b0090d)
1*6236dae4SAndroid Build Coastguard Worker /***************************************************************************
2*6236dae4SAndroid Build Coastguard Worker  *                                  _   _ ____  _
3*6236dae4SAndroid Build Coastguard Worker  *  Project                     ___| | | |  _ \| |
4*6236dae4SAndroid Build Coastguard Worker  *                             / __| | | | |_) | |
5*6236dae4SAndroid Build Coastguard Worker  *                            | (__| |_| |  _ <| |___
6*6236dae4SAndroid Build Coastguard Worker  *                             \___|\___/|_| \_\_____|
7*6236dae4SAndroid Build Coastguard Worker  *
8*6236dae4SAndroid Build Coastguard Worker  * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
9*6236dae4SAndroid Build Coastguard Worker  *
10*6236dae4SAndroid Build Coastguard Worker  * This software is licensed as described in the file COPYING, which
11*6236dae4SAndroid Build Coastguard Worker  * you should have received as part of this distribution. The terms
12*6236dae4SAndroid Build Coastguard Worker  * are also available at https://curl.se/docs/copyright.html.
13*6236dae4SAndroid Build Coastguard Worker  *
14*6236dae4SAndroid Build Coastguard Worker  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15*6236dae4SAndroid Build Coastguard Worker  * copies of the Software, and permit persons to whom the Software is
16*6236dae4SAndroid Build Coastguard Worker  * furnished to do so, under the terms of the COPYING file.
17*6236dae4SAndroid Build Coastguard Worker  *
18*6236dae4SAndroid Build Coastguard Worker  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19*6236dae4SAndroid Build Coastguard Worker  * KIND, either express or implied.
20*6236dae4SAndroid Build Coastguard Worker  *
21*6236dae4SAndroid Build Coastguard Worker  * SPDX-License-Identifier: curl
22*6236dae4SAndroid Build Coastguard Worker  *
23*6236dae4SAndroid Build Coastguard Worker  ***************************************************************************/
24*6236dae4SAndroid Build Coastguard Worker 
25*6236dae4SAndroid Build Coastguard Worker #include "curl_setup.h"
26*6236dae4SAndroid Build Coastguard Worker 
27*6236dae4SAndroid Build Coastguard Worker #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
28*6236dae4SAndroid Build Coastguard Worker 
29*6236dae4SAndroid Build Coastguard Worker #include "urldata.h"
30*6236dae4SAndroid Build Coastguard Worker #include "strcase.h"
31*6236dae4SAndroid Build Coastguard Worker #include "vauth/vauth.h"
32*6236dae4SAndroid Build Coastguard Worker #include "http_digest.h"
33*6236dae4SAndroid Build Coastguard Worker 
34*6236dae4SAndroid Build Coastguard Worker /* The last 3 #include files should be in this order */
35*6236dae4SAndroid Build Coastguard Worker #include "curl_printf.h"
36*6236dae4SAndroid Build Coastguard Worker #include "curl_memory.h"
37*6236dae4SAndroid Build Coastguard Worker #include "memdebug.h"
38*6236dae4SAndroid Build Coastguard Worker 
39*6236dae4SAndroid Build Coastguard Worker /* Test example headers:
40*6236dae4SAndroid Build Coastguard Worker 
41*6236dae4SAndroid Build Coastguard Worker WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
42*6236dae4SAndroid Build Coastguard Worker Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"
43*6236dae4SAndroid Build Coastguard Worker 
44*6236dae4SAndroid Build Coastguard Worker */
45*6236dae4SAndroid Build Coastguard Worker 
/*
 * Curl_input_digest()
 *
 * Accept the value part of a WWW-Authenticate: or Proxy-Authenticate: header
 * and hand the Digest challenge parameters to the vauth decoder.
 *
 * data   - the transfer whose digest state gets updated
 * proxy  - TRUE selects the proxy digest state, FALSE the host one
 * header - the header value, expected to start with the "Digest" scheme token
 *
 * Returns CURLE_BAD_CONTENT_ENCODING when the value does not start with
 * "Digest" followed by a blank, otherwise whatever
 * Curl_auth_decode_digest_http_message() returns.
 *
 * The header text comes from the remote peer, so nothing past the scheme
 * token is interpreted here; all parameter parsing is left to the decoder.
 */
CURLcode Curl_input_digest(struct Curl_easy *data,
                           bool proxy,
                           const char *header) /* rest of the *-authenticate:
                                                  header */
{
  /* Host and proxy challenges are tracked in separate state structs */
  struct digestdata *digest = proxy ? &data->state.proxydigest
                                    : &data->state.digest;

  /* The scheme token has to match first... */
  if(!checkprefix("Digest", header))
    return CURLE_BAD_CONTENT_ENCODING;

  /* ...and only then is index 6 looked at: once the six-character prefix
     matched, header[6] is at worst the terminating null byte. This rejects
     longer tokens that merely begin with "Digest". */
  if(!ISBLANK(header[6]))
    return CURLE_BAD_CONTENT_ENCODING;

  /* Step over the scheme token and the blanks that follow it */
  for(header += strlen("Digest"); *header && ISBLANK(*header); header++)
    ;

  return Curl_auth_decode_digest_http_message(header, digest);
}
70*6236dae4SAndroid Build Coastguard Worker 
/*
 * Curl_output_digest()
 *
 * Build the "Authorization: Digest ..." (or "Proxy-Authorization: Digest
 * ...") request header for this transfer and store it in the matching
 * data->state.aptr slot.
 *
 * data    - the transfer
 * proxy   - TRUE to answer the proxy challenge, FALSE for the host challenge
 * request - the request method, passed on to the response generator
 * uripath - the request target, passed on (possibly shortened, see below)
 *
 * Returns:
 *   CURLE_NOT_BUILT_IN   proxy was asked for in a CURL_DISABLE_PROXY build
 *   CURLE_OK             header stored and authp->done set TRUE, or no
 *                        challenge has been received yet (authp->done set
 *                        FALSE and no header produced)
 *   CURLE_OUT_OF_MEMORY  an allocation failed
 *   anything else        passed through from
 *                        Curl_auth_create_digest_http_message()
 *
 * Any header string left from an earlier call is released before anything
 * else happens, so the early-return paths do not keep the old one.
 */
CURLcode Curl_output_digest(struct Curl_easy *data,
                            bool proxy,
                            const unsigned char *request,
                            const unsigned char *uripath)
{
  CURLcode result;
  unsigned char *path = NULL;
  char *query = NULL;      /* start of the query part, IE-style only */
  char *response;          /* generated header value, heap allocated */
  size_t len;
  bool have_chlg;
  const char *prefix;

  /* Address of the pointer that owns the outgoing header string, either
     the host one or the HTTP proxy one */
  char **allocuserpwd;

  /* Credentials to answer the challenge with */
  const char *userp;
  const char *passwdp;

  /* Challenge state and auth progress for the selected side */
  struct digestdata *digest;
  struct auth *authp;

  if(proxy) {
#ifdef CURL_DISABLE_PROXY
    return CURLE_NOT_BUILT_IN;
#else
    authp = &data->state.authproxy;
    digest = &data->state.proxydigest;
    userp = data->state.aptr.proxyuser;
    passwdp = data->state.aptr.proxypasswd;
    allocuserpwd = &data->state.aptr.proxyuserpwd;
#endif
  }
  else {
    authp = &data->state.authhost;
    digest = &data->state.digest;
    userp = data->state.aptr.user;
    passwdp = data->state.aptr.passwd;
    allocuserpwd = &data->state.aptr.userpwd;
  }

  /* Drop the header built for a previous request */
  Curl_safefree(*allocuserpwd);

  /* An unset name or password is treated as an empty string */
  userp = userp ? userp : "";
  passwdp = passwdp ? passwdp : "";

  /* Which field signals a stored challenge depends on the backend */
#if defined(USE_WINDOWS_SSPI)
  have_chlg = digest->input_token ? TRUE : FALSE;
#else
  have_chlg = digest->nonce ? TRUE : FALSE;
#endif

  if(!have_chlg) {
    /* Nothing to answer yet: send the request without a Digest header */
    authp->done = FALSE;
    return CURLE_OK;
  }

  /* IE browsers older than v7 cut the URI off at the query part before
     computing the MD5, and some (IIS?) servers follow that behaviour, so the
     Digest may have to be done "IE-style". The two ways give different MD5
     sums.

     Apache servers can be set to do the Digest IE-style automatically using
     the BrowserMatch feature:
     https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie

     Further details on Digest implementation differences:
     http://www.fngtps.com/2006/09/http-authentication

     NOTE(review): in IE-style mode the query string is left out of the path
     given to the response generator, so the generated response is not tied
     to it. The mode is only taken when authp->iestyle is set.
  */
  if(authp->iestyle)
    query = strchr((char *)uripath, '?');

  if(query) {
    size_t urilen = query - (char *)uripath;
    /* The cast follows the original author's note that the length always
       fits in 32 bits; that bound is not checked in this function. */
    path = (unsigned char *) aprintf("%.*s", (int)urilen, uripath);
  }
  else
    path = (unsigned char *) strdup((char *) uripath);

  if(!path)
    return CURLE_OUT_OF_MEMORY;

  result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
                                                path, digest, &response, &len);
  /* The private copy of the path is no longer needed, success or not */
  free(path);
  if(result)
    return result;

  prefix = proxy ? "Proxy-" : "";
  *allocuserpwd = aprintf("%sAuthorization: Digest %s\r\n", prefix, response);
  /* The header line holds its own copy of the response text */
  free(response);
  if(!*allocuserpwd)
    return CURLE_OUT_OF_MEMORY;

  authp->done = TRUE;

  return CURLE_OK;
}
178*6236dae4SAndroid Build Coastguard Worker 
/*
 * Curl_http_auth_cleanup_digest()
 *
 * Run Curl_auth_digest_cleanup() on both digest states kept for the
 * transfer: the host one first, then the proxy one.
 */
void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
{
  struct digestdata *host_state = &data->state.digest;
  struct digestdata *proxy_state = &data->state.proxydigest;

  Curl_auth_digest_cleanup(host_state);
  Curl_auth_digest_cleanup(proxy_state);
}
184*6236dae4SAndroid Build Coastguard Worker 
185*6236dae4SAndroid Build Coastguard Worker #endif