commit 5aa16f7e31e888ff197f7517b78598af4b2dcaa8
parent 9eb7b4de6447f4821b2e47ce31a8243c85e5bc96
Author: Evgeny Grin (Karlson2k) <k2k@narod.ru>
Date: Tue, 26 Jul 2022 14:17:53 +0300
digestauth: added dynamic detection and use of the algo specified by client
Diffstat:
2 files changed, 45 insertions(+), 31 deletions(-)
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
@@ -96,7 +96,7 @@ extern "C"
* they are parsed as decimal numbers.
* Example: 0x01093001 = 1.9.30-1.
*/
-#define MHD_VERSION 0x00097527
+#define MHD_VERSION 0x00097528
/* If generic headers don't work on your platform, include headers
which define 'va_list', 'size_t', 'ssize_t', 'intptr_t', 'off_t',
@@ -5002,11 +5002,11 @@ enum MHD_DigestAuthResult
* zero for no limit
* @param mqop the QOP to use, currently the only allowed value is
* #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 digest algorithm to use, if several algorithms are specified
- * then MD5 is used (if allowed)
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter
* @return #MHD_DAUTH_OK if authenticated,
* the error code otherwise
- * @note Available since #MHD_VERSION 0x00097526
+ * @note Available since #MHD_VERSION 0x00097528
* @ingroup authentication
*/
_MHD_EXTERN enum MHD_DigestAuthResult
@@ -5040,12 +5040,14 @@ MHD_digest_auth_check3 (struct MHD_Connection *connection,
* zero for no limit
* @param mqop the QOP to use, currently the only allowed value is
* #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 the digest algorithms to use; both MD5-based and SHA-256-based
- * algorithms cannot be used at the same time for this function
- * as @a userdigest_size must match specified algorithm
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter;
+ * both MD5-based and SHA-256-based algorithms cannot be used at
+ * the same time for this function as @a userdigest_size must
+ * match specified algorithm
* @return #MHD_DAUTH_OK if authenticated,
* the error code otherwise
- * @note Available since #MHD_VERSION 0x00097526
+ * @note Available since #MHD_VERSION 0x00097528
* @ingroup authentication
*/
_MHD_EXTERN enum MHD_DigestAuthResult
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c
@@ -1996,8 +1996,8 @@ is_param_equal_caseless (const struct MHD_RqDAuthParam *param,
* zero for no limit
* @param mqop the QOP to use, currently the only allowed value is
* #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 digest algorithms to use, if several algorithms are specified
- * then MD5 is used (if allowed)
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter
* @param[out] pbuf the pointer to pointer to internally malloc'ed buffer,
* to be free if not NULL upon return
* @return #MHD_DAUTH_OK if authenticated,
@@ -2017,7 +2017,7 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
char **pbuf)
{
struct MHD_Daemon *daemon = MHD_get_master (connection->daemon);
- enum MHD_DigestAuthAlgo3 s_algo; /**< Selected algorithm */
+ enum MHD_DigestAuthAlgo3 c_algo; /**< Client's algorithm */
struct DigestAlgorithm da;
unsigned int digest_size;
uint8_t hash1_bin[MAX_DIGEST];
@@ -2047,10 +2047,14 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
return MHD_DAUTH_WRONG_HEADER;
/* ** Initial parameters checks and setup ** */
- if (MHD_DIGEST_AUTH_MULT_QOP_AUTH != mqop)
- MHD_PANIC (_ ("Wrong 'mqop' value, API violation"));
-
- if (0 != (((unsigned int) malgo3) & MHD_DIGEST_AUTH_ALGO3_SESSION))
+ /* Get client's algorithm */
+ c_algo = get_rq_algo (params);
+ /* Check whether client's algorithm is allowed by function parameter */
+ if (((unsigned int) c_algo) !=
+ (((unsigned int) c_algo) & ((unsigned int) malgo3)))
+ return MHD_DAUTH_WRONG_ALGO;
+ /* Check whether client's algorithm is supported */
+ if (0 != (((unsigned int) c_algo) & MHD_DIGEST_AUTH_ALGO3_SESSION))
{
#ifdef HAVE_MESSAGES
MHD_DLOG (connection->daemon,
@@ -2058,14 +2062,20 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
#endif /* HAVE_MESSAGES */
return MHD_DAUTH_WRONG_ALGO;
}
- if (0 != (((unsigned int) malgo3) & MHD_DIGEST_BASE_ALGO_MD5))
- s_algo = MHD_DIGEST_AUTH_ALGO3_MD5;
- else if (0 != (((unsigned int) malgo3) & MHD_DIGEST_BASE_ALGO_SHA256))
- s_algo = MHD_DIGEST_AUTH_ALGO3_SHA256;
- else
- MHD_PANIC (_ ("Wrong 'malgo3' value, API violation"));
- if (! digest_setup (&da, get_base_digest_algo (s_algo)))
+ if (0 != (((unsigned int) c_algo) & MHD_DIGEST_BASE_ALGO_SHA512_256))
+ {
+#ifdef HAVE_MESSAGES
+ MHD_DLOG (connection->daemon,
+ _ ("The SHA-512/256 algorithm is not supported.\n"));
+#endif /* HAVE_MESSAGES */
+ return MHD_DAUTH_WRONG_ALGO;
+ }
+ if (! digest_setup (&da, get_base_digest_algo (c_algo)))
MHD_PANIC (_ ("Wrong 'malgo3' value, API violation"));
+ /* Check 'mqop' value */
+ if (MHD_DIGEST_AUTH_MULT_QOP_AUTH != mqop)
+ MHD_PANIC (_ ("Wrong 'mqop' value, API violation"));
+
digest_size = digest_get_size (&da);
/* ** A quick check for presence of all required parameters ** */
@@ -2438,8 +2448,8 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
* zero for no limit
* @param mqop the QOP to use, currently the only allowed value is
* #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 digest algorithms to use, if several algorithms are specified
- * then MD5 is used (if allowed)
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter
* @return #MHD_DAUTH_OK if authenticated,
* error code otherwise.
* @ingroup authentication
@@ -2519,11 +2529,11 @@ MHD_digest_auth_check (struct MHD_Connection *connection,
* zero for no limit
* @param mqop the QOP to use, currently the only allowed value is
* #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 digest algorithm to use, if several algorithms are specified
- * then MD5 is used (if allowed)
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter
* @return #MHD_DAUTH_OK if authenticated,
* the error code otherwise
- * @note Available since #MHD_VERSION 0x00097526
+ * @note Available since #MHD_VERSION 0x00097528
* @ingroup authentication
*/
_MHD_EXTERN enum MHD_DigestAuthResult
@@ -2570,12 +2580,14 @@ MHD_digest_auth_check3 (struct MHD_Connection *connection,
* zero for no limit
* @param mqop the QOP to use, currently the only allowed value is
* #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 the digest algorithms to use; both MD5-based and SHA-256-based
- * algorithms cannot be used at the same time for this function
- * as @a userdigest_size must match specified algorithm
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter;
+ * both MD5-based and SHA-256-based algorithms cannot be used at
+ * the same time for this function as @a userdigest_size must
+ * match specified algorithm
* @return #MHD_DAUTH_OK if authenticated,
* the error code otherwise
- * @note Available since #MHD_VERSION 0x00097526
+ * @note Available since #MHD_VERSION 0x00097528
* @ingroup authentication
*/
_MHD_EXTERN enum MHD_DigestAuthResult
