authorEvgeny Grin (Karlson2k) <k2k@narod.ru>2022-07-26 14:17:53 +0300
committerEvgeny Grin (Karlson2k) <k2k@narod.ru>2022-07-30 22:28:41 +0300
commit5aa16f7e31e888ff197f7517b78598af4b2dcaa8 (patch)
tree22f87546c565a4db0e8bc177e32eab7be6fe54d7 /src/microhttpd
parent9eb7b4de6447f4821b2e47ce31a8243c85e5bc96 (diff)
digestauth: added dynamic detection and use of the algo specified by client
Diffstat (limited to 'src/microhttpd')
-rw-r--r--src/microhttpd/digestauth.c58
1 files changed, 35 insertions, 23 deletions
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c
index f8f06d6d..00901943 100644
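--- a/src/microhttpd/digestauth.c
+++ b/src/microhttpd/digestauth.c
@@ -1996,8 +1996,8 @@ is_param_equal_caseless (const struct MHD_RqDAuthParam *param,
  * zero for no limit
  * @param mqop the QOP to use, currently the only allowed value is
  * #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 digest algorithms to use, if several algorithms are specified
- * then MD5 is used (if allowed)
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter
  * @param[out] pbuf the pointer to pointer to internally malloc'ed buffer,
  * to be free if not NULL upon return
  * @return #MHD_DAUTH_OK if authenticated,
@@ -2017,7 +2017,7 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
  char **pbuf)
 {
  struct MHD_Daemon *daemon = MHD_get_master (connection->daemon);
- enum MHD_DigestAuthAlgo3 s_algo; /**< Selected algorithm */
+ enum MHD_DigestAuthAlgo3 c_algo; /**< Client's algorithm */
  struct DigestAlgorithm da;
  unsigned int digest_size;
  uint8_t hash1_bin[MAX_DIGEST];
@@ -2047,10 +2047,14 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
  return MHD_DAUTH_WRONG_HEADER;
 
  /* ** Initial parameters checks and setup ** */
- if (MHD_DIGEST_AUTH_MULT_QOP_AUTH != mqop)
- MHD_PANIC (_ ("Wrong 'mqop' value, API violation"));
-
- if (0 != (((unsigned int) malgo3) & MHD_DIGEST_AUTH_ALGO3_SESSION))
+ /* Get client's algorithm */
+ c_algo = get_rq_algo (params);
+ /* Check whether client's algorithm is allowed by function parameter */
+ if (((unsigned int) c_algo) !=
+ (((unsigned int) c_algo) & ((unsigned int) malgo3)))
+ return MHD_DAUTH_WRONG_ALGO;
+ /* Check whether client's algorithm is supported */
+ if (0 != (((unsigned int) c_algo) & MHD_DIGEST_AUTH_ALGO3_SESSION))
  {
 #ifdef HAVE_MESSAGES
  MHD_DLOG (connection->daemon,
@@ -2058,14 +2062,20 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
 #endif /* HAVE_MESSAGES */
  return MHD_DAUTH_WRONG_ALGO;
  }
- if (0 != (((unsigned int) malgo3) & MHD_DIGEST_BASE_ALGO_MD5))
- s_algo = MHD_DIGEST_AUTH_ALGO3_MD5;
- else if (0 != (((unsigned int) malgo3) & MHD_DIGEST_BASE_ALGO_SHA256))
- s_algo = MHD_DIGEST_AUTH_ALGO3_SHA256;
- else
- MHD_PANIC (_ ("Wrong 'malgo3' value, API violation"));
- if (! digest_setup (&da, get_base_digest_algo (s_algo)))
+ if (0 != (((unsigned int) c_algo) & MHD_DIGEST_BASE_ALGO_SHA512_256))
+ {
+#ifdef HAVE_MESSAGES
+ MHD_DLOG (connection->daemon,
+ _ ("The SHA-512/256 algorithm is not supported.\n"));
+#endif /* HAVE_MESSAGES */
+ return MHD_DAUTH_WRONG_ALGO;
+ }
+ if (! digest_setup (&da, get_base_digest_algo (c_algo)))
  MHD_PANIC (_ ("Wrong 'malgo3' value, API violation"));
+ /* Check 'mqop' value */
+ if (MHD_DIGEST_AUTH_MULT_QOP_AUTH != mqop)
+ MHD_PANIC (_ ("Wrong 'mqop' value, API violation"));
+
  digest_size = digest_get_size (&da);
 
  /* ** A quick check for presence of all required parameters ** */
@@ -2438,8 +2448,8 @@ digest_auth_check_all_inner (struct MHD_Connection *connection,
  * zero for no limit
  * @param mqop the QOP to use, currently the only allowed value is
  * #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 digest algorithms to use, if several algorithms are specified
- * then MD5 is used (if allowed)
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter
  * @return #MHD_DAUTH_OK if authenticated,
  * error code otherwise.
  * @ingroup authentication
@@ -2519,11 +2529,11 @@ MHD_digest_auth_check (struct MHD_Connection *connection,
  * zero for no limit
  * @param mqop the QOP to use, currently the only allowed value is
  * #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 digest algorithm to use, if several algorithms are specified
- * then MD5 is used (if allowed)
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter
  * @return #MHD_DAUTH_OK if authenticated,
  * the error code otherwise
- * @note Available since #MHD_VERSION 0x00097526
+ * @note Available since #MHD_VERSION 0x00097528
  * @ingroup authentication
  */
 _MHD_EXTERN enum MHD_DigestAuthResult
@@ -2570,12 +2580,14 @@ MHD_digest_auth_check3 (struct MHD_Connection *connection,
  * zero for no limit
  * @param mqop the QOP to use, currently the only allowed value is
  * #MHD_DIGEST_AUTH_MULT_QOP_AUTH
- * @param malgo3 the digest algorithms to use; both MD5-based and SHA-256-based
- * algorithms cannot be used at the same time for this function
- * as @a userdigest_size must match specified algorithm
+ * @param malgo3 digest algorithms allowed to use, fail if algorithm specified
+ * by the client is not allowed by this parameter;
+ * both MD5-based and SHA-256-based algorithms cannot be used at
+ * the same time for this function as @a userdigest_size must
+ * match specified algorithm
  * @return #MHD_DAUTH_OK if authenticated,
  * the error code otherwise
- * @note Available since #MHD_VERSION 0x00097526
+ * @note Available since #MHD_VERSION 0x00097528
  * @ingroup authentication
  */
 _MHD_EXTERN enum MHD_DigestAuthResult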
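Review bot: The `MHD_PANIC` that follows `digest_setup (&da, get_base_digest_algo (c_algo))` in `digest_auth_check_all_inner` is now reached on a value parsed from the request, not on the caller's `malgo3`, yet it still aborts with "Wrong 'malgo3' value, API violation". The subset test `c_algo != (c_algo & malgo3)` passes for any `c_algo` that has no algorithm bits set. If `get_rq_algo` (defined outside these hunks) can return such a value for an unrecognised `algorithm` parameter, a malformed header would abort the daemon instead of being rejected. I would fail closed like the neighbouring unsupported-algorithm branches, `if (! digest_setup (&da, get_base_digest_algo (c_algo))) return MHD_DAUTH_WRONG_ALGO;`, and keep `MHD_PANIC` only for the `mqop` check, which depends on caller input alone. The function body continues outside the hunks shown, so any cleanup needed on that early return should be confirmed there.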