From: Chris Talbot <chris@talbothome.com>
Date: Thu, 29 Jun 2023 16:27:48 +0000 (-0400)
Subject: digest: Use hostname to generate spn instead of realm
X-Git-Tag: curl-8_3_0~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7703ca7f8673470b4e647bc97c0659e8473a3390;p=thirdparty%2Fcurl.git

digest: Use hostname to generate spn instead of realm

In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2

digest-uri-value should be serv-type "/" host , where host is:

      The DNS host name or IP address for the service requested.  The
      DNS host name must be the fully-qualified canonical name of the
      host. The DNS host name is the preferred form; see notes on server
      processing of the digest-uri.

Realm may not be the host, so we must specify the host explicitly.

Note this change only affects the non-SSPI digest code. The digest code
used by SSPI builds already uses the hostname to generate the spn.

Ref: https://github.com/curl/curl/issues/11369

Closes https://github.com/curl/curl/pull/11395
---

diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c
index 1983d03c77..12c6f7dd5b 100644
--- a/lib/vauth/digest.c
+++ b/lib/vauth/digest.c
@@ -420,7 +420,7 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data,
     msnprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
 
   /* Generate our SPN */
-  spn = Curl_auth_build_spn(service, realm, NULL);
+  spn = Curl_auth_build_spn(service, data->conn->host.name, NULL);
   if(!spn)
     return CURLE_OUT_OF_MEMORY;
 
diff --git a/tests/data/test823 b/tests/data/test823
index b179a1807b..affb6772d6 100644
--- a/tests/data/test823
+++ b/tests/data/test823
@@ -14,7 +14,7 @@ RFC2831
 <servercmd>
 AUTH DIGEST-MD5
 REPLY AUTHENTICATE + cmVhbG09ImN1cmwiLG5vbmNlPSI1MzAwZDE3YTFkNjk1YmQ0MTFlNGNkZjk2Zjk1NDhjMjNjZWQ2MTc1IixhbGdvcml0aG09bWQ1LXNlc3MscW9wPSJhdXRoIg==
-REPLY dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJpbWFwL2N1cmwiLHJlc3BvbnNlPTVlNzk5N2ZhZDZjMzNiZWJmZjk3OWJkY2I4ZmU3MTZiLHFvcD1hdXRo +
+REPLY dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJpbWFwLzEyNy4wLjAuMSIscmVzcG9uc2U9YmU2MzgyNDkzNjJkN2FhMGUzNTM4NTA3Njc1MWFiNDgscW9wPWF1dGg= + cnNwYXV0aD04MWY5MDNlYjQ4MjNhZTkyMmRiNWYwNGNiNThjY2RlYg==
 REPLY  A002 OK AUTHENTICATE completed
 </servercmd>
 <data>
@@ -53,7 +53,7 @@ IMAP DIGEST-MD5 authentication
 <protocol>
 A001 CAPABILITY
 A002 AUTHENTICATE DIGEST-MD5
-dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJpbWFwL2N1cmwiLHJlc3BvbnNlPTVlNzk5N2ZhZDZjMzNiZWJmZjk3OWJkY2I4ZmU3MTZiLHFvcD1hdXRo
+dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJpbWFwLzEyNy4wLjAuMSIscmVzcG9uc2U9YmU2MzgyNDkzNjJkN2FhMGUzNTM4NTA3Njc1MWFiNDgscW9wPWF1dGg=
 
 A003 SELECT %TESTNUMBER
 A004 FETCH 1 BODY[]
diff --git a/tests/data/test869 b/tests/data/test869
index 96d8c837a2..0613e2f513 100644
--- a/tests/data/test869
+++ b/tests/data/test869
@@ -16,7 +16,7 @@ RFC5034
 <servercmd>
 AUTH DIGEST-MD5
 REPLY AUTH + cmVhbG09ImN1cmwiLG5vbmNlPSI1MzAwZDE3YTFkNjk1YmQ0MTFlNGNkZjk2Zjk1NDhjMjNjZWQ2MTc1IixhbGdvcml0aG09bWQ1LXNlc3MscW9wPSJhdXRoIg==
-REPLY dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJwb3AvY3VybCIscmVzcG9uc2U9YzNhMGFiZTc5NDYyNTIyNGY5Njg3YTYzMTc3ZmRhNWIscW9wPWF1dGg= +
+REPLY dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJwb3AvMTI3LjAuMC4xIixyZXNwb25zZT0xODMxNTU0OGM3ZjNhMzdlNzE2ZmE4ZTkwZGZhYjliNixxb3A9YXV0aA== + cnNwYXV0aD1mZWNiMzZiNzA4NmUwYjk1ZDkwNjQ1OWVmYThjYzI5ZQ==
 REPLY  +OK Login successful
 </servercmd>
 <data>
@@ -55,7 +55,7 @@ pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret
 <protocol>
 CAPA
 AUTH DIGEST-MD5
-dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJwb3AvY3VybCIscmVzcG9uc2U9YzNhMGFiZTc5NDYyNTIyNGY5Njg3YTYzMTc3ZmRhNWIscW9wPWF1dGg=
+dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJwb3AvMTI3LjAuMC4xIixyZXNwb25zZT0xODMxNTU0OGM3ZjNhMzdlNzE2ZmE4ZTkwZGZhYjliNixxb3A9YXV0aA==
 
 RETR %TESTNUMBER
 QUIT
diff --git a/tests/data/test907 b/tests/data/test907
index b2af26b23d..0ce464c694 100644
--- a/tests/data/test907
+++ b/tests/data/test907
@@ -15,7 +15,7 @@ RFC4954
 <servercmd>
 AUTH DIGEST-MD5
 REPLY AUTH 334 cmVhbG09ImN1cmwiLG5vbmNlPSI1MzAwZDE3YTFkNjk1YmQ0MTFlNGNkZjk2Zjk1NDhjMjNjZWQ2MTc1IixhbGdvcml0aG09bWQ1LXNlc3MscW9wPSJhdXRoIg==
-REPLY dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJzbXRwL2N1cmwiLHJlc3BvbnNlPTk0M2YxNjk1OWYxY2M2ZjA3ZTZmMDk0ZjVkYmQ0NzNlLHFvcD1hdXRo 334
+REPLY dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJzbXRwLzEyNy4wLjAuMSIscmVzcG9uc2U9YTI3YzQzOTVmMzM4Njc0M2JlMTIyMDdiN2QxMTIxYzUscW9wPWF1dGg= 334 cnNwYXV0aD05ZWE4NTljYjlkOTBjMzdjYTMwZDQ5ZDM1Mzc4NjMwYw==
 REPLY  235 Authenticated
 </servercmd>
 </reply>
@@ -48,7 +48,7 @@ smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-fr
 <protocol>
 EHLO %TESTNUMBER
 AUTH DIGEST-MD5
-dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJzbXRwL2N1cmwiLHJlc3BvbnNlPTk0M2YxNjk1OWYxY2M2ZjA3ZTZmMDk0ZjVkYmQ0NzNlLHFvcD1hdXRo
+dXNlcm5hbWU9InVzZXIiLHJlYWxtPSJjdXJsIixub25jZT0iNTMwMGQxN2ExZDY5NWJkNDExZTRjZGY5NmY5NTQ4YzIzY2VkNjE3NSIsY25vbmNlPSIzNDMzMzIzMTM1MzMzMjMxMzYzMzMyMzEzNzMzMzIzMSIsbmM9IjAwMDAwMDAxIixkaWdlc3QtdXJpPSJzbXRwLzEyNy4wLjAuMSIscmVzcG9uc2U9YTI3YzQzOTVmMzM4Njc0M2JlMTIyMDdiN2QxMTIxYzUscW9wPWF1dGg=
 
 MAIL FROM:<sender@example.com>
 RCPT TO:<recipient@example.com>