From: Michael R Sweet Date: Sun, 10 Sep 2023 23:05:54 +0000 (-0400) Subject: Merge branch 'master' into http_auth_with_qop X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F260%2Fhead;p=thirdparty%2Fcups.git Merge branch 'master' into http_auth_with_qop --- 5123875323da63a123d90c55489979944a790a86 diff --cc cups/http-support.c index 7544258318,d54c4a1179..47f2723b0e --- a/cups/http-support.c +++ b/cups/http-support.c @@@ -1305,33 -1131,31 +1131,31 @@@ httpSeparateURI } - /* - * '_httpSetDigestAuthString()' - Calculate a Digest authentication response - * using the appropriate RFC 2068/2617/7616 - * algorithm. - */ + // + // '_httpSetDigestAuthString()' - Calculate a Digest authentication response using the appropriate RFC 2068/2617/7616 algorithm. + // - int /* O - 1 on success, 0 on failure */ + int // O - 1 on success, 0 on failure _httpSetDigestAuthString( - http_t *http, /* I - HTTP connection */ - const char *nonce, /* I - Nonce value */ - const char *method, /* I - HTTP method */ - const char *resource) /* I - HTTP resource path */ + http_t *http, // I - HTTP connection + const char *nonce, // I - Nonce value + const char *method, // I - HTTP method + const char *resource) // I - HTTP resource path { - char kd[65], /* Final MD5/SHA-256 digest */ - ha1[65], /* Hash of username:realm:password */ - ha2[65], /* Hash of method:request-uri */ + char kd[65], // Final MD5/SHA-256 digest + ha1[65], // Hash of username:realm:password + ha2[65], // Hash of method:request-uri username[HTTP_MAX_VALUE], - /* username:password */ - *password, /* Pointer to password */ - temp[1024], /* Temporary string */ - digest[1024]; /* Digest auth data */ - unsigned char hash[32]; /* Hash buffer */ - size_t hashsize; /* Size of hash */ - _cups_globals_t *cg = _cupsGlobals(); /* Per-thread globals */ + // username:password + *password, // Pointer to password + temp[1024], // Temporary string + digest[1024]; // Digest auth data + unsigned char hash[32]; // Hash buffer + size_t hashsize; // Size of hash + _cups_globals_t *cg = _cupsGlobals(); // Per-thread globals - DEBUG_printf(("2_httpSetDigestAuthString(http=%p, nonce=\"%s\", method=\"%s\", resource=\"%s\", qop=\"%s\")", (void *)http, nonce, method, resource,(http->qop[0]?http->qop:""))); - DEBUG_printf("2_httpSetDigestAuthString(http=%p, nonce=\"%s\", method=\"%s\", resource=\"%s\")", (void *)http, nonce, method, resource); ++ DEBUG_printf("2_httpSetDigestAuthString(http=%p, nonce=\"%s\", method=\"%s\", resource=\"%s\", qop=\"%s\")", (void *)http, nonce, method, resource, http->qop); if (nonce && *nonce && strcmp(nonce, http->nonce)) { @@@ -1351,46 -1177,20 +1177,40 @@@ else return (0); - if (http->algorithm[0]) + if (http->qop[0]) { - /* - * Follow RFC 2617/7616... - */ - + // Follow RFC 2617/7616... - int i; // Looping var - char cnonce[65]; // cnonce value - const char *hashalg; // Hashing algorithm + int i; /* Looping var */ + char cnonce[65]; /* cnonce value */ + const char *hashalg; /* Hashing algorithm */ + const char *qop; /* quality of protection */ + + DEBUG_puts("3_httpSetDigestAuthString: Follow RFC 2617/7616..."); for (i = 0; i < 64; i ++) cnonce[i] = "0123456789ABCDEF"[CUPS_RAND() & 15]; cnonce[64] = '\0'; + if (!_cups_strcasecmp(http->qop, "auth")) + { + /* + * RFC 2617: "auth" | "auth-int" | token + */ + + qop = "auth"; + } + else + { + /* + * Some other qop we don't support, skip this one... + */ + + return (0); + } + if (!_cups_strcasecmp(http->algorithm, "MD5")) { - /* - * RFC 2617 Digest with MD5 - */ - + // RFC 2617 Digest with MD5 if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5) { DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled."); @@@ -1430,29 -1222,27 +1242,29 @@@ hashsize = (size_t)cupsHashData(hashalg, (unsigned char *)temp, strlen(temp), hash, sizeof(hash)); cupsHashString(hash, hashsize, ha2, sizeof(ha2)); - /* KD = H(H(A1):nonce:nc:cnonce:qop:H(A2)) */ + // KD = H(H(A1):nonce:nc:cnonce:qop:H(A2)) - snprintf(temp, sizeof(temp), "%s:%s:%08x:%s:%s:%s", ha1, http->nonce, http->nonce_count, cnonce, "auth", ha2); + snprintf(temp, sizeof(temp), "%s:%s:%08x:%s:%s:%s", ha1, http->nonce, http->nonce_count, cnonce, qop, ha2); hashsize = (size_t)cupsHashData(hashalg, (unsigned char *)temp, strlen(temp), hash, sizeof(hash)); cupsHashString(hash, hashsize, kd, sizeof(kd)); - /* - * Pass the RFC 2617/7616 WWW-Authenticate header... - */ - + // Pass the RFC 2617/7616 WWW-Authenticate header... if (http->opaque[0]) - snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=auth, opaque=\"%s\", cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", cupsGetUser(), http->realm, http->nonce, http->algorithm, http->opaque, cnonce, http->nonce_count, resource, kd); + snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=%s, opaque=\"%s\", cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", cupsUser(), http->realm, http->nonce, http->algorithm, qop, http->opaque, cnonce, http->nonce_count, resource, kd); else - snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=auth, cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", username, http->realm, http->nonce, http->algorithm, cnonce, http->nonce_count, resource, kd); + snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=%s, cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", username, http->realm, http->nonce, http->algorithm, qop, cnonce, http->nonce_count, resource, kd); } else { - /* - * Use old RFC 2069 Digest method... - */ + // Use old RFC 2069 Digest method... + if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5) + { + DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled."); + return (0); + } + DEBUG_puts("3_httpSetDigestAuthString: Use old RFC 2069 Digest method..."); + - /* H(A1) = H(username:realm:password) */ + // H(A1) = H(username:realm:password) snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password); hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash)); cupsHashString(hash, hashsize, ha1, sizeof(ha1));