digest: compute user:realm:pass digest w/o userhash
authorGlenn Strauss <gstrauss@gluelogic.com>
Sun, 28 Nov 2021 07:22:40 +0000 (02:22 -0500)
committerDaniel Stenberg <daniel@haxx.se>
Tue, 30 Nov 2021 12:57:46 +0000 (13:57 +0100)
https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4
  ... the client MUST calculate a hash of the username after
      any other hash calculation ...

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Closes #8066

lib/vauth/digest.c
tests/data/test2059
tests/data/test2063
tests/data/test2066
tests/data/test2069

index a04ffab6fb38e791165a0eee58f51092ea0c58b0..52179c265dee705cec0389f1354b5a008e0d864a 100644 (file)
@@ -722,8 +722,7 @@ static CURLcode auth_create_digest_http_message(
            unq(nonce-value) ":" unq(cnonce-value)
   */
 
-  hashthis = aprintf("%s:%s:%s", digest->userhash ? userh : userp,
-                                 digest->realm, passwdp);
+  hashthis = aprintf("%s:%s:%s", userp, digest->realm, passwdp);
   if(!hashthis)
     return CURLE_OUT_OF_MEMORY;
 
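Review bot: The rewritten A1 line `hashthis = aprintf("%s:%s:%s", userp, digest->realm, passwdp);` now correctly feeds the raw username into the hash, but nothing in the comment block above it says why, so a later reader seeing userhash=true may "fix" it back to `userh`. I would extend the comment that ends at `*/` with a line such as `RFC 7616 section 3.4.4: when userhash=true the hashed username is only used for the username= parameter; A1 is always computed from the unhashed username.` Since the removed line was one consumer of `userh`, it is presumably now only used when emitting the username= field further down; worth confirming that its computation is still guarded by `digest->userhash` so no hash is computed needlessly. auth_create_digest_http_message starts and continues outside this hunk.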
index 7ce80a3844e141e285ec0df57381bcf507ab1b84..0bf160c7d2ec57b395fe9a3b53cfbddf90bf02f4 100644 (file)
@@ -21,7 +21,7 @@ X-Powered-By: ASP.NET
 \r
 HTTP/1.1 401 authentication please swsbounce\r
 Server: Microsoft-IIS/6.0\r
-WWW-Authenticate: Digest realm="testrealm", algorithm="SHA-512-256", nonce="1053604144", userhash=true\r
+WWW-Authenticate: Digest realm="testrealm", algorithm="SHA-256", nonce="1053604144", userhash=true\r
 Content-Type: text/html; charset=iso-8859-1\r
 Content-Length: 0\r
 \r
@@ -43,7 +43,7 @@ X-Powered-By: ASP.NET
 \r
 HTTP/1.1 401 authentication please swsbounce\r
 Server: Microsoft-IIS/6.0\r
-WWW-Authenticate: Digest realm="testrealm", algorithm="SHA-512-256", nonce="1053604144", userhash=true\r
+WWW-Authenticate: Digest realm="testrealm", algorithm="SHA-256", nonce="1053604144", userhash=true\r
 Content-Type: text/html; charset=iso-8859-1\r
 Content-Length: 0\r
 \r
@@ -69,7 +69,7 @@ crypto
 proxy
 </features>
  <name>
-HTTP POST --digest with PUT, resumed upload, modified method, SHA-512-256 and userhash=true
+HTTP POST --digest with PUT, resumed upload, modified method, SHA-256 and userhash=true
  </name>
  <command>
 http://%HOSTIP:%HTTPPORT/%TESTNUMBER -u auser:apasswd --digest -T log/%TESTNUMBER -x  http://%HOSTIP:%HTTPPORT -C 2 -X GET
@@ -92,7 +92,7 @@ Content-Length: 0
 \r
 GET http://%HOSTIP:%HTTPPORT/%TESTNUMBER HTTP/1.1\r
 Host: %HOSTIP:%HTTPPORT\r
-Authorization: Digest username="fddc3bc7b753b73ab0848fd83cb20cbbca971258eb8d20c941dd5e0b010d66be", realm="testrealm", nonce="1053604144", uri="/%TESTNUMBER", response="fc09be8192851e284e73e8b719b32a2f6f91cca0594e68713da8c49dc2c1656e", algorithm=SHA-512-256, userhash=true\r
+Authorization: Digest username="fddc3bc7b753b73ab0848fd83cb20cbbca971258eb8d20c941dd5e0b010d66be", realm="testrealm", nonce="1053604144", uri="/%TESTNUMBER", response="22d200df1fd02a9d3a7269ef5bbb5bf8f16f184a74907df9b64a3755489c0b42", algorithm=SHA-256, userhash=true\r
 Content-Range: bytes 2-4/5\r
 User-Agent: curl/%VERSION\r
 Accept: */*\r
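Review bot: This section changes the algorithm under test from SHA-512-256 to SHA-256 in the WWW-Authenticate challenge, the test name and the expected Authorization line, which goes beyond re-recording the response= values that the A1 change implies, and the commit message does not explain the swap. If userhash=true with SHA-512-256 is still a supported combination, coverage for it is dropped here; either keep one of the tests on SHA-512-256 or note the reason for the change. Note also that the username= value is identical before and after although the algorithm label changed, which suggests both algorithm names use the same hash for the userhash in this code path — worth confirming against the implementation. The same applies to the test2063, test2066 and test2069 sections below.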
index 0854c8061043ad4a4ef789e811e7c058e97527d1..986a6ef6ab96f5dafc1c081426e6edcee28a997d 100644 (file)
@@ -11,7 +11,7 @@ HTTP Digest auth
 <data>
 HTTP/1.1 401 Authorization Required swsclose\r
 Server: Apache/1.3.27 (Darwin) PHP/4.1.2\r
-WWW-Authenticate: Digest realm="testrealm", nonce="1053604145", algorithm="SHA-512-256", userhash=true\r
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145", algorithm="SHA-256", userhash=true\r
 Content-Type: text/html; charset=iso-8859-1\r
 Content-Length: 26\r
 \r
@@ -32,7 +32,7 @@ This IS the real page!
 <datacheck>
 HTTP/1.1 401 Authorization Required swsclose\r
 Server: Apache/1.3.27 (Darwin) PHP/4.1.2\r
-WWW-Authenticate: Digest realm="testrealm", nonce="1053604145", algorithm="SHA-512-256", userhash=true\r
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145", algorithm="SHA-256", userhash=true\r
 Content-Type: text/html; charset=iso-8859-1\r
 Content-Length: 26\r
 \r
@@ -56,7 +56,7 @@ http
 crypto
 </features>
  <name>
-HTTP with RFC7616 SHA-512-256 Digest authorization and userhash=true
+HTTP with RFC7616 SHA-256 Digest authorization and userhash=true
  </name>
  <command>
 http://%HOSTIP:%HTTPPORT/%TESTNUMBER -u testuser:testpass --digest
@@ -73,7 +73,7 @@ Accept: */*
 \r
 GET /%TESTNUMBER HTTP/1.1\r
 Host: %HOSTIP:%HTTPPORT\r
-Authorization: Digest username="75af8a3500f771e58a52093a25e7905d6e428a511285c12ea1420c73078dfd61", realm="testrealm", nonce="1053604145", uri="/%TESTNUMBER", response="43f7ab531dff687b5dc75617daa59d1fd67d648341d6d2655ca65ef5064cfb51", algorithm=SHA-512-256, userhash=true\r
+Authorization: Digest username="75af8a3500f771e58a52093a25e7905d6e428a511285c12ea1420c73078dfd61", realm="testrealm", nonce="1053604145", uri="/%TESTNUMBER", response="6c470aec384ab1d4e12d3ce1f5b08303d8cad177e52ebe50ec1a3e141adb0cdc", algorithm=SHA-256, userhash=true\r
 User-Agent: curl/%VERSION\r
 Accept: */*\r
 \r
index 1f8d1982dc9dded7a3680fc3eb31f8c46cf8b2eb..4352afaf35e5fcccce9ac2439df3eeeb57b6c2dc 100644 (file)
@@ -11,7 +11,7 @@ HTTP Digest auth
 <data>
 HTTP/1.1 401 Authorization Required\r
 Server: Apache/1.3.27 (Darwin) PHP/4.1.2\r
-WWW-Authenticate: Digest realm="testrealm", nonce="2053604145", algorithm="SHA-512-256", userhash=true\r
+WWW-Authenticate: Digest realm="testrealm", nonce="2053604145", algorithm="SHA-256", userhash=true\r
 Content-Type: text/html; charset=iso-8859-1\r
 Content-Length: 26\r
 \r
@@ -32,7 +32,7 @@ This is not the real page either
 <datacheck>
 HTTP/1.1 401 Authorization Required\r
 Server: Apache/1.3.27 (Darwin) PHP/4.1.2\r
-WWW-Authenticate: Digest realm="testrealm", nonce="2053604145", algorithm="SHA-512-256", userhash=true\r
+WWW-Authenticate: Digest realm="testrealm", nonce="2053604145", algorithm="SHA-256", userhash=true\r
 Content-Type: text/html; charset=iso-8859-1\r
 Content-Length: 26\r
 \r
@@ -56,7 +56,7 @@ http
 crypto
 </features>
  <name>
-HTTP with RFC7616 Digest authorization with bad password, SHA-512-256 and userhash=true
+HTTP with RFC7616 Digest authorization with bad password, SHA-256 and userhash=true
  </name>
  <command>
 http://%HOSTIP:%HTTPPORT/%TESTNUMBER -u testuser:test2pass --digest
@@ -73,7 +73,7 @@ Accept: */*
 \r
 GET /%TESTNUMBER HTTP/1.1\r
 Host: %HOSTIP:%HTTPPORT\r
-Authorization: Digest username="75af8a3500f771e58a52093a25e7905d6e428a511285c12ea1420c73078dfd61", realm="testrealm", nonce="2053604145", uri="/%TESTNUMBER", response="a2e2ae589f575fb132991d6f550ef14bf7ef697d2fef1242d2498f07eafc77dc", algorithm=SHA-512-256, userhash=true\r
+Authorization: Digest username="75af8a3500f771e58a52093a25e7905d6e428a511285c12ea1420c73078dfd61", realm="testrealm", nonce="2053604145", uri="/%TESTNUMBER", response="374a35326cc09e7d1ec3165aee9de01cae46daac33d8999aa1f483fa7882b86c", algorithm=SHA-256, userhash=true\r
 User-Agent: curl/%VERSION\r
 Accept: */*\r
 \r
index 41a0c744d423704507a29680adbcfafd71efe46c..74d719fd3e9dc3730f79e333e35c9ca403ea551a 100644 (file)
@@ -12,7 +12,7 @@ HTTP Digest auth
 <data>
 HTTP/1.1 401 authentication please swsbounce\r
 Server: Microsoft-IIS/6.0\r
-WWW-Authenticate: Digest realm="testrealm", nonce="1053604144", algorithm="SHA-512-256", userhash=true\r
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604144", algorithm="SHA-256", userhash=true\r
 Content-Type: text/html; charset=iso-8859-1\r
 Content-Length: 0\r
 \r
@@ -29,7 +29,7 @@ ok
 <datacheck>
 HTTP/1.1 401 authentication please swsbounce\r
 Server: Microsoft-IIS/6.0\r
-WWW-Authenticate: Digest realm="testrealm", nonce="1053604144", algorithm="SHA-512-256", userhash=true\r
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604144", algorithm="SHA-256", userhash=true\r
 Content-Type: text/html; charset=iso-8859-1\r
 Content-Length: 0\r
 \r
@@ -54,7 +54,7 @@ http
 crypto
 </features>
 <name>
-HTTP POST --digest with SHA-512-256, userhash=true and user-specified Content-Length header
+HTTP POST --digest with SHA-256, userhash=true and user-specified Content-Length header
 </name>
 # This test is to ensure 'Content-Length: 0' is sent while negotiating auth
 # even when there is a user-specified Content-Length header.
@@ -76,7 +76,7 @@ Content-Type: application/x-www-form-urlencoded
 \r
 POST /%TESTNUMBER HTTP/1.1\r
 Host: %HOSTIP:%HTTPPORT\r
-Authorization: Digest username="fddc3bc7b753b73ab0848fd83cb20cbbca971258eb8d20c941dd5e0b010d66be", realm="testrealm", nonce="1053604144", uri="/%TESTNUMBER", response="ff13d977110a471f30de75e747976e4de78d7a3d2425cd23ff46e67f4bc9ead7", algorithm=SHA-512-256, userhash=true\r
+Authorization: Digest username="fddc3bc7b753b73ab0848fd83cb20cbbca971258eb8d20c941dd5e0b010d66be", realm="testrealm", nonce="1053604144", uri="/%TESTNUMBER", response="9a29f1dab407e62daa7121185f9f12db6177415e03f35d9a881550095a83378d", algorithm=SHA-256, userhash=true\r
 User-Agent: curl/%VERSION\r
 Accept: */*\r
 Content-Length: 11\r