Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use http->qop insted of http->algorithm to decide RFC 2617/7616 or RFC 2069 Digest response #260

Merged
merged 2 commits into from
Sep 10, 2023
Merged

use http->qop insted of http->algorithm to decide RFC 2617/7616 or RFC 2069 Digest response #260

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5f98700
use http->qop insted of http->algorithm to decide RFC 2617/7616 or RF…
Sep 26, 2021
5123875
Merge branch 'master' into http_auth_with_qop
michaelrsweet Sep 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions cups/auth.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -287,6 +287,7 @@ cupsDoAuthentication(

cups_auth_param(schemedata, "algorithm", http->algorithm, sizeof(http->algorithm));
cups_auth_param(schemedata, "opaque", http->opaque, sizeof(http->opaque));
cups_auth_param(schemedata, "qop", http->qop, sizeof(http->qop));
cups_auth_param(schemedata, "nonce", nonce, sizeof(nonce));
cups_auth_param(schemedata, "realm", http->realm, sizeof(http->realm));

Expand Down
2 changes: 2 additions & 0 deletions cups/http-private.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -294,6 +294,8 @@ struct _http_s /**** HTTP connection structure ****/
/* Next nonce value from Authentication-Info */
opaque[HTTP_MAX_VALUE],
/* Opaque value from WWW-Authenticate */
qop[HTTP_MAX_VALUE],
/* qop value from WWW-Authenticate */
realm[HTTP_MAX_VALUE];
/* Realm from WWW-Authenticate */

Expand Down
32 changes: 27 additions & 5 deletions cups/http-support.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1331,7 +1331,7 @@ _httpSetDigestAuthString(
_cups_globals_t *cg = _cupsGlobals(); /* Per-thread globals */


DEBUG_printf(("2_httpSetDigestAuthString(http=%p, nonce=\"%s\", method=\"%s\", resource=\"%s\")", (void *)http, nonce, method, resource));
DEBUG_printf(("2_httpSetDigestAuthString(http=%p, nonce=\"%s\", method=\"%s\", resource=\"%s\", qop=\"%s\")", (void *)http, nonce, method, resource,(http->qop[0]?http->qop:"")));

if (nonce && *nonce && strcmp(nonce, http->nonce))
{
Expand All @@ -1351,7 +1351,7 @@ _httpSetDigestAuthString(
else
return (0);

if (http->algorithm[0])
if (http->qop[0])
{
/*
* Follow RFC 2617/7616...
Expand All @@ -1360,11 +1360,31 @@ _httpSetDigestAuthString(
int i; /* Looping var */
char cnonce[65]; /* cnonce value */
const char *hashalg; /* Hashing algorithm */
const char *qop; /* quality of protection */

DEBUG_puts("3_httpSetDigestAuthString: Follow RFC 2617/7616...");

for (i = 0; i < 64; i ++)
cnonce[i] = "0123456789ABCDEF"[CUPS_RAND() & 15];
cnonce[64] = '\0';

if (!_cups_strcasecmp(http->qop, "auth"))
{
/*
* RFC 2617: "auth" | "auth-int" | token
*/

qop = "auth";
}
else
{
/*
* Some other qop we don't support, skip this one...
*/

return (0);
}

if (!_cups_strcasecmp(http->algorithm, "MD5"))
{
/*
Expand Down Expand Up @@ -1411,7 +1431,7 @@ _httpSetDigestAuthString(
cupsHashString(hash, hashsize, ha2, sizeof(ha2));

/* KD = H(H(A1):nonce:nc:cnonce:qop:H(A2)) */
snprintf(temp, sizeof(temp), "%s:%s:%08x:%s:%s:%s", ha1, http->nonce, http->nonce_count, cnonce, "auth", ha2);
snprintf(temp, sizeof(temp), "%s:%s:%08x:%s:%s:%s", ha1, http->nonce, http->nonce_count, cnonce, qop, ha2);
hashsize = (size_t)cupsHashData(hashalg, (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
cupsHashString(hash, hashsize, kd, sizeof(kd));

Expand All @@ -1420,16 +1440,18 @@ _httpSetDigestAuthString(
*/

if (http->opaque[0])
snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=auth, opaque=\"%s\", cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", cupsUser(), http->realm, http->nonce, http->algorithm, http->opaque, cnonce, http->nonce_count, resource, kd);
snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=%s, opaque=\"%s\", cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", cupsUser(), http->realm, http->nonce, http->algorithm, qop, http->opaque, cnonce, http->nonce_count, resource, kd);
else
snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=auth, cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", username, http->realm, http->nonce, http->algorithm, cnonce, http->nonce_count, resource, kd);
snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=%s, cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", username, http->realm, http->nonce, http->algorithm, qop, cnonce, http->nonce_count, resource, kd);
}
else
{
/*
* Use old RFC 2069 Digest method...
*/

DEBUG_puts("3_httpSetDigestAuthString: Use old RFC 2069 Digest method...");

/* H(A1) = H(username:realm:password) */
snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
Expand Down