mirror of https://github.com/ipxe/ipxe.git
235 lines
6.7 KiB
C
235 lines
6.7 KiB
C
/*
|
|
* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation; either version 2 of the
|
|
* License, or any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*
|
|
* You can also choose to distribute this program under the terms of
|
|
* the Unmodified Binary Distribution Licence (as given in the file
|
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
|
*/
|
|
|
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
|
|
|
/**
|
|
* @file
|
|
*
|
|
* Hyper Text Transfer Protocol (HTTP) Digest authentication
|
|
*
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <errno.h>
|
|
#include <strings.h>
|
|
#include <ipxe/uri.h>
|
|
#include <ipxe/md5.h>
|
|
#include <ipxe/base16.h>
|
|
#include <ipxe/vsprintf.h>
|
|
#include <ipxe/http.h>
|
|
|
|
/* Disambiguate the various error causes */
|
|
#define EACCES_USERNAME __einfo_error ( EINFO_EACCES_USERNAME )
|
|
#define EINFO_EACCES_USERNAME \
|
|
__einfo_uniqify ( EINFO_EACCES, 0x01, \
|
|
"No username available for Digest authentication" )
|
|
|
|
/**
|
|
* Initialise HTTP Digest
|
|
*
|
|
* @v ctx Digest context
|
|
* @v string Initial string
|
|
*/
|
|
static void http_digest_init ( struct md5_context *ctx ) {
|
|
|
|
/* Initialise MD5 digest */
|
|
digest_init ( &md5_algorithm, ctx );
|
|
}
|
|
|
|
/**
|
|
* Update HTTP Digest with new data
|
|
*
|
|
* @v ctx Digest context
|
|
* @v string String to append
|
|
*/
|
|
static void http_digest_update ( struct md5_context *ctx, const char *string ) {
|
|
static const char colon = ':';
|
|
|
|
/* Add (possibly colon-separated) field to MD5 digest */
|
|
if ( ctx->len )
|
|
digest_update ( &md5_algorithm, ctx, &colon, sizeof ( colon ) );
|
|
digest_update ( &md5_algorithm, ctx, string, strlen ( string ) );
|
|
}
|
|
|
|
/**
|
|
* Finalise HTTP Digest
|
|
*
|
|
* @v ctx Digest context
|
|
* @v out Buffer for digest output
|
|
* @v len Buffer length
|
|
*/
|
|
static void http_digest_final ( struct md5_context *ctx, char *out,
|
|
size_t len ) {
|
|
uint8_t digest[MD5_DIGEST_SIZE];
|
|
|
|
/* Finalise and base16-encode MD5 digest */
|
|
digest_final ( &md5_algorithm, ctx, digest );
|
|
base16_encode ( digest, sizeof ( digest ), out, len );
|
|
}
|
|
|
|
/**
|
|
* Perform HTTP Digest authentication
|
|
*
|
|
* @v http HTTP transaction
|
|
* @ret rc Return status code
|
|
*/
|
|
static int http_digest_authenticate ( struct http_transaction *http ) {
|
|
struct http_request_auth *req = &http->request.auth;
|
|
struct http_response_auth *rsp = &http->response.auth;
|
|
char ha1[ base16_encoded_len ( MD5_DIGEST_SIZE ) + 1 /* NUL */ ];
|
|
char ha2[ base16_encoded_len ( MD5_DIGEST_SIZE ) + 1 /* NUL */ ];
|
|
static const char md5sess[] = "MD5-sess";
|
|
static const char md5[] = "MD5";
|
|
struct md5_context ctx;
|
|
|
|
/* Check for required response parameters */
|
|
if ( ! rsp->realm ) {
|
|
DBGC ( http, "HTTP %p has no realm for Digest authentication\n",
|
|
http );
|
|
return -EINVAL;
|
|
}
|
|
if ( ! rsp->nonce ) {
|
|
DBGC ( http, "HTTP %p has no nonce for Digest authentication\n",
|
|
http );
|
|
return -EINVAL;
|
|
}
|
|
|
|
/* Record username and password */
|
|
if ( ! http->uri->user ) {
|
|
DBGC ( http, "HTTP %p has no username for Digest "
|
|
"authentication\n", http );
|
|
return -EACCES_USERNAME;
|
|
}
|
|
req->username = http->uri->user;
|
|
req->password = ( http->uri->password ? http->uri->password : "" );
|
|
|
|
/* Handle quality of protection */
|
|
if ( rsp->qop ) {
|
|
|
|
/* Use "auth" in subsequent request */
|
|
req->qop = "auth";
|
|
|
|
/* Generate a client nonce */
|
|
snprintf ( req->cnonce, sizeof ( req->cnonce ),
|
|
"%08lx", random() );
|
|
|
|
/* Determine algorithm */
|
|
req->algorithm = md5;
|
|
if ( rsp->algorithm &&
|
|
( strcasecmp ( rsp->algorithm, md5sess ) == 0 ) ) {
|
|
req->algorithm = md5sess;
|
|
}
|
|
}
|
|
|
|
/* Generate HA1 */
|
|
http_digest_init ( &ctx );
|
|
http_digest_update ( &ctx, req->username );
|
|
http_digest_update ( &ctx, rsp->realm );
|
|
http_digest_update ( &ctx, req->password );
|
|
http_digest_final ( &ctx, ha1, sizeof ( ha1 ) );
|
|
if ( req->algorithm == md5sess ) {
|
|
http_digest_init ( &ctx );
|
|
http_digest_update ( &ctx, ha1 );
|
|
http_digest_update ( &ctx, rsp->nonce );
|
|
http_digest_update ( &ctx, req->cnonce );
|
|
http_digest_final ( &ctx, ha1, sizeof ( ha1 ) );
|
|
}
|
|
|
|
/* Generate HA2 */
|
|
http_digest_init ( &ctx );
|
|
http_digest_update ( &ctx, http->request.method->name );
|
|
http_digest_update ( &ctx, http->request.uri );
|
|
http_digest_final ( &ctx, ha2, sizeof ( ha2 ) );
|
|
|
|
/* Generate response */
|
|
http_digest_init ( &ctx );
|
|
http_digest_update ( &ctx, ha1 );
|
|
http_digest_update ( &ctx, rsp->nonce );
|
|
if ( req->qop ) {
|
|
http_digest_update ( &ctx, HTTP_DIGEST_NC );
|
|
http_digest_update ( &ctx, req->cnonce );
|
|
http_digest_update ( &ctx, req->qop );
|
|
}
|
|
http_digest_update ( &ctx, ha2 );
|
|
http_digest_final ( &ctx, req->response, sizeof ( req->response ) );
|
|
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Construct HTTP "Authorization" header for Digest authentication
|
|
*
|
|
* @v http HTTP transaction
|
|
* @v buf Buffer
|
|
* @v len Length of buffer
|
|
* @ret len Length of header value, or negative error
|
|
*/
|
|
static int http_format_digest_auth ( struct http_transaction *http,
|
|
char *buf, size_t len ) {
|
|
struct http_request_auth *req = &http->request.auth;
|
|
struct http_response_auth *rsp = &http->response.auth;
|
|
size_t used = 0;
|
|
|
|
/* Sanity checks */
|
|
assert ( rsp->realm != NULL );
|
|
assert ( rsp->nonce != NULL );
|
|
assert ( req->username != NULL );
|
|
if ( req->qop ) {
|
|
assert ( req->algorithm != NULL );
|
|
assert ( req->cnonce[0] != '\0' );
|
|
}
|
|
assert ( req->response[0] != '\0' );
|
|
|
|
/* Construct response */
|
|
used += ssnprintf ( ( buf + used ), ( len - used ),
|
|
"realm=\"%s\", nonce=\"%s\", uri=\"%s\", "
|
|
"username=\"%s\"", rsp->realm, rsp->nonce,
|
|
http->request.uri, req->username );
|
|
if ( rsp->opaque ) {
|
|
used += ssnprintf ( ( buf + used ), ( len - used ),
|
|
", opaque=\"%s\"", rsp->opaque );
|
|
}
|
|
if ( req->qop ) {
|
|
used += ssnprintf ( ( buf + used ), ( len - used ),
|
|
", qop=%s, algorithm=%s, cnonce=\"%s\", "
|
|
"nc=" HTTP_DIGEST_NC, req->qop,
|
|
req->algorithm, req->cnonce );
|
|
}
|
|
used += ssnprintf ( ( buf + used ), ( len - used ),
|
|
", response=\"%s\"", req->response );
|
|
|
|
return used;
|
|
}
|
|
|
|
/** HTTP Digest authentication scheme */
|
|
struct http_authentication http_digest_auth __http_authentication = {
|
|
.name = "Digest",
|
|
.authenticate = http_digest_authenticate,
|
|
.format = http_format_digest_auth,
|
|
};
|
|
|
|
/* Drag in HTTP authentication support */
|
|
REQUIRING_SYMBOL ( http_digest_auth );
|
|
REQUIRE_OBJECT ( httpauth );
|