1
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
3
* The contents of this file are subject to the Mozilla Public
4
* License Version 1.1 (the "License"); you may not use this file
5
* except in compliance with the License. You may obtain a copy of
6
* the License at http://www.mozilla.org/MPL/
8
* Software distributed under the License is distributed on an "AS
9
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
10
* implied. See the License for the specific language governing
11
* rights and limitations under the License.
13
* The Original Code is mozilla.org code.
15
* The Initial Developer of the Original Code is Netscape
16
* Communications Corporation. Portions created by Netscape are
17
* Copyright (C) 1998 Netscape Communications Corporation. All
21
* Justin Bradford <jab@atdot.org> (original author of nsDigestAuth.cpp)
22
* An-Cheng Huang <pach@cs.cmu.edu>
23
* Darin Fisher <darin@netscape.com>
28
#include "nsHttpDigestAuth.h"
29
#include "nsIHttpChannel.h"
30
#include "nsIServiceManager.h"
32
#include "nsISupportsPrimitives.h"
35
#include "nsReadableUtils.h"
43
//-----------------------------------------------------------------------------
44
// nsHttpDigestAuth <public>
45
//-----------------------------------------------------------------------------
47
nsHttpDigestAuth::nsHttpDigestAuth()
49
mVerifier = do_GetService(SIGNATURE_VERIFIER_CONTRACTID);
50
mGotVerifier = (mVerifier != nsnull);
52
#if defined(PR_LOGGING)
54
LOG(("nsHttpDigestAuth: Got signature_verifier\n"));
56
LOG(("nsHttpDigestAuth: No signature_verifier available\n"));
61
//-----------------------------------------------------------------------------
62
// nsHttpDigestAuth::nsISupports
63
//-----------------------------------------------------------------------------
65
NS_IMPL_ISUPPORTS1(nsHttpDigestAuth, nsIHttpAuthenticator)
67
//-----------------------------------------------------------------------------
68
// nsHttpDigestAuth <protected>
69
//-----------------------------------------------------------------------------
72
nsHttpDigestAuth::MD5Hash(const char *buf, PRUint32 len)
75
return NS_ERROR_NOT_INITIALIZED;
80
rv = mVerifier->HashBegin(nsISignatureVerifier::MD5, &hid);
81
if (NS_FAILED(rv)) return rv;
83
// must call HashEnd to destroy |hid|
84
unsigned char cbuf[DIGEST_LENGTH], *chash = cbuf;
87
rv = mVerifier->HashUpdate(hid, buf, len);
88
rv |= mVerifier->HashEnd(hid, &chash, &clen, DIGEST_LENGTH);
90
memcpy(mHashBuf, chash, DIGEST_LENGTH);
95
nsHttpDigestAuth::GetMethodAndPath(nsIHttpChannel *httpChannel,
97
nsCString &httpMethod,
101
nsCOMPtr<nsIURI> uri;
102
rv = httpChannel->GetURI(getter_AddRefs(uri));
103
if (NS_SUCCEEDED(rv)) {
105
rv = uri->SchemeIs("https", &isSecure);
106
if (NS_SUCCEEDED(rv)) {
108
// if we are being called in response to a 407, and if the protocol
109
// is HTTPS, then we are really using a CONNECT method.
111
if (isSecure && isProxyAuth) {
112
httpMethod = NS_LITERAL_CSTRING("CONNECT");
114
// generate hostname:port string. (unfortunately uri->GetHostPort
115
// leaves out the port if it matches the default value, so we can't
119
rv = uri->GetAsciiHost(path);
120
rv |= uri->GetPort(&port);
121
if (NS_SUCCEEDED(rv)) {
123
path.AppendInt(port < 0 ? NS_HTTPS_DEFAULT_PORT : port);
127
rv = httpChannel->GetRequestMethod(httpMethod);
128
rv |= uri->GetPath(path);
129
if (NS_SUCCEEDED(rv)) {
131
// strip any fragment identifier from the URL path.
133
PRInt32 ref = path.RFindChar('#');
134
if (ref != kNotFound)
137
// make sure we escape any UTF-8 characters in the URI path. the
138
// digest auth uri attribute needs to match the request-URI.
140
// XXX we should really ask the HTTP channel for this string
141
// instead of regenerating it here.
144
path = NS_EscapeURL(path, esc_OnlyNonASCII, buf);
152
//-----------------------------------------------------------------------------
153
// nsHttpDigestAuth::nsIHttpAuthenticator
154
//-----------------------------------------------------------------------------
157
nsHttpDigestAuth::ChallengeReceived(nsIHttpChannel *httpChannel,
158
const char *challenge,
160
nsISupports **sessionState,
161
nsISupports **continuationState,
164
nsCAutoString realm, domain, nonce, opaque;
166
PRUint16 algorithm, qop;
168
nsresult rv = ParseChallenge(challenge, realm, domain, nonce, opaque,
169
&stale, &algorithm, &qop);
170
if (NS_FAILED(rv)) return rv;
172
// if the challenge has the "stale" flag set, then the user identity is not
173
// necessarily invalid. by returning FALSE here we can suppress username
174
// and password prompting that usually accompanies a 401/407 challenge.
177
// clear any existing nonce_count since we have a new challenge.
178
NS_IF_RELEASE(*sessionState);
183
nsHttpDigestAuth::GenerateCredentials(nsIHttpChannel *httpChannel,
184
const char *challenge,
186
const PRUnichar *userdomain,
187
const PRUnichar *username,
188
const PRUnichar *password,
189
nsISupports **sessionState,
190
nsISupports **continuationState,
194
LOG(("nsHttpDigestAuth::GenerateCredentials [challenge=%s]\n", challenge));
196
NS_ENSURE_ARG_POINTER(creds);
198
PRBool isDigestAuth = !PL_strncasecmp(challenge, "digest ", 7);
199
NS_ENSURE_TRUE(isDigestAuth, NS_ERROR_UNEXPECTED);
201
// IIS implementation requires extra quotes
202
PRBool requireExtraQuotes = PR_FALSE;
204
nsCAutoString serverVal;
205
httpChannel->GetResponseHeader(NS_LITERAL_CSTRING("Server"), serverVal);
206
if (!serverVal.IsEmpty()) {
207
requireExtraQuotes = !PL_strncasecmp(serverVal.get(), "Microsoft-IIS", 13);
212
nsCAutoString httpMethod;
214
rv = GetMethodAndPath(httpChannel, isProxyAuth, httpMethod, path);
215
if (NS_FAILED(rv)) return rv;
217
nsCAutoString realm, domain, nonce, opaque;
219
PRUint16 algorithm, qop;
221
rv = ParseChallenge(challenge, realm, domain, nonce, opaque,
222
&stale, &algorithm, &qop);
224
LOG(("nsHttpDigestAuth::GenerateCredentials [ParseChallenge failed rv=%x]\n", rv));
228
char ha1_digest[EXPANDED_DIGEST_LENGTH+1];
229
char ha2_digest[EXPANDED_DIGEST_LENGTH+1];
230
char response_digest[EXPANDED_DIGEST_LENGTH+1];
231
char upload_data_digest[EXPANDED_DIGEST_LENGTH+1];
233
if (qop & QOP_AUTH_INT) {
234
// we do not support auth-int "quality of protection" currently
235
qop &= ~QOP_AUTH_INT;
237
NS_WARNING("no support for Digest authentication with data integrity quality of protection");
239
/* TODO: to support auth-int, we need to get an MD5 digest of
240
* TODO: the data uploaded with this request.
241
* TODO: however, i am not sure how to read in the file in without
242
* TODO: disturbing the channel''s use of it. do i need to copy it
246
if (http_channel != nsnull)
248
nsIInputStream * upload;
249
nsCOMPtr<nsIUploadChannel> uc = do_QueryInterface(http_channel);
250
NS_ENSURE_TRUE(uc, NS_ERROR_UNEXPECTED);
251
uc->GetUploadStream(&upload);
253
char * upload_buffer;
254
int upload_buffer_length = 0;
255
//TODO: read input stream into buffer
256
const char * digest = (const char*)
257
nsNetwerkMD5Digest(upload_buffer, upload_buffer_length);
258
ExpandToHex(digest, upload_data_digest);
265
if (!(algorithm & ALGO_MD5 || algorithm & ALGO_MD5_SESS)) {
266
// they asked only for algorithms that we do not support
267
NS_WARNING("unsupported algorithm requested by Digest authentication");
268
return NS_ERROR_NOT_IMPLEMENTED;
272
// the following are for increasing security. see RFC 2617 for more
275
// nonce_count allows the server to keep track of auth challenges (to help
276
// prevent spoofing). we increase this count every time.
278
char nonce_count[NONCE_COUNT_LENGTH+1] = "00000001"; // in hex
280
nsCOMPtr<nsISupportsPRUint32> v(do_QueryInterface(*sessionState));
284
PR_snprintf(nonce_count, sizeof(nonce_count), "%08x", ++nc);
289
nsCOMPtr<nsISupportsPRUint32> v(
290
do_CreateInstance(NS_SUPPORTS_PRUINT32_CONTRACTID, &rv));
293
NS_ADDREF(*sessionState = v);
296
LOG((" nonce_count=%s\n", nonce_count));
299
// this lets the client verify the server response (via a server
300
// returned Authentication-Info header). also used for session info.
302
nsCAutoString cnonce;
303
static const char hexChar[] = "0123456789abcdef";
304
for (int i=0; i<16; ++i) {
305
cnonce.Append(hexChar[(int)(15.0 * rand()/(RAND_MAX + 1.0))]);
307
LOG((" cnonce=%s\n", cnonce.get()));
310
// calculate credentials
313
NS_ConvertUCS2toUTF8 cUser(username), cPass(password);
314
rv = CalculateHA1(cUser, cPass, realm, algorithm, nonce, cnonce, ha1_digest);
315
if (NS_FAILED(rv)) return rv;
317
rv = CalculateHA2(httpMethod, path, qop, upload_data_digest, ha2_digest);
318
if (NS_FAILED(rv)) return rv;
320
rv = CalculateResponse(ha1_digest, ha2_digest, nonce, qop, nonce_count,
321
cnonce, response_digest);
322
if (NS_FAILED(rv)) return rv;
324
nsCAutoString authString("Digest ");
325
authString += "username=\"";
327
authString += NS_LITERAL_CSTRING("\", realm=\"");
329
authString += NS_LITERAL_CSTRING("\", nonce=\"");
331
authString += NS_LITERAL_CSTRING("\", uri=\"");
333
if (algorithm & ALGO_SPECIFIED) {
334
authString += "\", algorithm=";
335
if (algorithm & ALGO_MD5_SESS)
336
authString += "MD5-sess";
342
authString += ", response=\"";
343
authString += response_digest;
345
if (!opaque.IsEmpty()) {
346
authString += "\", opaque=\"";
347
authString += opaque;
351
authString += "\", qop=";
352
if (requireExtraQuotes)
354
if (qop & QOP_AUTH_INT)
355
authString += "auth-int";
357
authString += "auth";
358
if (requireExtraQuotes)
360
authString += ", nc=";
361
authString += nonce_count;
362
authString += ", cnonce=\"";
363
authString += cnonce;
367
*creds = ToNewCString(authString);
372
nsHttpDigestAuth::GetAuthFlags(PRUint32 *flags)
374
*flags = REQUEST_BASED | REUSABLE_CHALLENGE;
376
// NOTE: digest auth credentials must be uniquely computed for each request,
377
// so we do not set the REUSABLE_CREDENTIALS flag.
383
nsHttpDigestAuth::CalculateResponse(const char * ha1_digest,
384
const char * ha2_digest,
385
const nsAFlatCString & nonce,
387
const char * nonce_count,
388
const nsAFlatCString & cnonce,
391
PRUint32 len = 2*EXPANDED_DIGEST_LENGTH + nonce.Length() + 2;
393
if (qop & QOP_AUTH || qop & QOP_AUTH_INT) {
394
len += cnonce.Length() + NONCE_COUNT_LENGTH + 3;
395
if (qop & QOP_AUTH_INT)
396
len += 8; // length of "auth-int"
398
len += 4; // length of "auth"
401
nsCAutoString contents;
402
contents.SetCapacity(len);
404
contents.Assign(ha1_digest, EXPANDED_DIGEST_LENGTH);
405
contents.Append(':');
406
contents.Append(nonce);
407
contents.Append(':');
409
if (qop & QOP_AUTH || qop & QOP_AUTH_INT) {
410
contents.Append(nonce_count, NONCE_COUNT_LENGTH);
411
contents.Append(':');
412
contents.Append(cnonce);
413
contents.Append(':');
414
if (qop & QOP_AUTH_INT)
415
contents.Append(NS_LITERAL_CSTRING("auth-int:"));
417
contents.Append(NS_LITERAL_CSTRING("auth:"));
420
contents.Append(ha2_digest, EXPANDED_DIGEST_LENGTH);
422
nsresult rv = MD5Hash(contents.get(), contents.Length());
423
if (NS_SUCCEEDED(rv))
424
rv = ExpandToHex(mHashBuf, result);
429
nsHttpDigestAuth::ExpandToHex(const char * digest, char * result)
431
PRInt16 index, value;
433
for (index = 0; index < DIGEST_LENGTH; index++) {
434
value = (digest[index] >> 4) & 0xf;
436
result[index*2] = value + '0';
438
result[index*2] = value - 10 + 'a';
440
value = digest[index] & 0xf;
442
result[(index*2)+1] = value + '0';
444
result[(index*2)+1] = value - 10 + 'a';
447
result[EXPANDED_DIGEST_LENGTH] = 0;
452
nsHttpDigestAuth::CalculateHA1(const nsAFlatCString & username,
453
const nsAFlatCString & password,
454
const nsAFlatCString & realm,
456
const nsAFlatCString & nonce,
457
const nsAFlatCString & cnonce,
460
PRInt16 len = username.Length() + password.Length() + realm.Length() + 2;
461
if (algorithm & ALGO_MD5_SESS) {
462
PRInt16 exlen = EXPANDED_DIGEST_LENGTH + nonce.Length() + cnonce.Length() + 2;
467
nsCAutoString contents;
468
contents.SetCapacity(len + 1);
470
contents.Assign(username);
471
contents.Append(':');
472
contents.Append(realm);
473
contents.Append(':');
474
contents.Append(password);
477
rv = MD5Hash(contents.get(), contents.Length());
481
if (algorithm & ALGO_MD5_SESS) {
482
char part1[EXPANDED_DIGEST_LENGTH+1];
483
ExpandToHex(mHashBuf, part1);
485
contents.Assign(part1, EXPANDED_DIGEST_LENGTH);
486
contents.Append(':');
487
contents.Append(nonce);
488
contents.Append(':');
489
contents.Append(cnonce);
491
rv = MD5Hash(contents.get(), contents.Length());
496
return ExpandToHex(mHashBuf, result);
500
nsHttpDigestAuth::CalculateHA2(const nsAFlatCString & method,
501
const nsAFlatCString & path,
503
const char * bodyDigest,
506
PRInt16 methodLen = method.Length();
507
PRInt16 pathLen = path.Length();
508
PRInt16 len = methodLen + pathLen + 1;
510
if (qop & QOP_AUTH_INT) {
511
len += EXPANDED_DIGEST_LENGTH + 1;
514
nsCAutoString contents;
515
contents.SetCapacity(len);
517
contents.Assign(method);
518
contents.Append(':');
519
contents.Append(path);
521
if (qop & QOP_AUTH_INT) {
522
contents.Append(':');
523
contents.Append(bodyDigest, EXPANDED_DIGEST_LENGTH);
526
nsresult rv = MD5Hash(contents.get(), contents.Length());
527
if (NS_SUCCEEDED(rv))
528
rv = ExpandToHex(mHashBuf, result);
533
nsHttpDigestAuth::ParseChallenge(const char * challenge,
539
PRUint16 * algorithm,
542
const char *p = challenge + 7; // first 7 characters are "Digest "
545
*algorithm = ALGO_MD5; // default is MD5
549
while (*p && (*p == ',' || nsCRT::IsAsciiSpace(*p)))
555
PRInt16 nameStart = (p - challenge);
556
while (*p && !nsCRT::IsAsciiSpace(*p) && *p != '=')
559
return NS_ERROR_INVALID_ARG;
560
PRInt16 nameLength = (p - challenge) - nameStart;
562
while (*p && (nsCRT::IsAsciiSpace(*p) || *p == '='))
565
return NS_ERROR_INVALID_ARG;
567
PRBool quoted = PR_FALSE;
574
PRInt16 valueStart = (p - challenge);
575
PRInt16 valueLength = 0;
577
while (*p && *p != '"')
580
return NS_ERROR_INVALID_ARG;
581
valueLength = (p - challenge) - valueStart;
584
while (*p && !nsCRT::IsAsciiSpace(*p) && *p != ',')
586
valueLength = (p - challenge) - valueStart;
589
// extract information
590
if (nameLength == 5 &&
591
nsCRT::strncasecmp(challenge+nameStart, "realm", 5) == 0)
593
realm.Assign(challenge+valueStart, valueLength);
595
else if (nameLength == 6 &&
596
nsCRT::strncasecmp(challenge+nameStart, "domain", 6) == 0)
598
domain.Assign(challenge+valueStart, valueLength);
600
else if (nameLength == 5 &&
601
nsCRT::strncasecmp(challenge+nameStart, "nonce", 5) == 0)
603
nonce.Assign(challenge+valueStart, valueLength);
605
else if (nameLength == 6 &&
606
nsCRT::strncasecmp(challenge+nameStart, "opaque", 6) == 0)
608
opaque.Assign(challenge+valueStart, valueLength);
610
else if (nameLength == 5 &&
611
nsCRT::strncasecmp(challenge+nameStart, "stale", 5) == 0)
613
if (nsCRT::strncasecmp(challenge+valueStart, "true", 4) == 0)
618
else if (nameLength == 9 &&
619
nsCRT::strncasecmp(challenge+nameStart, "algorithm", 9) == 0)
621
// we want to clear the default, so we use = not |= here
622
*algorithm = ALGO_SPECIFIED;
623
if (valueLength == 3 &&
624
nsCRT::strncasecmp(challenge+valueStart, "MD5", 3) == 0)
625
*algorithm |= ALGO_MD5;
626
else if (valueLength == 8 &&
627
nsCRT::strncasecmp(challenge+valueStart, "MD5-sess", 8) == 0)
628
*algorithm |= ALGO_MD5_SESS;
630
else if (nameLength == 3 &&
631
nsCRT::strncasecmp(challenge+nameStart, "qop", 3) == 0)
633
PRInt16 ipos = valueStart;
634
while (ipos < valueStart+valueLength) {
635
while (ipos < valueStart+valueLength &&
636
(nsCRT::IsAsciiSpace(challenge[ipos]) ||
637
challenge[ipos] == ','))
639
PRInt16 algostart = ipos;
640
while (ipos < valueStart+valueLength &&
641
!nsCRT::IsAsciiSpace(challenge[ipos]) &&
642
challenge[ipos] != ',')
644
if ((ipos - algostart) == 4 &&
645
nsCRT::strncasecmp(challenge+algostart, "auth", 4) == 0)
647
else if ((ipos - algostart) == 8 &&
648
nsCRT::strncasecmp(challenge+algostart, "auth-int", 8) == 0)
649
*qop |= QOP_AUTH_INT;