1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 * RFC2195 CRAM-MD5 authentication
24 *
25 ***************************************************************************/
26
27 #include "curl_setup.h"
28
29 #ifndef CURL_DISABLE_DIGEST_AUTH
30
31 #include <curl/curl.h>
32 #include "urldata.h"
33
34 #include "vauth/vauth.h"
35 #include "curl_hmac.h"
36 #include "curl_md5.h"
37 #include "warnless.h"
38 #include "curl_printf.h"
39
40 /* The last #include files should be: */
41 #include "curl_memory.h"
42 #include "memdebug.h"
43
44
45 /*
46 * Curl_auth_create_cram_md5_message()
47 *
48 * This is used to generate a CRAM-MD5 response message ready for sending to
49 * the recipient.
50 *
51 * Parameters:
52 *
53 * chlg [in] - The challenge.
54 * userp [in] - The user name.
55 * passwdp [in] - The user's password.
56 * out [out] - The result storage.
57 *
58 * Returns CURLE_OK on success.
59 */
Curl_auth_create_cram_md5_message(const struct bufref * chlg,const char * userp,const char * passwdp,struct bufref * out)60 CURLcode Curl_auth_create_cram_md5_message(const struct bufref *chlg,
61 const char *userp,
62 const char *passwdp,
63 struct bufref *out)
64 {
65 struct HMAC_context *ctxt;
66 unsigned char digest[MD5_DIGEST_LEN];
67 char *response;
68
69 /* Compute the digest using the password as the key */
70 ctxt = Curl_HMAC_init(Curl_HMAC_MD5,
71 (const unsigned char *) passwdp,
72 curlx_uztoui(strlen(passwdp)));
73 if(!ctxt)
74 return CURLE_OUT_OF_MEMORY;
75
76 /* Update the digest with the given challenge */
77 if(Curl_bufref_len(chlg))
78 Curl_HMAC_update(ctxt, Curl_bufref_ptr(chlg),
79 curlx_uztoui(Curl_bufref_len(chlg)));
80
81 /* Finalise the digest */
82 Curl_HMAC_final(ctxt, digest);
83
84 /* Generate the response */
85 response = aprintf(
86 "%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
87 userp, digest[0], digest[1], digest[2], digest[3], digest[4],
88 digest[5], digest[6], digest[7], digest[8], digest[9], digest[10],
89 digest[11], digest[12], digest[13], digest[14], digest[15]);
90 if(!response)
91 return CURLE_OUT_OF_MEMORY;
92
93 Curl_bufref_set(out, response, strlen(response), curl_free);
94 return CURLE_OK;
95 }
96
97 #endif /* !CURL_DISABLE_DIGEST_AUTH */
98