[http] Cleanly shut down potentially looped interfaces
[ipxe.git] / src / net / tcp / httpdigest.c
1 /*
2 * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 *
19 * You can also choose to distribute this program under the terms of
20 * the Unmodified Binary Distribution Licence (as given in the file
21 * COPYING.UBDL), provided that you have satisfied its requirements.
22 */
23
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
26 /**
27 * @file
28 *
29 * Hyper Text Transfer Protocol (HTTP) Digest authentication
30 *
31 */
32
33 #include <stdio.h>
34 #include <errno.h>
35 #include <strings.h>
36 #include <ipxe/uri.h>
37 #include <ipxe/md5.h>
38 #include <ipxe/base16.h>
39 #include <ipxe/vsprintf.h>
40 #include <ipxe/http.h>
41
42 /* Disambiguate the various error causes */
43 #define EACCES_USERNAME __einfo_error ( EINFO_EACCES_USERNAME )
44 #define EINFO_EACCES_USERNAME \
45 __einfo_uniqify ( EINFO_EACCES, 0x01, \
46 "No username available for Digest authentication" )
47
48 /**
49 * Initialise HTTP Digest
50 *
51 * @v ctx Digest context
52 * @v string Initial string
53 */
54 static void http_digest_init ( struct md5_context *ctx ) {
55
56 /* Initialise MD5 digest */
57 digest_init ( &md5_algorithm, ctx );
58 }
59
60 /**
61 * Update HTTP Digest with new data
62 *
63 * @v ctx Digest context
64 * @v string String to append
65 */
66 static void http_digest_update ( struct md5_context *ctx, const char *string ) {
67 static const char colon = ':';
68
69 /* Add (possibly colon-separated) field to MD5 digest */
70 if ( ctx->len )
71 digest_update ( &md5_algorithm, ctx, &colon, sizeof ( colon ) );
72 digest_update ( &md5_algorithm, ctx, string, strlen ( string ) );
73 }
74
75 /**
76 * Finalise HTTP Digest
77 *
78 * @v ctx Digest context
79 * @v out Buffer for digest output
80 * @v len Buffer length
81 */
82 static void http_digest_final ( struct md5_context *ctx, char *out,
83 size_t len ) {
84 uint8_t digest[MD5_DIGEST_SIZE];
85
86 /* Finalise and base16-encode MD5 digest */
87 digest_final ( &md5_algorithm, ctx, digest );
88 base16_encode ( digest, sizeof ( digest ), out, len );
89 }
90
91 /**
92 * Perform HTTP Digest authentication
93 *
94 * @v http HTTP transaction
95 * @ret rc Return status code
96 */
97 static int http_digest_authenticate ( struct http_transaction *http ) {
98 struct http_request_auth *req = &http->request.auth;
99 struct http_response_auth *rsp = &http->response.auth;
100 char ha1[ base16_encoded_len ( MD5_DIGEST_SIZE ) + 1 /* NUL */ ];
101 char ha2[ base16_encoded_len ( MD5_DIGEST_SIZE ) + 1 /* NUL */ ];
102 static const char md5sess[] = "MD5-sess";
103 static const char md5[] = "MD5";
104 struct md5_context ctx;
105
106 /* Check for required response parameters */
107 if ( ! rsp->realm ) {
108 DBGC ( http, "HTTP %p has no realm for Digest authentication\n",
109 http );
110 return -EINVAL;
111 }
112 if ( ! rsp->nonce ) {
113 DBGC ( http, "HTTP %p has no nonce for Digest authentication\n",
114 http );
115 return -EINVAL;
116 }
117
118 /* Record username and password */
119 if ( ! http->uri->user ) {
120 DBGC ( http, "HTTP %p has no username for Digest "
121 "authentication\n", http );
122 return -EACCES_USERNAME;
123 }
124 req->username = http->uri->user;
125 req->password = ( http->uri->password ? http->uri->password : "" );
126
127 /* Handle quality of protection */
128 if ( rsp->qop ) {
129
130 /* Use "auth" in subsequent request */
131 req->qop = "auth";
132
133 /* Generate a client nonce */
134 snprintf ( req->cnonce, sizeof ( req->cnonce ),
135 "%08lx", random() );
136
137 /* Determine algorithm */
138 req->algorithm = md5;
139 if ( rsp->algorithm &&
140 ( strcasecmp ( rsp->algorithm, md5sess ) == 0 ) ) {
141 req->algorithm = md5sess;
142 }
143 }
144
145 /* Generate HA1 */
146 http_digest_init ( &ctx );
147 http_digest_update ( &ctx, req->username );
148 http_digest_update ( &ctx, rsp->realm );
149 http_digest_update ( &ctx, req->password );
150 http_digest_final ( &ctx, ha1, sizeof ( ha1 ) );
151 if ( req->algorithm == md5sess ) {
152 http_digest_init ( &ctx );
153 http_digest_update ( &ctx, ha1 );
154 http_digest_update ( &ctx, rsp->nonce );
155 http_digest_update ( &ctx, req->cnonce );
156 http_digest_final ( &ctx, ha1, sizeof ( ha1 ) );
157 }
158
159 /* Generate HA2 */
160 http_digest_init ( &ctx );
161 http_digest_update ( &ctx, http->request.method->name );
162 http_digest_update ( &ctx, http->request.uri );
163 http_digest_final ( &ctx, ha2, sizeof ( ha2 ) );
164
165 /* Generate response */
166 http_digest_init ( &ctx );
167 http_digest_update ( &ctx, ha1 );
168 http_digest_update ( &ctx, rsp->nonce );
169 if ( req->qop ) {
170 http_digest_update ( &ctx, HTTP_DIGEST_NC );
171 http_digest_update ( &ctx, req->cnonce );
172 http_digest_update ( &ctx, req->qop );
173 }
174 http_digest_update ( &ctx, ha2 );
175 http_digest_final ( &ctx, req->response, sizeof ( req->response ) );
176
177 return 0;
178 }
179
180 /**
181 * Construct HTTP "Authorization" header for Digest authentication
182 *
183 * @v http HTTP transaction
184 * @v buf Buffer
185 * @v len Length of buffer
186 * @ret len Length of header value, or negative error
187 */
188 static int http_format_digest_auth ( struct http_transaction *http,
189 char *buf, size_t len ) {
190 struct http_request_auth *req = &http->request.auth;
191 struct http_response_auth *rsp = &http->response.auth;
192 size_t used = 0;
193
194 /* Sanity checks */
195 assert ( rsp->realm != NULL );
196 assert ( rsp->nonce != NULL );
197 assert ( req->username != NULL );
198 if ( req->qop ) {
199 assert ( req->algorithm != NULL );
200 assert ( req->cnonce[0] != '\0' );
201 }
202 assert ( req->response[0] != '\0' );
203
204 /* Construct response */
205 used += ssnprintf ( ( buf + used ), ( len - used ),
206 "realm=\"%s\", nonce=\"%s\", uri=\"%s\", "
207 "username=\"%s\"", rsp->realm, rsp->nonce,
208 http->request.uri, req->username );
209 if ( rsp->opaque ) {
210 used += ssnprintf ( ( buf + used ), ( len - used ),
211 ", opaque=\"%s\"", rsp->opaque );
212 }
213 if ( req->qop ) {
214 used += ssnprintf ( ( buf + used ), ( len - used ),
215 ", qop=%s, algorithm=%s, cnonce=\"%s\", "
216 "nc=" HTTP_DIGEST_NC, req->qop,
217 req->algorithm, req->cnonce );
218 }
219 used += ssnprintf ( ( buf + used ), ( len - used ),
220 ", response=\"%s\"", req->response );
221
222 return used;
223 }
224
225 /** HTTP Digest authentication scheme */
226 struct http_authentication http_digest_auth __http_authentication = {
227 .name = "Digest",
228 .authenticate = http_digest_authenticate,
229 .format = http_format_digest_auth,
230 };
231
232 /* Drag in HTTP authentication support */
233 REQUIRING_SYMBOL ( http_digest_auth );
234 REQUIRE_OBJECT ( httpauth );