htaabrow.c

www工具包. 这是W3C官方支持的www支撑库. 其中提供通用目的的客户端的WebAPI: complete HTTP/1.1 (with caching, pipelining, PUT, POS

PRIVATE BOOL digest_credentials (HTRequest * request, HTDigest * digest)
{
    if (request && digest && digest->realm)
    {
        char * realm = (char *) digest->realm;
	char * uri;
	char * method = (char *) HTMethod_name (HTRequest_method (request));
	char * cleartext = NULL;
	char nc[9];
	HASHHEX HA1;
        HASHHEX HA2;
	HASHHEX response;

	/* @@ maybe optimize all my reallocs by preallocating the memory */

	if (digest->proxy)
	    uri = HTRequest_proxy(request);
	else {
	     char * tmp;
	     /* we get the absolute URL */
	     tmp = HTAnchor_address( (HTAnchor*)HTRequest_anchor(request));
	     /* and then remove what makes it absolute, to be backwards
		compatible */
	     uri = HTParse (tmp, "", PARSE_PATH | PARSE_PUNCTUATION);
	     HT_FREE(tmp);
	}

	/* increment the nonce counter */
	digest->nc++;
	sprintf (nc, "%08lx", digest->nc);
	add_param (&cleartext, "username", digest->uid, YES);
	add_param (&cleartext, "realm", realm, YES);
	add_param (&cleartext, "nonce", digest->nonce, YES);
	add_param (&cleartext, "uri", uri, YES);
	/* @@@  no support for auth-int yet */
	if (digest->qop) {
	    add_param (&cleartext, "qop", "auth", NO);
	    add_param (&cleartext, "nc", nc, NO);
	    add_param (&cleartext, "cnonce", digest->cnonce, YES);
	}
	/* compute the response digest */
	/* @@@ md5 hard coded, change it to something from the answer, 
	   md5-sess, etc */
	DigestCalcHA1 (digest->algorithm, "md5", digest->uid, realm, digest->pw, digest->nonce,
		       digest->cnonce, HA1);
	DigestCalcResponse (digest->algorithm, HA1, digest->nonce, nc, digest->cnonce,
			    digest->qop, method, uri, HA2, response);
	add_param (&cleartext, "response", response, NO);
	add_param (&cleartext, "opaque", digest->opaque, NO);

	/* Create the credentials and assign them to the request object */
	{
 	    int cr_len = strlen ("Digest") + strlen (cleartext) + 3;
	    char * cookie = (char *) HT_MALLOC(cr_len+1);
	    if (!cookie) HT_OUTOFMEM("digest_credentials");
	    strcpy(cookie, "Digest ");
	    strcat (cookie, cleartext);
	    HTTRACE(AUTH_TRACE, "Digest Cookie `%s\'\n" _ cookie);

	    /* Check whether it is proxy or normal credentials */
	    if (digest->proxy)
		HTRequest_addCredentials(request, "Proxy-Authorization",
					 cookie);
	    else
		HTRequest_addCredentials(request, "Authorization", cookie);

	    HT_FREE(cookie);
	}
	if (!digest->proxy)
	  HT_FREE(uri);
	HT_FREE(cleartext);
	return HT_OK;
    }
    return HT_ERROR;
}

/*	HTDigest_generate
**	----------------
**	This function generates "digest" credentials for the challenge found in
**	the authentication information base for this request. The result is
**	stored as an association list in the request object.
**	This is a callback function for the AA handler.
*/
PUBLIC int HTDigest_generate (HTRequest * request, void * context, int mode)
{ 
    HTDigest * digest = (HTDigest *) context;
    BOOL proxy = mode==HT_NO_PROXY_ACCESS ? YES : NO;
    if (request) {
	const char * realm = HTRequest_realm(request);

	/*
	**  If we were asked to explicitly ask the user again
	*/
	if (mode == HT_REAUTH || mode == HT_PROXY_REAUTH)
	    digest->retry = YES;

	/*
	** If we don't have a digest context then add a new one to the tree.
	** We use different trees for normal and proxy authentication
	*/
	if (!digest) {
	    digest = HTDigest_new();
	    if (proxy) {
		char * url = HTRequest_proxy(request);
		digest->proxy = YES;
		HTAA_updateNode(proxy, DIGEST_AUTH, realm, url, digest);
	    } else {
		char * url = HTAnchor_address((HTAnchor*)HTRequest_anchor(request));
		HTAA_updateNode(proxy, DIGEST_AUTH, realm, url, digest);
		HT_FREE(url);
	    }
	}

	/*
	** If we have a set of credentials (or the user provides a new set)
	** then store it in the request object as the credentials
	*/
	if ((digest->retry && 
	     prompt_digest_user(request, realm, digest) == HT_OK) ||
	    (!digest->retry && digest->uid)) {
	/* @@@ here we should generate a new cnonce value */
	    HTSACopy (&(digest->cnonce), "012345678");
	    digest->retry = NO;
	    return digest_credentials(request, digest);
	} else {
	    char * url = HTAnchor_address((HTAnchor*)HTRequest_anchor(request));
	    if (proxy)
		HTAA_deleteNode(proxy, DIGEST_AUTH, realm, url);
	    else
		HTAA_deleteNode(proxy, DIGEST_AUTH, realm, url);
	    HT_FREE(url);
	    return HT_ERROR;
	}
    }
    return HT_OK;
}

/*
**	Evaluates the existing authentication info (nonce, uid, pwd) and
**      returns TRUE if we evaluate that the nonce is stale, FALSE
**      otherwise.
*/
PRIVATE BOOL nonce_is_stale (HTRequest *request, HTDigest * digest, char * old_nonce)
{
  if (!digest->uid || !digest->pw)
      return FALSE;
  if (!digest->nonce || !old_nonce)
     return FALSE;
  if (strcmp (digest->nonce, old_nonce))
     return TRUE;
  /* because of a pipelining implementation bug, we don't send any good
     credentials on requests following the first one in the pipeline  */
  if (!HTRequest_credentials (request) && HTRequest_AAretrys (request) == 1)
     return TRUE;
  
  return FALSE;
}

/*	HTDigest_parse
**	-------------
**	This function parses the contents of a "digest" challenge 
**	and stores the challenge in our authentication information datebase.
**	We also store the realm in the request object which will help finding
**	the right set of credentials to generate.
**	The function is a callback function for the AA handler.
*/
PUBLIC int HTDigest_parse (HTRequest * request, HTResponse * response,
			   void * context, int status)
{
    HTAssocList * challenge = HTResponse_challenge(response);
    HTDigest * digest = NULL;    
    BOOL proxy = status==HT_NO_PROXY_ACCESS ? YES : NO;
    if (request && challenge) {
	char * p = HTAssocList_findObject(challenge, DIGEST_AUTH);
	char * realm =  HTNextField(&p);
	char * rm    =  HTNextField(&p);
	char * value = NULL;
	char * token = NULL;
	char * uris = NULL;
	/* the value of the previous nonce in case the server has changed its
	   challenge */
	char * old_nonce = NULL;

	/*
	** If valid challenge then make a template for the resource and
	** store this information in our authentication URL Tree
	*/
	if (realm && !strcasecomp(realm, "realm") && rm) {
	    HTTRACE(AUTH_TRACE, "Digest Parse. Realm `%s\' found\n" _ rm);
	    HTRequest_setRealm(request, rm);

	    /*
	    **  If we are in proxy mode then add the proxy - not the final URL
	    */
	    if (proxy) {
		char * url = HTRequest_proxy(request);
		HTTRACE(AUTH_TRACE, "Digest Parse. Proxy authentication\n");
		digest = (HTDigest *) HTAA_updateNode(proxy, DIGEST_AUTH, rm,
						      url, NULL);
		/* if the previous authentication failed, then try again */
		if (HTRequest_AAretrys (request) > 1 
		    && status == HT_NO_ACCESS && digest)
		  digest->retry = YES;
	    } else {
		char * url = HTAnchor_address((HTAnchor *)
					      HTRequest_anchor(request));
		char * tmplate = make_template(url);
		digest = (HTDigest *) HTAA_updateNode(proxy, DIGEST_AUTH, rm,
						      tmplate, NULL);
		/* if the previous authentication failed, then try again */
		if (HTRequest_AAretrys (request) > 1 
		    && status == HT_NO_ACCESS && digest)
		  digest->retry = YES;
		HT_FREE(tmplate);
		HT_FREE(url);
	    }
	} else {
	    HTTRACE(AUTH_TRACE, "Digest Parse. Missing or incomplete realm\n");
	    return HT_ERROR;
	}


	/* if we get here it's because there's no digest */
	/* we parse the digest parameters from the challenge */

	if (digest) {
	    /* it's an old digest, so we clean all in it except for the
	       uid and the password, hoping that the server send back
	       that data */
	    old_nonce = digest->nonce;
	    digest->nonce = NULL;
	    HTDigest_reset (digest);
	} else {
	    /* it's a brand new digest */
	    digest = HTDigest_new();
	    StrAllocCopy (digest->realm, rm);
	}

	/*
	**  Search through the set of parameters in the digest header.
	**  If valid challenge then make a template for the resource and
	**  store this information in our authentication URL Tree
	*/
	while ((token = HTNextField(&p))) {
	    if (!strcasecomp(token, "domain")) {
		if ((value = HTNextField(&p)))
		    uris = value;
	    } else if (!strcasecomp(token, "nonce")) {
		if ((value = HTNextField(&p)))
		    StrAllocCopy(digest->nonce, value);
	    } else if (!strcasecomp(token, "opaque")) {
		if ((value = HTNextField(&p)))
		    StrAllocCopy(digest->opaque, value);
	    } else if (!strcasecomp(token, "qop")) {
		/* split the qop */
		if ((value = HTNextField(&p)))
		    StrAllocCopy(digest->qop, value);
	    } else if (!strcasecomp(token, "stale")) {
		if ((value = HTNextField(&p)) && !strcasecomp(value, "true")) {
		    /* only true if we already had a digest with uid and pw info */
		    if (digest->uid && digest->pw) {
			digest->stale = YES;		
		    }
		}
	    } else if (!strcasecomp(token, "algorithm")) {
		if ((value = HTNextField(&p)) && strcasecomp(value, "md5")) {
		    /*
		    **  We only support MD5 for the moment
		    */
		    HTTRACE(AUTH_TRACE, "Digest Parse Unknown algorithm `%s\'\n" _ value);
		    HTDigest_delete(digest);
		    if (old_nonce)
		      HT_FREE (old_nonce);
		    return HT_ERROR;
		} else
		    digest->algorithm = HTDaMD5;
	    }
	}

	/* Pipelining support. If a nonce becomes stale When sending 
	** several requests thru the pipeline, we may miss the stale
	** reply in the server's answer. To avoid this, we keep a copy
	** of the nonce in each request. If the nonce wasn't explicitly
	** marked stale and if it's the same that we sent, then we 
	** consider that the uid/pwd pairs were false. Otherwise, we
	** assume the stole went stale before 
	*/
	if (!digest->stale && nonce_is_stale (request, digest, old_nonce))
	    digest->stale = YES;

	if (old_nonce)
	  HT_FREE (old_nonce);

	if (digest->stale) {
	    digest->stale = NO;
	    digest->retry = NO;
	    return HT_OK;
	}
	else if (digest->uid || digest->pw) {
	    /*
	    ** For some reason there was no stale nonce header and the
	    ** authentication failed so we have to ask the user if we should
	    ** try again. It may be because the user typed the wrong user name
	    ** and password
	    */
	    HTAlertCallback * prompt = HTAlert_find(HT_A_CONFIRM);

	    /*
	    ** Do we have a method registered for prompting the user whether
	    ** we should retry
	    */
	    if (prompt) {
		int code = proxy ?
		    HT_MSG_RETRY_PROXY_AUTH : HT_MSG_RETRY_AUTHENTICATION;
		if ((*prompt)(request, HT_A_CONFIRM, code,
			      NULL, NULL, NULL) != YES)
		    return HT_ERROR;
		return HT_OK;
	    }
	    return HT_ERROR;
	}

	/*
	** It's the first time we go this way, so we check the domain field to 
	** create the digest node entries for each URI.
	*/
	if (!uris) {
	    if (proxy) {
		/* we ignore the domain */
		char * location = HTRequest_proxy(request);
		HTTRACE(AUTH_TRACE, "Digest Parse Proxy authentication\n");
		HTAA_updateNode(proxy, DIGEST_AUTH, rm, location, digest);
	    } else {
		char * url = HTAnchor_address((HTAnchor *) HTRequest_anchor(request));
		char * tmplate = make_template(url);
		HTAA_updateNode(proxy, DIGEST_AUTH, rm, tmplate, digest);
		HT_FREE(url);
		HT_FREE(tmplate);
	    }
	} else {
	    char * base_url =
		HTAnchor_address((HTAnchor *) HTRequest_anchor(request));
	    char * domain_url;
	    char * full_url;

	    while ((domain_url = HTNextField (&uris))) {
		/* complete the URL if it's an absolute one */
		full_url = HTParse (domain_url, base_url, PARSE_ALL);
		digest->references++;
		if (proxy) {
		    HTTRACE(AUTH_TRACE, "Digest Parse Proxy authentication\n");
		    HTAA_updateNode(proxy, DIGEST_AUTH, rm, full_url, digest);
		} else {
		    char * tmplate = make_template(full_url);
		    HTAA_updateNode (proxy, DIGEST_AUTH, rm, tmplate, digest);
		    HT_FREE (tmplate);
		}
		HT_FREE (full_url);
	    }
	    HT_FREE (base_url);
	}
	return HT_OK;
    }	
    HTTRACE(AUTH_TRACE, "Auth........ No challenges found\n");
    return HT_ERROR;
}