Diffstat (limited to 'src')
-rw-r--r-- | src/ne_auth.c | 13 | ||||
-rw-r--r-- | src/ne_auth.h | 11 |
2 files changed, 22 insertions, 2 deletions
diff --git a/src/ne_auth.c b/src/ne_auth.c index ad44842..9015f21 100644 --- a/src/ne_auth.c +++ b/src/ne_auth.c @@ -846,6 +846,11 @@ static int digest_challenge(auth_session *sess, int attempt, challenge_error(errmsg, _("stale Digest challenge with new algorithm or realm")); return -1; } + else if (!parms->got_qop + && (parms->handler->protomask & NE_AUTH_WEAK_DIGEST) == 0) { + challenge_error(errmsg, _("weak Digest challenge not supported")); + return -1; + } hash = alg_to_hash[parms->alg]; p = ne_strhash(hash, "", NULL); @@ -1668,6 +1673,14 @@ static void auth_register(ne_session *sess, int isproxy, unsigned protomask, } } + /* For backwards-compatibility with older releases where DIGEST + * used to be defined as WEAKEST, if only WEAK_DIGEST is given, + * that implies DIGEST|WEAK_DIGEST. */ + if ((protomask & (NE_AUTH_WEAK_DIGEST|NE_AUTH_DIGEST)) == NE_AUTH_WEAK_DIGEST) { + NE_DEBUG(NE_DBG_HTTPAUTH, "auth: Weak Digest support compatibility mode.\n"); + protomask |= NE_AUTH_DIGEST; + } + if ((protomask & NE_AUTH_NEGOTIATE) == NE_AUTH_NEGOTIATE) { /* Map NEGOTIATE to NTLM | GSSAPI. */ protomask |= NE_AUTH_GSSAPI | NE_AUTH_NTLM; diff --git a/src/ne_auth.h b/src/ne_auth.h index a114f7f..d241920 100644 --- a/src/ne_auth.h +++ b/src/ne_auth.h 
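Review bot: The new `else if (!parms->got_qop ...)` branch in digest_challenge has no comment saying what "weak" means, and the error string "weak Digest challenge not supported" does not say either. Going by the header change in this commit, a challenge without qop is the RFC 2069 form, so I would add `/* No qop: RFC 2069-style challenge, which has no cnonce or nonce count; refuse unless the caller opted in with NE_AUTH_WEAK_DIGEST. */` above the branch. Whether got_qop is also set for a qop list holding only values the library does not implement is not visible in this hunk and is worth confirming, since that case would pass this check. The function body starts and ends outside the hunk.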
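Review bot: The comment added in auth_register is hard to parse ("DIGEST used to be defined as WEAKEST") and leaves out the security consequence of the compatibility mapping. A caller built against the old header passes 0x0002 for Digest, which now reads as NE_AUTH_WEAK_DIGEST alone, so it is mapped to DIGEST|WEAK_DIGEST and keeps accepting challenges without qop. Only callers recompiled against the new header get the stricter behaviour. I would word the comment as `/* Older releases defined NE_AUTH_DIGEST as 0x0002, now NE_AUTH_WEAK_DIGEST; a mask with only that bit keeps the old behaviour (DIGEST|WEAK_DIGEST), including RFC 2069 challenges. */`. The function starts and ends outside the hunk.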
@@ -77,8 +77,13 @@ void ne_set_proxy_auth(ne_session *sess, ne_auth_creds creds, void *userdata); * password, and certain aspects of the request, so prevents passive * attackers from obtaining the credentials; active attackers can * still modify most of the request/response if using an unsecured - * channel. */ -#define NE_AUTH_DIGEST (0x0002) + * channel. Supports algorithms from RFC 2617 and RFC 7616. */ +#define NE_AUTH_DIGEST (0x0080) + +/* NE_AUTH_WEAK_DIGEST: This may be used in conjunction with + * NE_AUTH_DIGEST to enable support for the older, weaker version of + * the Digest algorithm specified in RFC 2069. */ +#define NE_AUTH_WEAK_DIGEST (0x0002) /* NE_AUTH_NEGOTIATE: Negotiate uses GSSAPI/SSPI, or NTLM, to * authenticate the user; an active attacker can modify any of the @@ -108,6 +113,8 @@ void ne_set_proxy_auth(ne_session *sess, ne_auth_creds creds, void *userdata); * this must not be used over an unsecured channel. */ #define NE_AUTH_GSSAPI_ONLY (0x0040) +/* 0x0080 used for NE_AUTH_DIGEST */ + /* The default set of supported protocols, as deemed appropriate for * the given session scheme. */ #define NE_AUTH_DEFAULT (0x1000) |
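Review bot: The NE_AUTH_WEAK_DIGEST comment says the flag "may be used in conjunction with NE_AUTH_DIGEST" but does not document that passing it alone also enables NE_AUTH_DIGEST, which is what auth_register in src/ne_auth.c now does. I would add a sentence such as `If given without NE_AUTH_DIGEST, NE_AUTH_DIGEST is implied for compatibility with older releases.` It would also help to state that RFC 2069 challenges carry no qop or client nonce, so callers know what they are opting into. Because NE_AUTH_DIGEST moves from 0x0002 to 0x0080, any composite mask elsewhere in this header written as a numeric literal would change meaning; none is visible in this hunk, so that needs checking against the full file.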