diff options
| author | James Yonan <james@openvpn.net> | 2010-05-11 19:32:41 +0000 |
|---|---|---|
| committer | James Yonan <james@openvpn.net> | 2010-05-11 19:32:41 +0000 |
| commit | b27dc04c366c031f4bb349e3235a2b0eb76c821a (patch) | |
| tree | ecf3f1de1ef0efd4fe0b802e8789988ae42fe271 /httpdigest.c | |
| parent | 8db6234db7dd61e9cef60baf1ace39f5575e8fbb (diff) | |
| download | openvpn-b27dc04c366c031f4bb349e3235a2b0eb76c821a.tar.gz openvpn-b27dc04c366c031f4bb349e3235a2b0eb76c821a.tar.xz openvpn-b27dc04c366c031f4bb349e3235a2b0eb76c821a.zip | |
Proxy improvements:
Improved the ability of http-auth "auto" flag to dynamically detect
the auth method required by the proxy.
Added http-auth "auto-nct" flag to reject weak proxy auth methods.
Added HTTP proxy digest authentication method.
Removed extraneous openvpn_sleep calls from proxy.c.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5628 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'httpdigest.c')
| -rw-r--r-- | httpdigest.c | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/httpdigest.c b/httpdigest.c new file mode 100644 index 0000000..abe5bea --- /dev/null +++ b/httpdigest.c @@ -0,0 +1,143 @@ +/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include "syshead.h"
+
+#if PROXY_DIGEST_AUTH
+
+#include "crypto.h"
+#include "httpdigest.h"
+
+static void
+CvtHex(
+ IN HASH Bin,
+ OUT HASHHEX Hex
+ )
+{
+ unsigned short i;
+ unsigned char j;
+
+ for (i = 0; i < HASHLEN; i++) {
+ j = (Bin[i] >> 4) & 0xf;
+ if (j <= 9)
+ Hex[i*2] = (j + '0');
+ else
+ Hex[i*2] = (j + 'a' - 10);
+ j = Bin[i] & 0xf;
+ if (j <= 9)
+ Hex[i*2+1] = (j + '0');
+ else
+ Hex[i*2+1] = (j + 'a' - 10);
+ };
+ Hex[HASHHEXLEN] = '\0';
+};
+
+/* calculate H(A1) as per spec */
+void
+DigestCalcHA1(
+ IN char * pszAlg,
+ IN char * pszUserName,
+ IN char * pszRealm,
+ IN char * pszPassword,
+ IN char * pszNonce,
+ IN char * pszCNonce,
+ OUT HASHHEX SessionKey
+ )
+{
+ MD5_CTX Md5Ctx;
+ HASH HA1;
+
+ MD5_Init(&Md5Ctx);
+ MD5_Update(&Md5Ctx, pszUserName, strlen(pszUserName));
+ MD5_Update(&Md5Ctx, ":", 1);
+ MD5_Update(&Md5Ctx, pszRealm, strlen(pszRealm));
+ MD5_Update(&Md5Ctx, ":", 1);
+ MD5_Update(&Md5Ctx, pszPassword, strlen(pszPassword));
+ MD5_Final(HA1, &Md5Ctx);
+ if (pszAlg && stricmp(pszAlg, "md5-sess") == 0)
+ {
+ MD5_Init(&Md5Ctx);
+ MD5_Update(&Md5Ctx, HA1, HASHLEN);
+ MD5_Update(&Md5Ctx, ":", 1);
+ MD5_Update(&Md5Ctx, pszNonce, strlen(pszNonce));
+ MD5_Update(&Md5Ctx, ":", 1);
+ MD5_Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
+ MD5_Final(HA1, &Md5Ctx);
+ };
+ CvtHex(HA1, SessionKey);
+}
+
+/* calculate request-digest/response-digest as per HTTP Digest spec */
+void
+DigestCalcResponse(
+ IN HASHHEX HA1, /* H(A1) */
+ IN char * pszNonce, /* nonce from server */
+ IN char * pszNonceCount, /* 8 hex digits */
+ IN char * pszCNonce, /* client nonce */
+ IN char * pszQop, /* qop-value: "", "auth", "auth-int" */
+ IN char * pszMethod, /* method from the request */
+ IN char * pszDigestUri, /* requested URL */
+ IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */
+ OUT HASHHEX Response /* request-digest or response-digest */
+ )
+{
+ MD5_CTX Md5Ctx;
+ HASH HA2;
+ HASH RespHash;
+ HASHHEX HA2Hex;
+
+ // calculate H(A2)
+ MD5_Init(&Md5Ctx);
+ MD5_Update(&Md5Ctx, pszMethod, strlen(pszMethod));
+ MD5_Update(&Md5Ctx, ":", 1);
+ MD5_Update(&Md5Ctx, pszDigestUri, strlen(pszDigestUri));
+ if (stricmp(pszQop, "auth-int") == 0)
+ {
+ MD5_Update(&Md5Ctx, ":", 1);
+ MD5_Update(&Md5Ctx, HEntity, HASHHEXLEN);
+ };
+ MD5_Final(HA2, &Md5Ctx);
+ CvtHex(HA2, HA2Hex);
+
+ // calculate response
+ MD5_Init(&Md5Ctx);
+ MD5_Update(&Md5Ctx, HA1, HASHHEXLEN);
+ MD5_Update(&Md5Ctx, ":", 1);
+ MD5_Update(&Md5Ctx, pszNonce, strlen(pszNonce));
+ MD5_Update(&Md5Ctx, ":", 1);
+ if (*pszQop)
+ {
+ MD5_Update(&Md5Ctx, pszNonceCount, strlen(pszNonceCount));
+ MD5_Update(&Md5Ctx, ":", 1);
+ MD5_Update(&Md5Ctx, pszCNonce, strlen(pszCNonce));
+ MD5_Update(&Md5Ctx, ":", 1);
+ MD5_Update(&Md5Ctx, pszQop, strlen(pszQop));
+ MD5_Update(&Md5Ctx, ":", 1);
+ };
+ MD5_Update(&Md5Ctx, HA2Hex, HASHHEXLEN);
+ MD5_Final(RespHash, &Md5Ctx);
+ CvtHex(RespHash, Response);
+}
+
+#endif
|