Commit 6e376532 authored by Daniel Stenberg

- Internet Explorer had a broken HTTP digest authentication before v7 and

  there are servers "out there" that rely on the client doing this broken
  Digest authentication. Apache even comes with an option to work with such
  broken clients.

  The difference is only for URLs that contain a query-part (a '?'-letter and
  text to the right of it).

  libcurl now supports this quirk, and you enable it by setting the
  CURLAUTH_DIGEST_IE bit in the bitmask you pass to the CURLOPT_HTTPAUTH or
  CURLOPT_PROXYAUTH options. They are thus individually controlled to server
  and proxy.
parent 4ed64fd5
+16 −0
@@ -6,6 +6,22 @@

                                  Changelog

Daniel Stenberg (11 Dec 2008)
- Internet Explorer had a broken HTTP digest authentication before v7 and
  there are servers "out there" that relies on the client doing this broken
  Digest authentication. Apache even comes with an option to work with such
  broken clients.

  The difference is only for URLs that contain a query-part (a '?'-letter and
  text to the right of it).

  libcurl now supports this quirk, and you enable it by setting the
  CURLAUTH_DIGEST_IE bit in the bitmask you pass to the CURLOPT_HTTPAUTH or
  CURLOPT_PROXYAUTH options. They are thus individually controlled to server
  and proxy.

  (note that there's no way to activate this with the curl tool yet)

Daniel Fandrich (9 Dec 2008)
- Added test cases 1089 and 1090 to test --write-out after a redirect to
  test a report that the size didn't work, but these test cases pass.
+1 −1
@@ -9,7 +9,7 @@ Curl and libcurl 7.19.3

This release includes the following changes:

 o 
 o CURLAUTH_DIGEST_IE bit added for CURLOPT_HTTPAUTH and CURLOPT_PROXYAUTH

This release includes the following bugfixes:

+8 −1
@@ -21,7 +21,7 @@
.\" * $Id$
.\" **************************************************************************
.\"
.TH curl_easy_setopt 3 "28 Oct 2008" "libcurl 7.19.1" "libcurl Manual"
.TH curl_easy_setopt 3 "11 Dec 2008" "libcurl 7.19.3" "libcurl Manual"
.SH NAME
curl_easy_setopt \- set options for a curl easy handle
.SH SYNOPSIS
@@ -661,6 +661,13 @@ others.
HTTP Digest authentication.  Digest authentication is defined in RFC2617 and
is a more secure way to do authentication over public networks than the
regular old-fashioned Basic method.
.IP CURLAUTH_DIGEST_IE
HTTP Digest authentication with an IE flavor.  Digest authentication is
defined in RFC2617 and is a more secure way to do authentication over public
networks than the regular old-fashioned Basic method. The IE flavor is simply
that libcurl will use a special "quirk" that IE is known to have used before
version 7 and that some servers require the client to use. (This define was
added in 7.19.3)
.IP CURLAUTH_GSSNEGOTIATE
HTTP GSS-Negotiate authentication. The GSS-Negotiate (also known as plain
\&"Negotiate") method was designed by Microsoft and is used in their web
+3 −2
@@ -474,8 +474,9 @@ typedef enum {
#define CURLAUTH_DIGEST       (1<<1)  /* Digest */
#define CURLAUTH_GSSNEGOTIATE (1<<2)  /* GSS-Negotiate */
#define CURLAUTH_NTLM         (1<<3)  /* NTLM */
#define CURLAUTH_ANY ~0               /* all types set */
#define CURLAUTH_ANYSAFE (~CURLAUTH_BASIC)
#define CURLAUTH_DIGEST_IE    (1<<4)  /* Digest with IE flavour */
#define CURLAUTH_ANY (~CURLAUTH_DIGEST_IE)  /* all fine types set */
#define CURLAUTH_ANYSAFE (~(CURLAUTH_BASIC|CURLAUTH_DIGEST_IE))

#define CURLSSH_AUTH_ANY       ~0     /* all types supported by the server */
#define CURLSSH_AUTH_NONE      0      /* none allowed, silly but complete */
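Review bot: Redefining `CURLAUTH_ANY` from `~0` to `(~CURLAUTH_DIGEST_IE)` only protects callers rebuilt against this header; a program compiled with the old value still passes bit 4 set, and whether the option handling then turns on the IE quirk is not visible in this section. If it does, such binaries would start sending the truncated-URI digest after a library upgrade without asking for it, so the code that reads the bitmask deserves a check for that case. The comment `/* all fine types set */` could also state the reason, for example `/* all types except Digest-IE, which must be requested explicitly */`.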
+19 −1
@@ -356,7 +356,25 @@ CURLcode Curl_output_digest(struct connectdata *conn,
    5.1.1 of RFC 2616)
  */

  /* So IE browsers < v7 cut off the URI part at the query part when they
     evaluate the MD5 and some (IIS?) servers work with them so we may need to
     do the Digest IE-style. Note that the different ways cause different MD5
     sums to get sent.

     Apache servers can be set to do the Digest IE-style automatically using
     the BrowserMatch feature:
     http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie

     Further details on Digest implementation differences:
     http://www.fngtps.com/2006/09/http-authentication
  */
  if(authp->iestyle && (tmp = strchr((char *)uripath, '?'))) {
    md5this = (unsigned char *)aprintf("%s:%.*s", request,
                                       (int)(tmp - (char *)uripath), uripath);
  }
  else
    md5this = (unsigned char *)aprintf("%s:%s", request, uripath);

  if(!md5this) {
    free(ha1);
    return CURLE_OUT_OF_MEMORY;
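Review bot: The comment above the `authp->iestyle` branch gives the interoperability reason but not the consequence: the query part is cut out of the `request:uri` string that gets hashed, so it is no longer covered by the digest response. I would add a sentence to that comment such as `Note: in this mode the query string is not protected by the digest, so enable it only for servers that require it.` The branch also pairs a braced `if` with an unbraced `else`; bracing both arms would keep a later added line from landing outside the `else`. Curl_output_digest starts and ends outside the hunk, so the declaration of `tmp` and whether the `uri=` value sent in the header is truncated the same way cannot be checked from here.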