digest_sspi: Fix nonce-count generation in HTTP digest

#if defined(USE_WINDOWS_SSPI)

  BYTE *input_token;

  size_t input_token_len;

  CtxtHandle *http_context;

#else

  char *nonce;

  char *cnonce;

                                              char **outptr, size_t *outlen)

{

  size_t token_max;

  CredHandle credentials;

  CtxtHandle context;

  char *resp;

  BYTE *output_token;

  size_t output_token_len;

  PSecPkgInfo SecurityPackage;

  SEC_WINNT_AUTH_IDENTITY identity;

  SEC_WINNT_AUTH_IDENTITY *p_identity;

  SecBuffer chlg_buf[3];

  SecBuffer resp_buf;

  SecBuffer chlg_buf[5];

  SecBufferDesc chlg_desc;

  SecBufferDesc resp_desc;

  SECURITY_STATUS status;

  unsigned long attrs;

  TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */

  TCHAR *spn;

  (void) data;

  /* Release the package buffer as it is not required anymore */

  s_pSecFn->FreeContextBuffer(SecurityPackage);

  /* Allocate the output buffer according to the max token size as indicated

     by the security package */

  output_token = malloc(token_max);

  if(!output_token) {

    return CURLE_OUT_OF_MEMORY;

  }

  if(digest->http_context) {

    chlg_desc.ulVersion    = SECBUFFER_VERSION;

    chlg_desc.cBuffers     = 5;

    chlg_desc.pBuffers     = chlg_buf;

    chlg_buf[0].BufferType = SECBUFFER_TOKEN;

    chlg_buf[0].pvBuffer   = NULL;

    chlg_buf[0].cbBuffer   = 0;

    chlg_buf[1].BufferType = SECBUFFER_PKG_PARAMS;

    chlg_buf[1].pvBuffer   = (void *) request;

    chlg_buf[1].cbBuffer   = curlx_uztoul(strlen((const char *) request));

    chlg_buf[2].BufferType = SECBUFFER_PKG_PARAMS;

    chlg_buf[2].pvBuffer   = (void *) uripath;

    chlg_buf[2].cbBuffer   = curlx_uztoul(strlen((const char *) uripath));

    chlg_buf[3].BufferType = SECBUFFER_PKG_PARAMS;

    chlg_buf[3].pvBuffer   = NULL;

    chlg_buf[3].cbBuffer   = 0;

    chlg_buf[4].BufferType = SECBUFFER_PADDING;

    chlg_buf[4].pvBuffer   = output_token;

    chlg_buf[4].cbBuffer   = curlx_uztoul(token_max);

    status = s_pSecFn->MakeSignature(digest->http_context, 0, &chlg_desc, 0);

    if(status == SEC_E_OK)

      output_token_len = chlg_buf[4].cbBuffer;

    else { /* delete the context so a new one can be made */

      infof(data, "digest_sspi: MakeSignature failed, error 0x%08lx\n",

            (long)status);

      s_pSecFn->DeleteSecurityContext(digest->http_context);

      Curl_safefree(digest->http_context);

    }

  }

  if(!digest->http_context) {

    CredHandle credentials;

    SEC_WINNT_AUTH_IDENTITY identity;

    SEC_WINNT_AUTH_IDENTITY *p_identity;

    SecBuffer resp_buf;

    SecBufferDesc resp_desc;

    unsigned long attrs;

    TimeStamp expiry; /* For Windows 9x compatibility of SSPI calls */

    TCHAR *spn;

    if(userp && *userp) {

      /* Populate our identity structure */

    if(Curl_create_sspi_identity(userp, passwdp, &identity))

      if(Curl_create_sspi_identity(userp, passwdp, &identity)) {

        free(output_token);

        return CURLE_OUT_OF_MEMORY;

      }

      /* Populate our identity domain */

      if(Curl_override_sspi_http_realm((const char *) digest->input_token,

                                     &identity))

                                       &identity)) {

        free(output_token);

        return CURLE_OUT_OF_MEMORY;

      }

      /* Allow proper cleanup of the identity structure */

      p_identity = &identity;

                                                &credentials, &expiry);

    if(status != SEC_E_OK) {

      Curl_sspi_free_identity(p_identity);

      free(output_token);

      return CURLE_LOGIN_DENIED;

    }

  /* Allocate the output buffer according to the max token size as indicated

     by the security package */

  output_token = malloc(token_max);

  if(!output_token) {

    s_pSecFn->FreeCredentialsHandle(&credentials);

    Curl_sspi_free_identity(p_identity);

    return CURLE_OUT_OF_MEMORY;

  }

    /* Setup the challenge "input" security buffer if present */

    chlg_desc.ulVersion    = SECBUFFER_VERSION;

    chlg_desc.cBuffers     = 3;

      return CURLE_OUT_OF_MEMORY;

    }

    /* Allocate our new context handle */

    digest->http_context = calloc(1, sizeof(CtxtHandle));

    if(!digest->http_context)

      return CURLE_OUT_OF_MEMORY;

    /* Generate our reponse message */

    status = s_pSecFn->InitializeSecurityContext(&credentials, NULL,

                                                 spn,

                                                 ISC_REQ_USE_HTTP_STYLE, 0, 0,

                                               &chlg_desc, 0, &context,

                                                 &chlg_desc, 0,

                                                 digest->http_context,

                                                 &resp_desc, &attrs, &expiry);

    Curl_unicodefree(spn);

      Curl_sspi_free_identity(p_identity);

      free(output_token);

      Curl_safefree(digest->http_context);

      return CURLE_OUT_OF_MEMORY;

    }

  resp = malloc(resp_buf.cbBuffer + 1);

  if(!resp) {

    s_pSecFn->DeleteSecurityContext(&context);

    s_pSecFn->FreeCredentialsHandle(&credentials);

    output_token_len = resp_buf.cbBuffer;

    s_pSecFn->FreeCredentialsHandle(&credentials);

    Curl_sspi_free_identity(p_identity);

  }

  resp = malloc(output_token_len + 1);

  if(!resp) {

    free(output_token);

    Curl_safefree(digest->http_context);

    return CURLE_OUT_OF_MEMORY;

  }

  /* Copy the generated reponse */

  memcpy(resp, resp_buf.pvBuffer, resp_buf.cbBuffer);

  resp[resp_buf.cbBuffer] = 0x00;

  memcpy(resp, output_token, output_token_len);

  resp[output_token_len] = 0;

  /* Return the response */

  *outptr = resp;

  *outlen = resp_buf.cbBuffer;

  /* Free our handles */

  s_pSecFn->DeleteSecurityContext(&context);

  s_pSecFn->FreeCredentialsHandle(&credentials);

  /* Free the identity structure */

  Curl_sspi_free_identity(p_identity);

  *outlen = output_token_len;

  /* Free the response buffer */

  free(output_token);

  /* Reset any variables */

  digest->input_token_len = 0;

  /* Delete security context */

  if(digest->http_context) {

    s_pSecFn->DeleteSecurityContext(digest->http_context);

    Curl_safefree(digest->http_context);

  }

}

#endif /* USE_WINDOWS_SSPI && !CURL_DISABLE_CRYPTO_AUTH */

test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \

test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \

\

test1280 test1281 test1282 test1283 test1284 test1285 \

test1280 test1281 test1282 test1283 test1284 test1285 test1286 \

\

test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \

test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \

<testcase>

<info>

<keywords>

HTTP

HTTP GET

HTTP Digest auth

followlocation

</keywords>

</info>

# Server-side

<reply>

<data>

HTTP/1.1 401 authentication please swsbounce

Server: Microsoft-IIS/6.0

WWW-Authenticate: Digest realm="testrealm", nonce="1053604144", qop="auth"

Content-Type: text/html; charset=iso-8859-1

Content-Length: 0

</data>

<data1000>

HTTP/1.1 302 Thanks for this, but we want to redir you!

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Location: /12860001

Content-Length: 0

</data1000>

<data1001>

HTTP/1.1 404 Not Found

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 0

</data1001>

<datacheck>

HTTP/1.1 401 authentication please swsbounce

Server: Microsoft-IIS/6.0

WWW-Authenticate: Digest realm="testrealm", nonce="1053604144", qop="auth"

Content-Type: text/html; charset=iso-8859-1

Content-Length: 0

HTTP/1.1 302 Thanks for this, but we want to redir you!

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Location: /12860001

Content-Length: 0

HTTP/1.1 404 Not Found

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 0

</datacheck>

</reply>

# Client-side

<client>

#

<server>

http

</server>

<features>

crypto

</features>

<name>

HTTP GET --digest increasing nonce-count

</name>

# This test is to ensure the nonce-count (nc) increases

# https://github.com/curl/curl/pull/1251

<command>

-u auser:apasswd --location --digest http://%HOSTIP:%HTTPPORT/1286

</command>

</client>

# Verify data after the test has been "shot"

<verify>

<strip>

^User-Agent:.*

</strip>

# Reorder the fields in 'Authorization: Digest' header.

# Since regular and SSPI digest auth header fields may not have the same order

# or whitespace we homogenize so that both may be tested. Also:

# - Remove the unique value from cnonce if in RFC format

# - Remove the unique value from response if in RFC format

# - Remove quotes from qop="auth" used by SSPI

# The if statement is one line because runtests evaluates one line at a time.

<strippart>

if(s/^(Authorization: Digest )([^\r\n]+)(\r?\n)$//) { $_ = $1 . join(', ', map { s/^(cnonce=)"[a-zA-Z0-9+\/=]+"$/$1REMOVED/; s/^(response=)"[a-f0-9]{32}"$/$1REMOVED/; s/^qop="auth"$/qop=auth/; $_ } sort split(/, */, $2)) . $3; }

</strippart>

<protocol>

GET /1286 HTTP/1.1

Host: %HOSTIP:%HTTPPORT

Accept: */*

GET /1286 HTTP/1.1

Host: %HOSTIP:%HTTPPORT

Authorization: Digest cnonce=REMOVED, nc=00000001, nonce="1053604144", qop=auth, realm="testrealm", response=REMOVED, uri="/1286", username="auser"

Accept: */*

GET /12860001 HTTP/1.1

Host: %HOSTIP:%HTTPPORT

Authorization: Digest cnonce=REMOVED, nc=00000002, nonce="1053604144", qop=auth, realm="testrealm", response=REMOVED, uri="/12860001", username="auser"

Accept: */*

</protocol>

</verify>

</testcase>