/*

     This file is part of libmicrohttpd

     Copyright (C) 2010, 2011, 2012, 2015 Daniel Pittman and Christian Grothoff

     This library is free software; you can redistribute it and/or

     modify it under the terms of the GNU Lesser General Public

     License as published by the Free Software Foundation; either

     version 2.1 of the License, or (at your option) any later version.

     This library is distributed in the hope that it will be useful,

     but WITHOUT ANY WARRANTY; without even the implied warranty of

     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

     Lesser General Public License for more details.

     You should have received a copy of the GNU Lesser General Public

     License along with this library; if not, write to the Free Software

     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

*/

/**

 * @file digestauth.c

 * @brief Implements HTTP digest authentication

 * @author Amr Ali

 * @author Matthieu Speder

 */

#include "platform.h"

#include "mhd_limits.h"

#include "internal.h"

#include "md5.h"

#include "mhd_mono_clock.h"

#include "mhd_str.h"

#include "mhd_compat.h"

#if defined(MHD_W32_MUTEX_)

#ifndef WIN32_LEAN_AND_MEAN

#define WIN32_LEAN_AND_MEAN 1

#endif /* !WIN32_LEAN_AND_MEAN */

#include <windows.h>

#endif /* MHD_W32_MUTEX_ */

#define HASH_MD5_HEX_LEN (2 * MD5_DIGEST_SIZE)

/* 32 bit value is 4 bytes */

#define TIMESTAMP_BIN_SIZE 4

#define TIMESTAMP_HEX_LEN (2 * TIMESTAMP_BIN_SIZE)

/* Standard server nonce length, not including terminating null */

#define NONCE_STD_LEN (HASH_MD5_HEX_LEN + TIMESTAMP_HEX_LEN)

/**

 * Beginning string for any valid Digest authentication header.

 */

#define _BASE		"Digest "

/**

 * Maximum length of a username for digest authentication.

 */

#define MAX_USERNAME_LENGTH 128

/**

 * Maximum length of a realm for digest authentication.

 */

#define MAX_REALM_LENGTH 256

/**

 * Maximum length of the response in digest authentication.

 */

#define MAX_AUTH_RESPONSE_LENGTH 128

/**

 * convert bin to hex

 *

 * @param bin binary data

 * @param len number of bytes in bin

 * @param hex pointer to len*2+1 bytes

 */

static void

cvthex (const unsigned char *bin,

	size_t len,

	char *hex)

{

  size_t i;

  unsigned int j;

  for (i = 0; i < len; ++i)

    {

      j = (bin[i] >> 4) & 0x0f;

      hex[i * 2] = (char)((j <= 9) ? (j + '0') : (j - 10 + 'a'));

      j = bin[i] & 0x0f;

      hex[i * 2 + 1] = (char)((j <= 9) ? (j + '0') : (j - 10 + 'a'));

    }

  hex[len * 2] = '\0';

}

/**

 * calculate H(A1) as per RFC2617 spec and store the

 * result in 'sessionkey'.

 *

 * @param alg The hash algorithm used, can be "md5" or "md5-sess"

 * @param username A `char *' pointer to the username value

 * @param realm A `char *' pointer to the realm value

 * @param password A `char *' pointer to the password value

 * @param nonce A `char *' pointer to the nonce value

 * @param cnonce A `char *' pointer to the cnonce value

 * @param sessionkey pointer to buffer of HASH_MD5_HEX_LEN+1 bytes

 */

static void

digest_calc_ha1 (const char *alg,

		 const char *username,

		 const char *realm,

		 const char *password,

		 const char *nonce,

		 const char *cnonce,

		 char sessionkey[HASH_MD5_HEX_LEN + 1])

{

  struct MD5Context md5;

  unsigned char ha1[MD5_DIGEST_SIZE];

  MD5Init (&md5;;

  MD5Update (&md5,

             (const unsigned char *) username,

             strlen (username));

  MD5Update (&md5,

             (const unsigned char *) ":",

             1);

  MD5Update (&md5,

             (const unsigned char *) realm,

             strlen (realm));

  MD5Update (&md5,

             (const unsigned char *) ":",

             1);

  MD5Update (&md5,

             (const unsigned char *) password,

             strlen (password));

  MD5Final (ha1,

            &md5;;

  if (MHD_str_equal_caseless_(alg,

                              "md5-sess"))

    {

      MD5Init (&md5;;

      MD5Update (&md5,

                 (const unsigned char *) ha1,

                 sizeof (ha1));

      MD5Update (&md5,

                 (const unsigned char *) ":",

                 1);

      MD5Update (&md5,

                 (const unsigned char *) nonce,

                 strlen (nonce));

      MD5Update (&md5,

                 (const unsigned char *) ":",

                 1);

      MD5Update (&md5,

                 (const unsigned char *) cnonce,

                 strlen (cnonce));

      MD5Final (ha1,

                &md5;;

    }

  cvthex (ha1,

          sizeof (ha1),

          sessionkey);

}

/**

 * Calculate request-digest/response-digest as per RFC2617 spec

 *

 * @param ha1 H(A1)

 * @param nonce nonce from server

 * @param noncecount 8 hex digits

 * @param cnonce client nonce

 * @param qop qop-value: "", "auth" or "auth-int"

 * @param method method from request

 * @param uri requested URL

 * @param hentity H(entity body) if qop="auth-int"

 * @param response request-digest or response-digest

 */

static void

digest_calc_response (const char ha1[HASH_MD5_HEX_LEN + 1],

		      const char *nonce,

		      const char *noncecount,

		      const char *cnonce,

		      const char *qop,

		      const char *method,

		      const char *uri,

		      const char *hentity,

		      char response[HASH_MD5_HEX_LEN + 1])

{

  struct MD5Context md5;

  unsigned char ha2[MD5_DIGEST_SIZE];

  unsigned char resphash[MD5_DIGEST_SIZE];

  char ha2hex[HASH_MD5_HEX_LEN + 1];

  (void)hentity; /* Unused. Silent compiler warning. */

  MD5Init (&md5;;

  MD5Update (&md5,

             (const unsigned char *) method,

             strlen (method));

  MD5Update (&md5,

             (const unsigned char *) ":",

             1);

  MD5Update (&md5,

             (const unsigned char *) uri,

             strlen (uri));

#if 0

  if (0 == strcasecmp(qop,

                      "auth-int"))

    {

      /* This is dead code since the rest of this module does

	 not support auth-int. */

      MD5Update (&md5,

                 ":",

                 1);

      if (NULL != hentity)

	MD5Update (&md5,

                   hentity,

                   strlen (hentity));

    }

#endif

  MD5Final (ha2,

            &md5;;

  cvthex (ha2,

          MD5_DIGEST_SIZE,

          ha2hex);

  MD5Init (&md5;;

  /* calculate response */

  MD5Update (&md5,

             (const unsigned char *) ha1,

             HASH_MD5_HEX_LEN);

  MD5Update (&md5,

             (const unsigned char *) ":",

             1);

  MD5Update (&md5,

             (const unsigned char *) nonce,

             strlen (nonce));

  MD5Update (&md5,

             (const unsigned char*) ":",

             1);

  if ('\0' != *qop)

    {

      MD5Update (&md5,

                 (const unsigned char *) noncecount,

                 strlen (noncecount));

      MD5Update (&md5,

                 (const unsigned char *) ":",

                 1);

      MD5Update (&md5,

                 (const unsigned char *) cnonce,

                 strlen (cnonce));

      MD5Update (&md5,

                 (const unsigned char *) ":",

                 1);

      MD5Update (&md5,

                 (const unsigned char *) qop,

                 strlen (qop));

      MD5Update (&md5,

                 (const unsigned char *) ":",

                 1);

    }

  MD5Update (&md5,

             (const unsigned char *) ha2hex,

             HASH_MD5_HEX_LEN);

  MD5Final (resphash,

            &md5;;

  cvthex (resphash,

          sizeof(resphash),

          response);

}

/**

 * Lookup subvalue off of the HTTP Authorization header.

 *

 * A description of the input format for 'data' is at

 * http://en.wikipedia.org/wiki/Digest_access_authentication

 *

 *

 * @param dest where to store the result (possibly truncated if

 *             the buffer is not big enough).

 * @param size size of dest

 * @param data pointer to the Authorization header

 * @param key key to look up in data

 * @return size of the located value, 0 if otherwise

 */

static size_t

lookup_sub_value (char *dest,

		  size_t size,

		  const char *data,

		  const char *key)

{

  size_t keylen;

  size_t len;

  const char *ptr;

  const char *eq;

  const char *q1;

  const char *q2;

  const char *qn;

  if (0 == size)

    return 0;

  keylen = strlen (key);

  ptr = data;

  while ('\0' != *ptr)

    {

      if (NULL == (eq = strchr (ptr,

                                '=')))

	return 0;

      q1 = eq + 1;

      while (' ' == *q1)

	q1++;

      if ('\"' != *q1)

	{

	  q2 = strchr (q1,

                       ',');

	  qn = q2;

	}

      else

	{

	  q1++;

	  q2 = strchr (q1,

                       '\"');

	  if (NULL == q2)

	    return 0; /* end quote not found */

	  qn = q2 + 1;

	}

      if ( (MHD_str_equal_caseless_n_(ptr,

                                      key,

                                      keylen)) &&

	   (eq == &ptr[keylen]) )

	{

	  if (NULL == q2)

	    {

	      len = strlen (q1) + 1;

	      if (size > len)

		size = len;

	      size--;

	      strncpy (dest,

		       q1,

		       size);

	      dest[size] = '\0';

	      return size;

	    }

	  else

	    {

	      if (size > (size_t) ((q2 - q1) + 1))

		size = (q2 - q1) + 1;

	      size--;

	      memcpy (dest,

		      q1,

		      size);

	      dest[size] = '\0';

	      return size;

	    }

	}

      if (NULL == qn)

	return 0;

      ptr = strchr (qn,

                    ',');

      if (NULL == ptr)

	return 0;

      ptr++;

      while (' ' == *ptr)

	ptr++;

    }

  return 0;

}

/**

 * Check nonce-nc map array with either new nonce counter

 * or a whole new nonce.

 *

 * @param connection The MHD connection structure

 * @param nonce A pointer that referenced a zero-terminated array of nonce

 * @param nc The nonce counter, zero to add the nonce to the array

 * @return #MHD_YES if successful, #MHD_NO if invalid (or we have no NC array)

 */

static int

check_nonce_nc (struct MHD_Connection *connection,

		const char *nonce,

		uint64_t nc)

{

  struct MHD_Daemon *daemon = connection->daemon;

  struct MHD_NonceNc *nn;

  uint32_t off;

  uint32_t mod;

  const char *np;

  if (MAX_NONCE_LENGTH <= strlen (nonce))

    return MHD_NO; /* This should be impossible, but static analysis

                      tools have a hard time with it *and* this also

                      protects against unsafe modifications that may

                      happen in the future... */

  mod = daemon->nonce_nc_size;

  if (0 == mod)

    return MHD_NO; /* no array! */

  /* super-fast xor-based "hash" function for HT lookup in nonce array */

  off = 0;

  np = nonce;

  while ('\0' != *np)

    {

      off = (off << 8) | (*np ^ (off >> 24));

      np++;

    }

  off = off % mod;

  /*

   * Look for the nonce, if it does exist and its corresponding

   * nonce counter is less than the current nonce counter by 1,

   * then only increase the nonce counter by one.

   */

  nn = &daemon->nnc[off];

  MHD_mutex_lock_chk_ (&daemon->nnc_lock);

  if (0 == nc)

    {

      /* Fresh nonce, reinitialize array */

      strcpy (nn->nonce,

	      nonce);

      nn->nc = 0;

      nn->nmask = 0;

      MHD_mutex_unlock_chk_ (&daemon->nnc_lock);

      return MHD_YES;

    }

  /* Note that we use 64 here, as we do not store the

     bit for 'nn->nc' itself in 'nn->nmask' */

  if ( (nc < nn->nc) &&

       (nc + 64 > nc /* checking for overflow */) &&

       (nc + 64 >= nn->nc) &&

       (0 == ((1LLU << (nn->nc - nc - 1)) & nn->nmask)) )

    {

      /* Out-of-order nonce, but within 64-bit bitmask, set bit */

      nn->nmask |= (1LLU << (nn->nc - nc - 1));

      MHD_mutex_unlock_chk_ (&daemon->nnc_lock);

      return MHD_YES;

    }

  if ( (nc <= nn->nc) ||

       (0 != strcmp (nn->nonce,

                     nonce)) )

    {

      /* Nonce does not match, fail */

      MHD_mutex_unlock_chk_ (&daemon->nnc_lock);

#ifdef HAVE_MESSAGES

      MHD_DLOG (daemon,

		_("Stale nonce received.  If this happens a lot, you should probably increase the size of the nonce array.\n"));

#endif

      return MHD_NO;

    }

  /* Nonce is larger, shift bitmask and bump limit */

  if (64 > nc - nn->nc)

    nn->nmask <<= (nc - nn->nc); /* small jump, less than mask width */

  else

    nn->nmask = 0; /* big jump, unset all bits in the mask */

  nn->nc = nc;

  MHD_mutex_unlock_chk_ (&daemon->nnc_lock);

  return MHD_YES;

}

/**

 * Get the username from the authorization header sent by the client

 *

 * @param connection The MHD connection structure

 * @return NULL if no username could be found, a pointer

 * 			to the username if found

 * @warning Returned value must be freed by #MHD_free().

 * @ingroup authentication

 */

char *

MHD_digest_auth_get_username(struct MHD_Connection *connection)

{

  size_t len;

  char user[MAX_USERNAME_LENGTH];

  const char *header;

  if (NULL == (header =

               MHD_lookup_connection_value (connection,

                                            MHD_HEADER_KIND,

                                            MHD_HTTP_HEADER_AUTHORIZATION)))

    return NULL;

  if (0 != strncmp (header,

                    _BASE,

                    MHD_STATICSTR_LEN_ (_BASE)))

    return NULL;

  header += MHD_STATICSTR_LEN_ (_BASE);

  if (0 == (len = lookup_sub_value (user,

				    sizeof (user),

				    header,

				    "username")))

    return NULL;

  return strdup (user);

}

/**

 * Calculate the server nonce so that it mitigates replay attacks

 * The current format of the nonce is ...

 * H(timestamp ":" method ":" random ":" uri ":" realm) + Hex(timestamp)

 *

 * @param nonce_time The amount of time in seconds for a nonce to be invalid

 * @param method HTTP method

 * @param rnd A pointer to a character array for the random seed

 * @param rnd_size The size of the random seed array @a rnd

 * @param uri HTTP URI (in MHD, without the arguments ("?k=v")

 * @param realm A string of characters that describes the realm of auth.

 * @param nonce A pointer to a character array for the nonce to put in

 */

static void

calculate_nonce (uint32_t nonce_time,

		 const char *method,

		 const char *rnd,

		 size_t rnd_size,

		 const char *uri,

		 const char *realm,

		 char nonce[NONCE_STD_LEN + 1])

{

  struct MD5Context md5;

  unsigned char timestamp[TIMESTAMP_BIN_SIZE];

  unsigned char tmpnonce[MD5_DIGEST_SIZE];

  char timestamphex[TIMESTAMP_HEX_LEN + 1];

  MD5Init (&md5;;

  timestamp[0] = (unsigned char)((nonce_time & 0xff000000) >> 0x18);

  timestamp[1] = (unsigned char)((nonce_time & 0x00ff0000) >> 0x10);

  timestamp[2] = (unsigned char)((nonce_time & 0x0000ff00) >> 0x08);

  timestamp[3] = (unsigned char)((nonce_time & 0x000000ff));

  MD5Update (&md5,

             timestamp,

             sizeof (timestamp));

  MD5Update (&md5,

             (const unsigned char *) ":",

             1);

  MD5Update (&md5,

             (const unsigned char *) method,

             strlen (method));

  MD5Update (&md5,

             (const unsigned char *) ":",

             1);

  if (rnd_size > 0)

    MD5Update (&md5,

               (const unsigned char *) rnd,

               rnd_size);

  MD5Update (&md5,

             (const unsigned char *) ":",

             1);

  MD5Update (&md5,

             (const unsigned char *) uri,

             strlen (uri));

  MD5Update (&md5,

             (const unsigned char *) ":",

             1);

  MD5Update (&md5,

             (const unsigned char *) realm,

             strlen (realm));

  MD5Final (tmpnonce,

            &md5;;

  cvthex (tmpnonce,

          sizeof (tmpnonce),

          nonce);

  cvthex (timestamp,

          sizeof (timestamp),

          timestamphex);

  strncat (nonce,

           timestamphex,

           8);

}

/**

 * Test if the given key-value pair is in the headers for the

 * given connection.

 *

 * @param connection the connection

 * @param key the key

 * @param value the value, can be NULL

 * @param kind type of the header

 * @return #MHD_YES if the key-value pair is in the headers,

 *         #MHD_NO if not

 */

static int

test_header (struct MHD_Connection *connection,

	     const char *key,

	     const char *value,

	     enum MHD_ValueKind kind)

{

  struct MHD_HTTP_Header *pos;

  for (pos = connection->headers_received; NULL != pos; pos = pos->next)

    {

      if (kind != pos->kind)

	continue;

      if (0 != strcmp (key,

                       pos->header))

	continue;

      if ( (NULL == value) &&

	   (NULL == pos->value) )

	return MHD_YES;

      if ( (NULL == value) ||

	   (NULL == pos->value) ||

	   (0 != strcmp (value,

                         pos->value)) )

	continue;

      return MHD_YES;

    }

  return MHD_NO;

}

/**

 * Check that the arguments given by the client as part

 * of the authentication header match the arguments we

 * got as part of the HTTP request URI.

 *

 * @param connection connections with headers to compare against

 * @param args argument URI string (after "?" in URI)

 * @return #MHD_YES if the arguments match,

 *         #MHD_NO if not

 */

static int

check_argument_match (struct MHD_Connection *connection,

		      const char *args)

{

  struct MHD_HTTP_Header *pos;

  char *argb;

  unsigned int num_headers;

  int ret;

  argb = strdup (args);

  if (NULL == argb)

    {

#ifdef HAVE_MESSAGES

      MHD_DLOG (connection->daemon,

		_("Failed to allocate memory for copy of URI arguments\n"));

#endif /* HAVE_MESSAGES */

      return MHD_NO;

    }

  ret = MHD_parse_arguments_ (connection,

			      MHD_GET_ARGUMENT_KIND,

			      argb,

			      &test_header,

			      &num_headers);

  free (argb);

  if (MHD_YES != ret)

    return MHD_NO;

  /* also check that the number of headers matches */

  for (pos = connection->headers_received; NULL != pos; pos = pos->next)

    {

      if (MHD_GET_ARGUMENT_KIND != pos->kind)

	continue;

      num_headers--;

    }

  if (0 != num_headers)

    {

      /* argument count mismatch */

      return MHD_NO;

    }

  return MHD_YES;

}

/**

 * Authenticates the authorization header sent by the client

 *

 * @param connection The MHD connection structure

 * @param realm The realm presented to the client

 * @param username The username needs to be authenticated

 * @param password The password used in the authentication

 * @param nonce_timeout The amount of time for a nonce to be

 * 			invalid in seconds

 * @return #MHD_YES if authenticated, #MHD_NO if not,

 * 			#MHD_INVALID_NONCE if nonce is invalid

 * @ingroup authentication

 */

int

MHD_digest_auth_check (struct MHD_Connection *connection,

		       const char *realm,

		       const char *username,

		       const char *password,

		       unsigned int nonce_timeout)

{

  struct MHD_Daemon *daemon = connection->daemon;

  size_t len;

  const char *header;

  char nonce[MAX_NONCE_LENGTH];

  char cnonce[MAX_NONCE_LENGTH];

  char qop[15]; /* auth,auth-int */

  char nc[20];

  char response[MAX_AUTH_RESPONSE_LENGTH];

  const char *hentity = NULL; /* "auth-int" is not supported */

  char ha1[HASH_MD5_HEX_LEN + 1];

  char respexp[HASH_MD5_HEX_LEN + 1];

  char noncehashexp[NONCE_STD_LEN + 1];

  uint32_t nonce_time;

  uint32_t t;

  size_t left; /* number of characters left in 'header' for 'uri' */

  uint64_t nci;

  header = MHD_lookup_connection_value (connection,

					MHD_HEADER_KIND,

					MHD_HTTP_HEADER_AUTHORIZATION);

  if (NULL == header)

    return MHD_NO;

  if (0 != strncmp (header,

                    _BASE,

                    MHD_STATICSTR_LEN_(_BASE)))

    return MHD_NO;

  header += MHD_STATICSTR_LEN_ (_BASE);

  left = strlen (header);

  {

    char un[MAX_USERNAME_LENGTH];

    len = lookup_sub_value (un,

			    sizeof (un),

			    header,

                            "username");

    if ( (0 == len) ||

	 (0 != strcmp (username,

                       un)) )

      return MHD_NO;

    left -= strlen ("username") + len;

  }

  {

    char r[MAX_REALM_LENGTH];

    len = lookup_sub_value (r,

                            sizeof (r),

                            header,

                            "realm");

    if ( (0 == len) ||

	 (0 != strcmp (realm,

                       r)) )

      return MHD_NO;

    left -= strlen ("realm") + len;

  }

  if (0 == (len = lookup_sub_value (nonce,

				    sizeof (nonce),

				    header,

                                    "nonce")))

    return MHD_NO;

  left -= strlen ("nonce") + len;

  if (left > 32 * 1024)

  {

    /* we do not permit URIs longer than 32k, as we want to

       make sure to not blow our stack (or per-connection

       heap memory limit).  Besides, 32k is already insanely

       large, but of course in theory the

       #MHD_OPTION_CONNECTION_MEMORY_LIMIT might be very large

       and would thus permit sending a >32k authorization

       header value. */

    return MHD_NO;

  }

  if (TIMESTAMP_HEX_LEN !=

      MHD_strx_to_uint32_n_ (nonce + len - TIMESTAMP_HEX_LEN,

                             TIMESTAMP_HEX_LEN,

                             &nonce_time))

    {

#ifdef HAVE_MESSAGES

      MHD_DLOG (daemon,

                _("Authentication failed, invalid timestamp format.\n"));

#endif

      return MHD_NO;

    }

  t = (uint32_t) MHD_monotonic_sec_counter();

  /*

   * First level vetting for the nonce validity: if the timestamp

   * attached to the nonce exceeds `nonce_timeout', then the nonce is

   * invalid.

   */

  if ( (t > nonce_time + nonce_timeout) ||

       (nonce_time + nonce_timeout < nonce_time) )

    {

      /* too old */

      return MHD_INVALID_NONCE;

    }

  calculate_nonce (nonce_time,

                   connection->method,

                   daemon->digest_auth_random,

                   daemon->digest_auth_rand_size,

                   connection->url,

                   realm,

                   noncehashexp);

  /*

   * Second level vetting for the nonce validity

   * if the timestamp attached to the nonce is valid

   * and possibly fabricated (in case of an attack)

   * the attacker must also know the random seed to be

   * able to generate a "sane" nonce, which if he does

   * not, the nonce fabrication process going to be

   * very hard to achieve.

   */

  if (0 != strcmp (nonce, noncehashexp))

    {

      return MHD_INVALID_NONCE;

    }

  if ( (0 == lookup_sub_value (cnonce,

                               sizeof (cnonce),

                               header,

                               "cnonce")) ||

       (0 == lookup_sub_value (qop,

                               sizeof (qop),

                               header,

                               "qop")) ||

       ( (0 != strcmp (qop,

                       "auth")) &&

         (0 != strcmp (qop,

                       "")) ) ||

       (0 == (len = lookup_sub_value (nc,

                                      sizeof (nc),

                                      header,

                                      "nc")) )  ||

       (0 == lookup_sub_value (response,

                               sizeof (response),

                               header,

                               "response")) )

    {

#ifdef HAVE_MESSAGES

      MHD_DLOG (daemon,

		_("Authentication failed, invalid format.\n"));

#endif

      return MHD_NO;

    }

  if (len != MHD_strx_to_uint64_n_ (nc,

                                    len,

                                    &nci))

    {

#ifdef HAVE_MESSAGES

      MHD_DLOG (daemon,

		_("Authentication failed, invalid nc format.\n"));

#endif

      return MHD_NO; /* invalid nonce format */

    }

  /*

   * Checking if that combination of nonce and nc is sound

   * and not a replay attack attempt. Also adds the nonce

   * to the nonce-nc map if it does not exist there.

   */

  if (MHD_YES !=

      check_nonce_nc (connection,

                      nonce,

                      nci))

    {

      return MHD_NO;

    }

  {

    char *uri;

    uri = malloc (left + 1);

    if (NULL == uri)

    {

#ifdef HAVE_MESSAGES

      MHD_DLOG(daemon,

               _("Failed to allocate memory for auth header processing\n"));

#endif /* HAVE_MESSAGES */

      return MHD_NO;

    }

    if (0 == lookup_sub_value (uri,

                               left + 1,

                               header,

                               "uri"))

    {

      free (uri);

      return MHD_NO;

    }

    digest_calc_ha1 ("md5",

                     username,

                     realm,

                     password,

                     nonce,

                     cnonce,

                     ha1);

    digest_calc_response (ha1,

			  nonce,

			  nc,