From 4f6e0c1d27071cbc6e2acbe08f5e0baf30ffb123 Mon Sep 17 00:00:00 2001 From: Shubham Kulkarni Date: Mon, 15 Mar 2021 10:22:15 +0530 Subject: [PATCH] esp_http_client: Add config option for HTTP Digest auth --- components/esp_http_client/Kconfig | 7 +++++++ components/esp_http_client/esp_http_client.c | 14 ++++++++++++-- .../esp_http_client/main/esp_http_client_example.c | 4 ++++ examples/protocols/esp_http_client/sdkconfig.ci | 1 + 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/components/esp_http_client/Kconfig b/components/esp_http_client/Kconfig index 9833098cb1..abcee0f327 100644 --- a/components/esp_http_client/Kconfig +++ b/components/esp_http_client/Kconfig @@ -14,4 +14,11 @@ menu "ESP HTTP client" This option will enable HTTP Basic Authentication. It is disabled by default as Basic auth uses unencrypted encoding, so it introduces a vulnerability when not using TLS + config ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH + bool "Enable HTTP Digest Authentication" + default y + help + This option will enable HTTP Digest Authentication. It is enabled by default, but use of this + configuration is not recommended as the password can be derived from the exchange, so it introduces + a vulnerability when not using TLS endmenu diff --git a/components/esp_http_client/esp_http_client.c b/components/esp_http_client/esp_http_client.c index ab96094345..681956422c 100644 --- a/components/esp_http_client/esp_http_client.c +++ b/components/esp_http_client/esp_http_client.c 
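Review bot: The new help text states that "the password can be derived from the exchange", which overstates what Digest exposes: the exchange carries a hash-based response rather than the password itself, and the actual risks over plain HTTP are offline guessing of weak passwords from a captured exchange and an active intermediary altering the request or response, which Digest does not protect. The text also does not say why an option described as "not recommended" gets `default y` while ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH directly above it defaults to `n`; presumably this keeps existing projects building unchanged, and stating that would make the choice look deliberate. A tighter wording would be `This option will enable HTTP Digest Authentication. It is enabled by default to keep existing projects working, but without TLS the exchange exposes a password hash to offline guessing and does not protect the request from tampering, so use it only over HTTPS.`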
@@ -510,11 +510,13 @@ static esp_err_t esp_http_client_prepare(esp_http_client_handle_t client) if (client->connection_info.auth_type == HTTP_AUTH_TYPE_BASIC) { auth_response = http_auth_basic(client->connection_info.username, client->connection_info.password); +#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH } else if (client->connection_info.auth_type == HTTP_AUTH_TYPE_DIGEST && client->auth_data) { client->auth_data->uri = client->connection_info.path; client->auth_data->cnonce = ((uint64_t)esp_random() << 32) + esp_random(); auth_response = http_auth_digest(client->connection_info.username, client->connection_info.password, client->auth_data); client->auth_data->nc ++; +#endif } if (auth_response) { @@ -1410,19 +1412,27 @@ void esp_http_client_add_auth(esp_http_client_handle_t client) http_utils_trim_whitespace(&auth_header); ESP_LOGD(TAG, "UNAUTHORIZED: %s", auth_header); client->redirect_counter++; +#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH if (http_utils_str_starts_with(auth_header, "Digest") == 0) { ESP_LOGD(TAG, "type = Digest"); client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST; + } else { +#endif #ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH - } else if (http_utils_str_starts_with(auth_header, "Basic") == 0) { + if (http_utils_str_starts_with(auth_header, "Basic") == 0) { ESP_LOGD(TAG, "type = Basic"); client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC; -#endif } else { +#endif client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE; ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header); return; +#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH } +#endif +#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH + } +#endif _clear_auth_data(client); diff --git a/examples/protocols/esp_http_client/main/esp_http_client_example.c b/examples/protocols/esp_http_client/main/esp_http_client_example.c index e017d17780..7dd2b93df6 100644 --- a/examples/protocols/esp_http_client/main/esp_http_client_example.c 
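Review bot: With CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH disabled, a client whose connection_info.auth_type is HTTP_AUTH_TYPE_DIGEST now matches neither branch of the `if`/`else if` in esp_http_client_prepare, so auth_response presumably stays at its initial value, the request goes out with no Authorization header, and nothing is logged. The enum value remains reachable from application code because this patch touches no header (the diffstat lists four files, none of them a `.h`), so the silent path is a real configuration the caller can hit. An `#else` arm that reports it would make the failure visible: replace the added `#endif` with `#else` / `    } else if (client->connection_info.auth_type == HTTP_AUTH_TYPE_DIGEST) {` / `        ESP_LOGE(TAG, "Digest auth requested but CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH is disabled");` followed by the existing `#endif`, so the `}` on the next line closes that arm. The body of esp_http_client_prepare begins before this hunk and continues after it.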
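Review bot: The interleaved `#ifdef`/brace layout in esp_http_client_add_auth makes the four option combinations hard to check by eye: the `}` closing the Digest branch is emitted under one guard, the `} else {` that opens the Basic test under the same guard, the `} else {` before the reject under the Basic guard, and the two closing braces under two separate trailing guards, so a reader has to run the preprocessor in their head to confirm the braces balance. They do balance in all four combinations, but a flat sequence of independently guarded checks, each leaving auth_type at HTTP_AUTH_TYPE_NONE when it does not match, followed by one unguarded reject, gives the same behaviour with no brace that depends on a different guard than the one that opened it. The function begins before the hunk and continues past `_clear_auth_data(client);`; the lines below replace the stretch from `client->redirect_counter++;` through the `return;` block.
```c
    client->redirect_counter++;
    client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
    if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
        ESP_LOGD(TAG, "type = Digest");
        client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
    }
#endif
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
    if (client->connection_info.auth_type == HTTP_AUTH_TYPE_NONE
            && http_utils_str_starts_with(auth_header, "Basic") == 0) {
        ESP_LOGD(TAG, "type = Basic");
        client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
    }
#endif
    if (client->connection_info.auth_type == HTTP_AUTH_TYPE_NONE) {
        ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
        return;
    }
    /* … unchanged: _clear_auth_data(client) and the rest of esp_http_client_add_auth … */
```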
+++ b/examples/protocols/esp_http_client/main/esp_http_client_example.c @@ -341,6 +341,7 @@ static void http_auth_basic_redirect(void) } #endif +#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH static void http_auth_digest(void) { esp_http_client_config_t config = { @@ -359,6 +360,7 @@ static void http_auth_digest(void) } esp_http_client_cleanup(client); } +#endif static void https_with_url(void) { @@ -681,7 +683,9 @@ static void http_test_task(void *pvParameters) http_auth_basic(); http_auth_basic_redirect(); #endif +#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH http_auth_digest(); +#endif http_relative_redirect(); http_absolute_redirect(); https_with_url(); diff --git a/examples/protocols/esp_http_client/sdkconfig.ci b/examples/protocols/esp_http_client/sdkconfig.ci index 6132bbfb89..18d318212a 100644 --- a/examples/protocols/esp_http_client/sdkconfig.ci +++ b/examples/protocols/esp_http_client/sdkconfig.ci @@ -8,3 +8,4 @@ CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5 CONFIG_EXAMPLE_ETH_PHY_ADDR=1 CONFIG_EXAMPLE_CONNECT_IPV6=y CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH=y +CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH=y
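Review bot: The example guards its new code with `#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH` while esp_http_client.c in the same patch uses `#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH`; both work with a Kconfig-generated define, but `#if` silently evaluates a misspelled or absent macro as 0 whereas `#ifdef` at least reads as an existence test, so one form should be used for the same option across the patch. The same applies to the second and third hunks of this file. If the surrounding example already tests the Basic option with `#if`, keeping the example consistent with itself is reasonable, but then the component side should say why it differs; otherwise `#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH` at all three sites would match the existing `#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH` guard in the client.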
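Review bot: sdkconfig.ci now enables both CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH and the new CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH, so CI compiles only the configuration in which every arm of the rewritten `#ifdef` ladder in esp_http_client_add_auth is present. The combinations this patch newly makes possible, Digest disabled with Basic enabled and both disabled, are exactly the ones where a misplaced brace or `#endif` would break the build, and none of them is built. A second CI configuration (for example a constructed `sdkconfig.ci.no_digest` containing `CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH=n`) would cover the disabled path, and it would also exercise the example's `#if` guards with the macro undefined.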