From aae235b6ba92662a6fb7b459614f7ee2e290ae17 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Sun, 28 Nov 2021 02:22:40 -0500
Subject: digest: compute user:realm:pass digest w/o userhash

https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4
... the client MUST calculate a hash of the username after any other hash calculation ...
Signed-off-by: Glenn Strauss
Closes #8066
---
 lib/vauth/digest.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'lib/vauth/digest.c')
diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c
index a04ffab6f..52179c265 100644
--- a/lib/vauth/digest.c
+++ b/lib/vauth/digest.c
@@ -722,8 +722,7 @@ static CURLcode auth_create_digest_http_message(
 unq(nonce-value) ":" unq(cnonce-value)
 */
 
- hashthis = aprintf("%s:%s:%s", digest->userhash ? userh : userp,
- digest->realm, passwdp);
+ hashthis = aprintf("%s:%s:%s", userp, digest->realm, passwdp);
 if(!hashthis)
 return CURLE_OUT_OF_MEMORY;
 
-- 
cgit v1.2.1
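Review bot: The rewritten `aprintf` call no longer consults `digest->userhash`, but nothing at that line records why, so the old `userh`-based form could later be reintroduced as an apparent fix. A short comment directly above the call would pin the intent, for example `/* A1 always uses the cleartext username; the hashed form is only sent in the username field (RFC 7616 section 3.4.4) */`. Separately, `hashthis` holds `user:realm:password` in cleartext on the heap, and its release is outside this hunk, so it is worth confirming that the buffer is wiped before it is freed. The body of `auth_create_digest_http_message` starts and ends outside the hunk.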