/usr/share/php/Sabre/HTTP/DigestAuth.php is in php-sabre-dav 1.8.12-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 | <?php
namespace Sabre\HTTP;
/**
* HTTP Digest Authentication handler
*
* Use this class for easy http digest authentication.
* Instructions:
*
* 1. Create the object
* 2. Call the setRealm() method with the realm you plan to use
* 3. Call the init method function.
* 4. Call the getUserName() function. This function may return false if no
* authentication information was supplied. Based on the username you
* should check your internal database for either the associated password,
* or the so-called A1 hash of the digest.
* 5. Call either validatePassword() or validateA1(). This will return true
* or false.
* 6. To make sure an authentication prompt is displayed, call the
* requireLogin() method.
*
*
* @copyright Copyright (C) 2007-2015 fruux GmbH (https://fruux.com/).
* @author Evert Pot (http://evertpot.com/)
* @license http://sabre.io/license/ Modified BSD License
*/
class DigestAuth extends AbstractAuth {
/**
* These constants are used in setQOP();
*/
const QOP_AUTH = 1;
const QOP_AUTHINT = 2;
protected $nonce;
protected $opaque;
protected $digestParts;
protected $A1;
protected $qop = self::QOP_AUTH;
/**
* Initializes the object
*/
public function __construct() {
$this->nonce = uniqid();
$this->opaque = md5($this->realm);
parent::__construct();
}
/**
* Gathers all information from the headers
*
* This method needs to be called prior to anything else.
*
* @return void
*/
public function init() {
$digest = $this->getDigest();
$this->digestParts = $this->parseDigest($digest);
}
/**
* Sets the quality of protection value.
*
* Possible values are:
* Sabre\HTTP\DigestAuth::QOP_AUTH
* Sabre\HTTP\DigestAuth::QOP_AUTHINT
*
* Multiple values can be specified using logical OR.
*
* QOP_AUTHINT ensures integrity of the request body, but this is not
* supported by most HTTP clients. QOP_AUTHINT also requires the entire
* request body to be md5'ed, which can put strains on CPU and memory.
*
* @param int $qop
* @return void
*/
public function setQOP($qop) {
$this->qop = $qop;
}
/**
* Validates the user.
*
* The A1 parameter should be md5($username . ':' . $realm . ':' . $password);
*
* @param string $A1
* @return bool
*/
public function validateA1($A1) {
$this->A1 = $A1;
return $this->validate();
}
/**
* Validates authentication through a password. The actual password must be provided here.
* It is strongly recommended not store the password in plain-text and use validateA1 instead.
*
* @param string $password
* @return bool
*/
public function validatePassword($password) {
$this->A1 = md5($this->digestParts['username'] . ':' . $this->realm . ':' . $password);
return $this->validate();
}
/**
* Returns the username for the request
*
* @return string
*/
public function getUsername() {
return $this->digestParts['username'];
}
/**
* Validates the digest challenge
*
* @return bool
*/
protected function validate() {
$A2 = $this->httpRequest->getMethod() . ':' . $this->digestParts['uri'];
if ($this->digestParts['qop']=='auth-int') {
// Making sure we support this qop value
if (!($this->qop & self::QOP_AUTHINT)) return false;
// We need to add an md5 of the entire request body to the A2 part of the hash
$body = $this->httpRequest->getBody(true);
$this->httpRequest->setBody($body,true);
$A2 .= ':' . md5($body);
} else {
// We need to make sure we support this qop value
if (!($this->qop & self::QOP_AUTH)) return false;
}
$A2 = md5($A2);
$validResponse = md5("{$this->A1}:{$this->digestParts['nonce']}:{$this->digestParts['nc']}:{$this->digestParts['cnonce']}:{$this->digestParts['qop']}:{$A2}");
return $this->digestParts['response']==$validResponse;
}
/**
* Returns an HTTP 401 header, forcing login
*
* This should be called when username and password are incorrect, or not supplied at all
*
* @return void
*/
public function requireLogin() {
$qop = '';
switch($this->qop) {
case self::QOP_AUTH : $qop = 'auth'; break;
case self::QOP_AUTHINT : $qop = 'auth-int'; break;
case self::QOP_AUTH | self::QOP_AUTHINT : $qop = 'auth,auth-int'; break;
}
$this->httpResponse->setHeader('WWW-Authenticate','Digest realm="' . $this->realm . '",qop="'.$qop.'",nonce="' . $this->nonce . '",opaque="' . $this->opaque . '"');
$this->httpResponse->sendStatus(401);
}
/**
* This method returns the full digest string.
*
* It should be compatibile with mod_php format and other webservers.
*
* If the header could not be found, null will be returned
*
* @return mixed
*/
public function getDigest() {
// mod_php
$digest = $this->httpRequest->getRawServerValue('PHP_AUTH_DIGEST');
if ($digest) return $digest;
// most other servers
$digest = $this->httpRequest->getHeader('Authorization');
// Apache could prefix environment variables with REDIRECT_ when urls
// are passed through mod_rewrite
if (!$digest) {
$digest = $this->httpRequest->getRawServerValue('REDIRECT_HTTP_AUTHORIZATION');
}
if ($digest && strpos(strtolower($digest),'digest')===0) {
return substr($digest,7);
} else {
return null;
}
}
/**
* Parses the different pieces of the digest string into an array.
*
* This method returns false if an incomplete digest was supplied
*
* @param string $digest
* @return mixed
*/
protected function parseDigest($digest) {
// protect against missing data
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
preg_match_all('@(\w+)=(?:(?:")([^"]+)"|([^\s,$]+))@', $digest, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[2] ? $m[2] : $m[3];
unset($needed_parts[$m[1]]);
}
return $needed_parts ? false : $data;
}
}
|