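/**
 * Enforce HTTP Digest authentication for the current request.
 *
 * Sends a 401 and ends the script when no credentials were supplied, when the
 * user name is not a key of $users, or when the digest response does not match.
 *
 * @param string $realm  Realm advertised in the challenge and mixed into HA1.
 * @param array  $users  Map of user name => clear-text password.
 * @param int    $phpcgi When 1, the Authorization value is read from
 *                       REDIRECT_REMOTE_USER instead of PHP_AUTH_DIGEST.
 * @return bool TRUE when the response is valid; every failure path calls die().
 */
function AuthenticationDigestHTTP($realm, $users, $phpcgi = 0)
{
    if (empty($_SERVER['PHP_AUTH_DIGEST']) && empty($_SERVER['REDIRECT_REMOTE_USER'])) {
        header('HTTP/1.1 401 Unauthorized');
        // Challenge parameters must be comma-separated; without the commas
        // clients cannot parse qop/nonce/opaque reliably.
        // NOTE(review): the nonce is neither stored nor checked when it comes
        // back, so a captured Authorization header stays valid for the same
        // method and URI. Issue nonces the server can verify and expire.
        header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid(rand(), true) . '",opaque="' . md5($realm) . '"');
        die('401 Unauthorized');
    }
    // Read the header from the variable selected by $phpcgi; a missing entry
    // becomes an empty string instead of an undefined-index notice.
    $source = ($phpcgi == 1) ? 'REDIRECT_REMOTE_USER' : 'PHP_AUTH_DIGEST';
    $auth = isset($_SERVER[$source]) ? $_SERVER[$source] : '';
    $data = http_digest_parse($auth);
    // presumably http_digest_parse() returns false on an incomplete header
    // (it is defined outside this block); never index into a non-array result.
    if (!is_array($data) || !array_key_exists($data['username'], $users)) {
        header('HTTP/1.1 401 Unauthorized');
        die('401 Unauthorized');
    }
    // generate the valid response
    $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
    // hash_equals() is a strict, constant-time string comparison. A loose "!="
    // treats numeric-looking hex digests ("0e…") as numbers.
    if (!hash_equals($valid_response, (string) $data['response'])) {
        header('HTTP/1.1 401 Unauthorized');
        die('401 Unauthorized');
    }
    return TRUE;
}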
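/**
 * Require HTTP Digest credentials for the fixed realm "Restricted area".
 *
 * Ends the script with a 401 challenge when no Authorization header is
 * present, and with "Wrong Credentials!" when the header is incomplete, the
 * user is unknown, or the response does not match. Returns nothing on success.
 *
 * @param array $users Map of user name => clear-text password.
 * @return void
 */
function http_authentication($users)
{
    $realm = 'Restricted area';
    if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
        header('HTTP/1.1 401 Unauthorized');
        // NOTE(review): uniqid() is time-derived and the nonce is never
        // verified on the follow-up request, so it gives no replay protection.
        header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
        die('Text to send if user hits Cancel button');
    }
    // analyze the PHP_AUTH_DIGEST variable
    $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
    if (!$data || !isset($users[$data['username']])) {
        die('Wrong Credentials!');
    }
    // generate the valid response
    $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
    // Strict, constant-time comparison; "!=" would compare numeric-looking
    // digests ("0e…") as numbers.
    if (!hash_equals($valid_response, (string) $data['response'])) {
        die('Wrong Credentials!');
    }
}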
Beispiel #3
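 /**
  * Resolve and cache the user name for the current request.
  *
  * Returns the cached Authentication::$user when it is already set, the
  * placeholder value when no digest header was sent, and otherwise the user
  * name from a digest header whose response matches.
  *
  * @return string|null User name, or null after a rejected request if
  *                     Authentication::forbidden() returns control.
  */
 static function user()
 {
     if (isset(Authentication::$user)) {
         return Authentication::$user;
     }
     if (!isset($_SERVER['PHP_AUTH_DIGEST'])) {
         return Authentication::$user = "******";
     }
     $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
     // NOTE(review): forbidden() is defined elsewhere and presumably ends the
     // request. The explicit returns below keep a rejected request from falling
     // through to the success path if it ever returns.
     if (!$data) {
         Authentication::forbidden("Invalid authentication");
         return null;
     }
     if (isset($data['realm']) && $data['realm'] != AUTH_REALM) {
         // allow re-login
         Authentication::forbidden("Invalid authentication");
         return null;
     }
     // generate the valid response; password_for() is used directly as HA1
     $A1 = Authentication::password_for($data['username']);
     $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
     $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
     // Strict, constant-time comparison instead of a type-juggling "!=".
     if (!hash_equals($valid_response, (string) $data['response'])) {
         Authentication::forbidden("Incorrect username or password");
         return null;
     }
     return Authentication::$user = $data['username'];
 }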
Beispiel #4
<?php

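$realm = 'Restricted area';
// user => password (clear text; HA1 is derived from it on every request)
$users = array('admin' => 'mypass', 'guest' => 'guest');
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    // NOTE(review): the nonce comes from uniqid() and is never checked when the
    // client sends it back, so a recorded Authorization header can be replayed.
    header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
    die('Text to send if user hits Cancel button');
}
// analyze the PHP_AUTH_DIGEST variable
$data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
if (!$data || !isset($users[$data['username']])) {
    die('Wrong Credentials!');
}
// generate the valid response
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
$valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
// Strict, constant-time comparison; a loose "!=" compares numeric-looking
// digests ("0e…") as numbers.
if (!hash_equals($valid_response, (string) $data['response'])) {
    die('Wrong Credentials!');
}
// ok, valid username & password; the name is a key of $users at this point
echo 'Your are logged in as: ' . $data['username'];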
// function to parse the http auth header
function http_digest_parse($txt)
{
    // protect against missing data
    $needed_parts = array('nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1);
    $data = array();
    $keys = implode('|', array_keys($needed_parts));
    preg_match_all('@(' . $keys . ')=(?:([\'"])([^\\2]+?)\\2|([^\\s,]+))@', $txt, $matches, PREG_SET_ORDER);
Beispiel #5
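/**
 * Authenticate a WebID holder with HTTP Digest against the stored password.
 *
 * The digest user name is treated as a URL-encoded agent URI. The matching
 * WebID's password row is loaded and the digest response is checked. On success
 * the caller is redirected (when $authreqissuer is set) or shown the login
 * screen; every failure is reported through failed_password_check().
 *
 * @param array       $config        Needs 'db_user', 'db_pwd' and 'db_name'.
 * @param string      $realm         Digest realm.
 * @param string|null $authreqissuer Requesting service, passed to the helpers.
 * @return void
 */
function foaf_password($config, $realm, $authreqissuer)
{
    if (empty($_SERVER['HTTP_AUTHORIZATION'])) {
        header('HTTP/1.1 401 Unauthorized');
        // NOTE(review): the nonce is never verified on the follow-up request.
        header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth,auth-int",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
        die;
    }
    // analyze the Authorization header
    $data = http_digest_parse($_SERVER['HTTP_AUTHORIZATION']);
    if (!$data) {
        failed_password_check('HTTP Digest was incomplete', $authreqissuer);
        // Stop here even if the helper returns: $data is unusable.
        return;
    }
    $uri = urldecode($data['username']);
    $agent = is_valid_url($uri) ? get_agent($uri) : NULL;
    // set up db
    $db = new db_class();
    $db->connect('localhost', $config['db_user'], $config['db_pwd'], $config['db_name']);
    $webid = isset($agent) ? (string) $agent['agent']['webid'] : '';
    $row = false;
    // An empty WebID means no agent was resolved; skip the lookup so the
    // request is rejected instead of matching a row with an empty webid.
    if ($webid !== '') {
        // $webid is derived from the client-supplied user name, so it must not
        // reach the statement unescaped.
        // NOTE(review): assumes db_class wraps the legacy mysql extension, as
        // the mysql_fetch_assoc() call suggests. Prefer a prepared statement if
        // db_class offers one.
        $sql = 'select password from passwords where webid="' . mysql_real_escape_string($webid) . '" and active = 1 and verified_mbox = 1 ';
        $results = $db->select($sql);
        $row = mysql_fetch_assoc($results);
    }
    if ($row) {
        $pin = $row['password'];
        // generate the valid response
        $A1 = md5($data['username'] . ':' . $realm . ':' . $pin);
        $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
        $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
        // The commented-out debug output that printed the stored password and
        // the expected response has been dropped so it cannot be re-enabled.
        // Strict comparison: "==" compares numeric-looking digests as numbers.
        // Where PHP >= 5.6 is available, hash_equals() is also constant-time.
        if ($valid_response === (string) $data['response']) {
            if (isset($authreqissuer)) {
                webid_redirect($authreqissuer, $agent['agent']['webid']);
            } else {
                login_screen($agent['agent']['webid']);
            }
        } else {
            failed_password_check('FOAF Password doesnot match', $authreqissuer);
        }
    } else {
        failed_password_check('FOAF Password doesnot match', $authreqissuer);
    }
}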
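  /**
   * Challenge for and verify HTTP Digest credentials for AUTH_REALM.
   *
   * Ends the request with a 401 when no header was sent, the header cannot be
   * parsed, the user name differs from the expected one, or the response does
   * not match. Returns nothing on success.
   *
   * NOTE(review): $auth_username and $auth_pass are not defined anywhere in
   * this method as shown, so they evaluate to null. With the strict checks
   * below every request is rejected until they are supplied (class constants,
   * configuration, …). Confirm where they are meant to come from.
   */
  private static function authenticate() {
    // figure out if we need to challenge the user
    if(empty($_SERVER['PHP_AUTH_DIGEST']))
    {
      header('HTTP/1.1 401 Unauthorized');
      // NOTE(review): the nonce is never verified on the follow-up request.
      header('WWW-Authenticate: Digest realm="' . AUTH_REALM . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5(AUTH_REALM) . '"');

      // show the error if they hit cancel
      die(RestControllerLib::error(401, true));
    }

    // now, analyze the PHP_AUTH_DIGEST var
    $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
    // Strict comparison fails closed: with "!=" an unset (null) expected name
    // compares equal to an empty user name.
    if(!$data || !isset($auth_username, $auth_pass) || $auth_username !== $data['username'])
    {
      // show the error due to bad auth
      die(RestUtils::sendResponse(401));
    }

    // so far, everything's good, let's now check the response a bit more...
    $A1 = md5($data['username'] . ':' . AUTH_REALM . ':' . $auth_pass);
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

    // last check: strict, constant-time comparison of the two digests
    if(!hash_equals($valid_response, (string) $data['response']))
    {
      die(RestUtils::sendResponse(401));
    }
  }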
Beispiel #7
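// user => password (clear text; HA1 is derived from it on every request)
// NOTE(review): $realm is not assigned in this excerpt; it must be set before
// this point or both the challenge and HA1 are built with an empty realm.
$users = array('admin' => 'mypass', 'guest' => 'guest');


if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    // NOTE(review): the nonce comes from uniqid() and is never checked when the
    // client returns it, so it gives no replay protection.
    header('WWW-Authenticate: Digest realm="'.$realm.
           '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');

    die('Text to send if user hits Cancel button');
}


// analyze the PHP_AUTH_DIGEST variable
$data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
if (!$data || !isset($users[$data['username']])) {
    die('Wrong Credentials!');
}


// generate the valid response
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

// Strict, constant-time comparison; a loose "!=" compares numeric-looking
// digests ("0e…") as numbers.
if (!hash_equals($valid_response, (string) $data['response'])) {
    die('Wrong Credentials!');
}

// ok, valid username & password; the name is a key of $users at this point
echo 'You are logged in as: ' . $data['username'];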
Beispiel #8
    for ($i = 0; $i < count($matches[0]); $i++) {
        // ignore unneeded parameters
        if (isset($needed_parts[$matches[1][$i]])) {
            unset($needed_parts[$matches[1][$i]]);
            if ('"' == substr($matches[2][$i], 0, 1)) {
                $data[$matches[1][$i]] = substr($matches[2][$i], 1, -1);
            } else {
                $data[$matches[1][$i]] = $matches[2][$i];
            }
        }
    }
    return !empty($needed_parts) ? false : $data;
}
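// Test endpoint: the expected user name and password arrive as query
// parameters, so this script only makes sense as a fixture for an HTTP client
// test suite and must not be deployed as a real login check.
$realm = 'HTTP_Request2 tests';
$wantedUser = isset($_GET['user']) ? $_GET['user'] : null;
$wantedPass = isset($_GET['pass']) ? $_GET['pass'] : null;
$validAuth = false;
if (!empty($_SERVER['PHP_AUTH_DIGEST']) && ($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) && $wantedUser == $data['username']) {
    // generate the valid response
    $a1 = md5($data['username'] . ':' . $realm . ':' . $wantedPass);
    $a2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $response = md5($a1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $a2);
    // Strict, constant-time comparison; "==" compares numeric-looking digests
    // ("0e…") as numbers.
    $validAuth = hash_equals($response, (string) $data['response']);
}
if (!$validAuth || empty($_SERVER['PHP_AUTH_DIGEST'])) {
    // The third header() argument sets the 401 status code.
    header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '"', true, 401);
    echo "Login required";
} else {
    // NOTE(review): $user is not assigned in the visible code; confirm whether
    // $wantedUser was intended before relying on this output.
    echo "Username={$user}";
}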
Beispiel #9
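/**
 * Authenticate the caller with HTTP Digest against a SIP account looked up
 * over SOAP and return that account's credentials record.
 *
 * The nonce is "<expiry>:<md5(expiry:nonce_key)>", base64-encoded, so the
 * server can verify nonces it issued without storing them and reject them
 * after five minutes. Every failure path logs to syslog and ends the script.
 *
 * @return array Keys 'account', 'engine', 'customer' and 'reseller'.
 */
function getSipAccountFromHTTPDigest () {

    require("/etc/cdrtool/enrollment/config.ini");

    if (!is_array($enrollment) || !strlen($enrollment['nonce_key'])) {
        $log= 'Error: Missing nonce in enrollment settings';
        syslog(LOG_NOTICE, $log);
        die($log);
    }

    if (!empty($_REQUEST['realm']) && is_string($_REQUEST['realm'])) {
        // required by Blink cocoa
        $realm=$_REQUEST['realm'];
        $a=explode("@",$realm);
        if (count($a) == 2) {
            $realm = $a[1];
        }
        // The realm is request-controlled, is echoed inside a quoted header
        // parameter and later serves as the account domain, so keep only
        // host-name style characters.
        $realm = preg_replace('/[^A-Za-z0-9._-]/', '', $realm);
        if ($realm === '' || $realm === null) {
            $realm = 'SIP_settings';
        }
    } else {
        $realm = 'SIP_settings';
    }

    // security implemented based on
    // http://static.springsource.org/spring-security/site/docs/2.0.x/reference/digest.html

    $_id   = microtime(true)+ 300;  // expires 5 minutes in the future
    $_key  = $enrollment['nonce_key'];
    $nonce = base64_encode($_id.":".md5($_id.":".$_key));

    // Challenge header reused by every rejection below.
    $challenge = 'WWW-Authenticate: Digest realm="'.$realm.
                 '",qop="auth",nonce="'.$nonce.'",opaque="'.md5($realm).'"';

    if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
        header('HTTP/1.1 401 Unauthorized');
        header($challenge);
        die();
    }

    // analyze the PHP_AUTH_DIGEST variable
    if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
        !isset($data['username'])) {
        $log=sprintf("SIP settings page: Invalid credentials from %s", $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die($log);
    }

    // split "user@domain"; a bare user name falls back to the realm as domain
    $username    = $data['username'];

    if (strstr($username, '@')) {
       $a = explode("@",$username);
       $username = $a[0];
       $domain   = $a[1];
    } else {
       $domain = $realm;
    }

    require("/etc/cdrtool/ngnpro_engines.inc");

    global $domainFilters, $resellerFilters, $soapEngines ;

    $credentials['account']    = sprintf("%s@%s",$username, $domain);

    if (!empty($domainFilters[$domain]['sip_engine'])) {
        $credentials['engine']   = $domainFilters[$domain]['sip_engine'];
        $credentials['customer'] = $domainFilters[$domain]['customer'];
        $credentials['reseller'] = $domainFilters[$domain]['reseller'];

    } else if (!empty($domainFilters['default']['sip_engine'])) {
        $credentials['engine']=$domainFilters['default']['sip_engine'];
    } else {
        $log=sprintf("SIP settings page error: no domainFilter available in ngnpro_engines.inc from %s", $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }

    $SOAPlogin=array(
                           "username" => $soapEngines[$credentials['engine']]['username'],
                           "password" => $soapEngines[$credentials['engine']]['password'],
                           "admin"    => true
    );

    $SoapAuth = array('auth', $SOAPlogin , 'urn:AGProjects:NGNPro', 0, '');

    $SipPort  = new WebService_NGNPro_SipPort($soapEngines[$credentials['engine']]['url']);

    $SipPort->_options['timeout'] = 5;
    // NOTE(review): certificate and host-name verification are switched off for
    // the call that carries the SOAP admin credentials and returns password
    // material. Anyone on the network path can read or alter that exchange.
    // Re-enable both checks and pin the engine's CA once its certificate allows.
    $SipPort->setOpt('curl', CURLOPT_SSL_VERIFYPEER, 0);
    $SipPort->setOpt('curl', CURLOPT_SSL_VERIFYHOST, 0);
    $SipPort->addHeader($SoapAuth);

    $result = $SipPort->getAccount(array("username" =>$username,"domain"   =>$domain));

    if (PEAR::isError($result)) {
        header('HTTP/1.1 401 Unauthorized');
        header($challenge);
        $log=sprintf("SIP settings page error: non-existent username %s from %s", $credentials['account'], $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }

    // The web_password property holds "<ha1>:<…>"; only the first field is used.
    $web_password='';
    foreach ($result->properties as $_property) {
        if ($_property->name == 'web_password') {
            $split=explode(":",$_property->value);
            $web_password=$split['0'];
            break;
        }
    }

    // Pick HA1: web password first, then the stored ha1, then one derived from
    // the clear-text password.
    if (!empty($web_password)) {
        $A1 = $web_password;
        $login_type_log = 'web password';
    } else if ($result->ha1) {
        $login_type_log = sprintf('encrypted password');
        $A1 = $result->ha1;
    } else {
        $A1 = md5($data['username'] . ':' . $realm . ':' . $result->password);
        $login_type_log = 'cleartext password';
    }

    $A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
    $valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

    // Strict, constant-time comparison; "!=" compares numeric-looking digests
    // ("0e…") as numbers.
    if (!hash_equals($valid_response, (string) $data['response'])) {
        header('HTTP/1.1 401 Unauthorized');
        header($challenge);

        $log=sprintf("SIP settings page error: wrong credentials using %s for %s from %s", $login_type_log, $credentials['account'], $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }

    // check nonce: it must decode to exactly "<expiry>:<mac>" and the mac must
    // be the one this server computes for that expiry
    $client_nonce_els=explode(":",(string) base64_decode($data['nonce']));

    if (count($client_nonce_els) != 2 ||
        !hash_equals(md5($client_nonce_els[0].":".$_key), $client_nonce_els[1])) {
        header('HTTP/1.1 401 Unauthorized');
        header($challenge);

        $log=sprintf("SIP settings page error: wrong nonce for %s from %s", $credentials['account'], $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }

    // The expiry was authenticated above, so it can be compared as a number.
    if (microtime(true) > (float) $client_nonce_els[0]) {
        // nonce is stale
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Digest realm="'.$realm.
               '",qop="auth",nonce="'.$nonce.'",stale=true,opaque="'.md5($realm).'"');

        $log=sprintf("SIP settings page error: nonce has expired for %s from %s", $username, $_SERVER['REMOTE_ADDR']);
        syslog(LOG_NOTICE, $log);
        die();
    }

    $log=sprintf("SIP settings page: %s logged in using %s from %s", $credentials['account'], $login_type_log, $_SERVER['REMOTE_ADDR']);
    syslog(LOG_NOTICE, $log);

    // The account record overrides the values taken from $domainFilters.
    $credentials['customer'] = $result->customer;
    $credentials['reseller'] = $result->reseller;

    return $credentials;
}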
Beispiel #10
        $Out['error'] = 'Can`t decode request.';
    }
}
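# Authenticate:
// Start from "not authenticated" so the check below never reads an unset
// $Digest when AUTH_RULES is on and the request carries no digest.
$Digest = false;
if ($CONF['AUTH_RULES']) {
    if (isset($Recv['digest'])) {
        $Digest = $Recv['digest'];
        if (!http_digest_validate($Out)) {
            $Digest = false;
            $Out['auth_status'] = 'Wrong credentials.';
            $Out['auth_error'] = true;
        }
        // NOTE(review): rand() is not a cryptographic generator, so this nonce
        // is guessable. Use a CSPRNG (random_bytes() on PHP >= 7) if the nonce
        // is meant to prevent replay.
        $Out['nonce'] = md5(rand());
    }
} else {
    $Digest = http_digest_parse();
}
// Accept the user name only from a parsed digest that actually carries one.
if (is_array($Digest) && isset($Digest['username'])) {
    global $UserID;
    if ($Digest['username'] != 'null') {
        $UserID = $Digest['username'];
    }
}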
# Process response:
if (array_key_exists('walkdir', $Recv)) {
    $Out['walkdir'] = array();
    foreach ($Recv['walkdir'] as $dir) {
        $rem = array('../', '../', '..');
        $dir = str_replace($rem, '', $dir);
        $walkdir = array();
        walkDir($Recv, $dir, $walkdir, 0);
Beispiel #11
     header('HTTP/1.1 401 Authorization Required');
     header('WWW-Authenticate: Digest realm="' . $realm . '", qop="auth", nonce="' . uniqid() . '", opaque="' . md5($realm) . '"');
     header("Content-Type: text/html");
     $content = 'Authorization Cancelled';
     header("Content-Length: " . strval(strlen($content)));
     echo $content;
     die;
 }
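 //set the realm
 $realm = $_SESSION['domain_name'];
 //request authentication
 if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
     http_digest_request($realm);
 }
 //check for valid digest authentication details
 $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
 // Strict comparison: a loose "!=" compares numeric-looking user names
 // ("1e3" and "1000") as numbers.
 if (!$data || (string) $data['username'] !== (string) $provision["http_auth_username"]) {
     header('HTTP/1.1 401 Unauthorized');
     header("Content-Type: text/html");
     // NOTE(review): $__line__ is not assigned in the visible code; the
     // __LINE__ constant may have been intended.
     $content = 'Unauthorized ' . $__line__;
     header("Content-Length: " . strval(strlen($content)));
     echo $content;
     exit;
 }
 //generate the valid response from the provisioned credentials
 $A1 = md5($provision["http_auth_username"] . ':' . $realm . ':' . $provision["http_auth_password"]);
 $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
 $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);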
 if ($data['response'] != $valid_response) {
     header('HTTP/1.0 401 Unauthorized');
     header("Content-Type: text/html");
     $content = 'Unauthorized ' . $__line__;
Beispiel #12
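/**
 * Check the request's HTTP Digest credentials against the configured account.
 *
 * Reads the globals $realm, $user_name and $password. $password is used
 * directly as HA1, i.e. md5("user:realm:password"), not as the clear-text
 * password. Sends a 401 challenge and ends the script when no Authorization
 * header is present.
 *
 * @return bool true when the user name and the digest response both match.
 */
function http_digest_check()
{
    global $realm, $user_name, $password;
    if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
        header('HTTP/1.1 401 Unauthorized');
        // NOTE(review): the nonce is never verified on the follow-up request,
        // so it gives no replay protection.
        header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
        die('Not Authenticated');
    }
    // analyze the PHP_AUTH_DIGEST variable
    $data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
    if (!$data || $data['username'] !== $user_name) {
        return false;
    }
    // generate the valid response
    $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    $valid_response = md5($password . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
    // Strict, constant-time comparison; "==" compares numeric-looking digests
    // ("0e…") as numbers.
    return hash_equals($valid_response, (string) $data['response']);
}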
require dirname(__FILE__) . "/../../http/classes/class_administration.php";
require dirname(__FILE__) . "/../../http/classes/class_connector.php";
require_once dirname(__FILE__) . "/../../http/classes/class_mb_exception.php";
require dirname(__FILE__) . "/../../owsproxy/http/classes/class_QueryHandler.php";
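//database connection
$db = db_connect($DBSERVER, $OWNER, $PW);
db_select_db(DB, $db);
$imageformats = array("image/png", "image/gif", "image/jpeg", "image/jpg");
//control if digest auth is set, if not set, generate the challenge with getNonce()
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="' . REALM . '",qop="auth",nonce="' . getNonce() . '",opaque="' . md5(REALM) . '"');
    die('Text to send if user hits Cancel button');
}
//read out the header in an array
$requestHeaderArray = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
//error if header could not be read
if (!$requestHeaderArray) {
    echo 'Following Header information cannot be validated - check your clientsoftware!<br>';
    // The header is client-supplied; encode it before writing it into HTML.
    echo htmlspecialchars($_SERVER['PHP_AUTH_DIGEST'], ENT_QUOTES, 'UTF-8') . '<br>';
    die;
}
//get mb_username and email out of http_auth username string ("name;email")
$userIdentification = explode(';', $requestHeaderArray['username']);
$mbUsername = $userIdentification[0];
// A user name without ';' has no e-mail part; avoid the undefined-offset read.
$mbEmail = isset($userIdentification[1]) ? $userIdentification[1] : null;
$userInformation = getUserInfo($mbUsername, $mbEmail);
if ($userInformation[0] == '-1') {
    // Both values come from the request, so encode them for the HTML response.
    die('User with name: ' . htmlspecialchars((string) $mbUsername, ENT_QUOTES, 'UTF-8') . ' and email: ' . htmlspecialchars((string) $mbEmail, ENT_QUOTES, 'UTF-8') . ' not known to security proxy!');
}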
if ($userInformation[1] == '') {