461 lines
11 KiB
C#
461 lines
11 KiB
C#
//
|
|
// System.Net.DigestClient.cs
|
|
//
|
|
// Authors:
|
|
// Greg Reinacker (gregr@rassoc.com)
|
|
// Sebastien Pouliot (spouliot@motus.com)
|
|
// Gonzalo Paniagua Javier (gonzalo@ximian.com
|
|
//
|
|
// Copyright 2002-2003 Greg Reinacker, Reinacker & Associates, Inc. All rights reserved.
|
|
// Portions (C) 2003 Motus Technologies Inc. (http://www.motus.com)
|
|
// (c) 2003 Novell, Inc. (http://www.novell.com)
|
|
//
|
|
// Original (server-side) source code available at
|
|
// http://www.rassoc.com/gregr/weblog/stories/2002/07/09/webServicesSecurityHttpDigestAuthenticationWithoutActiveDirectory.html
|
|
//
|
|
|
|
//
|
|
// Permission is hereby granted, free of charge, to any person obtaining
|
|
// a copy of this software and associated documentation files (the
|
|
// "Software"), to deal in the Software without restriction, including
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
// distribute, sublicense, and/or sell copies of the Software, and to
|
|
// permit persons to whom the Software is furnished to do so, subject to
|
|
// the following conditions:
|
|
//
|
|
// The above copyright notice and this permission notice shall be
|
|
// included in all copies or substantial portions of the Software.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
//
|
|
|
|
using System;
|
|
using System.Collections;
|
|
using System.Collections.Specialized;
|
|
using System.IO;
|
|
using System.Net;
|
|
using System.Security.Cryptography;
|
|
using System.Text;
|
|
|
|
namespace System.Net
|
|
{
|
|
//
|
|
// This works with apache mod_digest
|
|
//TODO:
|
|
// MD5-sess
|
|
// qop (auth-int)
|
|
//
|
|
// See RFC 2617 for details.
|
|
//
|
|
|
|
|
|
class DigestHeaderParser
|
|
{
|
|
string header;
|
|
int length;
|
|
int pos;
|
|
static string [] keywords = { "realm", "opaque", "nonce", "algorithm", "qop" };
|
|
string [] values = new string [keywords.Length];
|
|
|
|
public DigestHeaderParser (string header)
|
|
{
|
|
this.header = header.Trim ();
|
|
}
|
|
|
|
public string Realm {
|
|
get { return values [0]; }
|
|
}
|
|
|
|
public string Opaque {
|
|
get { return values [1]; }
|
|
}
|
|
|
|
public string Nonce {
|
|
get { return values [2]; }
|
|
}
|
|
|
|
public string Algorithm {
|
|
get { return values [3]; }
|
|
}
|
|
|
|
public string QOP {
|
|
get { return values [4]; }
|
|
}
|
|
|
|
public bool Parse ()
|
|
{
|
|
if (!header.ToLower ().StartsWith ("digest "))
|
|
return false;
|
|
|
|
pos = 6;
|
|
length = this.header.Length;
|
|
while (pos < length) {
|
|
string key, value;
|
|
if (!GetKeywordAndValue (out key, out value))
|
|
return false;
|
|
|
|
SkipWhitespace ();
|
|
if (pos < length && header [pos] == ',')
|
|
pos++;
|
|
|
|
int idx = Array.IndexOf (keywords, (key));
|
|
if (idx == -1)
|
|
continue;
|
|
|
|
if (values [idx] != null)
|
|
return false;
|
|
|
|
values [idx] = value;
|
|
}
|
|
|
|
if (Realm == null || Nonce == null)
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
void SkipWhitespace ()
|
|
{
|
|
char c = ' ';
|
|
while (pos < length && (c == ' ' || c == '\t' || c == '\r' || c == '\n')) {
|
|
c = header [pos++];
|
|
}
|
|
pos--;
|
|
}
|
|
|
|
string GetKey ()
|
|
{
|
|
SkipWhitespace ();
|
|
int begin = pos;
|
|
while (pos < length && header [pos] != '=') {
|
|
pos++;
|
|
}
|
|
|
|
string key = header.Substring (begin, pos - begin).Trim ().ToLower ();
|
|
return key;
|
|
}
|
|
|
|
bool GetKeywordAndValue (out string key, out string value)
|
|
{
|
|
key = null;
|
|
value = null;
|
|
key = GetKey ();
|
|
if (pos >= length)
|
|
return false;
|
|
|
|
SkipWhitespace ();
|
|
if (pos + 1 >= length || header [pos++] != '=')
|
|
return false;
|
|
|
|
SkipWhitespace ();
|
|
// note: Apache doesn't use " in all case (like algorithm)
|
|
if (pos + 1 >= length)
|
|
return false;
|
|
|
|
bool useQuote = false;
|
|
if (header [pos] == '"') {
|
|
pos++;
|
|
useQuote = true;
|
|
}
|
|
|
|
int beginQ = pos;
|
|
if (useQuote) {
|
|
pos = header.IndexOf ('"', pos);
|
|
if (pos == -1)
|
|
return false;
|
|
} else {
|
|
do {
|
|
char c = header [pos];
|
|
if (c == ',' || c == ' ' || c == '\t' || c == '\r' || c == '\n')
|
|
break;
|
|
} while (++pos < length);
|
|
|
|
if (pos >= length && beginQ == pos)
|
|
return false;
|
|
}
|
|
|
|
value = header.Substring (beginQ, pos - beginQ);
|
|
pos += useQuote ? 2 : 1;
|
|
return true;
|
|
}
|
|
}
|
|
|
|
class DigestSession
|
|
{
|
|
static RandomNumberGenerator rng;
|
|
DateTime lastUse;
|
|
|
|
static DigestSession ()
|
|
{
|
|
rng = RandomNumberGenerator.Create ();
|
|
}
|
|
|
|
private int _nc;
|
|
private HashAlgorithm hash;
|
|
private DigestHeaderParser parser;
|
|
private string _cnonce;
|
|
|
|
public DigestSession ()
|
|
{
|
|
_nc = 1;
|
|
lastUse = DateTime.UtcNow;
|
|
}
|
|
|
|
public string Algorithm {
|
|
get { return parser.Algorithm; }
|
|
}
|
|
|
|
public string Realm {
|
|
get { return parser.Realm; }
|
|
}
|
|
|
|
public string Nonce {
|
|
get { return parser.Nonce; }
|
|
}
|
|
|
|
public string Opaque {
|
|
get { return parser.Opaque; }
|
|
}
|
|
|
|
public string QOP {
|
|
get { return parser.QOP; }
|
|
}
|
|
|
|
public string CNonce {
|
|
get {
|
|
if (_cnonce == null) {
|
|
// 15 is a multiple of 3 which is better for base64 because it
|
|
// wont end with '=' and risk messing up the server parsing
|
|
byte[] bincnonce = new byte [15];
|
|
rng.GetBytes (bincnonce);
|
|
_cnonce = Convert.ToBase64String (bincnonce);
|
|
Array.Clear (bincnonce, 0, bincnonce.Length);
|
|
}
|
|
return _cnonce;
|
|
}
|
|
}
|
|
|
|
public bool Parse (string challenge)
|
|
{
|
|
parser = new DigestHeaderParser (challenge);
|
|
if (!parser.Parse ()) {
|
|
return false;
|
|
}
|
|
|
|
// build the hash object (only MD5 is defined in RFC2617)
|
|
if ((parser.Algorithm == null) || (parser.Algorithm.ToUpper ().StartsWith ("MD5")))
|
|
hash = MD5.Create ();
|
|
|
|
return true;
|
|
}
|
|
|
|
private string HashToHexString (string toBeHashed)
|
|
{
|
|
if (hash == null)
|
|
return null;
|
|
|
|
hash.Initialize ();
|
|
byte[] result = hash.ComputeHash (Encoding.ASCII.GetBytes (toBeHashed));
|
|
|
|
StringBuilder sb = new StringBuilder ();
|
|
foreach (byte b in result)
|
|
sb.Append (b.ToString ("x2"));
|
|
return sb.ToString ();
|
|
}
|
|
|
|
private string HA1 (string username, string password)
|
|
{
|
|
string ha1 = String.Format ("{0}:{1}:{2}", username, Realm, password);
|
|
if (Algorithm != null && Algorithm.ToLower () == "md5-sess")
|
|
ha1 = String.Format ("{0}:{1}:{2}", HashToHexString (ha1), Nonce, CNonce);
|
|
return HashToHexString (ha1);
|
|
}
|
|
|
|
private string HA2 (HttpWebRequest webRequest)
|
|
{
|
|
string ha2 = String.Format ("{0}:{1}", webRequest.Method, webRequest.RequestUri.PathAndQuery);
|
|
if (QOP == "auth-int") {
|
|
// TODO
|
|
// ha2 += String.Format (":{0}", hentity);
|
|
}
|
|
return HashToHexString (ha2);
|
|
}
|
|
|
|
private string Response (string username, string password, HttpWebRequest webRequest)
|
|
{
|
|
string response = String.Format ("{0}:{1}:", HA1 (username, password), Nonce);
|
|
if (QOP != null)
|
|
response += String.Format ("{0}:{1}:{2}:", _nc.ToString ("X8"), CNonce, QOP);
|
|
response += HA2 (webRequest);
|
|
return HashToHexString (response);
|
|
}
|
|
|
|
public Authorization Authenticate (WebRequest webRequest, ICredentials credentials)
|
|
{
|
|
if (parser == null)
|
|
throw new InvalidOperationException ();
|
|
|
|
HttpWebRequest request = webRequest as HttpWebRequest;
|
|
if (request == null)
|
|
return null;
|
|
|
|
lastUse = DateTime.UtcNow;
|
|
NetworkCredential cred = credentials.GetCredential (request.RequestUri, "digest");
|
|
if (cred == null)
|
|
return null;
|
|
|
|
string userName = cred.UserName;
|
|
if (userName == null || userName == "")
|
|
return null;
|
|
|
|
string password = cred.Password;
|
|
|
|
StringBuilder auth = new StringBuilder ();
|
|
auth.AppendFormat ("Digest username=\"{0}\", ", userName);
|
|
auth.AppendFormat ("realm=\"{0}\", ", Realm);
|
|
auth.AppendFormat ("nonce=\"{0}\", ", Nonce);
|
|
auth.AppendFormat ("uri=\"{0}\", ", request.Address.PathAndQuery);
|
|
|
|
if (Algorithm != null) { // hash algorithm (only MD5 in RFC2617)
|
|
auth.AppendFormat ("algorithm=\"{0}\", ", Algorithm);
|
|
}
|
|
|
|
auth.AppendFormat ("response=\"{0}\", ", Response (userName, password, request));
|
|
|
|
if (QOP != null) { // quality of protection (server decision)
|
|
auth.AppendFormat ("qop=\"{0}\", ", QOP);
|
|
}
|
|
|
|
lock (this) {
|
|
// _nc MUST NOT change from here...
|
|
// number of request using this nonce
|
|
if (QOP != null) {
|
|
auth.AppendFormat ("nc={0:X8}, ", _nc);
|
|
_nc++;
|
|
}
|
|
// until here, now _nc can change
|
|
}
|
|
|
|
if (CNonce != null) // opaque value from the client
|
|
auth.AppendFormat ("cnonce=\"{0}\", ", CNonce);
|
|
|
|
if (Opaque != null) // exact same opaque value as received from server
|
|
auth.AppendFormat ("opaque=\"{0}\", ", Opaque);
|
|
|
|
auth.Length -= 2; // remove ", "
|
|
return new Authorization (auth.ToString ());
|
|
}
|
|
|
|
public DateTime LastUse {
|
|
get { return lastUse; }
|
|
}
|
|
}
|
|
|
|
class DigestClient : IAuthenticationModule
|
|
{
|
|
|
|
static readonly Hashtable cache = Hashtable.Synchronized (new Hashtable ());
|
|
|
|
static Hashtable Cache {
|
|
get {
|
|
lock (cache.SyncRoot) {
|
|
CheckExpired (cache.Count);
|
|
}
|
|
|
|
return cache;
|
|
}
|
|
}
|
|
|
|
static void CheckExpired (int count)
|
|
{
|
|
if (count < 10)
|
|
return;
|
|
|
|
DateTime t = DateTime.MaxValue;
|
|
DateTime now = DateTime.UtcNow;
|
|
ArrayList list = null;
|
|
foreach (int key in cache.Keys) {
|
|
DigestSession elem = (DigestSession) cache [key];
|
|
if (elem.LastUse < t &&
|
|
(elem.LastUse - now).Ticks > TimeSpan.TicksPerMinute * 10) {
|
|
t = elem.LastUse;
|
|
if (list == null)
|
|
list = new ArrayList ();
|
|
|
|
list.Add (key);
|
|
}
|
|
}
|
|
|
|
if (list != null) {
|
|
foreach (int k in list)
|
|
cache.Remove (k);
|
|
}
|
|
}
|
|
|
|
// IAuthenticationModule
|
|
|
|
public Authorization Authenticate (string challenge, WebRequest webRequest, ICredentials credentials)
|
|
{
|
|
if (credentials == null || challenge == null)
|
|
return null;
|
|
|
|
string header = challenge.Trim ();
|
|
if (header.ToLower ().IndexOf ("digest") == -1)
|
|
return null;
|
|
|
|
HttpWebRequest request = webRequest as HttpWebRequest;
|
|
if (request == null)
|
|
return null;
|
|
|
|
DigestSession currDS = new DigestSession();
|
|
if (!currDS.Parse (challenge))
|
|
return null;
|
|
|
|
int hashcode = request.Address.GetHashCode () ^ credentials.GetHashCode () ^ currDS.Nonce.GetHashCode ();
|
|
DigestSession ds = (DigestSession) Cache [hashcode];
|
|
bool addDS = (ds == null);
|
|
if (addDS)
|
|
ds = currDS;
|
|
else if (!ds.Parse (challenge))
|
|
return null;
|
|
|
|
if (addDS)
|
|
Cache.Add (hashcode, ds);
|
|
|
|
return ds.Authenticate (webRequest, credentials);
|
|
}
|
|
|
|
public Authorization PreAuthenticate (WebRequest webRequest, ICredentials credentials)
|
|
{
|
|
HttpWebRequest request = webRequest as HttpWebRequest;
|
|
if (request == null)
|
|
return null;
|
|
|
|
if (credentials == null)
|
|
return null;
|
|
|
|
int hashcode = request.Address.GetHashCode () ^ credentials.GetHashCode ();
|
|
DigestSession ds = (DigestSession) Cache [hashcode];
|
|
if (ds == null)
|
|
return null;
|
|
|
|
return ds.Authenticate (webRequest, credentials);
|
|
}
|
|
|
|
public string AuthenticationType {
|
|
get { return "Digest"; }
|
|
}
|
|
|
|
public bool CanPreAuthenticate {
|
|
get { return true; }
|
|
}
|
|
}
|
|
}
|
|
|