// System.Net.DigestClient.cs
//
// Authors:
-// Gonzalo Paniagua Javier (gonzalo@ximian.com)
+// Greg Reinacker (gregr@rassoc.com)
+// Sebastien Pouliot (spouliot@motus.com)
+// Gonzalo Paniagua Javier (gonzalo@ximian.com
//
-// (C) 2003 Novell, Inc (http://www.ximian.com)
+// Copyright 2002-2003 Greg Reinacker, Reinacker & Associates, Inc. All rights reserved.
+// Portions (C) 2003 Motus Technologies Inc. (http://www.motus.com)
+// (c) 2003 Novell, Inc. (http://www.novell.com)
+//
+// Original (server-side) source code available at
+// http://www.rassoc.com/gregr/weblog/stories/2002/07/09/webServicesSecurityHttpDigestAuthenticationWithoutActiveDirectory.html
+//
+
+//
+// Permission is hereby granted, free of charge, to any person obtaining
+// a copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so, subject to
+// the following conditions:
+//
+// The above copyright notice and this permission notice shall be
+// included in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
+using System;
+using System.Collections;
+using System.Collections.Specialized;
using System.IO;
+using System.Net;
using System.Security.Cryptography;
using System.Text;
+
namespace System.Net
{
//
// This works with apache mod_digest
//TODO:
// MD5-sess
- // qop
- // cnonce et al.
+ // qop (auth-int)
+ //
// See RFC 2617 for details.
//
+
class DigestHeaderParser
{
string header;
int length;
int pos;
- string realm, opaque, nonce, algorithm;
- static string [] keywords = { "realm", "opaque", "nonce", "algorithm" };
+ static string [] keywords = { "realm", "opaque", "nonce", "algorithm", "qop" };
string [] values = new string [keywords.Length];
public DigestHeaderParser (string header)
get { return values [3]; }
}
+ public string QOP {
+ get { return values [4]; }
+ }
+
public bool Parse ()
{
if (!header.ToLower ().StartsWith ("digest "))
pos--;
}
- void SkipNonWhitespace ()
- {
- char c = 'a';
- while (pos < length && c != ' ' && c != '\t' && c != '\r' && c != '\n') {
- c = header [pos++];
- }
- pos--;
- }
-
string GetKey ()
{
SkipWhitespace ();
return false;
SkipWhitespace ();
- if (pos + 1 >= length || header [pos++] != '"')
+ // note: Apache doesn't use " in all case (like algorithm)
+ if (pos + 1 >= length)
return false;
+ bool useQuote = false;
+ if (header [pos] == '"') {
+ pos++;
+ useQuote = true;
+ }
+
int beginQ = pos;
- pos = header.IndexOf ('"', pos);
- if (pos == -1)
- return false;
+ if (useQuote) {
+ pos = header.IndexOf ('"', pos);
+ if (pos == -1)
+ return false;
+ } else {
+ do {
+ char c = header [pos];
+ if (c == ',' || c == ' ' || c == '\t' || c == '\r' || c == '\n')
+ break;
+ } while (++pos < length);
+
+ if (pos >= length && beginQ == pos)
+ return false;
+ }
value = header.Substring (beginQ, pos - beginQ);
pos += 2;
return true;
}
}
-
- class DigestClient : IAuthenticationModule
+
+ class DigestSession
{
- public DigestClient ()
+ static RandomNumberGenerator rng;
+ DateTime lastUse;
+
+ static DigestSession ()
+ {
+ rng = RandomNumberGenerator.Create ();
+ }
+
+ private int _nc;
+ private HashAlgorithm hash;
+ private DigestHeaderParser parser;
+ private string _cnonce;
+
+ public DigestSession ()
{
+ _nc = 1;
+ lastUse = DateTime.Now;
}
- static string GetHexString (byte [] bytes)
+ public string Algorithm {
+ get { return parser.Algorithm; }
+ }
+
+ public string Realm {
+ get { return parser.Realm; }
+ }
+
+ public string Nonce {
+ get { return parser.Nonce; }
+ }
+
+ public string Opaque {
+ get { return parser.Opaque; }
+ }
+
+ public string QOP {
+ get { return parser.QOP; }
+ }
+
+ public string CNonce {
+ get {
+ if (_cnonce == null) {
+ // 15 is a multiple of 3 which is better for base64 because it
+ // wont end with '=' and risk messing up the server parsing
+ byte[] bincnonce = new byte [15];
+ rng.GetBytes (bincnonce);
+ _cnonce = Convert.ToBase64String (bincnonce);
+ Array.Clear (bincnonce, 0, bincnonce.Length);
+ }
+ return _cnonce;
+ }
+ }
+
+ public bool Parse (string challenge)
{
- StringBuilder result = new StringBuilder (bytes.Length * 2);
- foreach (byte b in bytes)
- result.AppendFormat ("{0:x2}", (int) b);
+ parser = new DigestHeaderParser (challenge);
+ if (!parser.Parse ()) {
+ return false;
+ }
- return result.ToString ();
+ // build the hash object (only MD5 is defined in RFC2617)
+ if ((parser.Algorithm == null) || (parser.Algorithm.ToUpper ().StartsWith ("MD5")))
+ hash = HashAlgorithm.Create ("MD5");
+
+ return true;
}
- public Authorization Authenticate (string challenge, WebRequest webRequest, ICredentials credentials)
+ private string HashToHexString (string toBeHashed)
{
- if (credentials == null || challenge == null)
+ if (hash == null)
return null;
+ hash.Initialize ();
+ byte[] result = hash.ComputeHash (Encoding.ASCII.GetBytes (toBeHashed));
+
+ StringBuilder sb = new StringBuilder ();
+ foreach (byte b in result)
+ sb.Append (b.ToString ("x2"));
+ return sb.ToString ();
+ }
+
+ private string HA1 (string username, string password)
+ {
+ string ha1 = String.Format ("{0}:{1}:{2}", username, Realm, password);
+ if (Algorithm != null && Algorithm.ToLower () == "md5-sess")
+ ha1 = String.Format ("{0}:{1}:{2}", HashToHexString (ha1), Nonce, CNonce);
+ return HashToHexString (ha1);
+ }
+
+ private string HA2 (HttpWebRequest webRequest)
+ {
+ string ha2 = String.Format ("{0}:{1}", webRequest.Method, webRequest.RequestUri.PathAndQuery);
+ if (QOP == "auth-int") {
+ // TODO
+ // ha2 += String.Format (":{0}", hentity);
+ }
+ return HashToHexString (ha2);
+ }
+
+ private string Response (string username, string password, HttpWebRequest webRequest)
+ {
+ string response = String.Format ("{0}:{1}:", HA1 (username, password), Nonce);
+ if (QOP != null)
+ response += String.Format ("{0}:{1}:{2}:", _nc.ToString ("X8"), CNonce, QOP);
+ response += HA2 (webRequest);
+ return HashToHexString (response);
+ }
+
+ public Authorization Authenticate (WebRequest webRequest, ICredentials credentials)
+ {
+ if (parser == null)
+ throw new InvalidOperationException ();
+
HttpWebRequest request = webRequest as HttpWebRequest;
if (request == null)
return null;
+
+ lastUse = DateTime.Now;
+ NetworkCredential cred = credentials.GetCredential (request.RequestUri, "digest");
+ if (cred == null)
+ return null;
- NetworkCredential cred = credentials.GetCredential (request.AuthUri, "digest");
string userName = cred.UserName;
if (userName == null || userName == "")
return null;
- DigestHeaderParser parser = new DigestHeaderParser (challenge);
- if (!parser.Parse ())
- return null;
-
- Encoding enc = Encoding.Default;
- MD5 md5 = new MD5CryptoServiceProvider ();
string password = cred.Password;
+
+ StringBuilder auth = new StringBuilder ();
+ auth.AppendFormat ("Digest username=\"{0}\", ", userName);
+ auth.AppendFormat ("realm=\"{0}\", ", Realm);
+ auth.AppendFormat ("nonce=\"{0}\", ", Nonce);
+ auth.AppendFormat ("uri=\"{0}\", ", request.Address.PathAndQuery);
+
+ if (Algorithm != null) { // hash algorithm (only MD5 in RFC2617)
+ auth.AppendFormat ("algorithm=\"{0}\", ", Algorithm);
+ }
- // A1: user ":" realm ":" password
- string a1str = String.Format ("{0}:{1}:{2}", userName, parser.Realm, password);
- byte [] a1 = md5.ComputeHash (enc.GetBytes (a1str));
- a1str = GetHexString (a1);
- // A2: method ":" path
- string a2str = String.Format ("{0}:{1}", request.Method, request.Address.PathAndQuery);
- byte [] a2 = md5.ComputeHash (enc.GetBytes (a2str));
- a2str = GetHexString (a2);
-
- // Response: a1 ":" nonce ":" a2
- string respString = String.Format ("{0}:{1}:{2}", a1str, parser.Nonce, a2str);
- byte [] respBytes = md5.ComputeHash (enc.GetBytes (respString));
- respString = GetHexString (respBytes);
+ auth.AppendFormat ("response=\"{0}\", ", Response (userName, password, request));
+
+ if (QOP != null) { // quality of protection (server decision)
+ auth.AppendFormat ("qop=\"{0}\", ", QOP);
+ }
- StringBuilder response = new StringBuilder ();
- response.AppendFormat ("Digest username=\"{0}\", ", userName);
- response.AppendFormat ("realm=\"{0}\", ", parser.Realm);
- response.AppendFormat ("nonce=\"{0}\", ", parser.Nonce);
- response.AppendFormat ("uri=\"{0}\", ", request.Address.PathAndQuery);
- response.AppendFormat ("response=\"{0}\"", respString);
- if (parser.Opaque != null)
- response.AppendFormat (", opaque=\"{0}\"", parser.Opaque);
+ lock (this) {
+ // _nc MUST NOT change from here...
+ // number of request using this nonce
+ if (QOP != null) {
+ auth.AppendFormat ("nc={0:X8}, ", _nc);
+ _nc++;
+ }
+ // until here, now _nc can change
+ }
+
+ if (CNonce != null) // opaque value from the client
+ auth.AppendFormat ("cnonce=\"{0}\", ", CNonce);
- if (parser.Algorithm != null)
- response.AppendFormat (", algorithm=\"{0}\"", parser.Algorithm);
+ if (Opaque != null) // exact same opaque value as received from server
+ auth.AppendFormat ("opaque=\"{0}\", ", Opaque);
+
+ auth.Length -= 2; // remove ", "
+ return new Authorization (auth.ToString ());
+ }
- return new Authorization (response.ToString ());
+ public DateTime LastUse {
+ get { return lastUse; }
}
+ }
+
+ class DigestClient : IAuthenticationModule
+ {
+
+ static readonly Hashtable cache = Hashtable.Synchronized (new Hashtable ());
+
+ static Hashtable Cache {
+ get {
+ lock (cache.SyncRoot) {
+ CheckExpired (cache.Count);
+ }
+
+ return cache;
+ }
+ }
+
+ static void CheckExpired (int count)
+ {
+ if (count < 10)
+ return;
+
+ DateTime t = DateTime.MaxValue;
+ DateTime now = DateTime.Now;
+ ArrayList list = null;
+ foreach (int key in cache.Keys) {
+ DigestSession elem = (DigestSession) cache [key];
+ if (elem.LastUse < t &&
+ (elem.LastUse - now).Ticks > TimeSpan.TicksPerMinute * 10) {
+ t = elem.LastUse;
+ if (list == null)
+ list = new ArrayList ();
+
+ list.Add (key);
+ }
+ }
- [MonoTODO]
- public Authorization PreAuthenticate (WebRequest webRequest, ICredentials credentials)
+ if (list != null) {
+ foreach (int k in list)
+ cache.Remove (k);
+ }
+ }
+
+ // IAuthenticationModule
+
+ public Authorization Authenticate (string challenge, WebRequest webRequest, ICredentials credentials)
{
- throw new NotImplementedException ();
+ if (credentials == null || challenge == null)
+ return null;
+
+ string header = challenge.Trim ();
+ if (header.ToLower ().IndexOf ("digest") == -1)
+ return null;
+
+ HttpWebRequest request = webRequest as HttpWebRequest;
+ if (request == null)
+ return null;
+
+ int hashcode = request.Address.GetHashCode () ^ credentials.GetHashCode ();
+ DigestSession ds = (DigestSession) Cache [hashcode];
+ bool addDS = (ds == null);
+ if (addDS)
+ ds = new DigestSession ();
+
+ if (!ds.Parse (challenge))
+ return null;
+
+ if (addDS)
+ Cache.Add (hashcode, ds);
+
+ return ds.Authenticate (webRequest, credentials);
}
- public string AuthenticationType {
+ public Authorization PreAuthenticate (WebRequest webRequest, ICredentials credentials)
+ {
+ HttpWebRequest request = webRequest as HttpWebRequest;
+ if (request == null)
+ return null;
+
+ if (credentials == null)
+ return null;
+
+ int hashcode = request.Address.GetHashCode () ^ credentials.GetHashCode ();
+ DigestSession ds = (DigestSession) Cache [hashcode];
+ if (ds == null)
+ return null;
+
+ return ds.Authenticate (webRequest, credentials);
+ }
+
+ public string AuthenticationType {
get { return "Digest"; }
}
-
- public bool CanPreAuthenticate {
+
+ public bool CanPreAuthenticate {
get { return true; }
}
}