-
Notifications
You must be signed in to change notification settings - Fork 28
/
digest_auth.go
158 lines (131 loc) · 2.98 KB
/
digest_auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
package main
import (
"crypto/md5"
"encoding/csv"
"errors"
"fmt"
"io"
"math/rand"
"os"
"strconv"
"time"
)
const (
chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
maxNonceInactiveInterval = 12 * time.Hour
)
type NonceInfo struct {
issued time.Time
lastUsed time.Time
lastNonceCounter uint64
}
type DigestAuth struct {
users map[string]string
// issued nonce values
nonces map[string](*NonceInfo)
}
type DigestAuthData struct {
user string
realm string
nonce string
method string
uri string
response string
qop string
nc string
cnonce string
}
func makeRandomString(l int) string {
b := make([]byte, l)
for i := 0; i < l; i++ {
b[i] = chars[rand.Intn(len(chars))]
}
return string(b)
}
func newDigestAuthFromFile(path string) (*DigestAuth, error) {
r, err := os.Open(path)
if err != nil {
return nil, err
}
return newDigestAuth(r)
}
func newDigestAuth(file io.Reader) (*DigestAuth, error) {
csvReader := csv.NewReader(file)
csvReader.Comma = ':'
csvReader.Comment = '#'
csvReader.TrimLeadingSpace = true
records, err := csvReader.ReadAll()
if err != nil {
return nil, err
}
h := &DigestAuth{users: make(map[string]string), nonces: make(map[string](*NonceInfo))}
for _, record := range records {
// each record has to be in form: "user:realm:md5hash"
if len(record) != 3 {
return nil, errors.New("invalid htdigest file format")
}
key := record[0] + ":" + record[1]
value := record[2]
h.users[key] = value
}
rand.Seed(time.Now().UnixNano())
return h, nil
}
func (h *DigestAuth) validate(data *DigestAuthData) bool {
lookupKey := data.user + ":" + data.realm
ha1, exists := h.users[lookupKey]
if !exists {
return false
}
nonceInfo, nonceExists := h.nonces[data.nonce]
if !nonceExists {
return false
}
nc, err := strconv.ParseUint(data.nc, 16, 64)
if err != nil {
return false
}
// reply attack ?
if nc == nonceInfo.lastNonceCounter {
return false
}
s := data.method + ":" + data.uri
ha2 := fmt.Sprintf("%x", md5.Sum([]byte(s)))
s = ha1 + ":" + data.nonce + ":" + data.nc + ":" + data.cnonce + ":" + data.qop + ":" + ha2
realResponse := fmt.Sprintf("%x", md5.Sum([]byte(s)))
if data.response == realResponse {
nonceInfo.lastUsed = time.Now()
nonceInfo.lastNonceCounter = nc
return true
}
return false
}
func (h *DigestAuth) newNonce() string {
var nonce string
for {
rs := makeRandomString(100)
nonce = fmt.Sprintf("%x", md5.Sum([]byte(rs)))
_, exists := h.nonces[nonce]
if !exists {
h.addNonce(nonce)
break
}
}
return nonce
}
func (h *DigestAuth) addNonce(nonce string) {
h.nonces[nonce] = &NonceInfo{
issued: time.Now(),
lastUsed: time.Now(),
lastNonceCounter: 0,
}
}
func (h *DigestAuth) expireNonces() {
currentTime := time.Now()
limit := currentTime.Add(-maxNonceInactiveInterval)
for key, value := range h.nonces {
if value.lastUsed.Before(limit) {
delete(h.nonces, key)
}
}
}