PageRenderTime 46ms CodeModel.GetById 20ms RepoModel.GetById 1ms app.codeStats 0ms

/www/libs/Zend/Authentication/Adapter/Http.php

https://bitbucket.org/Ppito/kawaiviewmodel2
PHP | 827 lines | 430 code | 97 blank | 300 comment | 109 complexity | efa8d3a57e7d6a56e13bf2ad341fbdbf MD5 | raw file
Possible License(s): BSD-3-Clause
  1. <?php
  2. /**
  3. * Zend Framework (http://framework.zend.com/)
  4. *
  5. * @link http://github.com/zendframework/zf2 for the canonical source repository
  6. * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
  7. * @license http://framework.zend.com/license/new-bsd New BSD License
  8. * @package Zend_Authentication
  9. */
  10. namespace Zend\Authentication\Adapter;
  11. use Zend\Authentication;
  12. use Zend\Http\Request as HTTPRequest;
  13. use Zend\Http\Response as HTTPResponse;
  14. use Zend\Uri\UriFactory;
  15. /**
  16. * HTTP Authentication Adapter
  17. *
  18. * Implements a pretty good chunk of RFC 2617.
  19. *
  20. * @category Zend
  21. * @package Zend_Authentication
  22. * @subpackage Adapter_Http
  23. * @todo Support auth-int
  24. * @todo Track nonces, nonce-count, opaque for replay protection and stale support
  25. * @todo Support Authentication-Info header
  26. */
  27. class Http implements AdapterInterface
  28. {
  29. /**
  30. * Reference to the HTTP Request object
  31. *
  32. * @var HTTPRequest
  33. */
  34. protected $request;
  35. /**
  36. * Reference to the HTTP Response object
  37. *
  38. * @var HTTPResponse
  39. */
  40. protected $response;
  41. /**
  42. * Object that looks up user credentials for the Basic scheme
  43. *
  44. * @var Http\ResolverInterface
  45. */
  46. protected $basicResolver;
  47. /**
  48. * Object that looks up user credentials for the Digest scheme
  49. *
  50. * @var Http\ResolverInterface
  51. */
  52. protected $digestResolver;
  53. /**
  54. * List of authentication schemes supported by this class
  55. *
  56. * @var array
  57. */
  58. protected $supportedSchemes = array('basic', 'digest');
  59. /**
  60. * List of schemes this class will accept from the client
  61. *
  62. * @var array
  63. */
  64. protected $acceptSchemes;
  65. /**
  66. * Space-delimited list of protected domains for Digest Auth
  67. *
  68. * @var string
  69. */
  70. protected $domains;
  71. /**
  72. * The protection realm to use
  73. *
  74. * @var string
  75. */
  76. protected $realm;
  77. /**
  78. * Nonce timeout period
  79. *
  80. * @var integer
  81. */
  82. protected $nonceTimeout;
  83. /**
  84. * Whether to send the opaque value in the header. True by default
  85. *
  86. * @var boolean
  87. */
  88. protected $useOpaque;
  89. /**
  90. * List of the supported digest algorithms. I want to support both MD5 and
  91. * MD5-sess, but MD5-sess won't make it into the first version.
  92. *
  93. * @var array
  94. */
  95. protected $supportedAlgos = array('MD5');
  96. /**
  97. * The actual algorithm to use. Defaults to MD5
  98. *
  99. * @var string
  100. */
  101. protected $algo;
  102. /**
  103. * List of supported qop options. My intention is to support both 'auth' and
  104. * 'auth-int', but 'auth-int' won't make it into the first version.
  105. *
  106. * @var array
  107. */
  108. protected $supportedQops = array('auth');
  109. /**
  110. * Whether or not to do Proxy Authentication instead of origin server
  111. * authentication (send 407's instead of 401's). Off by default.
  112. *
  113. * @var boolean
  114. */
  115. protected $imaProxy;
  116. /**
  117. * Flag indicating the client is IE and didn't bother to return the opaque string
  118. *
  119. * @var boolean
  120. */
  121. protected $ieNoOpaque;
  122. /**
  123. * Constructor
  124. *
  125. * @param array $config Configuration settings:
  126. * 'accept_schemes' => 'basic'|'digest'|'basic digest'
  127. * 'realm' => <string>
  128. * 'digest_domains' => <string> Space-delimited list of URIs
  129. * 'nonce_timeout' => <int>
  130. * 'use_opaque' => <bool> Whether to send the opaque value in the header
  131. * 'algorithm' => <string> See $supportedAlgos. Default: MD5
  132. * 'proxy_auth' => <bool> Whether to do authentication as a Proxy
  133. * @throws Exception\InvalidArgumentException
  134. */
  135. public function __construct(array $config)
  136. {
  137. $this->request = null;
  138. $this->response = null;
  139. $this->ieNoOpaque = false;
  140. if (empty($config['accept_schemes'])) {
  141. throw new Exception\InvalidArgumentException('Config key "accept_schemes" is required');
  142. }
  143. $schemes = explode(' ', $config['accept_schemes']);
  144. $this->acceptSchemes = array_intersect($schemes, $this->supportedSchemes);
  145. if (empty($this->acceptSchemes)) {
  146. throw new Exception\InvalidArgumentException(sprintf(
  147. 'No supported schemes given in "accept_schemes". Valid values: %s',
  148. implode(', ', $this->supportedSchemes)
  149. ));
  150. }
  151. // Double-quotes are used to delimit the realm string in the HTTP header,
  152. // and colons are field delimiters in the password file.
  153. if (empty($config['realm']) ||
  154. !ctype_print($config['realm']) ||
  155. strpos($config['realm'], ':') !== false ||
  156. strpos($config['realm'], '"') !== false) {
  157. throw new Exception\InvalidArgumentException(
  158. 'Config key \'realm\' is required, and must contain only printable characters,'
  159. . 'excluding quotation marks and colons'
  160. );
  161. } else {
  162. $this->realm = $config['realm'];
  163. }
  164. if (in_array('digest', $this->acceptSchemes)) {
  165. if (empty($config['digest_domains']) ||
  166. !ctype_print($config['digest_domains']) ||
  167. strpos($config['digest_domains'], '"') !== false) {
  168. throw new Exception\InvalidArgumentException(
  169. 'Config key \'digest_domains\' is required, and must contain '
  170. . 'only printable characters, excluding quotation marks'
  171. );
  172. } else {
  173. $this->domains = $config['digest_domains'];
  174. }
  175. if (empty($config['nonce_timeout']) ||
  176. !is_numeric($config['nonce_timeout'])) {
  177. throw new Exception\InvalidArgumentException(
  178. 'Config key \'nonce_timeout\' is required, and must be an integer'
  179. );
  180. } else {
  181. $this->nonceTimeout = (int) $config['nonce_timeout'];
  182. }
  183. // We use the opaque value unless explicitly told not to
  184. if (isset($config['use_opaque']) && false == (bool) $config['use_opaque']) {
  185. $this->useOpaque = false;
  186. } else {
  187. $this->useOpaque = true;
  188. }
  189. if (isset($config['algorithm']) && in_array($config['algorithm'], $this->supportedAlgos)) {
  190. $this->algo = $config['algorithm'];
  191. } else {
  192. $this->algo = 'MD5';
  193. }
  194. }
  195. // Don't be a proxy unless explicitly told to do so
  196. if (isset($config['proxy_auth']) && true == (bool) $config['proxy_auth']) {
  197. $this->imaProxy = true; // I'm a Proxy
  198. } else {
  199. $this->imaProxy = false;
  200. }
  201. }
  202. /**
  203. * Setter for the basicResolver property
  204. *
  205. * @param Http\ResolverInterface $resolver
  206. * @return Http Provides a fluent interface
  207. */
  208. public function setBasicResolver(Http\ResolverInterface $resolver)
  209. {
  210. $this->basicResolver = $resolver;
  211. return $this;
  212. }
  213. /**
  214. * Getter for the basicResolver property
  215. *
  216. * @return Http\ResolverInterface
  217. */
  218. public function getBasicResolver()
  219. {
  220. return $this->basicResolver;
  221. }
  222. /**
  223. * Setter for the digestResolver property
  224. *
  225. * @param Http\ResolverInterface $resolver
  226. * @return Http Provides a fluent interface
  227. */
  228. public function setDigestResolver(Http\ResolverInterface $resolver)
  229. {
  230. $this->digestResolver = $resolver;
  231. return $this;
  232. }
  233. /**
  234. * Getter for the digestResolver property
  235. *
  236. * @return Http\ResolverInterface
  237. */
  238. public function getDigestResolver()
  239. {
  240. return $this->digestResolver;
  241. }
  242. /**
  243. * Setter for the Request object
  244. *
  245. * @param HTTPRequest $request
  246. * @return Http Provides a fluent interface
  247. */
  248. public function setRequest(HTTPRequest $request)
  249. {
  250. $this->request = $request;
  251. return $this;
  252. }
  253. /**
  254. * Getter for the Request object
  255. *
  256. * @return HTTPRequest
  257. */
  258. public function getRequest()
  259. {
  260. return $this->request;
  261. }
  262. /**
  263. * Setter for the Response object
  264. *
  265. * @param HTTPResponse $response
  266. * @return Http Provides a fluent interface
  267. */
  268. public function setResponse(HTTPResponse $response)
  269. {
  270. $this->response = $response;
  271. return $this;
  272. }
  273. /**
  274. * Getter for the Response object
  275. *
  276. * @return HTTPResponse
  277. */
  278. public function getResponse()
  279. {
  280. return $this->response;
  281. }
  282. /**
  283. * Authenticate
  284. *
  285. * @throws Exception\RuntimeException
  286. * @return Authentication\Result
  287. */
  288. public function authenticate()
  289. {
  290. if (empty($this->request) || empty($this->response)) {
  291. throw new Exception\RuntimeException('Request and Response objects must be set before calling '
  292. . 'authenticate()');
  293. }
  294. if ($this->imaProxy) {
  295. $getHeader = 'Proxy-Authorization';
  296. } else {
  297. $getHeader = 'Authorization';
  298. }
  299. $headers = $this->request->getHeaders();
  300. if (!$headers->has($getHeader)) {
  301. return $this->_challengeClient();
  302. }
  303. $authHeader = $headers->get($getHeader)->getFieldValue();
  304. if (!$authHeader) {
  305. return $this->_challengeClient();
  306. }
  307. list($clientScheme) = explode(' ', $authHeader);
  308. $clientScheme = strtolower($clientScheme);
  309. // The server can issue multiple challenges, but the client should
  310. // answer with only the selected auth scheme.
  311. if (!in_array($clientScheme, $this->supportedSchemes)) {
  312. $this->response->setStatusCode(400);
  313. return new Authentication\Result(
  314. Authentication\Result::FAILURE_UNCATEGORIZED,
  315. array(),
  316. array('Client requested an incorrect or unsupported authentication scheme')
  317. );
  318. }
  319. // client sent a scheme that is not the one required
  320. if (!in_array($clientScheme, $this->acceptSchemes)) {
  321. // challenge again the client
  322. return $this->_challengeClient();
  323. }
  324. switch ($clientScheme) {
  325. case 'basic':
  326. $result = $this->_basicAuth($authHeader);
  327. break;
  328. case 'digest':
  329. $result = $this->_digestAuth($authHeader);
  330. break;
  331. default:
  332. throw new Exception\RuntimeException('Unsupported authentication scheme: ' . $clientScheme);
  333. }
  334. return $result;
  335. }
  336. /**
  337. * Challenge Client
  338. *
  339. * Sets a 401 or 407 Unauthorized response code, and creates the
  340. * appropriate Authenticate header(s) to prompt for credentials.
  341. *
  342. * @return Authentication\Result Always returns a non-identity Auth result
  343. */
  344. protected function _challengeClient()
  345. {
  346. if ($this->imaProxy) {
  347. $statusCode = 407;
  348. $headerName = 'Proxy-Authenticate';
  349. } else {
  350. $statusCode = 401;
  351. $headerName = 'WWW-Authenticate';
  352. }
  353. $this->response->setStatusCode($statusCode);
  354. // Send a challenge in each acceptable authentication scheme
  355. $headers = $this->response->getHeaders();
  356. if (in_array('basic', $this->acceptSchemes)) {
  357. $headers->addHeaderLine($headerName, $this->_basicHeader());
  358. }
  359. if (in_array('digest', $this->acceptSchemes)) {
  360. $headers->addHeaderLine($headerName, $this->_digestHeader());
  361. }
  362. return new Authentication\Result(
  363. Authentication\Result::FAILURE_CREDENTIAL_INVALID,
  364. array(),
  365. array('Invalid or absent credentials; challenging client')
  366. );
  367. }
  368. /**
  369. * Basic Header
  370. *
  371. * Generates a Proxy- or WWW-Authenticate header value in the Basic
  372. * authentication scheme.
  373. *
  374. * @return string Authenticate header value
  375. */
  376. protected function _basicHeader()
  377. {
  378. return 'Basic realm="' . $this->realm . '"';
  379. }
  380. /**
  381. * Digest Header
  382. *
  383. * Generates a Proxy- or WWW-Authenticate header value in the Digest
  384. * authentication scheme.
  385. *
  386. * @return string Authenticate header value
  387. */
  388. protected function _digestHeader()
  389. {
  390. $wwwauth = 'Digest realm="' . $this->realm . '", '
  391. . 'domain="' . $this->domains . '", '
  392. . 'nonce="' . $this->_calcNonce() . '", '
  393. . ($this->useOpaque ? 'opaque="' . $this->_calcOpaque() . '", ' : '')
  394. . 'algorithm="' . $this->algo . '", '
  395. . 'qop="' . implode(',', $this->supportedQops) . '"';
  396. return $wwwauth;
  397. }
  398. /**
  399. * Basic Authentication
  400. *
  401. * @param string $header Client's Authorization header
  402. * @throws Exception\ExceptionInterface
  403. * @return Authentication\Result
  404. */
  405. protected function _basicAuth($header)
  406. {
  407. if (empty($header)) {
  408. throw new Exception\RuntimeException('The value of the client Authorization header is required');
  409. }
  410. if (empty($this->basicResolver)) {
  411. throw new Exception\RuntimeException(
  412. 'A basicResolver object must be set before doing Basic '
  413. . 'authentication');
  414. }
  415. // Decode the Authorization header
  416. $auth = substr($header, strlen('Basic '));
  417. $auth = base64_decode($auth);
  418. if (!$auth) {
  419. throw new Exception\RuntimeException('Unable to base64_decode Authorization header value');
  420. }
  421. // See ZF-1253. Validate the credentials the same way the digest
  422. // implementation does. If invalid credentials are detected,
  423. // re-challenge the client.
  424. if (!ctype_print($auth)) {
  425. return $this->_challengeClient();
  426. }
  427. // Fix for ZF-1515: Now re-challenges on empty username or password
  428. $creds = array_filter(explode(':', $auth));
  429. if (count($creds) != 2) {
  430. return $this->_challengeClient();
  431. }
  432. $result = $this->basicResolver->resolve($creds[0], $this->realm, $creds[1]);
  433. if ($result instanceof Authentication\Result && $result->isValid()) {
  434. return $result;
  435. }
  436. if (!$result instanceof Authentication\Result
  437. && !is_array($result)
  438. && $this->_secureStringCompare($result, $creds[1])
  439. ) {
  440. $identity = array('username'=>$creds[0], 'realm'=>$this->realm);
  441. return new Authentication\Result(Authentication\Result::SUCCESS, $identity);
  442. } elseif (is_array($result)) {
  443. return new Authentication\Result(Authentication\Result::SUCCESS, $result);
  444. }
  445. return $this->_challengeClient();
  446. }
  447. /**
  448. * Digest Authentication
  449. *
  450. * @param string $header Client's Authorization header
  451. * @throws Exception\ExceptionInterface
  452. * @return Authentication\Result Valid auth result only on successful auth
  453. */
  454. protected function _digestAuth($header)
  455. {
  456. if (empty($header)) {
  457. throw new Exception\RuntimeException('The value of the client Authorization header is required');
  458. }
  459. if (empty($this->digestResolver)) {
  460. throw new Exception\RuntimeException('A digestResolver object must be set before doing Digest authentication');
  461. }
  462. $data = $this->_parseDigestAuth($header);
  463. if ($data === false) {
  464. $this->response->setStatusCode(400);
  465. return new Authentication\Result(
  466. Authentication\Result::FAILURE_UNCATEGORIZED,
  467. array(),
  468. array('Invalid Authorization header format')
  469. );
  470. }
  471. // See ZF-1052. This code was a bit too unforgiving of invalid
  472. // usernames. Now, if the username is bad, we re-challenge the client.
  473. if ('::invalid::' == $data['username']) {
  474. return $this->_challengeClient();
  475. }
  476. // Verify that the client sent back the same nonce
  477. if ($this->_calcNonce() != $data['nonce']) {
  478. return $this->_challengeClient();
  479. }
  480. // The opaque value is also required to match, but of course IE doesn't
  481. // play ball.
  482. if (!$this->ieNoOpaque && $this->_calcOpaque() != $data['opaque']) {
  483. return $this->_challengeClient();
  484. }
  485. // Look up the user's password hash. If not found, deny access.
  486. // This makes no assumptions about how the password hash was
  487. // constructed beyond that it must have been built in such a way as
  488. // to be recreatable with the current settings of this object.
  489. $ha1 = $this->digestResolver->resolve($data['username'], $data['realm']);
  490. if ($ha1 === false) {
  491. return $this->_challengeClient();
  492. }
  493. // If MD5-sess is used, a1 value is made of the user's password
  494. // hash with the server and client nonce appended, separated by
  495. // colons.
  496. if ($this->algo == 'MD5-sess') {
  497. $ha1 = hash('md5', $ha1 . ':' . $data['nonce'] . ':' . $data['cnonce']);
  498. }
  499. // Calculate h(a2). The value of this hash depends on the qop
  500. // option selected by the client and the supported hash functions
  501. switch ($data['qop']) {
  502. case 'auth':
  503. $a2 = $this->request->getMethod() . ':' . $data['uri'];
  504. break;
  505. case 'auth-int':
  506. // Should be REQUEST_METHOD . ':' . uri . ':' . hash(entity-body),
  507. // but this isn't supported yet, so fall through to default case
  508. default:
  509. throw new Exception\RuntimeException('Client requested an unsupported qop option');
  510. }
  511. // Using hash() should make parameterizing the hash algorithm
  512. // easier
  513. $ha2 = hash('md5', $a2);
  514. // Calculate the server's version of the request-digest. This must
  515. // match $data['response']. See RFC 2617, section 3.2.2.1
  516. $message = $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $ha2;
  517. $digest = hash('md5', $ha1 . ':' . $message);
  518. // If our digest matches the client's let them in, otherwise return
  519. // a 401 code and exit to prevent access to the protected resource.
  520. if ($this->_secureStringCompare($digest, $data['response'])) {
  521. $identity = array('username'=>$data['username'], 'realm'=>$data['realm']);
  522. return new Authentication\Result(Authentication\Result::SUCCESS, $identity);
  523. }
  524. return $this->_challengeClient();
  525. }
  526. /**
  527. * Calculate Nonce
  528. *
  529. * @return string The nonce value
  530. */
  531. protected function _calcNonce()
  532. {
  533. // Once subtle consequence of this timeout calculation is that it
  534. // actually divides all of time into nonceTimeout-sized sections, such
  535. // that the value of timeout is the point in time of the next
  536. // approaching "boundary" of a section. This allows the server to
  537. // consistently generate the same timeout (and hence the same nonce
  538. // value) across requests, but only as long as one of those
  539. // "boundaries" is not crossed between requests. If that happens, the
  540. // nonce will change on its own, and effectively log the user out. This
  541. // would be surprising if the user just logged in.
  542. $timeout = ceil(time() / $this->nonceTimeout) * $this->nonceTimeout;
  543. $userAgentHeader = $this->request->getHeaders()->get('User-Agent');
  544. if ($userAgentHeader) {
  545. $userAgent = $userAgentHeader->getFieldValue();
  546. } elseif (isset($_SERVER['HTTP_USER_AGENT'])) {
  547. $userAgent = $_SERVER['HTTP_USER_AGENT'];
  548. } else {
  549. $userAgent = 'Zend_Authenticaion';
  550. }
  551. $nonce = hash('md5', $timeout . ':' . $userAgent . ':' . __CLASS__);
  552. return $nonce;
  553. }
  554. /**
  555. * Calculate Opaque
  556. *
  557. * The opaque string can be anything; the client must return it exactly as
  558. * it was sent. It may be useful to store data in this string in some
  559. * applications. Ideally, a new value for this would be generated each time
  560. * a WWW-Authenticate header is sent (in order to reduce predictability),
  561. * but we would have to be able to create the same exact value across at
  562. * least two separate requests from the same client.
  563. *
  564. * @return string The opaque value
  565. */
  566. protected function _calcOpaque()
  567. {
  568. return hash('md5', 'Opaque Data:' . __CLASS__);
  569. }
  570. /**
  571. * Parse Digest Authorization header
  572. *
  573. * @param string $header Client's Authorization: HTTP header
  574. * @return array|bool Data elements from header, or false if any part of
  575. * the header is invalid
  576. */
  577. protected function _parseDigestAuth($header)
  578. {
  579. $temp = null;
  580. $data = array();
  581. // See ZF-1052. Detect invalid usernames instead of just returning a
  582. // 400 code.
  583. $ret = preg_match('/username="([^"]+)"/', $header, $temp);
  584. if (!$ret || empty($temp[1])
  585. || !ctype_print($temp[1])
  586. || strpos($temp[1], ':') !== false) {
  587. $data['username'] = '::invalid::';
  588. } else {
  589. $data['username'] = $temp[1];
  590. }
  591. $temp = null;
  592. $ret = preg_match('/realm="([^"]+)"/', $header, $temp);
  593. if (!$ret || empty($temp[1])) {
  594. return false;
  595. }
  596. if (!ctype_print($temp[1]) || strpos($temp[1], ':') !== false) {
  597. return false;
  598. } else {
  599. $data['realm'] = $temp[1];
  600. }
  601. $temp = null;
  602. $ret = preg_match('/nonce="([^"]+)"/', $header, $temp);
  603. if (!$ret || empty($temp[1])) {
  604. return false;
  605. }
  606. if (!ctype_xdigit($temp[1])) {
  607. return false;
  608. }
  609. $data['nonce'] = $temp[1];
  610. $temp = null;
  611. $ret = preg_match('/uri="([^"]+)"/', $header, $temp);
  612. if (!$ret || empty($temp[1])) {
  613. return false;
  614. }
  615. // Section 3.2.2.5 in RFC 2617 says the authenticating server must
  616. // verify that the URI field in the Authorization header is for the
  617. // same resource requested in the Request Line.
  618. $rUri = $this->request->getUri();
  619. $cUri = UriFactory::factory($temp[1]);
  620. // Make sure the path portion of both URIs is the same
  621. if ($rUri->getPath() != $cUri->getPath()) {
  622. return false;
  623. }
  624. // Section 3.2.2.5 seems to suggest that the value of the URI
  625. // Authorization field should be made into an absolute URI if the
  626. // Request URI is absolute, but it's vague, and that's a bunch of
  627. // code I don't want to write right now.
  628. $data['uri'] = $temp[1];
  629. $temp = null;
  630. $ret = preg_match('/response="([^"]+)"/', $header, $temp);
  631. if (!$ret || empty($temp[1])) {
  632. return false;
  633. }
  634. if (32 != strlen($temp[1]) || !ctype_xdigit($temp[1])) {
  635. return false;
  636. }
  637. $data['response'] = $temp[1];
  638. $temp = null;
  639. // The spec says this should default to MD5 if omitted. OK, so how does
  640. // that square with the algo we send out in the WWW-Authenticate header,
  641. // if it can easily be overridden by the client?
  642. $ret = preg_match('/algorithm="?(' . $this->algo . ')"?/', $header, $temp);
  643. if ($ret && !empty($temp[1])
  644. && in_array($temp[1], $this->supportedAlgos)) {
  645. $data['algorithm'] = $temp[1];
  646. } else {
  647. $data['algorithm'] = 'MD5'; // = $this->algo; ?
  648. }
  649. $temp = null;
  650. // Not optional in this implementation
  651. $ret = preg_match('/cnonce="([^"]+)"/', $header, $temp);
  652. if (!$ret || empty($temp[1])) {
  653. return false;
  654. }
  655. if (!ctype_print($temp[1])) {
  656. return false;
  657. }
  658. $data['cnonce'] = $temp[1];
  659. $temp = null;
  660. // If the server sent an opaque value, the client must send it back
  661. if ($this->useOpaque) {
  662. $ret = preg_match('/opaque="([^"]+)"/', $header, $temp);
  663. if (!$ret || empty($temp[1])) {
  664. // Big surprise: IE isn't RFC 2617-compliant.
  665. $headers = $this->request->getHeaders();
  666. if (!$headers->has('User-Agent')) {
  667. return false;
  668. }
  669. $userAgent = $headers->get('User-Agent')->getFieldValue();
  670. if (false === strpos($userAgent, 'MSIE')) {
  671. return false;
  672. }
  673. $temp[1] = '';
  674. $this->ieNoOpaque = true;
  675. }
  676. // This implementation only sends MD5 hex strings in the opaque value
  677. if (!$this->ieNoOpaque &&
  678. (32 != strlen($temp[1]) || !ctype_xdigit($temp[1]))) {
  679. return false;
  680. }
  681. $data['opaque'] = $temp[1];
  682. $temp = null;
  683. }
  684. // Not optional in this implementation, but must be one of the supported
  685. // qop types
  686. $ret = preg_match('/qop="?(' . implode('|', $this->supportedQops) . ')"?/', $header, $temp);
  687. if (!$ret || empty($temp[1])) {
  688. return false;
  689. }
  690. if (!in_array($temp[1], $this->supportedQops)) {
  691. return false;
  692. }
  693. $data['qop'] = $temp[1];
  694. $temp = null;
  695. // Not optional in this implementation. The spec says this value
  696. // shouldn't be a quoted string, but apparently some implementations
  697. // quote it anyway. See ZF-1544.
  698. $ret = preg_match('/nc="?([0-9A-Fa-f]{8})"?/', $header, $temp);
  699. if (!$ret || empty($temp[1])) {
  700. return false;
  701. }
  702. if (8 != strlen($temp[1]) || !ctype_xdigit($temp[1])) {
  703. return false;
  704. }
  705. $data['nc'] = $temp[1];
  706. $temp = null;
  707. return $data;
  708. }
  709. /**
  710. * Securely compare two strings for equality while avoided C level memcmp()
  711. * optimisations capable of leaking timing information useful to an attacker
  712. * attempting to iteratively guess the unknown string (e.g. password) being
  713. * compared against.
  714. *
  715. * @param string $a
  716. * @param string $b
  717. * @return bool
  718. */
  719. protected function _secureStringCompare($a, $b)
  720. {
  721. if (strlen($a) !== strlen($b)) {
  722. return false;
  723. }
  724. $result = 0;
  725. for ($i = 0; $i < strlen($a); $i++) {
  726. $result |= ord($a[$i]) ^ ord($b[$i]);
  727. }
  728. return $result == 0;
  729. }
  730. }