1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
# -*- test-case-name: twisted.cred.test.test_digestauth -*-
# Copyright (c) Twisted Matrix Laboratories.
# See LICENSE for details.
"""
Calculations for HTTP Digest authentication.
@see: U{http://www.faqs.org/rfcs/rfc2617.html}
"""
from binascii import hexlify
from hashlib import md5, sha1
# The digest math
algorithms = {
b"md5": md5,
# md5-sess is more complicated than just another algorithm. It requires
# H(A1) state to be remembered from the first WWW-Authenticate challenge
# issued and re-used to process any Authorization header in response to
# that WWW-Authenticate challenge. It is *not* correct to simply
# recalculate H(A1) each time an Authorization header is received. Read
# RFC 2617, section 3.2.2.2 and do not try to make DigestCredentialFactory
# support this unless you completely understand it. -exarkun
b"md5-sess": md5,
b"sha": sha1,
}
# DigestCalcHA1
def calcHA1(
pszAlg, pszUserName, pszRealm, pszPassword, pszNonce, pszCNonce, preHA1=None
):
"""
Compute H(A1) from RFC 2617.
@param pszAlg: The name of the algorithm to use to calculate the digest.
Currently supported are md5, md5-sess, and sha.
@param pszUserName: The username
@param pszRealm: The realm
@param pszPassword: The password
@param pszNonce: The nonce
@param pszCNonce: The cnonce
@param preHA1: If available this is a str containing a previously
calculated H(A1) as a hex string. If this is given then the values for
pszUserName, pszRealm, and pszPassword must be L{None} and are ignored.
"""
if preHA1 and (pszUserName or pszRealm or pszPassword):
raise TypeError(
"preHA1 is incompatible with the pszUserName, "
"pszRealm, and pszPassword arguments"
)
if preHA1 is None:
# We need to calculate the HA1 from the username:realm:password
m = algorithms[pszAlg]()
m.update(pszUserName)
m.update(b":")
m.update(pszRealm)
m.update(b":")
m.update(pszPassword)
HA1 = hexlify(m.digest())
else:
# We were given a username:realm:password
HA1 = preHA1
if pszAlg == b"md5-sess":
m = algorithms[pszAlg]()
m.update(HA1)
m.update(b":")
m.update(pszNonce)
m.update(b":")
m.update(pszCNonce)
HA1 = hexlify(m.digest())
return HA1
def calcHA2(algo, pszMethod, pszDigestUri, pszQop, pszHEntity):
"""
Compute H(A2) from RFC 2617.
@param algo: The name of the algorithm to use to calculate the digest.
Currently supported are md5, md5-sess, and sha.
@param pszMethod: The request method.
@param pszDigestUri: The request URI.
@param pszQop: The Quality-of-Protection value.
@param pszHEntity: The hash of the entity body or L{None} if C{pszQop} is
not C{'auth-int'}.
@return: The hash of the A2 value for the calculation of the response
digest.
"""
m = algorithms[algo]()
m.update(pszMethod)
m.update(b":")
m.update(pszDigestUri)
if pszQop == b"auth-int":
m.update(b":")
m.update(pszHEntity)
return hexlify(m.digest())
def calcResponse(HA1, HA2, algo, pszNonce, pszNonceCount, pszCNonce, pszQop):
"""
Compute the digest for the given parameters.
@param HA1: The H(A1) value, as computed by L{calcHA1}.
@param HA2: The H(A2) value, as computed by L{calcHA2}.
@param pszNonce: The challenge nonce.
@param pszNonceCount: The (client) nonce count value for this response.
@param pszCNonce: The client nonce.
@param pszQop: The Quality-of-Protection value.
"""
m = algorithms[algo]()
m.update(HA1)
m.update(b":")
m.update(pszNonce)
m.update(b":")
if pszNonceCount and pszCNonce:
m.update(pszNonceCount)
m.update(b":")
m.update(pszCNonce)
m.update(b":")
m.update(pszQop)
m.update(b":")
m.update(HA2)
respHash = hexlify(m.digest())
return respHash
|
