/// <summary> /// Raises <b>GetUserInfo</b> event. /// </summary> /// <param name="userName">User name.</param> /// <returns>Returns specified user info.</returns> private AUTH_e_UserInfo OnGetUserInfo(string userName) { AUTH_e_UserInfo retVal = new AUTH_e_UserInfo(userName); if (GetUserInfo != null) { GetUserInfo(this, retVal); } return(retVal); }
/// <summary> /// Raises <b>GetUserInfo</b> event. /// </summary> /// <param name="userName">User name.</param> /// <returns>Returns specified user info.</returns> private AUTH_e_UserInfo OnGetUserInfo(string userName) { AUTH_e_UserInfo retVal = new AUTH_e_UserInfo(userName); if (GetUserInfo != null) { GetUserInfo(this, retVal); } return retVal; }
/// <summary> /// Continues authentication process. /// </summary> /// <param name="clientResponse">Client sent SASL response.</param> /// <returns>Retunrns challange response what must be sent to client or null if authentication has completed.</returns> /// <exception cref="ArgumentNullException">Is raised when <b>clientResponse</b> is null reference.</exception> public override string Continue(string clientResponse) { if (clientResponse == null) { throw new ArgumentNullException("clientResponse"); } /* RFC 2195 2. Challenge-Response Authentication Mechanism. * The authentication type associated with CRAM is "CRAM-MD5". * * The data encoded in the first ready response contains an * presumptively arbitrary string of random digits, a timestamp, and the * fully-qualified primary host name of the server. The syntax of the * unencoded form must correspond to that of an RFC 822 'msg-id' * [RFC822] as described in [POP3]. * * The client makes note of the data and then responds with a string * consisting of the user name, a space, and a 'digest'. The latter is * computed by applying the keyed MD5 algorithm from [KEYED-MD5] where * the key is a shared secret and the digested text is the timestamp * (including angle-brackets). * * This shared secret is a string known only to the client and server. * The `digest' parameter itself is a 16-octet value which is sent in * hexadecimal format, using lower-case ASCII characters. * * When the server receives this client response, it verifies the digest * provided. If the digest is correct, the server should consider the * client authenticated and respond appropriately. * * Example: * The examples in this document show the use of the CRAM mechanism with * the IMAP4 AUTHENTICATE command [IMAP-AUTH]. The base64 encoding of * the challenges and responses is part of the IMAP4 AUTHENTICATE * command, not part of the CRAM specification itself. * * S: * OK IMAP4 Server * C: A0001 AUTHENTICATE CRAM-MD5 * S: + PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+ * C: dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw * S: A0001 OK CRAM authentication successful * * In this example, the shared secret is the string * 'tanstaaftanstaaf'. Hence, the Keyed MD5 digest is produced by * calculating * * MD5((tanstaaftanstaaf XOR opad), * MD5((tanstaaftanstaaf XOR ipad), * <*****@*****.**>)) * * where ipad and opad are as defined in the keyed-MD5 Work in * Progress [KEYED-MD5] and the string shown in the challenge is the * base64 encoding of <*****@*****.**>. The * shared secret is null-padded to a length of 64 bytes. If the * shared secret is longer than 64 bytes, the MD5 digest of the * shared secret is used as a 16 byte input to the keyed MD5 * calculation. * * This produces a digest value (in hexadecimal) of * * b913a602c7eda7a495b4e6e7334d3890 * * The user name is then prepended to it, forming * * tim b913a602c7eda7a495b4e6e7334d3890 * * Which is then base64 encoded to meet the requirements of the IMAP4 * AUTHENTICATE command (or the similar POP3 AUTH command), yielding * * dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw */ if (m_State == 0) { m_State++; m_Key = "<" + Guid.NewGuid() + "@host" + ">"; return(m_Key); } else { // Parse client response. response = userName SP hash. string[] user_hash = clientResponse.Split(' '); if (user_hash.Length == 2 && !string.IsNullOrEmpty(user_hash[0])) { m_UserName = user_hash[0]; AUTH_e_UserInfo result = OnGetUserInfo(user_hash[0]); if (result.UserExists) { // hash = Hex(HmacMd5(hashKey,password)) string hash = Net_Utils.Hex(HmacMd5(m_Key, result.Password)); if (hash == user_hash[1]) { m_IsAuthenticated = true; } } } m_IsCompleted = true; } return(null); }
/// <summary> /// Continues authentication process. /// </summary> /// <param name="clientResponse">Client sent SASL response.</param> /// <returns>Retunrns challange response what must be sent to client or null if authentication has completed.</returns> /// <exception cref="ArgumentNullException">Is raised when <b>clientResponse</b> is null reference.</exception> public override string Continue(string clientResponse) { if (clientResponse == null) { throw new ArgumentNullException("clientResponse"); } /* RFC 2831. * The base64-decoded version of the SASL exchange is: * * S: realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth", * algorithm=md5-sess,charset=utf-8 * C: charset=utf-8,username="******",realm="elwood.innosoft.com", * nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk", * digest-uri="imap/elwood.innosoft.com", * response=d388dad90d4bbd760a152321f2143af7,qop=auth * S: rspauth=ea40f60335c427b5527b84dbabcdfffd * C: * S: ok * * The password in this example was "secret". */ if (m_State == 0) { m_State++; return("realm=\"" + m_Realm + "\",nonce=\"" + m_Nonce + "\",qop=\"auth\",algorithm=md5-sess,charset=utf-8"); } else if (m_State == 1) { m_State++; Auth_HttpDigest auth = new Auth_HttpDigest(clientResponse, "AUTHENTICATE"); auth.Qop = "auth"; auth.Algorithm = "md5-sess"; // Check realm and nonce value. if (m_Realm != auth.Realm || m_Nonce != auth.Nonce) { return("rspauth=\"\""); } m_UserName = auth.UserName; AUTH_e_UserInfo result = OnGetUserInfo(auth.UserName); if (result.UserExists) { if (auth.Authenticate(result.UserName, result.Password)) { m_IsAuthenticated = true; return("rspauth=" + auth.CalculateRspAuth(result.UserName, result.Password)); } } return("rspauth=\"\""); } else { m_IsCompleted = true; } return(null); }