Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: research
Branches Tags
krackattacks
/
hs20
/
server
/
www
/
spp.php

spp.php 4.0 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. <?php
    2. 

  2. 

  3. require('config.php');
    4. 

  4. 

  5. if (!stristr($_SERVER["CONTENT_TYPE"], "application/soap+xml")) {
    6. 

  6.   error_log("spp.php - Unexpected Content-Type " . $_SERVER["CONTENT_TYPE"]);
    7. 

  7.   die("Unexpected Content-Type");
    8. 

  8. }
    9. 

  9. 

  10. if ($_SERVER["REQUEST_METHOD"] != "POST") {
    11. 

  11.   error_log("spp.php - Unexpected method " . $_SERVER["REQUEST_METHOD"]);
    12. 

  12.   die("Unexpected method");
    13. 

  13. }
    14. 

  14. 

  15. if (isset($_GET["realm"])) {
    16. 

  16.   $realm = $_GET["realm"];
    17. 

  17.   $realm = PREG_REPLACE("/[^0-9a-zA-Z\.\-]/i", '', $realm);
    18. 

  18. } else {
    19. 

  19.   error_log("spp.php - Realm not specified");
    20. 

  20.   die("Realm not specified");
    21. 

  21. }
    22. 

  22. 

  23. unset($user);
    24. 

  24. putenv("HS20CERT");
    25. 

  25. 

  26. if (!empty($_SERVER['PHP_AUTH_DIGEST'])) {
    27. 

  27.   $needed = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1,
    28. 

  28. 		  'uri'=>1, 'response'=>1);
    29. 

  29.   $data = array();
    30. 

  30.   $keys = implode('|', array_keys($needed));
    31. 

  31.   preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@',
    32. 

  32. 		 $_SERVER['PHP_AUTH_DIGEST'], $matches, PREG_SET_ORDER);
    33. 

  33.   foreach ($matches as $m) {
    34. 

  34.     $data[$m[1]] = $m[3] ? $m[3] : $m[4];
    35. 

  35.     unset($needed[$m[1]]);
    36. 

  36.   }
    37. 

  37.   if ($needed) {
    38. 

  38.     error_log("spp.php - Authentication failed - missing: " . print_r($needed));
    39. 

  39.     die('Authentication failed');
    40. 

  40.   }
    41. 

  41.   $user = $data['username'];
    42. 

  42.   if (strlen($user) < 1) {
    43. 

  43.     error_log("spp.php - Authentication failed - empty username");
    44. 

  44.     die('Authentication failed');
    45. 

  45.   }
    46. 

  46. 

  47. 

  48.   $db = new PDO($osu_db);
    49. 

  49.   if (!$db) {
    50. 

  50.     error_log("spp.php - Could not access database");
    51. 

  51.     die("Could not access database");
    52. 

  52.   }
    53. 

  53.   $row = $db->query("SELECT password FROM users " .
    54. 

  54. 		    "WHERE identity='$user' AND realm='$realm'")->fetch();
    55. 

  55.   if (!$row) {
    56. 

  56.     $row = $db->query("SELECT osu_password FROM users " .
    57. 

  57. 		      "WHERE osu_user='$user' AND realm='$realm'")->fetch();
    58. 

  58.     $pw = $row['osu_password'];
    59. 

  59.   } else
    60. 

  60.     $pw = $row['password'];
    61. 

  61.   if (!$row) {
    62. 

  62.     error_log("spp.php - Authentication failed - user '$user' not found");
    63. 

  63.     die('Authentication failed');
    64. 

  64.   }
    65. 

  65.   if (strlen($pw) < 1) {
    66. 

  66.     error_log("spp.php - Authentication failed - empty password");
    67. 

  67.     die('Authentication failed');
    68. 

  68.   }
    69. 

  69. 

  70.   $A1 = md5($user . ':' . $realm . ':' . $pw);
    71. 

  71.   $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
    72. 

  72.   $resp = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' .
    73. 

  73. 	      $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
    74. 

  74.   if ($data['response'] != $resp) {
    75. 

  75.     error_log("Authentication failure - response mismatch");
    76. 

  76.     die('Authentication failed');
    77. 

  77.   }
    78. 

  78. } else if (isset($_SERVER["SSL_CLIENT_VERIFY"]) &&
    79. 

  79. 	   $_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" &&
    80. 

  80. 	   isset($_SERVER["SSL_CLIENT_M_SERIAL"])) {
    81. 

  81.   $user = "cert-" . $_SERVER["SSL_CLIENT_M_SERIAL"];
    82. 

  82.   putenv("HS20CERT=yes");
    83. 

  83. } else if (!isset($_SERVER["PATH_INFO"]) ||
    84. 

  84. 	   $_SERVER["PATH_INFO"] != "/signup") {
    85. 

  85.   header('HTTP/1.1 401 Unauthorized');
    86. 

  86.   header('WWW-Authenticate: Digest realm="'.$realm.
    87. 

  87. 	 '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    88. 

  88.   error_log("spp.php - Authentication required (not signup)");
    89. 

  89.   die('Authentication required (not signup)');
    90. 

  90. }
    91. 

  91. 

  92. 

  93. if (isset($user) && strlen($user) > 0)
    94. 

  94.   putenv("HS20USER=$user");
    95. 

  95. else
    96. 

  96.   putenv("HS20USER");
    97. 

  97. 

  98. putenv("HS20REALM=$realm");
    99. 

  99. $postdata = file_get_contents("php://input");
    100. 

  100. putenv("HS20POST=$postdata");
    101. 

  101. $addr = $_SERVER["REMOTE_ADDR"];
    102. 

  102. putenv("HS20ADDR=$addr");
    103. 

  103. 

  104. $last = exec("$osu_root/spp/hs20_spp_server -r$osu_root -f/tmp/hs20_spp_server.log", $output, $ret);
    105. 

  105. 

  106. if ($ret == 2) {
    107. 

  107.   if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    108. 

  108.     header('HTTP/1.1 401 Unauthorized');
    109. 

  109.     header('WWW-Authenticate: Digest realm="'.$realm.
    110. 

  110.            '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    111. 

  111.     error_log("spp.php - Authentication required (ret 2)");
    112. 

  112.     die('Authentication required');
    113. 

  113.   } else {
    114. 

  114.     error_log("spp.php - Unexpected authentication error");
    115. 

  115.     die("Unexpected authentication error");
    116. 

  116.   }
    117. 

  117. }
    118. 

  118. if ($ret != 0) {
    119. 

  119.   error_log("spp.php - Failed to process SPP request");
    120. 

  120.   die("Failed to process SPP request");
    121. 

  121. }
    122. 

  122. //error_log("spp.php: Response: " . implode($output));
    123. 

  123. 

  124. header("Content-Type: application/soap+xml");
    125. 

  125. 

  126. echo implode($output);
    127. 

  127. 

  128. ?>
    129.