Merge pull request #11 from pear/v0.3.0

ashnazg · web-flow · commit a0698f5730f5 · 2023-11-27T07:45:22.000-06:00
mark authentication methods CRAM-MD5, DIGEST-MD5 and LOGIN as deprecated and bugfix broken SCRAM-SHA-244
diff --git a/.travis.yml b/.travis.yml
@@ -6,6 +6,12 @@ php:
   - 5.6
   - 7.0
   - 7.1
+  - 7.2
+  - 7.3
+  - 7.4
+  - 8.0
+  - 8.1
+  - 8.2
 script:
   - pear list
   - pear channel-update pear.php.net
diff --git a/Auth/SASL2.php b/Auth/SASL2.php
@@ -49,9 +49,11 @@ class Auth_SASL2
     * type.
     *
     * @param string $type One of: Anonymous
+    *                             Login (DEPRECATED)
     *                             Plain
-    *                             CramMD5
-    *                             DigestMD5
+    *                             External
+    *                             CramMD5 (DEPRECATED)
+    *                             DigestMD5 (DEPRECATED)
     *                             SCRAM-* (any mechanism of the SCRAM family)
     *                     Types are not case sensitive
     */
@@ -64,6 +66,10 @@ function factory($type)
                 break;
 
             case 'login':
+                /* TODO trigger deprecation warning in 1.0.0 and remove LOGIN authentication in 2.0.0
+                trigger_error(__CLASS__ . ': Authentication method LOGIN' .
+                    ' is no longer secure and should be avoided.', E_USER_DEPRECATED);
+                */
                 $filename  = 'Auth/SASL2/Login.php';
                 $classname = 'Auth_SASL2_Login';
                 break;
@@ -82,6 +88,10 @@ function factory($type)
                 // $msg = 'Deprecated mechanism name. Use IANA-registered name: CRAM-MD5.';
                 // trigger_error($msg, E_USER_DEPRECATED);
             case 'cram-md5':
+                /* TODO trigger deprecation warning in 1.0.0 and remove CRAM-MD5 authentication in 2.0.0
+                trigger_error(__CLASS__ . ': Authentication method CRAM-MD5' .
+                    ' is no longer secure and should be avoided.', E_USER_DEPRECATED);
+                */
                 $filename  = 'Auth/SASL2/CramMD5.php';
                 $classname = 'Auth_SASL2_CramMD5';
                 break;
@@ -90,8 +100,10 @@ function factory($type)
                 // $msg = 'Deprecated mechanism name. Use IANA-registered name: DIGEST-MD5.';
                 // trigger_error($msg, E_USER_DEPRECATED);
             case 'digest-md5':
-                // $msg = 'DIGEST-MD5 is a deprecated SASL mechanism as per RFC-6331. Using it could be a security risk.';
-                // trigger_error($msg, E_USER_NOTICE);
+                /* TODO trigger deprecation warning in 1.0.0 and remove DIGEST-MD5 authentication in 2.0.0
+                trigger_error(__CLASS__ . ': Authentication method DIGEST-MD5' .
+                    ' is no longer secure and should be avoided.', E_USER_DEPRECATED);
+                */
                 $filename  = 'Auth/SASL2/DigestMD5.php';
                 $classname = 'Auth_SASL2_DigestMD5';
                 break;
@@ -101,7 +113,7 @@ function factory($type)
                 if (preg_match($scram, $type, $matches))
                 {
                     $hash = $matches[1];
-                    $filename = dirname(__FILE__) .'/SASL2/SCRAM.php';
+                    $filename = __DIR__ .'/SASL2/SCRAM.php';
                     $classname = 'Auth_SASL2_SCRAM';
                     $parameter = $hash;
                     break;
diff --git a/Auth/SASL2/CramMD5.php b/Auth/SASL2/CramMD5.php
@@ -40,6 +40,7 @@
 * @author  Richard Heyes <richard@php.net>
 * @access  public
 * @version 1.0
+* @deprecated since 0.3.0
 * @package Auth_SASL
 */
 
diff --git a/Auth/SASL2/DigestMD5.php b/Auth/SASL2/DigestMD5.php
@@ -40,6 +40,7 @@
 * @author  Richard Heyes <richard@php.net>
 * @access  public
 * @version 1.0
+* @deprecated since 0.3.0
 * @package Auth_SASL
 */
 
diff --git a/Auth/SASL2/Login.php b/Auth/SASL2/Login.php
@@ -43,6 +43,7 @@
 * @author  Richard Heyes <richard@php.net>
 * @access  public
 * @version 1.0
+* @deprecated since 0.3.0
 * @package Auth_SASL2
 */
 
diff --git a/Auth/SASL2/SCRAM.php b/Auth/SASL2/SCRAM.php
@@ -50,6 +50,14 @@
 
 class Auth_SASL2_SCRAM extends Auth_SASL2_Common
 {
+    private $hash;
+    private $hmac;
+    private $gs2_header;
+    private $cnonce;
+    private $first_message_bare;
+    private $saltedPassword;
+    private $authMessage;
+
     /**
      * Construct a SCRAM-H client where 'H' is a cryptographic hash function.
      *
@@ -70,8 +78,8 @@ function __construct($hash)
             'md5' => 'md5',
             'sha-1' => 'sha1',
             'sha1' => 'sha1',
-            'sha-224' > 'sha224',
-            'sha224' > 'sha224',
+            'sha-224' => 'sha224',
+            'sha224' => 'sha224',
             'sha-256' => 'sha256',
             'sha256' => 'sha256',
             'sha-384' => 'sha384',
@@ -80,17 +88,26 @@ function __construct($hash)
             'sha512' => 'sha512');
         if (function_exists('hash_hmac') && isset($hashes[$hash]))
         {
-            $this->hash = create_function('$data', 'return hash("' . $hashes[$hash] . '", $data, TRUE);');
-            $this->hmac = create_function('$key,$str,$raw', 'return hash_hmac("' . $hashes[$hash] . '", $str, $key, $raw);');
+            $selectedHash = $hashes[$hash];
+            $this->hash = function($data) use ($selectedHash) {
+                return hash($selectedHash, $data, TRUE);
+            };
+            $this->hmac = function($key,$str,$raw) use ($selectedHash) {
+                return hash_hmac($selectedHash, $str, $key, $raw);
+            };
         }
         elseif ($hash == 'md5')
         {
-            $this->hash = create_function('$data', 'return md5($data, true);');
+            $this->hash = function($data) {
+                return md5($data, true);
+            };
             $this->hmac = array($this, '_HMAC_MD5');
         }
         elseif (in_array($hash, array('sha1', 'sha-1')))
         {
-            $this->hash = create_function('$data', 'return sha1($data, true);');
+            $this->hash = function($data) {
+                return sha1($data, true);
+            };
             $this->hmac = array($this, '_HMAC_SHA1');
         }
         else {
@@ -258,7 +275,7 @@ public function processOutcome($data)
     * Hi() call, which is essentially PBKDF2 (RFC-2898) with HMAC-H() as the pseudorandom function.
     *
     * @param string $str The string to hash.
-    * @param string $hash The hash value.
+    * @param string $salt The salt value.
     * @param int $i The iteration count.
     * @access private
     */
diff --git a/README.md b/README.md
@@ -4,12 +4,13 @@
     
 
 Provides code to generate responses to common SASL2 mechanisms, including:
-- Digest-MD5
-- Cram-MD5
-- Plain
 - Anonymous
-- Login (Pseudo mechanism)
-- SCRAM	
+- Cram-MD5 (DEPRECATED)
+- Digest-MD5 (DEPRECATED)
+- External
+- Login (Pseudo mechanism) (DEPRECATED)
+- Plain
+- SCRAM
 
 [Homepage](http://pear.php.net/package/Auth_SASL2/)
 
diff --git a/package.xml b/package.xml
@@ -13,11 +13,12 @@
  <summary>Abstraction of various SASL mechanism responses</summary>
  <description>
 Provides code to generate responses to common SASL mechanisms, including:
-- Digest-MD5
-- Cram-MD5
-- Plain
 - Anonymous
-- Login (Pseudo mechanism)
+- Cram-MD5 (DEPRECATED)
+- Digest-MD5 (DEPRECATED)
+- External
+- Login (Pseudo mechanism) (DEPRECATED)
+- Plain
 - SCRAM
  </description>
 
@@ -39,6 +40,12 @@ Provides code to generate responses to common SASL mechanisms, including:
   <email>michael@bretterklieber.com</email>
   <active>no</active>
  </lead>
+ <lead>
+  <name>Armin Graefe</name>
+  <user>schengawegga</user>
+  <email>schengawegga@gmail.com</email>
+  <active>yes</active>
+ </lead>
 
  <date>2017-03-07</date>
  <version>
