From d35cf439943d4cfecf87f00f66288e934c3aa865 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <jkowalsk@student.agh.edu.pl>
Date: Mon, 17 Aug 2015 14:36:20 +0000
Subject: [PATCH] Verify SSL certificate on PHP 5.5 and older

---
 uphpCAS.php | 71 ++++++++++++++++++++++++++---------
 1 files changed, 52 insertions(+), 19 deletions(-)

diff --git a/uphpCAS.php b/uphpCAS.php
index bce5aab..ea04ed6 100644
--- a/uphpCAS.php
+++ b/uphpCAS.php
@@ -26,10 +26,12 @@
 $port = 0;
 if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
 $url = 'https://';
- if(isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] != '443') {
+ if(isset($_SERVER['SERVER_PORT'])
+ && $_SERVER['SERVER_PORT'] != '443') {
 $port = $_SERVER['SERVER_PORT'];
 }
- } elseif(isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] != '80') {
+ } elseif(isset($_SERVER['SERVER_PORT'])
+ && $_SERVER['SERVER_PORT'] != '80') {
 $port = $_SERVER['SERVER_PORT'];
 }
 
@@ -53,7 +55,7 @@
 }
 
 public function loginUrl() {
- return $this->serverUrl.'/login?service='.urlencode($this->serviceUrl);
+ return $this->serverUrl.'/login?method=POST&service='.urlencode($this->serviceUrl);
 }
 
 public function logoutUrl() {
@@ -73,8 +75,8 @@
 session_start();
 if(isset($_SESSION['uphpCAS-user'])) {
 return $_SESSION['uphpCAS-user'];
- } elseif(isset($_GET['ticket'])) {
- $user = $this->verifyTicket($_GET['ticket']);
+ } elseif(isset($_REQUEST['ticket'])) {
+ $user = $this->verifyTicket($_REQUEST['ticket']);
 $_SESSION['uphpCAS-user'] = $user;
 return $user;
 } else {
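Review bot: The new `method=POST` query parameter in loginUrl() is undocumented, and it is the reason the ticket is later read from more than `$_GET`; a one-line comment would spare the next reader a trip to the protocol spec, e.g. `// method=POST (CAS 3.0): ask the server to deliver the ticket by POST; older servers ignore it and redirect with ?ticket= as before`. It is also worth stating there that the service URL bound into the login request must stay identical to the one sent to serviceValidate, since the ticket is only valid for that exact value.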
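Review bot: Switching from `$_GET['ticket']` to `$_REQUEST['ticket']` widens the ticket source beyond GET and POST: depending on the `request_order`/`variables_order` ini settings, `$_REQUEST` can also be populated from cookies, so a stray `ticket` cookie set on the same domain would be handed to verifyTicket() on every request until the session is populated. The ticket is still validated against the CAS server, so the impact is a spurious validation round-trip and an authentication failure rather than a bypass, but it makes login failures hard to explain. Reading the two intended transports explicitly keeps cookies out and documents the intent: `} elseif(isset($_POST['ticket']) || isset($_GET['ticket'])) {`, then `$ticket = isset($_POST['ticket']) ? $_POST['ticket'] : $_GET['ticket'];` and `$user = $this->verifyTicket($ticket);`. The enclosing method starts and ends outside the hunk.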
@@ -92,13 +94,37 @@
 ),
 'ssl' => array(
 'verify_peer' => TRUE,
- 'allow_self_signed' => FALSE,
+ 'verify_peer_name' => TRUE,
 'verify_depth' => 5,
- 'ciphers' => 'HIGH:-MD5:-aNULL:-DES',
+ 'allow_self_signed' => FALSE,
+ 'disable_compression' => TRUE,
 ),
 );
 
- $data = file_get_contents($this->serverUrl.'/serviceValidate?service='.urlencode($this->serviceUrl).'&ticket='.urlencode($ticket),
+ if(version_compare(PHP_VERSION, '5.6', '<')) {
+ $cafiles = array(
+ '/etc/ssl/certs/ca-certificates.crt',
+ '/etc/ssl/certs/ca-bundle.crt',
+ '/etc/pki/tls/certs/ca-bundle.crt',
+ );
+ $cafile = NULL;
+ foreach($cafiles as $file) {
+ if(is_file($file)) {
+ $cafile = $file;
+ break;
+ }
+ }
+
+ $url = parse_url($this->serverUrl);
+ $context['ssl']['cafile'] = $cafile;
+ $context['ssl']['ciphers'] = 'ECDH:DH:AES:CAMELLIA:!SSLv2:!aNULL'
+ .':!eNULL:!EXPORT:!DES:!3DES:!MD5:!RC4:!ADH:!PSK:!SRP';
+ $context['ssl']['CN_match'] = $url['host'];
+ }
+
+ $data = file_get_contents($this->serverUrl
+ .'/serviceValidate?service='.urlencode($this->serviceUrl)
+ .'&ticket='.urlencode($ticket),
 FALSE, stream_context_create($context));
 if($data === FALSE) {
 throw new JasigException('Authentication error: CAS server is unavailable');
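Review bot: When none of the three bundle paths exists, `$cafile` stays NULL and is still written to `$context['ssl']['cafile']`; with `verify_peer` TRUE that, as far as I can tell, makes the handshake fail, so the only symptom is the generic 'CAS server is unavailable' exception from the `=== FALSE` check below, which points operators at the wrong component. Failing before the request makes the misconfiguration diagnosable: after the foreach, `if($cafile === NULL) {` / `throw new JasigException('Authentication error: no CA bundle found for certificate verification');` / `}`, and letting the candidate list be overridden (a property or constructor argument) would keep distributions with a different bundle layout from being locked out entirely. Two caveats deserve a comment on the `CN_match` line: `parse_url()` can return FALSE or an array without `host` for an unexpected `serverUrl`, which raises a notice and leaves the name check empty, and on PHP < 5.6 `CN_match` compares only the certificate's CN, not subjectAltName entries, if I remember the 5.6 changelog right, so a server certificate that carries its hostname only in the SAN will be rejected. The enclosing verifyTicket() starts and ends outside the hunk.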
@@ -111,19 +137,20 @@
 $xml->loadXML($data);
 
 foreach(libxml_get_errors() as $error) {
- $e = new ErrorException($error->message, $error->code, 1, $error->file, $error->line);
+ $e = new ErrorException($error->message, $error->code, 1,
+ $error->file, $error->line);
 switch ($error->level) {
 case LIBXML_ERR_ERROR:
- throw new Exception('Fatal error during XML parsing', 0, $e);
- break;
 case LIBXML_ERR_FATAL:
- throw new Exception('Fatal error during XML parsing', 0, $e);
+ throw new Exception('Fatal error during XML parsing',
+ 0, $e);
 break;
 }
 }
 } catch(Exception $e) {
- throw new JasigException('Authentication error: CAS server response invalid - parse error', 0, $e);
+ throw new JasigException('Authentication error: CAS server'
+ .' response invalid - parse error', 0, $e);
 } finally {
 libxml_clear_errors();
 libxml_disable_entity_loader($xmlEntityLoader);
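Review bot: The `break;` kept after the merged `throw` in the LIBXML_ERR_FATAL case is unreachable, since the throw already leaves the switch; now that both levels share one branch the switch itself adds little, and `if($error->level === LIBXML_ERR_ERROR || $error->level === LIBXML_ERR_FATAL) {` with the throw inside reads more directly. The `ErrorException` is also constructed for every libxml error, including warnings that are never thrown; moving that line inside the branch keeps the loop's intent (abort on error-level problems only) visible. The enclosing try/catch starts outside the hunk.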
@@ -136,23 +163,28 @@
 if($failure->length > 0) {
 $failure = $failure->item(0);
 if(!($failure instanceof DOMElement)) {
- throw new JasigException('Authentication error: CAS server response invalid - authenticationFailure');
+ throw new JasigException('Authentication error: CAS server'
+ .' response invalid - authenticationFailure');
 }
- throw new JasigAuthException('Authentication error: '.$failure->textContent);
+ throw new JasigAuthException('Authentication error: '
+ .$failure->textContent);
 } elseif($success->length > 0) {
 $success = $success->item(0);
 if(!($success instanceof DOMElement)) {
- throw new JasigException('Authentication error: CAS server response invalid - authenticationSuccess');
+ throw new JasigException('Authentication error: CAS server'
+ .' response invalid - authenticationSuccess');
 }
 
 $user = $success->getElementsByTagName('user');
 if($user->length == 0) {
- throw new JasigException('Authentication error: CAS server response invalid - user');
+ throw new JasigException('Authentication error: CAS server'
+ .' response invalid - user');
 }
 $user = trim($user->item(0)->textContent);
 if(strlen($user)<1) {
- throw new JasigException('Authentication error: CAS server response invalid - user value');
+ throw new JasigException('Authentication error: CAS server'
+ .' response invalid - user value');
 }
 
 $jusr = new JasigUser();
@@ -170,7 +202,8 @@
 
 
 } else {
- throw new JasigException('Authentication error: CAS server response invalid - required tag not found');
+ throw new JasigException('Authentication error: CAS server'
+ .' response invalid - required tag not found');
 }
 }
 }
-- 
Gitblit v1.9.1