Rev 1102 | Rev 1119 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
1090 | daniel-mar | 1 | <?php |
2 | |||
3 | /* |
||
4 | * OIDplus 2.0 |
||
5 | * Copyright 2019 - 2022 Daniel Marschall, ViaThinkSoft |
||
6 | * |
||
7 | * Licensed under the Apache License, Version 2.0 (the "License"); |
||
8 | * you may not use this file except in compliance with the License. |
||
9 | * You may obtain a copy of the License at |
||
10 | * |
||
11 | * http://www.apache.org/licenses/LICENSE-2.0 |
||
12 | * |
||
13 | * Unless required by applicable law or agreed to in writing, software |
||
14 | * distributed under the License is distributed on an "AS IS" BASIS, |
||
15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||
16 | * See the License for the specific language governing permissions and |
||
17 | * limitations under the License. |
||
18 | */ |
||
19 | |||
20 | use ViaThinkSoft\OIDplus\OIDplusDatabaseConnection; |
||
1116 | daniel-mar | 21 | use ViaThinkSoft\OIDplus\OIDplusException; |
1090 | daniel-mar | 22 | |
23 | /** |
||
24 | * This function is internally called by oidplus_dbupdate_1002(). |
||
25 | * It changes the auth keys A1*# and A2# to VTS-MCF and A3# to BCrypt-MCF. |
||
26 | * @param OIDplusDatabaseConnection $db is the OIDplusDatabaseConnection class |
||
1116 | daniel-mar | 27 | * @throws OIDplusException |
1090 | daniel-mar | 28 | */ |
29 | function oidplus_dbupdate_1002_migrate_ra_passwords(OIDplusDatabaseConnection $db) { |
||
30 | $res = $db->query("select * from ###ra "); |
||
31 | while ($row = $res->fetch_array()) { |
||
1100 | daniel-mar | 32 | $salt = isset($row['salt']) ? $row['salt'] : ''; |
33 | $new_auth_key = vts_crypt_convert_from_old_oidplus($row['authkey'], $salt); |
||
1090 | daniel-mar | 34 | $email = $row['email']; |
35 | if ($new_auth_key !== $row['authkey']) { |
||
36 | //echo 'Migrate authkey '.$row['authkey'].' to '.$new_auth_key.' for '.$email.'<br><br>'; |
||
37 | $db->query("update ###ra set authkey = ?, salt = ? where email = ?", array($new_auth_key, '', $email)); |
||
38 | } |
||
39 | } |
||
40 | } |
||
41 | |||
42 | /** |
||
1091 | daniel-mar | 43 | * This function converts A1*#, A2#, A3# hashes to Crypt compatible hashes. |
44 | * @param string $authkey is old database field value "authkey" |
||
45 | * @param string $salt is old database field value "salt" |
||
46 | * @returns New authkey field (Crypt compatible hash) |
||
47 | */ |
||
48 | function vts_crypt_convert_from_old_oidplus($authkey, $salt) { |
||
49 | if (preg_match('@^A1([abcd])#(.+):(.+)$@', $authkey, $m)) { |
||
50 | // A1a#hashalgo:X with X being H(salt+password) in hex- or rfc4648-base64-notation |
||
51 | // A1b#hashalgo:X with X being H(password+salt) in hex- or rfc4648-base64-notation |
||
52 | // A1c#hashalgo:X with X being H(salt+password+salt) in hex- or rfc4648-base64-notation |
||
53 | // A1d#hashalgo:X with X being H_HMAC(password,salt) in hex- or rfc4648-base64-notation |
||
54 | $mode = ''; // avoid PHPstan warning |
||
55 | if ($m[1] == 'a') $mode = 'sp'; |
||
56 | else if ($m[1] == 'b') $mode = 'ps'; |
||
57 | else if ($m[1] == 'c') $mode = 'sps'; |
||
58 | else if ($m[1] == 'd') $mode = 'hmac'; |
||
59 | else assert(false); |
||
60 | $algo = $m[2]; |
||
61 | $bin_salt = $salt; |
||
62 | if (($algo == 'sha3-512') || ($algo == 'sha3-384') || ($algo == 'sha512') || ($algo == 'sha384')) { |
||
63 | $bin_hash = base64_decode($m[3]); |
||
64 | } else { |
||
65 | $bin_hash = hex2bin($m[3]); |
||
66 | } |
||
1102 | daniel-mar | 67 | return crypt_modular_format_encode(OID_MCF_VTS_V1, $bin_salt, $bin_hash, array('a'=>$algo,'m'=>$mode)); |
1091 | daniel-mar | 68 | } else if (preg_match('@^A2#(.+)$@', $authkey, $m)) { |
69 | // A2#X with X being sha3(salt+password) in rfc4648-base64-notation |
||
70 | $mode = 'sp'; |
||
71 | $algo = 'sha3-512'; |
||
72 | $bin_salt = $salt; |
||
73 | $bin_hash = base64_decode($m[1]); |
||
1102 | daniel-mar | 74 | return crypt_modular_format_encode(OID_MCF_VTS_V1, $bin_salt, $bin_hash, array('a'=>$algo,'m'=>$mode)); |
1091 | daniel-mar | 75 | } else if (preg_match('@^A3#(.+)$@', $authkey, $m)) { |
76 | // A3#X with X being bcrypt [not VTS hash!] |
||
77 | return $m[1]; |
||
78 | } else { |
||
79 | // Nothing to convert |
||
80 | return $authkey; |
||
81 | } |
||
82 | } |
||
83 | |||
84 | /** |
||
1090 | daniel-mar | 85 | * This function will be called by OIDplusDatabaseConnection.class.php at method afterConnect(). |
86 | * @param OIDplusDatabaseConnection $db is the OIDplusDatabaseConnection class |
||
87 | * @return int new version set |
||
88 | * @throws \ViaThinkSoft\OIDplus\OIDplusException |
||
89 | */ |
||
90 | function oidplus_dbupdate_1002(OIDplusDatabaseConnection $db) { |
||
1100 | daniel-mar | 91 | if ($db->transaction_supported()) $db->transaction_begin(); |
1090 | daniel-mar | 92 | |
93 | if ($db->getSlang()->id() == 'mssql') { |
||
94 | $db->query("alter table ###ra alter column [authkey] [varchar](250) NULL;"); |
||
95 | oidplus_dbupdate_1002_migrate_ra_passwords($db); |
||
1100 | daniel-mar | 96 | try { |
97 | $db->query("alter table ###ra drop column [salt];"); |
||
98 | } catch(Exception $e) {} |
||
1090 | daniel-mar | 99 | } |
100 | else if ($db->getSlang()->id() == 'mysql') { |
||
101 | $db->query("alter table ###ra modify authkey varchar(250) NULL;"); |
||
102 | oidplus_dbupdate_1002_migrate_ra_passwords($db); |
||
1100 | daniel-mar | 103 | try { |
104 | $db->query("alter table ###ra drop column salt;"); |
||
105 | } catch(Exception $e) {} |
||
1090 | daniel-mar | 106 | } |
107 | else if ($db->getSlang()->id() == 'pgsql') { |
||
108 | $db->query("alter table ###ra alter column authkey type varchar(250)"); |
||
109 | oidplus_dbupdate_1002_migrate_ra_passwords($db); |
||
1100 | daniel-mar | 110 | try { |
111 | $db->query("alter table ###ra drop column salt"); |
||
112 | } catch(Exception $e) {} |
||
1090 | daniel-mar | 113 | } |
114 | else if ($db->getSlang()->id() == 'oracle') { |
||
115 | $db->query("alter table ###ra modify authkey varchar2(250)"); |
||
116 | oidplus_dbupdate_1002_migrate_ra_passwords($db); |
||
1100 | daniel-mar | 117 | try { |
118 | $db->query("alter table ###ra set unused column salt"); |
||
119 | $db->query("alter table ###ra set drop unused columns"); |
||
120 | } catch(Exception $e) {} |
||
1090 | daniel-mar | 121 | } |
122 | else if ($db->getSlang()->id() == 'sqlite') { |
||
123 | oidplus_dbupdate_1002_migrate_ra_passwords($db); |
||
1100 | daniel-mar | 124 | try { |
125 | $db->query("alter table ###ra drop column salt"); |
||
126 | } catch(Exception $e) {} |
||
1090 | daniel-mar | 127 | } |
128 | else if ($db->getSlang()->id() == 'access') { |
||
129 | oidplus_dbupdate_1002_migrate_ra_passwords($db); |
||
1100 | daniel-mar | 130 | try { |
131 | $db->query("alter table ###ra drop column salt"); |
||
132 | } catch(Exception $e) {} |
||
1090 | daniel-mar | 133 | } |
134 | |||
135 | // Auth plugins A1 and A2 have been replaced with A5 |
||
1100 | daniel-mar | 136 | // Note that you cannot use `value` in the where clause on MSSQL, because "text and varchar" are incompatible... |
137 | $res = $db->query("SELECT value from ###config where name = 'default_ra_auth_method'"); |
||
138 | if ($row = $res->fetch_array()) { |
||
139 | if (($row['value'] == 'A1_phpgeneric_salted_hex') || ($row['value'] == 'A2_sha3_salted_base64')) { |
||
140 | $db->query("UPDATE ###config SET value = 'A5_vts_mcf' WHERE name = 'default_ra_auth_method'"); |
||
141 | } |
||
142 | } |
||
1090 | daniel-mar | 143 | |
144 | $version = 1002; |
||
145 | $db->query("UPDATE ###config SET value = ? WHERE name = 'database_version'", array($version)); |
||
146 | |||
1100 | daniel-mar | 147 | if ($db->transaction_supported()) $db->transaction_commit(); |
148 | |||
1090 | daniel-mar | 149 | return $version; |
150 | } |