Subversion Repositories oidplus

Rev

Rev 635 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log | RSS feed

Rev Author Line No. Line
635 daniel-mar 1 
<?php
2 
 
3 
/*
4 
 * OIDplus 2.0
5 
 * Copyright 2019 - 2021 Daniel Marschall, ViaThinkSoft
6 
 *
7 
 * Licensed under the Apache License, Version 2.0 (the "License");
8 
 * you may not use this file except in compliance with the License.
9 
 * You may obtain a copy of the License at
10 
 *
11 
 *     http://www.apache.org/licenses/LICENSE-2.0
12 
 *
13 
 * Unless required by applicable law or agreed to in writing, software
14 
 * distributed under the License is distributed on an "AS IS" BASIS,
15 
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 
 * See the License for the specific language governing permissions and
17 
 * limitations under the License.
18 
 */
19 
 
1050 daniel-mar 20 
namespace ViaThinkSoft\OIDplus;
635 daniel-mar 21 
 
22 
class OIDplusAuthPluginPhpGenericSaltedHex extends OIDplusAuthPlugin {
23 
 
24 
        public function verify(OIDplusRAAuthInfo $authInfo, $check_password) {
25 
                $authKey = $authInfo->getAuthKey();
26 
                $salt = $authInfo->getSalt();
27 
                @list($s_authmethod, $s_authkey) = explode('#', $authKey, 2);
28 
 
29 
                if ($s_authmethod == 'A1a') {
30 
                        // This auth method can be used by you if you migrate users from another software solution into OIDplus
31 
                        // A1a#hashalgo:X with X being H(salt+password) in hex-notation
32 
                        // Attention: With some hash algorithms, prepending the salt makes it vulnerable against length-extension-attacks
33 
                        $hashalgo = explode(':', $s_authkey, 2)[0];
34 
                        $calc_authkey = $hashalgo.':'.hash($hashalgo, $salt.$check_password);
35 
                } else if ($s_authmethod == 'A1b') {
36 
                        // This auth method can be used by you if you migrate users from another software solution into OIDplus
37 
                        // A1b#hashalgo:X with X being H(password+salt) in hex-notation
38 
                        $hashalgo = explode(':', $s_authkey, 2)[0];
39 
                        $calc_authkey = $hashalgo.':'.hash($hashalgo, $check_password.$salt);
40 
                } else if ($s_authmethod == 'A1c') {
41 
                        // This auth method can be used by you if you migrate users from another software solution into OIDplus
42 
                        // A1c#hashalgo:X with X being H(salt+password+salt) in hex-notation
43 
                        $hashalgo = explode(':', $s_authkey, 2)[0];
44 
                        $calc_authkey = $hashalgo.':'.hash($hashalgo, $salt.$check_password.$salt);
45 
                } else if ($s_authmethod == 'A1d') {
46 
                        // This auth method can be used by you if you migrate users from another software solution into OIDplus
47 
                        // A1d#hashalgo:X with X being H_HMAC(password,salt) in hex-notation
48 
                        $hashalgo = explode(':', $s_authkey, 2)[0];
49 
                        $calc_authkey = $hashalgo.':'.hash_hmac($hashalgo, $check_password, $salt);
50 
                } else {
51 
                        // Invalid auth code
52 
                        return false;
53 
                }
54 
 
55 
                return hash_equals($calc_authkey, $s_authkey);
56 
        }
57 
 
58 
        public function generate($password): OIDplusRAAuthInfo {
59 
                $preferred_hash_algos = array(
60 
                    // sorted by priority
61 
                    //'sha3-512', // this would exceed the 100 byte auth key length
62 
                    //'sha3-384', // this would exceed the 100 byte auth key length
63 
                    'sha3-256',
64 
                    'sha3-224',
65 
                    //'sha512', // this would exceed the 100 byte auth key length
66 
                    'sha512/256',
67 
                    'sha512/224',
68 
                    //'sha384', // this would exceed the 100 byte auth key length
69 
                    'sha256',
70 
                    'sha224',
71 
                    'sha1',
72 
                    'md5'
73 
                );
74 
                $algos = hash_algos();
75 
                $hashalgo = null;
76 
                foreach ($preferred_hash_algos as $a) {
77 
                        if (in_array($a, $algos)) {
78 
                                $hashalgo = $a;
79 
                                break;
80 
                        }
81 
                }
82 
                if (is_null($hashalgo)) {
83 
                        throw new OIDplusException(_L('No fitting hash algorithm found'));
84 
                }
85 
                $s_salt = bin2hex(OIDplus::authUtils()->getRandomBytes(50)); // DB field ra.salt is limited to 100 chars (= 50 bytes)
86 
                $calc_authkey = 'A1c#'.$hashalgo.':'.hash($hashalgo, $s_salt.$password.$s_salt);
87 
 
88 
                return new OIDplusRAAuthInfo($s_salt, $calc_authkey);
89 
        }
90 
 
91 
}