WebSVN – php_clientchallenge – Blame – /trunk/ClientChallenge.class.php

Rev	Author	Line No.	Line
2	daniel-mar	1	<?php
		2
		3	/*
		4	* php_clientchallenge
6	daniel-mar	5	* Copyright 2021-2022 Daniel Marschall, ViaThinkSoft
2	daniel-mar	6	*
		7	* Licensed under the Apache License, Version 2.0 (the "License");
		8	* you may not use this file except in compliance with the License.
		9	* You may obtain a copy of the License at
		10	*
		11	* http://www.apache.org/licenses/LICENSE-2.0
		12	*
		13	* Unless required by applicable law or agreed to in writing, software
		14	* distributed under the License is distributed on an "AS IS" BASIS,
		15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		16	* See the License for the specific language governing permissions and
		17	* limitations under the License.
		18	*/
		19
		20	namespace ViaThinkSoft\RateLimitingChallenge;
		21
		22	class ClientChallenge {
		23
7	daniel-mar	24	private static function tryDownloadPhpSha3() {
		25	// Download file if required (usually composer should do it)
		26	if (file_exists(__DIR__.'/Sha3.php')) include_once __DIR__.'/Sha3.php';
		27	if (!class_exists('\bb\Sha3\Sha3')) {
		28	$sha3_lib = file_get_contents('https://raw.githubusercontent.com/danielmarschall/php-sha3/master/src/Sha3.php');
		29	if (@file_put_contents(__DIR__.'/Sha3.php', $sha3_lib)) {
		30	include_once __DIR__.'/Sha3.php';
		31	} else {
		32	eval('?>'.$sha3_lib);
6	daniel-mar	33	}
7	daniel-mar	34	}
2	daniel-mar	35	}
		36
7	daniel-mar	37	private static function sha3_512($message, $raw_output=false) {
		38	if (version_compare(PHP_VERSION, '7.1.0') >= 0) {
		39	return hash('sha3-512', $message, $raw_output);
		40	} else {
		41	self::tryDownloadPhpSha3();
		42	return \bb\Sha3\Sha3::hash($message, 512, $raw_output);
		43	}
		44	}
		45
4	daniel-mar	46	private static function sha3_512_hmac($message, $key, $raw_output=false) {
		47	// RFC 2104 HMAC
7	daniel-mar	48	if (version_compare(PHP_VERSION, '7.1.0') >= 0) {
		49	return hash_hmac('sha3-512', $message, $key, $raw_output);
		50	} else {
		51	self::tryDownloadPhpSha3();
		52	return \bb\Sha3\Sha3::hash_hmac($message, $key, 512, $raw_output);
		53	}
4	daniel-mar	54	}
		55
10	daniel-mar	56	private static function getOpenTransFileName($ip_target, $random, $server_secret) {
8	daniel-mar	57	$dir = defined('VTS_CS_OPEN_TRANS_DIR') ? VTS_CS_OPEN_TRANS_DIR : __DIR__.'/cache';
		58	if ($dir == '') $dir = '.'; /** @phpstan-ignore-line */
		59
		60	// First, delete challenges which were never completed
9	daniel-mar	61	$files = glob($dir.'/vts_client_challenge_*.tmp');
6	daniel-mar	62	$expire = strtotime('-3 DAYS');
		63	foreach ($files as $file) {
		64	if (!is_file($file)) continue;
		65	if (filemtime($file) > $expire) continue;
		66	@unlink($file);
		67	}
4	daniel-mar	68
10	daniel-mar	69	return $dir.'/vts_client_challenge_'.self::sha3_512_hmac($ip_target.'/'.$random, $server_secret).'.tmp';
6	daniel-mar	70	}
4	daniel-mar	71
6	daniel-mar	72	public static function checkValidation($client_response, $max_time=10, $server_secret) {
11	daniel-mar	73	if (!is_array($client_response)) throw new \Exception('Challenge response is invalid');
		74	if (count($client_response) != 5) throw new \Exception('Challenge response is invalid');
6	daniel-mar	75	list($starttime, $ip_target, $challenge, $answer, $challenge_integrity) = $client_response;
11	daniel-mar	76	if (!is_numeric($starttime)) throw new \Exception('Challenge response is invalid');
		77	if (!is_string($ip_target)) throw new \Exception('Challenge response is invalid');
		78	if (!is_string($challenge)) throw new \Exception('Challenge response is invalid');
		79	if (!is_numeric($answer)) throw new \Exception('Challenge response is invalid');
		80	if (!is_string($challenge_integrity)) throw new \Exception('Challenge response is invalid');
		81
10	daniel-mar	82	$open_trans_file = self::getOpenTransFileName($ip_target, $answer, $server_secret);
4	daniel-mar	83
11	daniel-mar	84	$current_ip = (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown');
		85	if ($ip_target != $current_ip) {
		86	throw new \Exception("IP address has changed. Please try again. (current IP $current_ip, expected $ip_target)");
2	daniel-mar	87	} else if (time()-$starttime > $max_time) {
11	daniel-mar	88	throw new \Exception('Challenge expired. Please try again.');
4	daniel-mar	89	} else if ($challenge_integrity != self::sha3_512_hmac($challenge,$server_secret)) {
		90	throw new \Exception('Challenge integrity failed');
2	daniel-mar	91	} else if ($challenge !== self::sha3_512($starttime.'/'.$ip_target.'/'.$answer)) {
4	daniel-mar	92	throw new \Exception('Wrong answer');
6	daniel-mar	93	} else if (!file_exists($open_trans_file)) {
		94	throw new \Exception('Challenge submitted twice or transaction missing');
2	daniel-mar	95	} else {
9	daniel-mar	96	@unlink($open_trans_file);
2	daniel-mar	97	return true;
		98	}
		99	}
		100
6	daniel-mar	101	public static function createChallenge($complexity=50000, $server_secret) {
		102	$offset = 0; // doesn't matter
		103	$min = $offset;
		104	$max = $offset + $complexity;
2	daniel-mar	105
		106	$starttime = time();
		107
		108	$random = rand($min,$max); // TODO: cryptographic rand
		109
		110	$ip_target = $_SERVER['REMOTE_ADDR'];
		111
		112	$challenge = self::sha3_512($starttime.'/'.$ip_target.'/'.$random);
		113
4	daniel-mar	114	$challenge_integrity = self::sha3_512_hmac($challenge,$server_secret);
2	daniel-mar	115
4	daniel-mar	116	$send_to_client = array($starttime, $ip_target, $challenge, $min, $max, $challenge_integrity);
		117
10	daniel-mar	118	$open_trans_file = self::getOpenTransFileName($ip_target, $random, $server_secret);
6	daniel-mar	119	if (@file_put_contents($open_trans_file, '') === false) {
		120	throw new \Exception("Cannot write $open_trans_file");
		121	}
2	daniel-mar	122
6	daniel-mar	123	return $send_to_client;
2	daniel-mar	124	}
		125
		126	}

Subversion Repositories php_clientchallenge

php_clientchallenge/trunk/ClientChallenge.class.php – Rev 11