/trunk/includes/classes/OIDplus.class.php |
294,7 → 294,7 |
throw new OIDplusException(_L('Invalid auth plugin folder name. Do only enter a folder name, not an absolute or relative path')); |
} |
OIDplus::checkRaAuthPluginAvailable($value); |
OIDplus::checkRaAuthPluginAvailable($value, true); |
}); |
} |
495,7 → 495,7 |
return null; |
} |
private static function checkRaAuthPluginAvailable($plugin_foldername) { |
private static function checkRaAuthPluginAvailable($plugin_foldername, $must_hash) { |
// if (!wildcard_is_dir(OIDplus::localpath().'plugins/'.'*'.'/auth/'.$plugin_foldername)) { |
$plugin = OIDplus::getAuthPluginByFoldername($plugin_foldername); |
if (is_null($plugin)) { |
503,16 → 503,19 |
} |
$reason = ''; |
if (!$plugin->available($reason)) { |
throw new OIDplusException(trim(_L('The auth plugin "%1" is not available on this system.',$plugin_foldername).' '.$reason)); |
if (!$plugin->availableForVerify($reason)) { |
throw new OIDplusException(trim(_L('The auth plugin "%1" is not available for password verification on this system.',$plugin_foldername).' '.$reason)); |
} |
if ($must_hash && !$plugin->availableForHash($reason)) { |
throw new OIDplusException(trim(_L('The auth plugin "%1" is not available for hashing on this system.',$plugin_foldername).' '.$reason)); |
} |
} |
public static function getDefaultRaAuthPlugin()/*: OIDplusAuthPlugin*/ { |
public static function getDefaultRaAuthPlugin($must_hash)/*: OIDplusAuthPlugin*/ { |
// 1. Priority: Use the auth plugin the user prefers |
$def_plugin_foldername = OIDplus::config()->getValue('default_ra_auth_method'); |
if (trim($def_plugin_foldername) !== '') { |
OIDplus::checkRaAuthPluginAvailable($def_plugin_foldername); |
OIDplus::checkRaAuthPluginAvailable($def_plugin_foldername, $must_hash); |
$plugin = OIDplus::getAuthPluginByFoldername($def_plugin_foldername); |
return $plugin; |
} |
519,9 → 522,11 |
// 2. Priority: If empty (i.e. OIDplus may decide), choose the best ViaThinkSoft plugin that is supported on this system |
$preferred_auth_plugins = array( |
'A4_argon2', |
'A3_bcrypt', |
'A5_vts_mcf' |
// Sorted by preference |
'A4_argon2', // usually Salted Argon2id |
'A3_bcrypt', // usually Salted BCrypt |
'A5_vts_mcf', // usually SHA3-512-HMAC |
'A6_crypt' // usually Salted SHA512 with 5000 rounds |
); |
foreach ($preferred_auth_plugins as $plugin_foldername) { |
$plugin = OIDplus::getAuthPluginByFoldername($plugin_foldername); |
528,15 → 533,18 |
if (is_null($plugin)) continue; |
$reason = ''; |
if (!$plugin->available($reason)) continue; |
if (!$plugin->availableForHash($reason)) continue; |
if ($must_hash && !$plugin->availableForVerify($reason)) continue; |
return $plugin; |
} |
// 3. Priority: If nothing found, take the first found plugin |
$plugins = OIDplus::getAuthPlugins(); |
if (count($plugins) > 0) { |
return $plugins[0]; |
foreach ($plugins as $plugin) { |
$reason = ''; |
if (!$plugin->availableForHash($reason)) continue; |
if ($must_hash && !$plugin->availableForVerify($reason)) continue; |
return $plugin; |
} |
// 4. Priority: We must deny the creation of the password because we have no auth plugin! |
545,7 → 553,7 |
private static function registerAuthPlugin(OIDplusAuthPlugin $plugin) { |
$reason = ''; |
if (OIDplus::baseConfig()->getValue('DEBUG') && $plugin->available($reason)) { |
if (OIDplus::baseConfig()->getValue('DEBUG') && $plugin->availableForHash($reason) && $plugin->availableForVerify($reason)) { |
$password = generateRandomString(25); |
try { |
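Review bot: In getDefaultRaAuthPlugin the capability checks are applied the wrong way round: in both the preferred-plugin loop and the fallback loop the `availableForHash` check is unconditional and the `availableForVerify` check is gated on `$must_hash`, whereas checkRaAuthPluginAvailable in the same commit requires verification always and hashing only when `$must_hash` is set. A caller passing `false` (asking for a plugin to verify with) can therefore be handed a plugin that cannot verify on this system, and the two code paths disagree on what the flag means. I would make both loops mirror the other function: `if (!$plugin->availableForVerify($reason)) continue;` followed by `if ($must_hash && !$plugin->availableForHash($reason)) continue;`. The commented-out `wildcard_is_dir` line in checkRaAuthPluginAvailable should be deleted rather than carried along. The priority-4 branch of getDefaultRaAuthPlugin lies outside the hunk.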
/trunk/includes/classes/OIDplusAuthPlugin.class.php |
26,5 → 26,6 |
abstract class OIDplusAuthPlugin extends OIDplusPlugin { |
public abstract function verify(OIDplusRAAuthInfo $authKey, $check_password); |
public abstract function generate($password): OIDplusRAAuthInfo; |
public abstract function available(&$reason): bool; |
public abstract function availableForHash(&$reason): bool; |
public abstract function availableForVerify(&$reason): bool; |
} |
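Review bot: The two new abstract methods carry no documentation, so plugin authors must read the core to learn what the hash/verify split means and what `$reason` is for. I would add a docblock to each, e.g. for `availableForHash`: `/** True if this plugin can create new auth keys on this system; when returning false, set $reason to a human-readable explanation (it is shown on the admin plugin page and in exceptions). */`, and the analogous text for `availableForVerify` (can check auth keys previously generated by this plugin). Stating that `$reason` must be populated matters because checkRaAuthPluginAvailable in this commit appends it to the exception text and the admin page appends it to the status note, and two of the four plugins in this commit leave it empty.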
/trunk/includes/classes/OIDplusAuthUtils.class.php |
350,7 → 350,7 |
// Generate RA passwords |
public static function raGeneratePassword($password): OIDplusRAAuthInfo { |
$plugin = OIDplus::getDefaultRaAuthPlugin(); |
$plugin = OIDplus::getDefaultRaAuthPlugin(true); |
return $plugin->generate(self::raPepperProcessing($password)); |
} |
/trunk/plugins/viathinksoft/adminPages/800_plugins/OIDplusPageAdminPlugins.class.php |
39,16 → 39,17 |
} |
private function pluginTableLine(&$out, $plugin, $modifier=0, $na_reason='') { |
$html_reason = empty($na_reason) ? '' : ' ('.htmlentities($na_reason).')'; |
$out['text'] .= ' <tr>'; |
if ($modifier == 0) { |
// normal line |
$out['text'] .= ' <td><a '.OIDplus::gui()->link('oidplus:system_plugins$'.get_class($plugin)).'>'.htmlentities(get_class($plugin)).'</a></td>'; |
$out['text'] .= ' <td><a '.OIDplus::gui()->link('oidplus:system_plugins$'.get_class($plugin)).'>'.htmlentities(get_class($plugin)).'</a>'.$html_reason.'</td>'; |
} else if ($modifier == 1) { |
// active |
$out['text'] .= '<td><a '.OIDplus::gui()->link('oidplus:system_plugins$'.get_class($plugin)).'><b>'.htmlentities(get_class($plugin)).'</b> ('.htmlentities($na_reason).')</a></td>'; |
$out['text'] .= '<td><a '.OIDplus::gui()->link('oidplus:system_plugins$'.get_class($plugin)).'><b>'.htmlentities(get_class($plugin)).'</b>'.$html_reason.'</a></td>'; |
} else if ($modifier == 2) { |
// not available with reason |
$out['text'] .= '<td><a '.OIDplus::gui()->link('oidplus:system_plugins$'.get_class($plugin)).'><font color="gray">'.htmlentities(get_class($plugin)).'</font></a> <font color="gray">('.$na_reason.')</font></td>'; |
$out['text'] .= '<td><a '.OIDplus::gui()->link('oidplus:system_plugins$'.get_class($plugin)).'><font color="gray">'.htmlentities(get_class($plugin)).'</font></a><font color="gray">'.$html_reason.'</font></td>'; |
} |
$out['text'] .= ' <td>' . htmlentities(empty($plugin->getManifest()->getName()) ? _L('n/a') : $plugin->getManifest()->getName()) . '</td>'; |
$out['text'] .= ' <td>' . htmlentities(empty($plugin->getManifest()->getVersion()) ? _L('n/a') : $plugin->getManifest()->getVersion()) . '</td>'; |
380,16 → 381,44 |
$out['text'] .= '<table class="table table-bordered table-striped">'; |
$this->pluginTableHead($out); |
foreach ($plugins as $plugin) { |
$reason = ''; |
if ($plugin->available($reason)) { |
$default = OIDplus::getDefaultRaAuthPlugin()->getManifest()->getOid() === $plugin->getManifest()->getOid(); |
$this->pluginTableLine($out, $plugin, $default?1:0, _L('default')); |
} else if ($reason) { |
$this->pluginTableLine($out, $plugin, 2, _L('not available: %1',htmlentities($reason))); |
$default = OIDplus::getDefaultRaAuthPlugin(true)->getManifest()->getOid() === $plugin->getManifest()->getOid(); |
$reason_hash = ''; |
$can_hash = $plugin->availableForHash($reason_hash); |
$reason_verify = ''; |
$can_verify = $plugin->availableForHash($reason_verify); |
if ($can_hash && !$can_verify) { |
$note = _L('Only hashing, no verification'); |
if (!empty($reason_verify)) $note .= '. '.$reason_verify; /* @phpstan-ignore-line */ |
$modifier = $default ? 1 : 0; |
} |
else if (!$can_hash && $can_verify) { |
$note = _L('Only verification, no hashing'); |
if (!empty($reason_hash)) $note .= '. '.$reason_hash; /* @phpstan-ignore-line */ |
$modifier = $default ? 1 : 0; |
} |
else if (!$can_hash && !$can_verify) { |
$note = _L('Not available on this system'); |
$app1 = ''; |
$app2 = ''; |
if (!empty($reason_verify)) $app1 = $reason_verify; /* @phpstan-ignore-line */ |
if (!empty($reason_hash)) $app2 = $reason_hash; /* @phpstan-ignore-line */ |
if ($app1 != $app2) { |
$note .= '. '.$app1.'. '.$app2; |
} else { |
$this->pluginTableLine($out, $plugin, 2, _L('not available')); |
$note .= '. '.$app1; |
} |
$modifier = 2; |
} |
else /*if ($can_hash && $can_verify)*/ { |
$modifier = $default ? 1 : 0; |
$note = ''; |
} |
$this->pluginTableLine($out, $plugin, $modifier, htmlentities($note)); |
} |
$out['text'] .= '</table>'; |
$out['text'] .= '</div></div>'; |
} |
602,7 → 631,7 |
$txt = (empty($plugin->getManifest()->getName())) ? get_class($plugin) : $plugin->getManifest()->getName(); |
$reason = ''; |
if (!$plugin->available($reason)) $txt = '<font color="gray">'.$txt.'</font>'; |
if (!$plugin->availableForHash($reason) && !$plugin->availableForVerify($reason)) $txt = '<font color="gray">'.$txt.'</font>'; |
$auth_plugins[] = array( |
'id' => 'oidplus:system_plugins$'.get_class($plugin), |
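Review bot: In the auth-plugin table hunk `$can_verify` is computed with `$plugin->availableForHash($reason_verify)` instead of `availableForVerify`, so the verify result always mirrors the hash result, `$reason_verify` is really a second copy of the hash reason, and the "Only hashing, no verification" / "Only verification, no hashing" branches are unreachable; the fix is `$can_verify = $plugin->availableForVerify($reason_verify);`. Separately, `$note` is passed through htmlentities at the call site while pluginTableLine already applies htmlentities to `$na_reason`, so any `&`, `<` or quote in a plugin's reason text is double-encoded on the page — keep only the one inside pluginTableLine. Lastly, `getDefaultRaAuthPlugin(true)` is now called once per plugin regardless of availability; if it throws when no plugin can hash, the whole listing fails exactly when an admin needs it, so consider evaluating it once before the loop inside a try/catch.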
/trunk/plugins/viathinksoft/auth/A3_bcrypt/OIDplusAuthPluginBCrypt.class.php |
66,7 → 66,7 |
return new OIDplusRAAuthInfo($calc_authkey); |
} |
public function available(&$reason): bool { |
public function availableForHash(&$reason): bool { |
if (version_compare(PHP_VERSION, '7.4.0') >= 0) { |
$ok = in_array('2', password_algos()) || |
in_array('2a', password_algos()) || |
84,4 → 84,8 |
return false; |
} |
public function availableForVerify(&$reason): bool { |
return $this->availableForHash($reason); |
} |
} |
/trunk/plugins/viathinksoft/auth/A4_argon2/OIDplusAuthPluginArgon2.class.php |
85,7 → 85,7 |
} |
} |
public function available(&$reason): bool { |
public function availableForHash(&$reason): bool { |
if (!$this->supportsArgon2i() && !$this->supportsArgon2id()) { |
$reason = _L('No fitting hash algorithm found'); |
return false; |
94,4 → 94,8 |
} |
} |
public function availableForVerify(&$reason): bool { |
return $this->availableForHash($reason); |
} |
} |
/trunk/plugins/viathinksoft/auth/A5_vts_mcf/OIDplusAuthPluginVtsMcf.class.php |
58,8 → 58,12 |
return new OIDplusRAAuthInfo($calc_authkey); |
} |
public function available(&$reason): bool { |
return function_exists('sha3_512_hmac') || function_exists('sha3_512'); |
public function availableForHash(&$reason): bool { |
return function_exists('vts_password_hash') && (function_exists('sha3_512_hmac') || function_exists('sha3_512')); |
} |
public function availableForVerify(&$reason): bool { |
return function_exists('vts_password_verify'); |
} |
} |
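Review bot: `availableForVerify` now checks only `function_exists('vts_password_verify')`, while `availableForHash` still requires `sha3_512_hmac` or `sha3_512` and the preference list in OIDplus.class.php describes this plugin's keys as SHA3-512-HMAC; if vts_password_verify relies on the same SHA3 helpers for this format, verification is reported available on a system that cannot actually check the stored hash, and a user is locked out instead of the core falling back to another plugin. Unless vts_password_verify carries its own SHA3 implementation, I would mirror the hash check: `return function_exists('vts_password_verify') && (function_exists('sha3_512_hmac') || function_exists('sha3_512'));`. Both methods also return false without setting `$reason`, unlike the bcrypt and argon2 plugins, so the admin page shows only a bare "Not available on this system" for this plugin.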
/trunk/plugins/viathinksoft/auth/A6_crypt/OIDplusAuthPluginCrypt.class.php |
36,8 → 36,12 |
return new OIDplusRAAuthInfo($calc_authkey); |
} |
public function available(&$reason): bool { |
public function availableForHash(&$reason): bool { |
return function_exists('vts_password_hash'); |
} |
public function availableForVerify(&$reason): bool { |
return function_exists('vts_password_verify'); |
} |
} |
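Review bot: Both new methods leave `$reason` untouched when they return false, so the admin plugin page and the exception raised by checkRaAuthPluginAvailable show only a generic "not available" for this plugin, whereas the bcrypt and argon2 plugins name the missing requirement. A guard before each return covers it, e.g. `if (!function_exists('vts_password_hash')) { $reason = _L('Function %1 is missing', 'vts_password_hash'); return false; }` and the same for `vts_password_verify`.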