58,8 → 58,12 |
// then ALL passwords of RAs become INVALID! |
$pepper = OIDplus::baseConfig()->getValue('RA_PASSWORD_PEPPER',''); |
if ($pepper !== '') { |
// sha512 works with PHP 7.0 |
$hmac = hash_hmac('sha512', $password, $pepper); |
$algo = OIDplus::baseConfig()->getValue('RA_PASSWORD_PEPPER_ALGO','sha512'); // sha512 works with PHP 7.0 |
if (strtolower($algo) === 'sha3-512') { |
$hmac = sha3_512_hmac($password, $pepper); |
} else { |
$hmac = hash_hmac($algo, $password, $pepper); |
} |
if ($hmac === false) throw new OIDplusException(_L('HMAC failed')); /** @phpstan-ignore-line */ |
return $hmac; |
} else { |
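Review bot: The new RA_PASSWORD_PEPPER_ALGO setting has the same blast radius as the pepper itself, but only the pepper is warned about on the "then ALL passwords of RAs become INVALID!" comment above; unless the algorithm name is stored alongside each hash (not visible here), switching the algo changes every computed HMAC and locks out every RA. I would extend that comment with `// The same applies to RA_PASSWORD_PEPPER_ALGO: changing it invalidates all stored RA password hashes unless they are re-hashed.` Also, on PHP 8 an unknown algorithm makes hash_hmac() throw ValueError rather than return false, so the `$hmac === false` guard only covers PHP 7; wrapping the call in `try { ... } catch (\ValueError $e) { throw new OIDplusException(_L('HMAC failed')); }` would give a consistent error on both. The enclosing function starts before and ends after this hunk.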
309,9 → 313,7 |
// Authentication keys for validating arguments (e.g. sent by mail) |
|
public static function makeAuthKey($data) { |
$data = OIDplus::baseConfig()->getValue('SERVER_SECRET') . '/AUTHKEY/' . $data; |
$calc_authkey = sha3_512($data, false); |
return $calc_authkey; |
return sha3_512_hmac($data, 'authkey:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false); |
} |
|
public static function validateAuthKey($data, $auth_key) { |
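Review bot: makeAuthKey now derives keys with sha3_512_hmac keyed by 'authkey:'.SERVER_SECRET instead of a plain hash of SERVER_SECRET.'/AUTHKEY/'.$data, so every auth key issued before this change (e.g. links already sent by mail, per the comment above) will fail validation after the upgrade; that deserves a docblock on makeAuthKey such as `/** Derives an HMAC-based auth key for $data. Keys generated by older releases (plain sha3-512 of SERVER_SECRET.'/AUTHKEY/'.$data) are no longer accepted. */`. The value produced here is compared in validateAuthKey, whose body is outside this hunk; if that comparison is `===` or `==`, it should be `return hash_equals(self::makeAuthKey($data), (string)$auth_key);` so the check is constant-time and not subject to type juggling. The third argument `false` to sha3_512_hmac presumably selects non-raw (hex) output — worth confirming that validateAuthKey expects the same encoding.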