Rev 1090 | Rev 1099 | ||
Line 292... | Line 292... | ||
292 | if (strpos($value,'..') !== false) $good = false; |
292 | if (strpos($value,'..') !== false) $good = false; |
293 | if (!$good) { |
293 | if (!$good) { |
294 | throw new OIDplusException(_L('Invalid auth plugin folder name. Do only enter a folder name, not an absolute or relative path')); |
294 | throw new OIDplusException(_L('Invalid auth plugin folder name. Do only enter a folder name, not an absolute or relative path')); |
295 | } |
295 | } |
296 | 296 | ||
297 | OIDplus::checkRaAuthPluginAvailable($value); |
297 | OIDplus::checkRaAuthPluginAvailable($value, true); |
298 | }); |
298 | }); |
299 | } |
299 | } |
300 | 300 | ||
301 | return self::$config; |
301 | return self::$config; |
302 | } |
302 | } |
Line 493... | Line 493... | ||
493 | } |
493 | } |
494 | } |
494 | } |
495 | return null; |
495 | return null; |
496 | } |
496 | } |
497 | 497 | ||
498 | private static function checkRaAuthPluginAvailable($plugin_foldername) { |
498 | private static function checkRaAuthPluginAvailable($plugin_foldername, $must_hash) { |
499 | // if (!wildcard_is_dir(OIDplus::localpath().'plugins/'.'*'.'/auth/'.$plugin_foldername)) { |
499 | // if (!wildcard_is_dir(OIDplus::localpath().'plugins/'.'*'.'/auth/'.$plugin_foldername)) { |
500 | $plugin = OIDplus::getAuthPluginByFoldername($plugin_foldername); |
500 | $plugin = OIDplus::getAuthPluginByFoldername($plugin_foldername); |
501 | if (is_null($plugin)) { |
501 | if (is_null($plugin)) { |
502 | throw new OIDplusException(_L('The auth plugin "%1" does not exist in plugin directory %2',$plugin_foldername,'plugins/[vendorname]/auth/')); |
502 | throw new OIDplusException(_L('The auth plugin "%1" does not exist in plugin directory %2',$plugin_foldername,'plugins/[vendorname]/auth/')); |
503 | } |
503 | } |
504 | 504 | ||
505 | $reason = ''; |
505 | $reason = ''; |
506 | if (!$plugin->available($reason)) { |
506 | if (!$plugin->availableForVerify($reason)) { |
- | 507 | throw new OIDplusException(trim(_L('The auth plugin "%1" is not available for password verification on this system.',$plugin_foldername).' '.$reason)); |
|
- | 508 | } |
|
- | 509 | if ($must_hash && !$plugin->availableForHash($reason)) { |
|
507 | throw new OIDplusException(trim(_L('The auth plugin "%1" is not available on this system.',$plugin_foldername).' '.$reason)); |
510 | throw new OIDplusException(trim(_L('The auth plugin "%1" is not available for hashing on this system.',$plugin_foldername).' '.$reason)); |
508 | } |
511 | } |
509 | } |
512 | } |
510 | 513 | ||
511 | public static function getDefaultRaAuthPlugin()/*: OIDplusAuthPlugin*/ { |
514 | public static function getDefaultRaAuthPlugin($must_hash)/*: OIDplusAuthPlugin*/ { |
512 | // 1. Priority: Use the auth plugin the user prefers |
515 | // 1. Priority: Use the auth plugin the user prefers |
513 | $def_plugin_foldername = OIDplus::config()->getValue('default_ra_auth_method'); |
516 | $def_plugin_foldername = OIDplus::config()->getValue('default_ra_auth_method'); |
514 | if (trim($def_plugin_foldername) !== '') { |
517 | if (trim($def_plugin_foldername) !== '') { |
515 | OIDplus::checkRaAuthPluginAvailable($def_plugin_foldername); |
518 | OIDplus::checkRaAuthPluginAvailable($def_plugin_foldername, $must_hash); |
516 | $plugin = OIDplus::getAuthPluginByFoldername($def_plugin_foldername); |
519 | $plugin = OIDplus::getAuthPluginByFoldername($def_plugin_foldername); |
517 | return $plugin; |
520 | return $plugin; |
518 | } |
521 | } |
519 | 522 | ||
520 | // 2. Priority: If empty (i.e. OIDplus may decide), choose the best ViaThinkSoft plugin that is supported on this system |
523 | // 2. Priority: If empty (i.e. OIDplus may decide), choose the best ViaThinkSoft plugin that is supported on this system |
521 | $preferred_auth_plugins = array( |
524 | $preferred_auth_plugins = array( |
- | 525 | // Sorted by preference |
|
522 | 'A4_argon2', |
526 | 'A4_argon2', // usually Salted Argon2id |
523 | 'A3_bcrypt', |
527 | 'A3_bcrypt', // usually Salted BCrypt |
524 | 'A5_vts_mcf' |
528 | 'A5_vts_mcf', // usually SHA3-512-HMAC |
- | 529 | 'A6_crypt' // usually Salted SHA512 with 5000 rounds |
|
525 | ); |
530 | ); |
526 | foreach ($preferred_auth_plugins as $plugin_foldername) { |
531 | foreach ($preferred_auth_plugins as $plugin_foldername) { |
527 | $plugin = OIDplus::getAuthPluginByFoldername($plugin_foldername); |
532 | $plugin = OIDplus::getAuthPluginByFoldername($plugin_foldername); |
528 | if (is_null($plugin)) continue; |
533 | if (is_null($plugin)) continue; |
529 | 534 | ||
530 | $reason = ''; |
535 | $reason = ''; |
531 | if (!$plugin->available($reason)) continue; |
536 | if (!$plugin->availableForHash($reason)) continue; |
532 | - | ||
- | 537 | if ($must_hash && !$plugin->availableForVerify($reason)) continue; |
|
533 | return $plugin; |
538 | return $plugin; |
534 | } |
539 | } |
535 | 540 | ||
536 | // 3. Priority: If nothing found, take the first found plugin |
541 | // 3. Priority: If nothing found, take the first found plugin |
537 | $plugins = OIDplus::getAuthPlugins(); |
542 | $plugins = OIDplus::getAuthPlugins(); |
538 | if (count($plugins) > 0) { |
543 | foreach ($plugins as $plugin) { |
- | 544 | $reason = ''; |
|
- | 545 | if (!$plugin->availableForHash($reason)) continue; |
|
- | 546 | if ($must_hash && !$plugin->availableForVerify($reason)) continue; |
|
539 | return $plugins[0]; |
547 | return $plugin; |
540 | } |
548 | } |
541 | 549 | ||
542 | // 4. Priority: We must deny the creation of the password because we have no auth plugin! |
550 | // 4. Priority: We must deny the creation of the password because we have no auth plugin! |
543 | throw new OIDplusException(_L('Could not find a fitting auth plugin!')); |
551 | throw new OIDplusException(_L('Could not find a fitting auth plugin!')); |
544 | } |
552 | } |
545 | 553 | ||
546 | private static function registerAuthPlugin(OIDplusAuthPlugin $plugin) { |
554 | private static function registerAuthPlugin(OIDplusAuthPlugin $plugin) { |
547 | $reason = ''; |
555 | $reason = ''; |
548 | if (OIDplus::baseConfig()->getValue('DEBUG') && $plugin->available($reason)) { |
556 | if (OIDplus::baseConfig()->getValue('DEBUG') && $plugin->availableForHash($reason) && $plugin->availableForVerify($reason)) { |
549 | $password = generateRandomString(25); |
557 | $password = generateRandomString(25); |
550 | 558 | ||
551 | try { |
559 | try { |
552 | $authInfo = $plugin->generate($password); |
560 | $authInfo = $plugin->generate($password); |
553 | } catch (OIDplusException $e) { |
561 | } catch (OIDplusException $e) { |
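Review bot: In getDefaultRaAuthPlugin, the availability tests of priority steps 2 and 3 (new lines 536–537 and 545–546) appear inverted relative to checkRaAuthPluginAvailable (new lines 506–509), which always requires availableForVerify and requires availableForHash only when $must_hash is set: with $must_hash false the fallback search skips plugins that can verify but not hash, and may return one that can hash but cannot verify, whereas step 1 would have rejected the same plugin through checkRaAuthPluginAvailable. If the intent is to match checkRaAuthPluginAvailable, the two lines in step 2 should read `if (!$plugin->availableForVerify($reason)) continue;` and `if ($must_hash && !$plugin->availableForHash($reason)) continue;`, and the same swap applies to the step 3 loop. The $reason string filled by these calls is also never surfaced, so the final 'Could not find a fitting auth plugin!' exception hides why each candidate was rejected; consider collecting the reasons and appending them to that message. The hunk ends inside registerAuthPlugin, whose body continues outside the diff.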