WebSVN – oidplus – Diff – /trunk/includes/classes/OIDplusAuthUtils.class.php



        /**
         * @param string $password
         * @return string
         * @throws OIDplusException
         */
        private function raPepperProcessing(string $password): string {
                // Additional feature: Pepper
                // The pepper is stored inside the base configuration file
                // It prevents that an attacker with SQL write rights can
                // create accounts.
                // ATTENTION!!! If a pepper is used, then the

                $plugins = OIDplus::getAuthPlugins();
                if (count($plugins) == 0) {
                        throw new OIDplusException(_L('No RA authentication plugins found'));
                }
                foreach ($plugins as $plugin) {
                        if ($plugin->verify($authInfo, $this->raPepperProcessing($password))) return true;
                }
 
                return false;
        }
 

        /**
         * @param string $data
         * @return string
         * @throws OIDplusException
         */
        public function makeAuthKey(string $data): string {
                return sha3_512_hmac($data, 'authkey:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false);
        }
 
        /**
         * @param string $data
         * @param string $auth_key
         * @return bool
         * @throws OIDplusException
         */
        public function validateAuthKey(string $data, string $auth_key): bool {
                return hash_equals($this->makeAuthKey($data), $auth_key);
        }
 
        // "Veto" functions to force logout state
 
        /**

        /**
         * @param string $password
         * @return OIDplusRAAuthInfo
         * @throws OIDplusException
         */
        public function raGeneratePassword(string $password): OIDplusRAAuthInfo {
                $plugin = OIDplus::getDefaultRaAuthPlugin(true);
                return $plugin->generate($this->raPepperProcessing($password));
        }
 
        // Generate admin password
 
        /* Nothing here; the admin password will be generated in setup_base.js , purely in the web-browser */

Rev 1130	Rev 1186
Line 30...	Line 30...
30	/**	30	/**
31	* @param string $password	31	* @param string $password
32	* @return string	32	* @return string
33	* @throws OIDplusException	33	* @throws OIDplusException
34	*/	34	*/
35	private static function raPepperProcessing(string $password): string {	35	private function raPepperProcessing(string $password): string {
36	// Additional feature: Pepper	36	// Additional feature: Pepper
37	// The pepper is stored inside the base configuration file	37	// The pepper is stored inside the base configuration file
38	// It prevents that an attacker with SQL write rights can	38	// It prevents that an attacker with SQL write rights can
39	// create accounts.	39	// create accounts.
40	// ATTENTION!!! If a pepper is used, then the	40	// ATTENTION!!! If a pepper is used, then the
Line 138...	Line 138...
138	$plugins = OIDplus::getAuthPlugins();	138	$plugins = OIDplus::getAuthPlugins();
139	if (count($plugins) == 0) {	139	if (count($plugins) == 0) {
140	throw new OIDplusException(_L('No RA authentication plugins found'));	140	throw new OIDplusException(_L('No RA authentication plugins found'));
141	}	141	}
142	foreach ($plugins as $plugin) {	142	foreach ($plugins as $plugin) {
143	if ($plugin->verify($authInfo, self::raPepperProcessing($password))) return true;	143	if ($plugin->verify($authInfo, $this->raPepperProcessing($password))) return true;
144	}	144	}
145		145
146	return false;	146	return false;
147	}	147	}
148		148
Line 376...	Line 376...
376	/**	376	/**
377	* @param string $data	377	* @param string $data
378	* @return string	378	* @return string
379	* @throws OIDplusException	379	* @throws OIDplusException
380	*/	380	*/
381	public static function makeAuthKey(string $data): string {	381	public function makeAuthKey(string $data): string {
382	return sha3_512_hmac($data, 'authkey:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false);	382	return sha3_512_hmac($data, 'authkey:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false);
383	}	383	}
384		384
385	/**	385	/**
386	* @param string $data	386	* @param string $data
387	* @param string $auth_key	387	* @param string $auth_key
388	* @return bool	388	* @return bool
389	* @throws OIDplusException	389	* @throws OIDplusException
390	*/	390	*/
391	public static function validateAuthKey(string $data, string $auth_key): bool {	391	public function validateAuthKey(string $data, string $auth_key): bool {
392	return hash_equals(self::makeAuthKey($data), $auth_key);	392	return hash_equals($this->makeAuthKey($data), $auth_key);
393	}	393	}
394		394
395	// "Veto" functions to force logout state	395	// "Veto" functions to force logout state
396		396
397	/**	397	/**
Line 462...	Line 462...
462	/**	462	/**
463	* @param string $password	463	* @param string $password
464	* @return OIDplusRAAuthInfo	464	* @return OIDplusRAAuthInfo
465	* @throws OIDplusException	465	* @throws OIDplusException
466	*/	466	*/
467	public static function raGeneratePassword(string $password): OIDplusRAAuthInfo {	467	public function raGeneratePassword(string $password): OIDplusRAAuthInfo {
468	$plugin = OIDplus::getDefaultRaAuthPlugin(true);	468	$plugin = OIDplus::getDefaultRaAuthPlugin(true);
469	return $plugin->generate(self::raPepperProcessing($password));	469	return $plugin->generate($this->raPepperProcessing($password));
470	}	470	}
471		471
472	// Generate admin password	472	// Generate admin password
473		473
474	/* Nothing here; the admin password will be generated in setup_base.js , purely in the web-browser */	474	/* Nothing here; the admin password will be generated in setup_base.js , purely in the web-browser */

Subversion Repositories oidplus

oidplus/trunk/includes/classes/OIDplusAuthUtils.class.php @ 1301 – Rev 1130 → 1186