Line 30... | Line 30... | ||
30 | /** |
30 | /** |
31 | * @param string $password |
31 | * @param string $password |
32 | * @return string |
32 | * @return string |
33 | * @throws OIDplusException |
33 | * @throws OIDplusException |
34 | */ |
34 | */ |
35 | private static function raPepperProcessing(string $password): string { |
35 | private function raPepperProcessing(string $password): string { |
36 | // Additional feature: Pepper |
36 | // Additional feature: Pepper |
37 | // The pepper is stored inside the base configuration file |
37 | // The pepper is stored inside the base configuration file |
38 | // It prevents that an attacker with SQL write rights can |
38 | // It prevents that an attacker with SQL write rights can |
39 | // create accounts. |
39 | // create accounts. |
40 | // ATTENTION!!! If a pepper is used, then the |
40 | // ATTENTION!!! If a pepper is used, then the |
Line 138... | Line 138... | ||
138 | $plugins = OIDplus::getAuthPlugins(); |
138 | $plugins = OIDplus::getAuthPlugins(); |
139 | if (count($plugins) == 0) { |
139 | if (count($plugins) == 0) { |
140 | throw new OIDplusException(_L('No RA authentication plugins found')); |
140 | throw new OIDplusException(_L('No RA authentication plugins found')); |
141 | } |
141 | } |
142 | foreach ($plugins as $plugin) { |
142 | foreach ($plugins as $plugin) { |
143 | if ($plugin->verify($authInfo, self::raPepperProcessing($password))) return true; |
143 | if ($plugin->verify($authInfo, $this->raPepperProcessing($password))) return true; |
144 | } |
144 | } |
145 | 145 | ||
146 | return false; |
146 | return false; |
147 | } |
147 | } |
148 | 148 | ||
Line 376... | Line 376... | ||
376 | /** |
376 | /** |
377 | * @param string $data |
377 | * @param string $data |
378 | * @return string |
378 | * @return string |
379 | * @throws OIDplusException |
379 | * @throws OIDplusException |
380 | */ |
380 | */ |
381 | public static function makeAuthKey(string $data): string { |
381 | public function makeAuthKey(string $data): string { |
382 | return sha3_512_hmac($data, 'authkey:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false); |
382 | return sha3_512_hmac($data, 'authkey:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false); |
383 | } |
383 | } |
384 | 384 | ||
385 | /** |
385 | /** |
386 | * @param string $data |
386 | * @param string $data |
387 | * @param string $auth_key |
387 | * @param string $auth_key |
388 | * @return bool |
388 | * @return bool |
389 | * @throws OIDplusException |
389 | * @throws OIDplusException |
390 | */ |
390 | */ |
391 | public static function validateAuthKey(string $data, string $auth_key): bool { |
391 | public function validateAuthKey(string $data, string $auth_key): bool { |
392 | return hash_equals(self::makeAuthKey($data), $auth_key); |
392 | return hash_equals($this->makeAuthKey($data), $auth_key); |
393 | } |
393 | } |
394 | 394 | ||
395 | // "Veto" functions to force logout state |
395 | // "Veto" functions to force logout state |
396 | 396 | ||
397 | /** |
397 | /** |
Line 462... | Line 462... | ||
462 | /** |
462 | /** |
463 | * @param string $password |
463 | * @param string $password |
464 | * @return OIDplusRAAuthInfo |
464 | * @return OIDplusRAAuthInfo |
465 | * @throws OIDplusException |
465 | * @throws OIDplusException |
466 | */ |
466 | */ |
467 | public static function raGeneratePassword(string $password): OIDplusRAAuthInfo { |
467 | public function raGeneratePassword(string $password): OIDplusRAAuthInfo { |
468 | $plugin = OIDplus::getDefaultRaAuthPlugin(true); |
468 | $plugin = OIDplus::getDefaultRaAuthPlugin(true); |
469 | return $plugin->generate(self::raPepperProcessing($password)); |
469 | return $plugin->generate($this->raPepperProcessing($password)); |
470 | } |
470 | } |
471 | 471 | ||
472 | // Generate admin password |
472 | // Generate admin password |
473 | 473 | ||
474 | /* Nothing here; the admin password will be generated in setup_base.js , purely in the web-browser */ |
474 | /* Nothing here; the admin password will be generated in setup_base.js , purely in the web-browser */ |
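Review bot: In the plugin loop at line 143 the pepper is recomputed for every registered plugin because `$this->raPepperProcessing($password)` sits inside the `foreach`; compute it once before the loop, `$peppered = $this->raPepperProcessing($password);`, and then `if ($plugin->verify($authInfo, $peppered)) return true;`. Since the first plugin that returns true ends the check, a credential stored under a still-registered legacy plugin's scheme remains accepted — presumably intended, but worth stating in a comment such as `// First plugin that verifies wins; hashes in older formats stay valid while their plugin is enabled`. The enclosing method starts before line 138 and is not visible in this hunk. Separately, `raPepperProcessing`, `makeAuthKey` and `validateAuthKey` now require an instance, so any call site that still uses the static form would fail at runtime; the callers deserve a grep before this lands.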