WebSVN – oidplus – Diff – /trunk/includes/classes/OIDplusAuthUtils.class.php

                 // ATTENTION!!! If a pepper is used, then the
                 // hashes are bound to that pepper. If you change the pepper,
                 // then ALL passwords of RAs become INVALID!
                 $pepper = OIDplus::baseConfig()->getValue('RA_PASSWORD_PEPPER','');
                 if ($pepper !== '') {
+                        $algo = OIDplus::baseConfig()->getValue('RA_PASSWORD_PEPPER_ALGO','sha512'); // sha512 works with PHP 7.0
+                        if (strtolower($algo) === 'sha3-512') {
-                        // sha512 works with PHP 7.0
+                                $hmac = sha3_512_hmac($password, $pepper);
+                        } else {
-                        $hmac = hash_hmac('sha512', $password, $pepper);
+                                $hmac = hash_hmac($algo, $password, $pepper);
+                        }
                         if ($hmac === false) throw new OIDplusException(_L('HMAC failed')); /** @phpstan-ignore-line */
                         return $hmac;
                 } else {
                         return $password;
+                }
+        }
         // Authentication keys for validating arguments (e.g. sent by mail)
         public static function makeAuthKey($data) {
-                $data = OIDplus::baseConfig()->getValue('SERVER_SECRET') . '/AUTHKEY/' . $data;
+                return sha3_512_hmac($data, 'authkey:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false);
-                $calc_authkey = sha3_512($data, false);
-                return $calc_authkey;
+        }
         public static function validateAuthKey($data, $auth_key) {
                 return hash_equals(self::makeAuthKey($data), $auth_key);
+        }

Subversion Repositories oidplus

oidplus/trunk/includes/classes/OIDplusAuthUtils.class.php @ 1301 – Rev 622 → 711