WebSVN – oidplus – Diff – /trunk/plugins/viathinksoft/captcha/vts_challenge/OIDplusCaptchaPluginVtsClientChallenge.class.php


<?php
 
/*
 * OIDplus 2.0
 * Copyright 2019 - 2023 Daniel Marschall, ViaThinkSoft
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 
namespace ViaThinkSoft\OIDplus;
 
// phpcs:disable PSR1.Files.SideEffects
\defined('INSIDE_OIDPLUS') or die;
// phpcs:enable PSR1.Files.SideEffects
 
class OIDplusCaptchaPluginVtsClientChallenge extends OIDplusCaptchaPlugin {
 
        /**
         * @return string
         */
        public static function id(): string {
                return 'ViaThinkSoft Client Challenge';
        }
 
        /**
         * @return bool
         */
        public function isVisible(): bool {
                return false;
        }
 
        /**
         * @param string $actionID
         * @return bool
         */
        public function csrfUnlock(string $actionID): bool {
                if ($actionID == 'get_challenge') return true;
                return parent::csrfUnlock($actionID);
        }
 
        /**
 
         * @param array $params
         * @return array
         * @throws OIDplusException
         */
        private function action_GetChallenge(array $params): array {
 
                $offset = 0; // doesn't matter
                $min = $offset;
                $max = $offset + OIDplus::baseConfig()->getValue('VTS_CAPTCHA_COMPLEXITY', 50000);
                if ($max > mt_getrandmax()) $max = mt_getrandmax();
 
                $starttime = time();
                $random = mt_rand($min,$max);
                $ip_target = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
                $challenge = sha3_512($starttime.'/'.$ip_target.'/'.$random); // $random is secret!
                $challenge_integrity = OIDplus::authUtils()->makeAuthKey(['797bfc34-f4fa-11ed-86ca-3c4a92df8582',$challenge]);
                $send_to_client = array($starttime, $ip_target, $challenge, $min, $max, $challenge_integrity);
 
                $open_trans_file = self::getOpenTransFileName($ip_target, $random);
                if (@file_put_contents($open_trans_file, '') === false) {
                        throw new OIDplusException(_L('Cannot write file %1', $open_trans_file));
                }
 
                return array(
                        "status" => 0,
                        "challenge" => $send_to_client,
                        // Autosolve on=calculate result on page load; off=calculate result on form submit
                        "autosolve" => OIDplus::baseConfig()->getValue('VTS_CAPTCHA_AUTOSOLVE', true)
                );
        }
 
        /**
         * @param string $actionID
         * @param array $params
         * @return array
         * @throws OIDplusException
         */
        public function action(string $actionID, array $params): array {
                if ($actionID == 'get_challenge') {
                        return $this->action_GetChallenge($params);
                } else {
                        return parent::action($actionID, $params);
                }
        }
 
        /**
         * @param string $ip_target
         * @param string|int $random
         * @return string
         * @throws OIDplusException
         */
        private static function getOpenTransFileName(string $ip_target, $random): string {
                $dir = OIDplus::localpath().'/userdata/cache';
 
                // First, delete challenges which were never completed
                $files = glob($dir.'/vts_client_challenge_*.tmp');
                $expire = strtotime('-3 DAYS');
                foreach ($files as $file) {
                        if (!is_file($file)) continue;
                        if (filemtime($file) > $expire) continue;
                        @unlink($file);
                }
 
                return $dir.'/vts_client_challenge_'.OIDplus::authUtils()->makeSecret(['461f4a9e-f4fa-11ed-86ca-3c4a92df8582',$ip_target,$random]).'.tmp';
        }
 
        /**
         * @param string|null $header_text
         * @param string|null $footer_text
         * @return string
         * @throws OIDplusException
         */
        public function captchaGenerate(string $header_text=null, string $footer_text=null): string {
                return '<noscript>'.
                       '<p><font color="red">'._L('You need to enable JavaScript to solve the CAPTCHA.').'</font></p>'.
                       '</noscript>'.
                       '<input type="hidden" id="vts_validation_result" name="vts_validation_result" value="">'.
                       '<script>'.
                       'OIDplusCaptchaPluginVtsClientChallenge.captchaShow('.js_escape(OIDplus::webpath(null,OIDplus::PATH_RELATIVE)).');'.
                       '</script>';
        }
 
        /**
         * @param array $params
         * @param string|null $fieldname
         * @return void
         * @throws OIDplusException
         */
        public function captchaVerify(array $params, string $fieldname=null) {
 
                if (is_null($fieldname)) $fieldname = 'vts_validation_result';
 
                if (!isset($params[$fieldname])) throw new OIDplusException(_L('No challenge response found').' (A)');
 
                $client_response = @json_decode($params[$fieldname], true);
 
                if (!is_array($client_response)) throw new OIDplusException(_L('Challenge response is invalid').' (B)');
                if (count($client_response) != 5) throw new OIDplusException(_L('Challenge response is invalid').' (C)');
                list($starttime, $ip_target, $challenge, $answer, $challenge_integrity) = $client_response;
                if (!is_numeric($starttime)) throw new OIDplusException(_L('Challenge response is invalid').' (D)');
                if (!is_string($ip_target)) throw new OIDplusException(_L('Challenge response is invalid').' (E)');
                if (!is_string($challenge)) throw new OIDplusException(_L('Challenge response is invalid').' (F)');
                if (!is_numeric($answer)) throw new OIDplusException(_L('Challenge response is invalid').' (G)');
                if (!is_string($challenge_integrity)) throw new OIDplusException(_L('Challenge response is invalid').' (H)');
 
                $open_trans_file = self::getOpenTransFileName($ip_target, $answer);
 
                $current_ip = ($_SERVER['REMOTE_ADDR'] ?? 'unknown');
                if ($ip_target != $current_ip) {
                        throw new OIDplusException(_L('IP address has changed. Please try again. (current IP %1, expected %2)', $current_ip, $ip_target));
                //} else if (time()-$starttime > OIDplus::baseConfig()->getValue('VTS_CAPTCHA_MAXTIME', 10*60/*10 minutes*/)) {
                //      throw new OIDplusException(_L('Challenge expired. Please try again.'));
                } else if (!OIDplus::authUtils()->validateAuthKey(['797bfc34-f4fa-11ed-86ca-3c4a92df8582',$challenge],$challenge_integrity,OIDplus::baseConfig()->getValue('VTS_CAPTCHA_MAXTIME', 10*60/*10 minutes*/))) {
                        throw new OIDplusException(_L('Invalid or expired authentication key'));
                } else if ($challenge !== sha3_512($starttime.'/'.$ip_target.'/'.$answer)) {
                        throw new OIDplusException(_L('Wrong answer'));
                } else if (!file_exists($open_trans_file)) {
                        throw new OIDplusException(_L('Challenge submitted twice or transaction missing'));
                } else {
                        @unlink($open_trans_file);
                }
        }
 
        /**
         * @return string
         */
        public static function setupHTML(): string {
                return '<div id="CAPTCHAPLUGIN_PARAMS_VtsClientChallenge">'.
                       '<p>'._L('ViaThinkSoft Client Challenge lets the client computer solve a cryptographic problem instead of letting the user solve a CAPTCHA. This slows down brute-force attacks.').'</p>'.
                       '</div>';
        }
 
}
 

Subversion Repositories oidplus

oidplus/trunk/plugins/viathinksoft/captcha/vts_challenge/OIDplusCaptchaPluginVtsClientChallenge.class.php – Rev 1283 → 1293

Rev 1283		Rev 1293
1	<?php	1	<?php
2		2
3	/*	3	/*
4	* OIDplus 2.0	4	* OIDplus 2.0
5	* Copyright 2019 - 2023 Daniel Marschall, ViaThinkSoft	5	* Copyright 2019 - 2023 Daniel Marschall, ViaThinkSoft
6	*	6	*
7	* Licensed under the Apache License, Version 2.0 (the "License");	7	* Licensed under the Apache License, Version 2.0 (the "License");
8	* you may not use this file except in compliance with the License.	8	* you may not use this file except in compliance with the License.
9	* You may obtain a copy of the License at	9	* You may obtain a copy of the License at
10	*	10	*
11	* http://www.apache.org/licenses/LICENSE-2.0	11	* http://www.apache.org/licenses/LICENSE-2.0
12	*	12	*
13	* Unless required by applicable law or agreed to in writing, software	13	* Unless required by applicable law or agreed to in writing, software
14	* distributed under the License is distributed on an "AS IS" BASIS,	14	* distributed under the License is distributed on an "AS IS" BASIS,
15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.	15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16	* See the License for the specific language governing permissions and	16	* See the License for the specific language governing permissions and
17	* limitations under the License.	17	* limitations under the License.
18	*/	18	*/
19		19
20	namespace ViaThinkSoft\OIDplus;	20	namespace ViaThinkSoft\OIDplus;
21		21
22	// phpcs:disable PSR1.Files.SideEffects	22	// phpcs:disable PSR1.Files.SideEffects
23	\defined('INSIDE_OIDPLUS') or die;	23	\defined('INSIDE_OIDPLUS') or die;
24	// phpcs:enable PSR1.Files.SideEffects	24	// phpcs:enable PSR1.Files.SideEffects
25		25
26	class OIDplusCaptchaPluginVtsClientChallenge extends OIDplusCaptchaPlugin {	26	class OIDplusCaptchaPluginVtsClientChallenge extends OIDplusCaptchaPlugin {
27		27
28	/**	28	/**
29	* @return string	29	* @return string
30	*/	30	*/
31	public static function id(): string {	31	public static function id(): string {
32	return 'ViaThinkSoft Client Challenge';	32	return 'ViaThinkSoft Client Challenge';
33	}	33	}
34		34
35	/**	35	/**
36	* @return bool	36	* @return bool
37	*/	37	*/
38	public function isVisible(): bool {	38	public function isVisible(): bool {
39	return false;	39	return false;
40	}	40	}
41		41
42	/**	42	/**
43	* @param string $actionID	43	* @param string $actionID
44	* @return bool	44	* @return bool
45	*/	45	*/
46	public function csrfUnlock(string $actionID): bool {	46	public function csrfUnlock(string $actionID): bool {
47	if ($actionID == 'get_challenge') return true;	47	if ($actionID == 'get_challenge') return true;
48	return parent::csrfUnlock($actionID);	48	return parent::csrfUnlock($actionID);
49	}	49	}
50		50
51	/**	51	/**
52	* @param string $actionID	-
53	* @param array $params	52	* @param array $params
54	* @return array	53	* @return array
55	* @throws OIDplusException	54	* @throws OIDplusException
56	*/	55	*/
57	public function action(string $actionID, array $params): array {	56	private function action_GetChallenge(array $params): array {
58	if ($actionID == 'get_challenge') {	-
59	$offset = 0; // doesn't matter	57	$offset = 0; // doesn't matter
60	$min = $offset;	58	$min = $offset;
61	$max = $offset + OIDplus::baseConfig()->getValue('VTS_CAPTCHA_COMPLEXITY', 50000);	59	$max = $offset + OIDplus::baseConfig()->getValue('VTS_CAPTCHA_COMPLEXITY', 50000);
62	if ($max > mt_getrandmax()) $max = mt_getrandmax();	60	if ($max > mt_getrandmax()) $max = mt_getrandmax();
63		61
64	$starttime = time();	62	$starttime = time();
65	$random = mt_rand($min,$max);	63	$random = mt_rand($min,$max);
66	$ip_target = $_SERVER['REMOTE_ADDR'] ?? 'unknown';	64	$ip_target = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
67	$challenge = sha3_512($starttime.'/'.$ip_target.'/'.$random); // $random is secret!	65	$challenge = sha3_512($starttime.'/'.$ip_target.'/'.$random); // $random is secret!
68	$challenge_integrity = OIDplus::authUtils()->makeAuthKey(['797bfc34-f4fa-11ed-86ca-3c4a92df8582',$challenge]);	66	$challenge_integrity = OIDplus::authUtils()->makeAuthKey(['797bfc34-f4fa-11ed-86ca-3c4a92df8582',$challenge]);
69	$send_to_client = array($starttime, $ip_target, $challenge, $min, $max, $challenge_integrity);	67	$send_to_client = array($starttime, $ip_target, $challenge, $min, $max, $challenge_integrity);
70		68
71	$open_trans_file = self::getOpenTransFileName($ip_target, $random);	69	$open_trans_file = self::getOpenTransFileName($ip_target, $random);
72	if (@file_put_contents($open_trans_file, '') === false) {	70	if (@file_put_contents($open_trans_file, '') === false) {
73	throw new OIDplusException(_L('Cannot write file %1', $open_trans_file));	71	throw new OIDplusException(_L('Cannot write file %1', $open_trans_file));
74	}	72	}
75		73
76	return array(	74	return array(
77	"status" => 0,	75	"status" => 0,
78	"challenge" => $send_to_client,	76	"challenge" => $send_to_client,
79	// Autosolve on=calculate result on page load; off=calculate result on form submit	77	// Autosolve on=calculate result on page load; off=calculate result on form submit
80	"autosolve" => OIDplus::baseConfig()->getValue('VTS_CAPTCHA_AUTOSOLVE', true)	78	"autosolve" => OIDplus::baseConfig()->getValue('VTS_CAPTCHA_AUTOSOLVE', true)
81	);	79	);
-		80	}
-		81
-		82	/**
-		83	* @param string $actionID
-		84	* @param array $params
-		85	* @return array
-		86	* @throws OIDplusException
-		87	*/
-		88	public function action(string $actionID, array $params): array {
-		89	if ($actionID == 'get_challenge') {
-		90	return $this->action_GetChallenge($params);
82	} else {	91	} else {
83	return parent::action($actionID, $params);	92	return parent::action($actionID, $params);
84	}	93	}
85	}	94	}
86		95
87	/**	96	/**
88	* @param string $ip_target	97	* @param string $ip_target
89	* @param string\|int $random	98	* @param string\|int $random
90	* @return string	99	* @return string
91	* @throws OIDplusException	100	* @throws OIDplusException
92	*/	101	*/
93	private static function getOpenTransFileName(string $ip_target, $random): string {	102	private static function getOpenTransFileName(string $ip_target, $random): string {
94	$dir = OIDplus::localpath().'/userdata/cache';	103	$dir = OIDplus::localpath().'/userdata/cache';
95		104
96	// First, delete challenges which were never completed	105	// First, delete challenges which were never completed
97	$files = glob($dir.'/vts_client_challenge_*.tmp');	106	$files = glob($dir.'/vts_client_challenge_*.tmp');
98	$expire = strtotime('-3 DAYS');	107	$expire = strtotime('-3 DAYS');
99	foreach ($files as $file) {	108	foreach ($files as $file) {
100	if (!is_file($file)) continue;	109	if (!is_file($file)) continue;
101	if (filemtime($file) > $expire) continue;	110	if (filemtime($file) > $expire) continue;
102	@unlink($file);	111	@unlink($file);
103	}	112	}
104		113
105	return $dir.'/vts_client_challenge_'.OIDplus::authUtils()->makeSecret(['461f4a9e-f4fa-11ed-86ca-3c4a92df8582',$ip_target,$random]).'.tmp';	114	return $dir.'/vts_client_challenge_'.OIDplus::authUtils()->makeSecret(['461f4a9e-f4fa-11ed-86ca-3c4a92df8582',$ip_target,$random]).'.tmp';
106	}	115	}
107		116
108	/**	117	/**
109	* @param string\|null $header_text	118	* @param string\|null $header_text
110	* @param string\|null $footer_text	119	* @param string\|null $footer_text
111	* @return string	120	* @return string
112	* @throws OIDplusException	121	* @throws OIDplusException
113	*/	122	*/
114	public function captchaGenerate(string $header_text=null, string $footer_text=null): string {	123	public function captchaGenerate(string $header_text=null, string $footer_text=null): string {
115	return '<noscript>'.	124	return '<noscript>'.
116	'<p><font color="red">'._L('You need to enable JavaScript to solve the CAPTCHA.').'</font></p>'.	125	'<p><font color="red">'._L('You need to enable JavaScript to solve the CAPTCHA.').'</font></p>'.
117	'</noscript>'.	126	'</noscript>'.
118	'<input type="hidden" id="vts_validation_result" name="vts_validation_result" value="">'.	127	'<input type="hidden" id="vts_validation_result" name="vts_validation_result" value="">'.
119	'<script>'.	128	'<script>'.
120	'OIDplusCaptchaPluginVtsClientChallenge.captchaShow('.js_escape(OIDplus::webpath(null,OIDplus::PATH_RELATIVE)).');'.	129	'OIDplusCaptchaPluginVtsClientChallenge.captchaShow('.js_escape(OIDplus::webpath(null,OIDplus::PATH_RELATIVE)).');'.
121	'</script>';	130	'</script>';
122	}	131	}
123		132
124	/**	133	/**
125	* @param array $params	134	* @param array $params
126	* @param string\|null $fieldname	135	* @param string\|null $fieldname
127	* @return void	136	* @return void
128	* @throws OIDplusException	137	* @throws OIDplusException
129	*/	138	*/
130	public function captchaVerify(array $params, string $fieldname=null) {	139	public function captchaVerify(array $params, string $fieldname=null) {
131		140
132	if (is_null($fieldname)) $fieldname = 'vts_validation_result';	141	if (is_null($fieldname)) $fieldname = 'vts_validation_result';
133		142
134	if (!isset($params[$fieldname])) throw new OIDplusException(_L('No challenge response found').' (A)');	143	if (!isset($params[$fieldname])) throw new OIDplusException(_L('No challenge response found').' (A)');
135		144
136	$client_response = @json_decode($params[$fieldname], true);	145	$client_response = @json_decode($params[$fieldname], true);
137		146
138	if (!is_array($client_response)) throw new OIDplusException(_L('Challenge response is invalid').' (B)');	147	if (!is_array($client_response)) throw new OIDplusException(_L('Challenge response is invalid').' (B)');
139	if (count($client_response) != 5) throw new OIDplusException(_L('Challenge response is invalid').' (C)');	148	if (count($client_response) != 5) throw new OIDplusException(_L('Challenge response is invalid').' (C)');
140	list($starttime, $ip_target, $challenge, $answer, $challenge_integrity) = $client_response;	149	list($starttime, $ip_target, $challenge, $answer, $challenge_integrity) = $client_response;
141	if (!is_numeric($starttime)) throw new OIDplusException(_L('Challenge response is invalid').' (D)');	150	if (!is_numeric($starttime)) throw new OIDplusException(_L('Challenge response is invalid').' (D)');
142	if (!is_string($ip_target)) throw new OIDplusException(_L('Challenge response is invalid').' (E)');	151	if (!is_string($ip_target)) throw new OIDplusException(_L('Challenge response is invalid').' (E)');
143	if (!is_string($challenge)) throw new OIDplusException(_L('Challenge response is invalid').' (F)');	152	if (!is_string($challenge)) throw new OIDplusException(_L('Challenge response is invalid').' (F)');
144	if (!is_numeric($answer)) throw new OIDplusException(_L('Challenge response is invalid').' (G)');	153	if (!is_numeric($answer)) throw new OIDplusException(_L('Challenge response is invalid').' (G)');
145	if (!is_string($challenge_integrity)) throw new OIDplusException(_L('Challenge response is invalid').' (H)');	154	if (!is_string($challenge_integrity)) throw new OIDplusException(_L('Challenge response is invalid').' (H)');
146		155
147	$open_trans_file = self::getOpenTransFileName($ip_target, $answer);	156	$open_trans_file = self::getOpenTransFileName($ip_target, $answer);
148		157
149	$current_ip = ($_SERVER['REMOTE_ADDR'] ?? 'unknown');	158	$current_ip = ($_SERVER['REMOTE_ADDR'] ?? 'unknown');
150	if ($ip_target != $current_ip) {	159	if ($ip_target != $current_ip) {
151	throw new OIDplusException(_L('IP address has changed. Please try again. (current IP %1, expected %2)', $current_ip, $ip_target));	160	throw new OIDplusException(_L('IP address has changed. Please try again. (current IP %1, expected %2)', $current_ip, $ip_target));
152	//} else if (time()-$starttime > OIDplus::baseConfig()->getValue('VTS_CAPTCHA_MAXTIME', 1060/10 minutes*/)) {	161	//} else if (time()-$starttime > OIDplus::baseConfig()->getValue('VTS_CAPTCHA_MAXTIME', 1060/10 minutes*/)) {
153	// throw new OIDplusException(_L('Challenge expired. Please try again.'));	162	// throw new OIDplusException(_L('Challenge expired. Please try again.'));
154	} else if (!OIDplus::authUtils()->validateAuthKey(['797bfc34-f4fa-11ed-86ca-3c4a92df8582',$challenge],$challenge_integrity,OIDplus::baseConfig()->getValue('VTS_CAPTCHA_MAXTIME', 1060/10 minutes*/))) {	163	} else if (!OIDplus::authUtils()->validateAuthKey(['797bfc34-f4fa-11ed-86ca-3c4a92df8582',$challenge],$challenge_integrity,OIDplus::baseConfig()->getValue('VTS_CAPTCHA_MAXTIME', 1060/10 minutes*/))) {
155	throw new OIDplusException(_L('Invalid or expired authentication key'));	164	throw new OIDplusException(_L('Invalid or expired authentication key'));
156	} else if ($challenge !== sha3_512($starttime.'/'.$ip_target.'/'.$answer)) {	165	} else if ($challenge !== sha3_512($starttime.'/'.$ip_target.'/'.$answer)) {
157	throw new OIDplusException(_L('Wrong answer'));	166	throw new OIDplusException(_L('Wrong answer'));
158	} else if (!file_exists($open_trans_file)) {	167	} else if (!file_exists($open_trans_file)) {
159	throw new OIDplusException(_L('Challenge submitted twice or transaction missing'));	168	throw new OIDplusException(_L('Challenge submitted twice or transaction missing'));
160	} else {	169	} else {
161	@unlink($open_trans_file);	170	@unlink($open_trans_file);
162	}	171	}
163	}	172	}
164		173
165	/**	174	/**
166	* @return string	175	* @return string
167	*/	176	*/
168	public static function setupHTML(): string {	177	public static function setupHTML(): string {
169	return '<div id="CAPTCHAPLUGIN_PARAMS_VtsClientChallenge">'.	178	return '<div id="CAPTCHAPLUGIN_PARAMS_VtsClientChallenge">'.
170	'<p>'._L('ViaThinkSoft Client Challenge lets the client computer solve a cryptographic problem instead of letting the user solve a CAPTCHA. This slows down brute-force attacks.').'</p>'.	179	'<p>'._L('ViaThinkSoft Client Challenge lets the client computer solve a cryptographic problem instead of letting the user solve a CAPTCHA. This slows down brute-force attacks.').'</p>'.
171	'</div>';	180	'</div>';
172	}	181	}
173		182
174	}	183	}
175		184