Subversion Repositories oidplus

Rev

Rev 458 | Go to most recent revision | Blame | Last modification | View Log | RSS feed

  1. <?php
  2.  
  3. /*
  4.  * OIDplus 2.0
  5.  * Copyright 2020 Daniel Marschall, ViaThinkSoft
  6.  *
  7.  * Licensed under the Apache License, Version 2.0 (the "License");
  8.  * you may not use this file except in compliance with the License.
  9.  * You may obtain a copy of the License at
  10.  *
  11.  *     http://www.apache.org/licenses/LICENSE-2.0
  12.  *
  13.  * Unless required by applicable law or agreed to in writing, software
  14.  * distributed under the License is distributed on an "AS IS" BASIS,
  15.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16.  * See the License for the specific language governing permissions and
  17.  * limitations under the License.
  18.  */
  19.  
  20. class OIDplusAuthPluginPhpGenericSaltedHex extends OIDplusAuthPlugin {
  21.  
  22.         public function verify(OIDplusRAAuthInfo $authInfo, $check_password) {
  23.                 @list($s_authmethod, $s_authkey) = explode('#', $authKey, 2);
  24.  
  25.                 $authKey = $authInfo->getAuthKey();
  26.                 $salt = $authInfo->getSalt();
  27.  
  28.                 if ($s_authmethod == 'A1a') {
  29.                         // This auth method can be used by you if you migrate users from another software solution into OIDplus
  30.                         // A1a#hashalgo:X with X being H(salt+password) in hex-notation
  31.                         // Attention: With some hash algorithms, prepending the salt makes it vulnerable against length-extension-attacks
  32.                         $hashalgo = explode(':', $s_authkey, 2)[0];
  33.                         $calc_authkey = $hashalgo.':'.hash($hashalgo, $salt.$check_password);
  34.                 } else if ($s_authmethod == 'A1b') {
  35.                         // This auth method can be used by you if you migrate users from another software solution into OIDplus
  36.                         // A1b#hashalgo:X with X being H(password+salt) in hex-notation
  37.                         $hashalgo = explode(':', $s_authkey, 2)[0];
  38.                         $calc_authkey = $hashalgo.':'.hash($hashalgo, $check_password.$salt);
  39.                 } else if ($s_authmethod == 'A1c') {
  40.                         // This auth method can be used by you if you migrate users from another software solution into OIDplus
  41.                         // A1c#hashalgo:X with X being H(salt+password+salt) in hex-notation
  42.                         $hashalgo = explode(':', $s_authkey, 2)[0];
  43.                         $calc_authkey = $hashalgo.':'.hash($hashalgo, $salt.$check_password.$salt);
  44.                 } else if ($s_authmethod == 'A1d') {
  45.                         // This auth method can be used by you if you migrate users from another software solution into OIDplus
  46.                         // A1d#hashalgo:X with X being H_HMAC(password,salt) in hex-notation
  47.                         $hashalgo = explode(':', $s_authkey, 2)[0];
  48.                         $calc_authkey = $hashalgo.':'.hash_hmac($hashalgo, $check_password, $salt);
  49.                 } else {
  50.                         // Invalid auth code
  51.                         return false;
  52.                 }
  53.  
  54.                 return hash_equals($calc_authkey, $s_authkey);
  55.         }
  56.  
  57.         public function generate($password): OIDplusRAAuthInfo {
  58.                 $preferred_hash_algos = array(
  59.                     // sorted by priority
  60.                     'sha3-512',
  61.                     'sha3-384',
  62.                     'sha3-256',
  63.                     'sha3-224',
  64.                     'sha512',
  65.                     'sha512/256',
  66.                     'sha512/224',
  67.                     'sha384',
  68.                     'sha256',
  69.                     'sha224',
  70.                     'sha1',
  71.                     'md5'
  72.                 );
  73.                 $algos = hash_algos();
  74.                 $hashalgo = null;
  75.                 foreach ($preferred_hash_algos as $a) {
  76.                         if (in_array($a, $algos)) {
  77.                                 $hashalgo = $a;
  78.                                 break;
  79.                         }
  80.                 }
  81.                 if (is_null($hashalgo)) {
  82.                         throw new OIDplusException(_L('No fitting hash algorithm found'));
  83.                 }
  84.                 $s_salt = bin2hex(OIDplusAuthUtils::getRandomBytes(50)); // DB field ra.salt is limited to 100 chars (= 50 bytes)
  85.                 $calc_authkey = 'A1c#'.$hashalgo.':'.hash($hashalgo, $s_salt.$password.$s_salt);
  86.                 return array($s_salt, $calc_authkey);
  87.         }
  88.  
  89. }
  90.