diff --git a/libraries/auth/swekey/authentication.inc.php b/libraries/auth/swekey/authentication.inc.php
index d1f787523..ea23393df 100644
--- a/libraries/auth/swekey/authentication.inc.php
+++ b/libraries/auth/swekey/authentication.inc.php
@@ -8,45 +8,64 @@ function Swekey_Plugin() { try - { + { if (g_SwekeyPlugin != null) return g_SwekeyPlugin; - + if (window.ActiveXObject) { - g_SwekeyPlugin = new ActiveXObject("FbAuthAx.FbAuthCtl") + g_SwekeyPlugin = document.getElementById("swekey_activex"); + if (g_SwekeyPlugin == null) + { + // we must create the activex that way instead of new ActiveXObject("FbAuthAx.FbAuthCtl"); + // ortherwise SetClientSite is not called and we can not get the url + var div = document.createElement('div'); + div.innerHTML=''; + + // Never append to the body because it may still loading and it breaks IE + document.body.insertBefore(div, document.body.firstChild); + g_SwekeyPlugin = document.getElementById("swekey_activex"); + } return g_SwekeyPlugin; } - - g_SwekeyPlugin = document.embeds["script_generated_swekey_plugin"]; + + g_SwekeyPlugin = document.getElementById("swekey_plugin"); if (g_SwekeyPlugin != null) return g_SwekeyPlugin; - for (x = 0; x < navigator.plugins.length; x ++) + for (i = 0; i < navigator.plugins.length; i ++) { try { - if (navigator.plugins[x][0].type == "application/fbauth-plugin") + if (navigator.plugins[i] == null) + { + navigator.plugins.refresh(); + } + else if (navigator.plugins[i][0] != null && navigator.plugins[i][0].type == "application/fbauth-plugin") { var x = document.createElement('embed'); x.setAttribute('type', 'application/fbauth-plugin'); - x.setAttribute('id', 'script_generated_swekey_plugin'); + x.setAttribute('id', 'swekey_plugin'); x.setAttribute('width', '0'); x.setAttribute('height', '0'); - x.setAttribute('hidden', 'true'); - document.body.appendChild(x); - g_SwekeyPlugin = document.embeds["script_generated_swekey_plugin"]; + x.style.dislay='none'; + + //document.body.appendChild(x); + document.body.insertBefore(x, document.body.firstChild); + g_SwekeyPlugin = document.getElementById("swekey_plugin"); return g_SwekeyPlugin; } } catch (e) { + navigator.plugins.refresh(); + //alert ('Failed to create plugin: ' + e); } } } catch 
(e) { -// alert("Swekey_Plugin " + e); + //alert("Swekey_Plugin " + e); g_SwekeyPlugin = null; } return null; @@ -94,6 +113,40 @@ return ""; } + // ------------------------------------------------------------------- + // Ask the Connected Swekey to generate a OTP linked to the current https host + // id: The id of the connected Swekey (returne by Swekey_ListKeyIds()) + // rt: A random token + // return: The calculated OTP encoded in a 64 chars hexadecimal value. + // or "" if the current url does not start with https + function Swekey_GetLinkedOtp(id, rt) + { + try + { + return Swekey_Plugin().getlinkedotp(id, rt); + } + catch (e) + { +// alert("Swekey_GetSOtp " + e); + } + return ""; + } + + // ------------------------------------------------------------------- + // Calls Swekey_GetOtp or Swekey_GetLinkedOtp depending if we are in + // an https page or not. + // id: The id of the connected Swekey (returne by Swekey_ListKeyIds()) + // rt: A random token + // return: The calculated OTP encoded in a 64 chars hexadecimal value. + function Swekey_GetSmartOtp(id, rt) + { + var res = Swekey_GetLinkedOtp(id, rt); + if (res == "") + res = Swekey_GetOtp(id, rt); + + return res; + } + // ------------------------------------------------------------------- // Set a unplug handler (url) to the specified connected feebee // id: The id of the connected Swekey (returne by Swekey_ListKeyIds()) @@ -110,4 +163,5 @@ // alert("Swekey_SetUnplugUrl " + e); } } + diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php index 4663fef9b..a4203f45f 100644 --- a/libraries/auth/swekey/swekey.auth.lib.php +++ b/libraries/auth/swekey/swekey.auth.lib.php 
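Review bot: `x.style.dislay='none';` misspells the property, so the embed created in the plugin loop is no longer hidden at all — the same hunk drops the old `hidden` attribute, so this needs to be `x.style.display='none';`. The loop counter is also assigned as `i = 0` without `var` and leaks into the global scope; `for (var i = 0; i < navigator.plugins.length; i ++)` keeps it local. In the ActiveX branch `div.innerHTML=''` as shown inserts nothing, which leaves the following `getElementById("swekey_activex")` null; if the object markup was lost in rendering this is worth confirming against the file. Swekey_Plugin's signature sits above the hunk.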
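Review bot: Swekey_GetSmartOtp cannot distinguish a non-https page from a plugin failure, because Swekey_GetLinkedOtp also returns "" from its catch block, so any exception in getlinkedotp silently downgrades to the unlinked Swekey_GetOtp while the header comment documents only the https case. Either extend the comment to say the catch path yields "" too, or gate the fallback on the page scheme so a failure on https fails closed: `if (res == "" && window.location.protocol != "https:") res = Swekey_GetOtp(id, rt);`. The commented-out alert in Swekey_GetLinkedOtp names `Swekey_GetSOtp` rather than the function it is in.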
@@ -30,7 +30,7 @@ function Swekey_auth_check() } // Set default values for settings - if (isset($_SESSION['SWEKEY']['CONF_SERVER_CHECK'])) + if (! isset($_SESSION['SWEKEY']['CONF_SERVER_CHECK'])) $_SESSION['SWEKEY']['CONF_SERVER_CHECK'] = ""; if (! isset($_SESSION['SWEKEY']['CONF_SERVER_RNDTOKEN'])) $_SESSION['SWEKEY']['CONF_SERVER_RNDTOKEN'] = ""; @@ -39,7 +39,7 @@ function Swekey_auth_check() if (! isset($_SESSION['SWEKEY']['CONF_CA_FILE'])) $_SESSION['SWEKEY']['CONF_CA_FILE'] = ""; if (! isset($_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE'])) - $_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE'] = false; + $_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE'] = true; if (! isset($_SESSION['SWEKEY']['CONF_DEBUG'])) $_SESSION['SWEKEY']['CONF_DEBUG'] = false; } @@ -92,7 +92,7 @@ function Swekey_auth_error() { if (key != Swekey_GetValidKey()) { - window.location.search = ""; + window.location.search = "?swekey_reset"; } else setTimeout("timedCheck()",1000); @@ -127,9 +127,12 @@ function Swekey_auth_error() // if (file_exists($caFile)) // echo "\n"; } + if (file_exists($caFile)) Swekey_SetCAFile($caFile); - + else if (! empty($caFile) && (substr($_SESSION['SWEKEY']['CONF_SERVER_CHECK'], 0, 8) == "https://")) + return "Internal Error: CA File $caFile not found"; + $result = null; parse_str($_SERVER['QUERY_STRING']); if (isset($swekey_id)) { @@ -181,9 +184,7 @@ function Swekey_auth_error() var url = "" + window.location; if (url.indexOf("?") > 0) url = url.substr(0, url.indexOf("?")); - if (url.lastIndexOf("/") > 0) - url = url.substr(0, url.lastIndexOf("/")); - Swekey_SetUnplugUrl(key, "pma_login", url + "/libraries/auth/swekey/unplugged.php?session_to_unset="); + Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset="); var otp = Swekey_GetOtp(key, ); window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp; } 
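Review bot: The new `return "Internal Error: CA File $caFile not found";` in the CA-file hunk puts a server-side filesystem path into a message that Swekey_auth_error hands back for display. Log the path with `error_log()` and return a message without it, e.g. `return "Internal Error: CA file not found";`. The `substr(...) == "https://"` test could use `===` for consistency with the surrounding `! isset` fixes. Swekey_auth_error's body continues outside the hunk.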
@@ -218,7 +219,7 @@ function Swekey_login($input_name, $input_go) ?> function open_swekey_site() { - window.open("http://www.swekey.com?promo=pma"); + window.open("http://phpmyadmin.net/auth_key"); } var input_username = document.getElementById(""); @@ -249,4 +250,22 @@ function Swekey_login($input_name, $input_go) echo ''; } } + +if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) +{ + parse_str($_SERVER['QUERY_STRING']); + session_write_close(); + session_id($session_to_unset); + session_start(); + $_SESSION = array(); + session_write_close(); + session_destroy(); + exit; +} + +if (isset($_GET['swekey_reset'])) +{ + unset($_SESSION['SWEKEY']); +} + ?> diff --git a/libraries/auth/swekey/swekey.php b/libraries/auth/swekey/swekey.php index 94fb2b8eb..eb23f73ad 100644 --- a/libraries/auth/swekey/swekey.php +++ b/libraries/auth/swekey/swekey.php @@ -61,7 +61,7 @@ global $gSwekeyCA; global $gSwekeyTokenCacheEnabled; if (! isset($gSwekeyTokenCacheEnabled)) - $gSwekeyTokenCacheEnabled = false; + $gSwekeyTokenCacheEnabled = true; /** * Change the address of the Check server. @@ -185,7 +185,7 @@ function Swekey_HttpGet($url, &$response_code) if (substr($url, 0, 8) == "https://") { global $gSwekeyCA; - $caFileOk = false; + if (! empty($gSwekeyCA)) { if (file_exists($gSwekeyCA)) @@ -199,17 +199,8 @@ function Swekey_HttpGet($url, &$response_code) error_log("SWEKEY_ERROR:Could not find CA file $gSwekeyCA getting $url"); } - if ($caFileOk) - { - curl_setopt($sess, CURLOPT_SSL_VERIFYHOST, '1'); - curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, '1'); - } - else - { - curl_setopt($sess, CURLOPT_SSL_VERIFYHOST, '0'); - curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, '0'); - } - + curl_setopt($sess, CURLOPT_SSL_VERIFYHOST, '2'); + curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, '2'); curl_setopt($sess, CURLOPT_CONNECTTIMEOUT, '20'); curl_setopt($sess, CURLOPT_TIMEOUT, '20'); } 
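Review bot: The new `session_to_unset` block lets any request that names a session id destroy that session: the id comes from the raw query string through `parse_str()` with no second argument (it extracts variables into the current scope, so `?session_to_unset` with no value still sets an empty string), nothing ties it to the caller, and the block runs at file level on every include of the library. Read it from `$_GET`, reject anything outside the characters PHP allows in a session id before it reaches `session_id()`, and if the plugin can carry one, bind the unplug callback to a per-session secret rather than the bare session id. `strstr(...) != false` is a loose comparison on a string; `isset($_GET['session_to_unset'])` says what is meant. The `swekey_reset` branch likewise clears `$_SESSION['SWEKEY']` on any GET a cross-site link can trigger; if that state matters, require a POST or a token there too.
```php
if (isset($_GET['session_to_unset']))
{
    $session_to_unset = $_GET['session_to_unset'];
    // only the character set PHP itself accepts for a session id (constructed pattern, adjust to the configured sid settings)
    if (! preg_match('/^[A-Za-z0-9,-]{1,256}$/', $session_to_unset))
    {
        exit;
    }
    session_write_close();
    session_id($session_to_unset);
    // … unchanged: session_start / clear $_SESSION / destroy / exit …
}
```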
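Review bot: `curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, '2');` only works because the string is truthy; the option is a boolean, so write `curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, true);` (VERIFYHOST 2 is the correct strict value). Removing the `$caFileOk` branches is the right fix, since a missing CA file no longer switches verification off, but the block above it still only `error_log`s when the configured file is absent and then carries on, presumably with curl's default bundle; a comment stating that, or returning an error at that point, would make the intent explicit. Swekey_HttpGet continues outside the hunk.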
@@ -350,7 +341,10 @@ function Swekey_GetHalfRndToken() */ function Swekey_GetFastHalfRndToken() { + global $gSwekeyTokenCacheEnabled; + $res = ""; + $cachefile = ""; // We check if we have a valid RT is the session if (isset($_SESSION['rnd-token-date'])) @@ -360,14 +354,15 @@ function Swekey_GetFastHalfRndToken() // If not we try to get it from a temp file (PHP >= 5.2.1 only) if (strlen($res) != 32 && $gSwekeyTokenCacheEnabled) { - if (function_exists('sys_get_temp_dir') ) + if (function_exists('sys_get_temp_dir')) { $tempdir = sys_get_temp_dir(); - $modif = filemtime($tempdir."/swekey-rnd-token"); + $cachefile = $tempdir."/swekey-rnd-token-".get_current_user(); + $modif = filemtime($cachefile); if ($modif != false) - if (time() - $modif < 30) + if (time() - $modif < 30) { - $res = @file_get_contents($tempdir."/swekey-rnd-token"); + $res = @file_get_contents($cachefile); if (strlen($res) != 32) $res = ""; else @@ -378,23 +373,22 @@ function Swekey_GetFastHalfRndToken() } } } - + // If we don't have a valid RT here we have to get it from the server if (strlen($res) != 32) { $res = substr(Swekey_GetHalfRndToken(), 0, 32); $_SESSION['rnd-token'] = $res; $_SESSION['rnd-token-date'] = time(); - if (isset($tempdir)) + if (! empty($cachefile)) { // we unlink the file so no possible tempfile race attack (thanks Thijs) - unlink($tempdir."/swekey-rnd-token"); - $file = fopen ($tempdir."/swekey-rnd-token" , "x"); + unlink($cachefile); + $file = fopen($cachefile , "x"); if ($file != FALSE) { @fwrite($file, $res); @fclose($file); - chmod($tempdir."/swekey-rnd-token", 0666); // it is a shared file everybody can read and write it } } } 
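Review bot: `$modif = filemtime($cachefile);` in the second hunk and `unlink($cachefile);` in the third run without an existence check and, unlike the neighbouring `@file_get_contents`/`@fwrite`, emit a warning whenever the cache file does not exist yet; guard both with `if (is_file($cachefile))`. The per-user file name built from `get_current_user()` uses the owner of the running script, not the uid the PHP process runs under, so if dropping the `chmod 0666` was meant to isolate users sharing a temp directory, confirm that is the intended key and say so in the comment. A false return from `fopen($cachefile, "x")` — for instance because a file with that predictable name already exists in the shared temp directory — is silently ignored, which is acceptable for a cache but deserves a one-line comment. Swekey_GetFastHalfRndToken appears to continue past the last hunk.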
@@ -444,8 +438,7 @@ define ("SWEKEY_STATUS_OK",0); define ("SWEKEY_STATUS_NOT_FOUND",1); // The key does not exist in the db define ("SWEKEY_STATUS_INACTIVE",2); // The key has never been activated define ("SWEKEY_STATUS_LOST",3); // The user has lost his key -define ("SWEKEY_STATUS_STOLLEN",4); // The key was stollen -define ("SWEKEY_STATUS_STOLEN",4); // The key was stollen +define ("SWEKEY_STATUS_STOLEN",4); // The key was stolen define ("SWEKEY_STATUS_FEE_DUE",5); // The annual fee was not paid define ("SWEKEY_STATUS_OBSOLETE",6); // The hardware is no longer supported define ("SWEKEY_STATUS_UNKOWN",201); // We could not connect to the authentication server @@ -474,7 +467,7 @@ function Swekey_GetStatusStr($status) case SWEKEY_STATUS_NOT_FOUND : return 'Key does not exist in the db'; case SWEKEY_STATUS_INACTIVE : return 'Key not activated'; case SWEKEY_STATUS_LOST : return 'Key was lost'; - case SWEKEY_STATUS_STOLLEN : return 'Key was stollen'; + case SWEKEY_STATUS_STOLEN : return 'Key was stolen'; case SWEKEY_STATUS_FEE_DUE : return 'The annual fee was not paid'; case SWEKEY_STATUS_OBSOLETE : return 'Key no longer supported'; case SWEKEY_STATUS_REPLACED : return 'This key has been replaced by a backup key'; diff --git a/libraries/auth/swekey/unplugged.php b/libraries/auth/swekey/unplugged.php deleted file mode 100644 index 504476b56..000000000 --- a/libraries/auth/swekey/unplugged.php +++ /dev/null @@ -1,9 +0,0 @@ -