nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

swekey patch 7

Browse Source
This commit is contained in:
Marc Delisle
2008-10-08 16:56:55 +00:00
parent f2c9af09e3
commit 19f448af24
4 changed files with 111 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
libraries/auth/swekey/authentication.inc.php
View File

@@ -8,45 +8,64 @@
function Swekey_Plugin() function Swekey_Plugin()
{ {
try try
{ {
if (g_SwekeyPlugin != null) if (g_SwekeyPlugin != null)
return g_SwekeyPlugin; return g_SwekeyPlugin;
if (window.ActiveXObject) if (window.ActiveXObject)
{ {
g_SwekeyPlugin = new ActiveXObject("FbAuthAx.FbAuthCtl") g_SwekeyPlugin = document.getElementById("swekey_activex");
if (g_SwekeyPlugin == null)
{
// we must create the activex that way instead of new ActiveXObject("FbAuthAx.FbAuthCtl");
// ortherwise SetClientSite is not called and we can not get the url
var div = document.createElement('div');
div.innerHTML='<object id="swekey_activex" style="display:none" CLASSID="CLSID:8E02E3F9-57AA-4EE1-AA68-A42DD7B0FADE"></object>';
// Never append to the body because it may still loading and it breaks IE
document.body.insertBefore(div, document.body.firstChild);
g_SwekeyPlugin = document.getElementById("swekey_activex");
}
return g_SwekeyPlugin; return g_SwekeyPlugin;
} }
g_SwekeyPlugin = document.embeds["script_generated_swekey_plugin"]; g_SwekeyPlugin = document.getElementById("swekey_plugin");
if (g_SwekeyPlugin != null) if (g_SwekeyPlugin != null)
return g_SwekeyPlugin; return g_SwekeyPlugin;
for (x = 0; x < navigator.plugins.length; x ++) for (i = 0; i < navigator.plugins.length; i ++)
{ {
try try
{ {
if (navigator.plugins[x][0].type == "application/fbauth-plugin") if (navigator.plugins[i] == null)
{
navigator.plugins.refresh();
}
else if (navigator.plugins[i][0] != null && navigator.plugins[i][0].type == "application/fbauth-plugin")
{ {
var x = document.createElement('embed'); var x = document.createElement('embed');
x.setAttribute('type', 'application/fbauth-plugin'); x.setAttribute('type', 'application/fbauth-plugin');
x.setAttribute('id', 'script_generated_swekey_plugin'); x.setAttribute('id', 'swekey_plugin');
x.setAttribute('width', '0'); x.setAttribute('width', '0');
x.setAttribute('height', '0'); x.setAttribute('height', '0');
x.setAttribute('hidden', 'true'); x.style.dislay='none';
document.body.appendChild(x);
g_SwekeyPlugin = document.embeds["script_generated_swekey_plugin"]; //document.body.appendChild(x);
document.body.insertBefore(x, document.body.firstChild);
g_SwekeyPlugin = document.getElementById("swekey_plugin");
return g_SwekeyPlugin; return g_SwekeyPlugin;
} }
} }
catch (e) catch (e)
{ {
navigator.plugins.refresh();
//alert ('Failed to create plugin: ' + e);
} }
} }
} }
catch (e) catch (e)
{ {
// alert("Swekey_Plugin " + e); //alert("Swekey_Plugin " + e);
g_SwekeyPlugin = null; g_SwekeyPlugin = null;
} }
return null; return null;
@@ -94,6 +113,40 @@
return ""; return "";
} }
// -------------------------------------------------------------------
// Ask the Connected Swekey to generate a OTP linked to the current https host
// id: The id of the connected Swekey (returne by Swekey_ListKeyIds())
// rt: A random token
// return: The calculated OTP encoded in a 64 chars hexadecimal value.
// or "" if the current url does not start with https
function Swekey_GetLinkedOtp(id, rt)
{
try
{
return Swekey_Plugin().getlinkedotp(id, rt);
}
catch (e)
{
// alert("Swekey_GetSOtp " + e);
}
return "";
}
// -------------------------------------------------------------------
// Calls Swekey_GetOtp or Swekey_GetLinkedOtp depending if we are in
// an https page or not.
// id: The id of the connected Swekey (returne by Swekey_ListKeyIds())
// rt: A random token
// return: The calculated OTP encoded in a 64 chars hexadecimal value.
function Swekey_GetSmartOtp(id, rt)
{
var res = Swekey_GetLinkedOtp(id, rt);
if (res == "")
res = Swekey_GetOtp(id, rt);
return res;
}
// ------------------------------------------------------------------- // -------------------------------------------------------------------
// Set a unplug handler (url) to the specified connected feebee // Set a unplug handler (url) to the specified connected feebee
// id: The id of the connected Swekey (returne by Swekey_ListKeyIds()) // id: The id of the connected Swekey (returne by Swekey_ListKeyIds())
@@ -110,4 +163,5 @@
// alert("Swekey_SetUnplugUrl " + e); // alert("Swekey_SetUnplugUrl " + e);
} }
} }
</script> </script>

35
libraries/auth/swekey/swekey.auth.lib.php
View File

@@ -30,7 +30,7 @@ function Swekey_auth_check()
} }
// Set default values for settings // Set default values for settings
if (isset($_SESSION['SWEKEY']['CONF_SERVER_CHECK'])) if (! isset($_SESSION['SWEKEY']['CONF_SERVER_CHECK']))
$_SESSION['SWEKEY']['CONF_SERVER_CHECK'] = ""; $_SESSION['SWEKEY']['CONF_SERVER_CHECK'] = "";
if (! isset($_SESSION['SWEKEY']['CONF_SERVER_RNDTOKEN'])) if (! isset($_SESSION['SWEKEY']['CONF_SERVER_RNDTOKEN']))
$_SESSION['SWEKEY']['CONF_SERVER_RNDTOKEN'] = ""; $_SESSION['SWEKEY']['CONF_SERVER_RNDTOKEN'] = "";
@@ -39,7 +39,7 @@ function Swekey_auth_check()
if (! isset($_SESSION['SWEKEY']['CONF_CA_FILE'])) if (! isset($_SESSION['SWEKEY']['CONF_CA_FILE']))
$_SESSION['SWEKEY']['CONF_CA_FILE'] = ""; $_SESSION['SWEKEY']['CONF_CA_FILE'] = "";
if (! isset($_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE'])) if (! isset($_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE']))
$_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE'] = false; $_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE'] = true;
if (! isset($_SESSION['SWEKEY']['CONF_DEBUG'])) if (! isset($_SESSION['SWEKEY']['CONF_DEBUG']))
$_SESSION['SWEKEY']['CONF_DEBUG'] = false; $_SESSION['SWEKEY']['CONF_DEBUG'] = false;
} }
@@ -92,7 +92,7 @@ function Swekey_auth_error()
{ {
if (key != Swekey_GetValidKey()) if (key != Swekey_GetValidKey())
{ {
window.location.search = ""; window.location.search = "?swekey_reset";
} }
else else
setTimeout("timedCheck()",1000); setTimeout("timedCheck()",1000);
@@ -127,9 +127,12 @@ function Swekey_auth_error()
// if (file_exists($caFile)) // if (file_exists($caFile))
// echo "<!-- exists -->\n"; // echo "<!-- exists -->\n";
} }
if (file_exists($caFile)) if (file_exists($caFile))
Swekey_SetCAFile($caFile); Swekey_SetCAFile($caFile);
else if (! empty($caFile) && (substr($_SESSION['SWEKEY']['CONF_SERVER_CHECK'], 0, 8) == "https://"))
return "Internal Error: CA File $caFile not found";
$result = null; $result = null;
parse_str($_SERVER['QUERY_STRING']); parse_str($_SERVER['QUERY_STRING']);
if (isset($swekey_id)) { if (isset($swekey_id)) {
@@ -181,9 +184,7 @@ function Swekey_auth_error()
var url = "" + window.location; var url = "" + window.location;
if (url.indexOf("?") > 0) if (url.indexOf("?") > 0)
url = url.substr(0, url.indexOf("?")); url = url.substr(0, url.indexOf("?"));
if (url.lastIndexOf("/") > 0) Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset=<?php echo session_id();?>");
url = url.substr(0, url.lastIndexOf("/"));
Swekey_SetUnplugUrl(key, "pma_login", url + "/libraries/auth/swekey/unplugged.php?session_to_unset=<?php echo session_id();?>");
var otp = Swekey_GetOtp(key, <?php echo '"'.$_SESSION['SWEKEY']['RND_TOKEN'].'"';?>); var otp = Swekey_GetOtp(key, <?php echo '"'.$_SESSION['SWEKEY']['RND_TOKEN'].'"';?>);
window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp; window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp;
} }
@@ -218,7 +219,7 @@ function Swekey_login($input_name, $input_go)
?> ?>
function open_swekey_site() function open_swekey_site()
{ {
window.open("http://www.swekey.com?promo=pma"); window.open("http://phpmyadmin.net/auth_key");
} }
var input_username = document.getElementById("<?php echo $input_name; ?>"); var input_username = document.getElementById("<?php echo $input_name; ?>");
@@ -249,4 +250,22 @@ function Swekey_login($input_name, $input_go)
echo '</script>'; echo '</script>';
} }
} }
if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
{
parse_str($_SERVER['QUERY_STRING']);
session_write_close();
session_id($session_to_unset);
session_start();
$_SESSION = array();
session_write_close();
session_destroy();
exit;
}
if (isset($_GET['swekey_reset']))
{
unset($_SESSION['SWEKEY']);
}
?> ?>

43
libraries/auth/swekey/swekey.php
View File

@@ -61,7 +61,7 @@ global $gSwekeyCA;
global $gSwekeyTokenCacheEnabled; global $gSwekeyTokenCacheEnabled;
if (! isset($gSwekeyTokenCacheEnabled)) if (! isset($gSwekeyTokenCacheEnabled))
$gSwekeyTokenCacheEnabled = false; $gSwekeyTokenCacheEnabled = true;
/** /**
* Change the address of the Check server. * Change the address of the Check server.
@@ -185,7 +185,7 @@ function Swekey_HttpGet($url, &$response_code)
if (substr($url, 0, 8) == "https://") if (substr($url, 0, 8) == "https://")
{ {
global $gSwekeyCA; global $gSwekeyCA;
$caFileOk = false;
if (! empty($gSwekeyCA)) if (! empty($gSwekeyCA))
{ {
if (file_exists($gSwekeyCA)) if (file_exists($gSwekeyCA))
@@ -199,17 +199,8 @@ function Swekey_HttpGet($url, &$response_code)
error_log("SWEKEY_ERROR:Could not find CA file $gSwekeyCA getting $url"); error_log("SWEKEY_ERROR:Could not find CA file $gSwekeyCA getting $url");
} }
if ($caFileOk) curl_setopt($sess, CURLOPT_SSL_VERIFYHOST, '2');
{ curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, '2');
curl_setopt($sess, CURLOPT_SSL_VERIFYHOST, '1');
curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, '1');
}
else
{
curl_setopt($sess, CURLOPT_SSL_VERIFYHOST, '0');
curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, '0');
}
curl_setopt($sess, CURLOPT_CONNECTTIMEOUT, '20'); curl_setopt($sess, CURLOPT_CONNECTTIMEOUT, '20');
curl_setopt($sess, CURLOPT_TIMEOUT, '20'); curl_setopt($sess, CURLOPT_TIMEOUT, '20');
} }
@@ -350,7 +341,10 @@ function Swekey_GetHalfRndToken()
*/ */
function Swekey_GetFastHalfRndToken() function Swekey_GetFastHalfRndToken()
{ {
global $gSwekeyTokenCacheEnabled;
$res = ""; $res = "";
$cachefile = "";
// We check if we have a valid RT is the session // We check if we have a valid RT is the session
if (isset($_SESSION['rnd-token-date'])) if (isset($_SESSION['rnd-token-date']))
@@ -360,14 +354,15 @@ function Swekey_GetFastHalfRndToken()
// If not we try to get it from a temp file (PHP >= 5.2.1 only) // If not we try to get it from a temp file (PHP >= 5.2.1 only)
if (strlen($res) != 32 && $gSwekeyTokenCacheEnabled) if (strlen($res) != 32 && $gSwekeyTokenCacheEnabled)
{ {
if (function_exists('sys_get_temp_dir') ) if (function_exists('sys_get_temp_dir'))
{ {
$tempdir = sys_get_temp_dir(); $tempdir = sys_get_temp_dir();
$modif = filemtime($tempdir."/swekey-rnd-token"); $cachefile = $tempdir."/swekey-rnd-token-".get_current_user();
$modif = filemtime($cachefile);
if ($modif != false) if ($modif != false)
if (time() - $modif < 30) if (time() - $modif < 30)
{ {
$res = @file_get_contents($tempdir."/swekey-rnd-token"); $res = @file_get_contents($cachefile);
if (strlen($res) != 32) if (strlen($res) != 32)
$res = ""; $res = "";
else else
@@ -378,23 +373,22 @@ function Swekey_GetFastHalfRndToken()
} }
} }
} }
// If we don't have a valid RT here we have to get it from the server // If we don't have a valid RT here we have to get it from the server
if (strlen($res) != 32) if (strlen($res) != 32)
{ {
$res = substr(Swekey_GetHalfRndToken(), 0, 32); $res = substr(Swekey_GetHalfRndToken(), 0, 32);
$_SESSION['rnd-token'] = $res; $_SESSION['rnd-token'] = $res;
$_SESSION['rnd-token-date'] = time(); $_SESSION['rnd-token-date'] = time();
if (isset($tempdir)) if (! empty($cachefile))
{ {
// we unlink the file so no possible tempfile race attack (thanks Thijs) // we unlink the file so no possible tempfile race attack (thanks Thijs)
unlink($tempdir."/swekey-rnd-token"); unlink($cachefile);
$file = fopen ($tempdir."/swekey-rnd-token" , "x"); $file = fopen($cachefile , "x");
if ($file != FALSE) if ($file != FALSE)
{ {
@fwrite($file, $res); @fwrite($file, $res);
@fclose($file); @fclose($file);
chmod($tempdir."/swekey-rnd-token", 0666); // it is a shared file everybody can read and write it
} }
} }
} }
@@ -444,8 +438,7 @@ define ("SWEKEY_STATUS_OK",0);
define ("SWEKEY_STATUS_NOT_FOUND",1); // The key does not exist in the db define ("SWEKEY_STATUS_NOT_FOUND",1); // The key does not exist in the db
define ("SWEKEY_STATUS_INACTIVE",2); // The key has never been activated define ("SWEKEY_STATUS_INACTIVE",2); // The key has never been activated
define ("SWEKEY_STATUS_LOST",3); // The user has lost his key define ("SWEKEY_STATUS_LOST",3); // The user has lost his key
define ("SWEKEY_STATUS_STOLLEN",4); // The key was stollen define ("SWEKEY_STATUS_STOLEN",4); // The key was stolen
define ("SWEKEY_STATUS_STOLEN",4); // The key was stollen
define ("SWEKEY_STATUS_FEE_DUE",5); // The annual fee was not paid define ("SWEKEY_STATUS_FEE_DUE",5); // The annual fee was not paid
define ("SWEKEY_STATUS_OBSOLETE",6); // The hardware is no longer supported define ("SWEKEY_STATUS_OBSOLETE",6); // The hardware is no longer supported
define ("SWEKEY_STATUS_UNKOWN",201); // We could not connect to the authentication server define ("SWEKEY_STATUS_UNKOWN",201); // We could not connect to the authentication server
@@ -474,7 +467,7 @@ function Swekey_GetStatusStr($status)
case SWEKEY_STATUS_NOT_FOUND : return 'Key does not exist in the db'; case SWEKEY_STATUS_NOT_FOUND : return 'Key does not exist in the db';
case SWEKEY_STATUS_INACTIVE : return 'Key not activated'; case SWEKEY_STATUS_INACTIVE : return 'Key not activated';
case SWEKEY_STATUS_LOST : return 'Key was lost'; case SWEKEY_STATUS_LOST : return 'Key was lost';
case SWEKEY_STATUS_STOLLEN : return 'Key was stollen'; case SWEKEY_STATUS_STOLEN : return 'Key was stolen';
case SWEKEY_STATUS_FEE_DUE : return 'The annual fee was not paid'; case SWEKEY_STATUS_FEE_DUE : return 'The annual fee was not paid';
case SWEKEY_STATUS_OBSOLETE : return 'Key no longer supported'; case SWEKEY_STATUS_OBSOLETE : return 'Key no longer supported';
case SWEKEY_STATUS_REPLACED : return 'This key has been replaced by a backup key'; case SWEKEY_STATUS_REPLACED : return 'This key has been replaced by a backup key';

9
libraries/auth/swekey/unplugged.php
View File

@@ -1,9 +0,0 @@
<?php
// This url is triggered when a swekey is unplugged
parse_str($_SERVER['QUERY_STRING']);
session_id($session_to_unset);
session_start();
session_unset();
?>