nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

latest Swekey fixes

Browse Source
This commit is contained in:
Marc Delisle
2008-09-06 12:41:34 +00:00
parent 737de47117
commit 930ee57a1c
7 changed files with 446 additions and 182 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config.sample.inc.php
View File

@@ -54,7 +54,7 @@ $cfg['Servers'][$i]['bs_temp_log_threshold'] = '';
// $cfg['Servers'][$i]['history'] = 'pma_history'; // $cfg['Servers'][$i]['history'] = 'pma_history';
// $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords'; // $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';
/* Contrib / Swekey authentication */ /* Contrib / Swekey authentication */
// $cfg['Servers'][$i]['auth_swekey_config'] = './swekey.conf'; // $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
/* /*
* End of servers configuration * End of servers configuration

35
contrib/swekey.sample.conf
View File

@@ -1,12 +1,12 @@
# This is a typical file used to enable Swekey hardware authentication. # This is a typical file used to enable Swekey hardware authentication.
# #
# To activate the Swekey authentication add the following line in your config.inc.php file. # To activate the Swekey authentication add the following line in your config.inc.php file.
# $cfg['Servers'][$i]['auth_swekey_config'] = './swekey.conf'; # $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
# Then rename this file "swekey.conf" and copy it next to your config.inc.php file. # Then rename this file "swekey-pma.conf" and copy it in the /etc directory.
# Add all the Swekey ids you want to grant access to in the file. # Add all the Swekey ids you want to grant access to in the file.
# After each Swekey id put the corresponding user. # After each Swekey id put the corresponding user.
# #
# If you don't know the id of a Swekey just go on the http://auth-sample.musbe.com # If you don't know the id of a Swekey just go on the http://www.swekey.com?sel=support
# page while your Swekey is connected. # page while your Swekey is connected.
# #
# If you need to purchase a Swekey please visit http://phpmyadmin.net/auth_key # If you need to purchase a Swekey please visit http://phpmyadmin.net/auth_key
@@ -17,8 +17,29 @@
000000000000000000000000000089E4:steve 000000000000000000000000000089E4:steve
0000000000000000000000000000231E:scott 0000000000000000000000000000231E:scott
# You can also uncomment the following lines if you want to use custom authentication servers #
# Include following lines if you want to use authentication servers in ssl mode.
# Authentication is slower but more secure.
#
#SERVER_CHECK=http://auth-check.musbe.net SERVER_CHECK=https://auth-check-ssl.musbe.net
#SERVER_RNDTOKEN=http://auth-rnd-gen.musbe.net SERVER_RNDTOKEN=https://auth-rnd-gen-ssl.musbe.net
#SERVER_STATUS=http://auth-status.musbe.net SERVER_STATUS=https://auth-status-ssl.musbe.net
#
# In case of you want to use https servers you can set the path of the root certificate file
#
#CA_FILE=/var/http-root/phpmyadmin/libraries/auth/swekey/musbe-ca.crt
#
# If your sever receive lot of login requests, you can enable the random token caching to
# accelerate the authentication process.
# This is disabled by default because the cache file having full public access is vulnerable to
# a deny of service attack.
# You can enable it when your server is running in a secure environment.
#
#ENABLE_TOKEN_CACHE=1

35
libraries/auth/cookie.auth.lib.php
View File

@@ -222,31 +222,6 @@ if (top != self) {
PMA_select_language(true, false); PMA_select_language(true, false);
} }
// BEGIN Swekey Integration
$swekeyErr = Swekey_auth_error();
if ($swekeyErr != null) {
PMA_Message::error($swekeyErr)->display();
if ($GLOBALS['error_handler']->hasDisplayErrors()) {
echo '<div>';
$GLOBALS['error_handler']->dispErrors();
echo '</div>';
}
echo '</div>' . "\n";
if (file_exists('./config.footer.inc.php')) {
require './config.footer.inc.php';
}
echo '</body></html>';
exit;
}
if (isset($_SESSION['PHP_AUTH_FORCE_USER'])) {
$default_user = $_SESSION['PHP_AUTH_FORCE_USER'];
$user_input_disabled = 'readonly="readonly"';
} else {
$user_input_disabled = '';
}
// END Swekey Integration
?> ?>
<br /> <br />
<!-- Login form --> <!-- Login form -->
@@ -268,7 +243,7 @@ if (top != self) {
<?php } ?> <?php } ?>
<div class="item"> <div class="item">
<label for="input_username"><?php echo $GLOBALS['strLogUsername']; ?></label> <label for="input_username"><?php echo $GLOBALS['strLogUsername']; ?></label>
<input type="text" name="pma_username" id="input_username" value="<?php echo htmlspecialchars($default_user); ?>" size="24" class="textfield" <?php echo $user_input_disabled; ?>/> <input type="text" name="pma_username" id="input_username" value="" size="24" class="textfield"/>
</div> </div>
<div class="item"> <div class="item">
<label for="input_password"><?php echo $GLOBALS['strLogPassword']; ?></label> <label for="input_password"><?php echo $GLOBALS['strLogPassword']; ?></label>
@@ -296,7 +271,7 @@ if (top != self) {
?> ?>
</fieldset> </fieldset>
<fieldset class="tblFooters"> <fieldset class="tblFooters">
<input value="<?php echo $GLOBALS['strGo']; ?>" type="submit" /> <input value="<?php echo $GLOBALS['strGo']; ?>" type="submit" id="input_go" />
<?php <?php
$_form_params = array(); $_form_params = array();
if (! empty($GLOBALS['target'])) { if (! empty($GLOBALS['target'])) {
@@ -314,7 +289,13 @@ if (top != self) {
?> ?>
</fieldset> </fieldset>
</form> </form>
<?php <?php
// BEGIN Swekey Integration
Swekey_login('input_username', 'input_go');
// END Swekey Integration
// show the "Cookies required" message only if cookies are disabled // show the "Cookies required" message only if cookies are disabled
// (we previously tried to set some cookies) // (we previously tried to set some cookies)
if (empty($_COOKIE)) { if (empty($_COOKIE)) {

140
libraries/auth/swekey/authentication.inc.php
View File

@@ -1,52 +1,91 @@
<?php
<script>
?> var g_SwekeyPlugin = null;
<embed type="application/fbauth-plugin" width=1 height=1 hidden="true" id="fbauth"><br>
<script> // -------------------------------------------------------------------
var glob_SwekeyPlugin = document.embeds["fbauth"]; // Create the swekey plugin if it does not exists
var glob_ValidSwekeyId; function Swekey_Plugin()
var glob_ValidSwekeyOtp; {
try
{
if (g_SwekeyPlugin != null)
return g_SwekeyPlugin;
if (window.ActiveXObject)
{
g_SwekeyPlugin = new ActiveXObject("FbAuthAx.FbAuthCtl")
return g_SwekeyPlugin;
}
g_SwekeyPlugin = document.embeds["script_generated_swekey_plugin"];
if (g_SwekeyPlugin != null)
return g_SwekeyPlugin;
for (x = 0; x < navigator.plugins.length; x ++)
{
try
{
if (navigator.plugins[x][0].type == "application/fbauth-plugin")
{
var x = document.createElement('embed');
x.setAttribute('type', 'application/fbauth-plugin');
x.setAttribute('id', 'script_generated_swekey_plugin');
x.setAttribute('width', '0');
x.setAttribute('height', '0');
x.setAttribute('hidden', 'true');
document.body.appendChild(x);
g_SwekeyPlugin = document.embeds["script_generated_swekey_plugin"];
return g_SwekeyPlugin;
}
}
catch (e)
{
}
}
}
catch (e)
{
// alert("Swekey_Plugin " + e);
g_SwekeyPlugin = null;
}
return null;
}
// -------------------------------------------------------------------
// Returns true if the swekey plugin is installed
function Swekey_Installed()
{
return (Swekey_Plugin() != null);
}
// ------------------------------------------------------------------- // -------------------------------------------------------------------
// List the id of the Swekey connected to the PC // List the id of the Swekey connected to the PC
// Returns a string containing comma separated Swekey Ids // Returns a string containing comma separated Swekey Ids
// A Swekey id is a 32 char hexadecimal value. // A Swekey is a 32 char hexadecimal value.
function Swekey_ListKeyIds() function Swekey_ListKeyIds()
{ {
try try
{ {
if (window.ActiveXObject) return Swekey_Plugin().list();
{
var x = new ActiveXObject("FbAuthAx.FbAuthCtl");
return x.list();
}
else
return glob_SwekeyPlugin.list();
} }
catch (e) catch (e)
{ {
// alert("Swekey_ListKeyIds" + e); // alert("Swekey_ListKeyIds " + e);
} }
return ""; return "";
} }
// ------------------------------------------------------------------- // -------------------------------------------------------------------
// Ask the Connected Swekey to generate an OTP // Ask the Connected Swekey to generate an OTP
// fbid: The id of the connected Swekey (returne by Swekey_ListKeyIds()) // id: The id of the connected Swekey (returne by Swekey_ListKeyIds())
// rt: A random token // rt: A random token
// return: The calculated OTP encoded in a 64 chars hexadecimal value. // return: The calculated OTP encoded in a 64 chars hexadecimal value.
function Swekey_GetOtp(fbid, rt) function Swekey_GetOtp(id, rt)
{ {
try try
{ {
if (window.ActiveXObject) return Swekey_Plugin().getotp(id, rt);
{
var x = new ActiveXObject("FbAuthAx.FbAuthCtl");
return x.getotp(fbid, rt);
}
else
return glob_SwekeyPlugin.getotp(fbid, rt);
} }
catch (e) catch (e)
{ {
@@ -56,60 +95,19 @@
} }
// ------------------------------------------------------------------- // -------------------------------------------------------------------
// Set a unplug handler (url) to the specified connected swekey // Set a unplug handler (url) to the specified connected feebee
// fbid: The id of the connected Swekey (returne by Swekey_ListKeyIds()) // id: The id of the connected Swekey (returne by Swekey_ListKeyIds())
// key: The key that index that url, (aplhanumeric values only) // key: The key that index that url, (aplhanumeric values only)
// url: The url that will be launched ("" deletes the url) // url: The url that will be launched ("" deletes the url)
function Swekey_SetUnplugUrl(fbid, key, url) function Swekey_SetUnplugUrl(id, key, url)
{ {
try try
{ {
if (window.ActiveXObject) return Swekey_Plugin().setunplugurl(id, key, url);
{
var x = new ActiveXObject("FbAuthAx.FbAuthCtl");
return x.setunplugurl(fbid, key, url);
}
else
return glob_SwekeyPlugin.setunplugurl(fbid, key, url);
} }
catch (e) catch (e)
{ {
// alert("Swekey_SetUnplugUrl " + e); // alert("Swekey_SetUnplugUrl " + e);
} }
} }
</script>
// -------------------------------------------------------------------
// Return a valid connected key id
function Swekey_GetValidKey()
{
var valids = <?php echo '"'.$_SESSION['PHP_AUTH_VALID_SWEKEYS'].'"';?>;
var connected_keys = Swekey_ListKeyIds().split(",");
for (i in connected_keys)
if (connected_keys[i] != null && connected_keys[i].length == 32)
if (valids.indexOf(connected_keys[i]) >= 0)
return connected_keys[i];
return "none";
}
// -------------------------------------------------------------------
// Return a valid connected key id
function Swekey_GetOtpFromValidKey()
{
var key = Swekey_GetValidKey();
if (key.length != 32)
return "";
var url = "" + window.location;
if (url.indexOf("?") > 0)
url = url.substr(0, url.indexOf("?"));
if (url.lastIndexOf("/") > 0)
url = url.substr(0, url.lastIndexOf("/"));
Swekey_SetUnplugUrl(key, "pma_login", url + "/libraries/auth/swekey/unplugged.php?session_to_unset=<?php echo session_id();?>");
return Swekey_GetOtp(key, <?php echo '"'.$_SESSION['PHP_AUTH_SWEKEY_RND_TOKEN'].'"';?>);
}
</script>

25
libraries/auth/swekey/musbe-ca.crt Normal file
View File

@@ -0,0 +1,25 @@
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIJAMjw7QcLWCd6MA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQKEwtNdXNiZSwgSW5j
LjESMBAGA1UEAxMJbXVzYmUuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQG11c2Jl
LmNvbTAeFw0wODA5MDQxNDE2MTNaFw0zNzEyMjExNDE2MTNaMGsxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQKEwtNdXNiZSwgSW5jLjES
MBAGA1UEAxMJbXVzYmUuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQG11c2JlLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOBhOljxVzQfK4gted2I
d3BemcjW4abAUOzn3KYWXpPO5xIfVeXNDGkDbyH+X+7fo94sX25/ewuKNFDSOcvo
tXHq7uQenTHB35r+a+LY81KceUHgW90a3XsqPAkwAjyYcgo3zmM2DtLvw+5Yod8T
wAHk9m3qavnQ1uk99jBTwL7RZ9jIZHh9pFCL93uJc2obtd8O96Iycbn2q0w/AWbb
+eUVWIHzvLtfPvROeL3lJzr/Uz5LjKapxJ3qyqASflfHpnj9pU8l6g2TQ6Hg5KT5
tLFkRe7uGhOfRtOQ/+NjaWrEuNCFnpyN4Q5Fv+5qA1Ip1IpH0200sWbAf/k2u0Qp
Sx0CAwEAAaOB0DCBzTAdBgNVHQ4EFgQUczJrQ7hCvtsnzcqiDIZ/GSn/CiwwgZ0G
A1UdIwSBlTCBkoAUczJrQ7hCvtsnzcqiDIZ/GSn/Ciyhb6RtMGsxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQKEwtNdXNiZSwgSW5jLjES
MBAGA1UEAxMJbXVzYmUuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQG11c2JlLmNv
bYIJAMjw7QcLWCd6MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAGxk
8xzIljeBDQWWVRr0NEALVSv3i09V4jAKkyEOfmZ8lKMKJi0atwbtjrXTzLnNYj+Q
pyUbyY/8ItWvV7pnVxMiF9qcer7e9X4vw358GZuMVE/da1nWxz+CwzTm5oO30RzA
antM9bISFFr9lJq69bDWOnCUi1IG8DSL3TxtlABso7S4vqiZ+sB33l6k1K4a/Njb
QkU9UejKhKkVVZTsOrumfnOJ4MCmPfX8Y/AY2o670y5HnzpxerIYziCVzApPVrW7
sKH0tuVGturMfQOKgstYe4/m9glBTeTLMkjD+6MJC2ONBD7GAiOO95gNl5M1fzJQ
FEe5CJ7DCYl0GdmLXXw=
-----END CERTIFICATE-----

238
libraries/auth/swekey/swekey.auth.lib.php
View File

@@ -2,33 +2,51 @@
function Swekey_auth_check() function Swekey_auth_check()
{ {
// Load the swekey.conf file the first time
if (empty($_SESSION['PHP_AUTH_REQUIRED_SWEKEY'])) {
global $cfg; global $cfg;
$confFile = $cfg['Server']['auth_swekey_config']; $confFile = $cfg['Server']['auth_swekey_config'];
$_SESSION['PHP_AUTH_REQUIRES_SWEKEY'] = (! empty($confFile) && file_exists($confFile));
if ($_SESSION['PHP_AUTH_REQUIRES_SWEKEY']) { if (! isset($_SESSION['SWEKEY'])) {
$_SESSION['PHP_AUTH_VALID_SWEKEYS'] = ""; $_SESSION['SWEKEY'] = array();
$_SESSION['PHP_AUTH_SERVER_CHECK'] = ""; }
$_SESSION['PHP_AUTH_SERVER_RNDTOKEN'] = "";
$_SESSION['PHP_AUTH_SERVER_STATUS'] = ""; $_SESSION['SWEKEY']['ENABLED'] = (! empty($confFile) && file_exists($confFile));
// Load the swekey.conf file the first time
if ($_SESSION['SWEKEY']['ENABLED'] && empty($_SESSION['SWEKEY']['CONF_LOADED'])) {
$_SESSION['SWEKEY']['CONF_LOADED'] = true;
$_SESSION['SWEKEY']['VALID_SWEKEYS'] = array();
$valid_swekeys = split("\n",@file_get_contents($confFile)); $valid_swekeys = split("\n",@file_get_contents($confFile));
foreach ($valid_swekeys as $line) { foreach ($valid_swekeys as $line) {
if (ereg("^[0-9A-F]{32}:.+$", $line) != false) if (ereg("^[0-9A-F]{32}:.+$", $line) != false)
$_SESSION['PHP_AUTH_VALID_SWEKEYS'] .= trim($line) . ","; {
else if (ereg("^SERVER_[A-Z]+=.*$", $line) != false) { $items = explode(":", $line);
if (count($items) == 2)
$_SESSION['SWEKEY']['VALID_SWEKEYS'][$items[0]] = trim($items[1]);
}
else if (ereg("^[A-Z_]+=.*$", $line) != false) {
$items = explode("=", $line); $items = explode("=", $line);
$_SESSION['PHP_AUTH_'.trim($items[0])] = trim($items[1]); $_SESSION['SWEKEY']['CONF_'.trim($items[0])] = trim($items[1]);
} }
} }
}
else // Set default values for settings
unset($_SESSION['PHP_AUTH_VALID_SWEKEYS']); if (isset($_SESSION['SWEKEY']['CONF_SERVER_CHECK']))
$_SESSION['SWEKEY']['CONF_SERVER_CHECK'] = "";
if (! isset($_SESSION['SWEKEY']['CONF_SERVER_RNDTOKEN']))
$_SESSION['SWEKEY']['CONF_SERVER_RNDTOKEN'] = "";
if (! isset($_SESSION['SWEKEY']['CONF_SERVER_STATUS']))
$_SESSION['SWEKEY']['CONF_SERVER_STATUS'] = "";
if (! isset($_SESSION['SWEKEY']['CONF_CA_FILE']))
$_SESSION['SWEKEY']['CONF_CA_FILE'] = "";
if (! isset($_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE']))
$_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE'] = false;
if (! isset($_SESSION['SWEKEY']['CONF_DEBUG']))
$_SESSION['SWEKEY']['CONF_DEBUG'] = false;
} }
// check if a web key has been authenticated // check if a web key has been authenticated
if ($_SESSION['PHP_AUTH_REQUIRES_SWEKEY']) { if ($_SESSION['SWEKEY']['ENABLED']) {
if (empty($_SESSION['PHP_AUTH_AUTHENTICATED_SWEKEY'])) if (empty($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']))
return false; return false;
} }
@@ -38,85 +56,197 @@ function Swekey_auth_check()
function Swekey_auth_error() function Swekey_auth_error()
{ {
if (! $_SESSION['PHP_AUTH_REQUIRES_SWEKEY']) if (! isset($_SESSION['SWEKEY']))
return null; return null;
if (! empty($_SESSION['PHP_AUTH_AUTHENTICATED_SWEKEY'])) if (! $_SESSION['SWEKEY']['ENABLED'])
return null; return null;
if (empty($_SESSION['PHP_AUTH_VALID_SWEKEYS'])) require_once './libraries/auth/swekey/authentication.inc.php';
?>
<script>
function Swekey_GetValidKey()
{
var valids = "<?php
foreach ($_SESSION['SWEKEY']['VALID_SWEKEYS'] as $key => $value)
echo $key.',';
?>";
var connected_keys = Swekey_ListKeyIds().split(",");
for (i in connected_keys)
if (connected_keys[i] != null && connected_keys[i].length == 32)
if (valids.indexOf(connected_keys[i]) >= 0)
return connected_keys[i];
if (connected_keys.length > 0)
if (connected_keys[0].length == 32)
return "unknown_key_" + connected_keys[0];
return "none";
}
var key = Swekey_GetValidKey();
function timedCheck()
{
if (key != Swekey_GetValidKey())
{
window.location.search = "";
}
else
setTimeout("timedCheck()",1000);
}
setTimeout("timedCheck()",1000);
</script>
<?php
if (! empty($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']))
return null;
if (count($_SESSION['SWEKEY']['VALID_SWEKEYS']) == 0)
return sprintf($GLOBALS['strSwekeyNoKeyId'], $GLOBALS['cfg']['Server']['auth_swekey_config']); return sprintf($GLOBALS['strSwekeyNoKeyId'], $GLOBALS['cfg']['Server']['auth_swekey_config']);
require_once "./libraries/auth/swekey/swekey.php"; require_once "./libraries/auth/swekey/swekey.php";
Swekey_SetCheckServer($_SESSION['PHP_AUTH_SERVER_CHECK']); Swekey_SetCheckServer($_SESSION['SWEKEY']['CONF_SERVER_CHECK']);
Swekey_SetRndTokenServer($_SESSION['PHP_AUTH_SERVER_RNDTOKEN']); Swekey_SetRndTokenServer($_SESSION['SWEKEY']['CONF_SERVER_RNDTOKEN']);
Swekey_SetStatusServer($_SESSION['PHP_AUTH_SERVER_STATUS']); Swekey_SetStatusServer($_SESSION['SWEKEY']['CONF_SERVER_STATUS']);
Swekey_EnableTokenCache($_SESSION['SWEKEY']['CONF_ENABLE_TOKEN_CACHE']);
$caFile = $_SESSION['SWEKEY']['CONF_CA_FILE'];
if (empty($caFile))
{
$caFile = __FILE__;
$pos = strrpos($caFile, '/');
if ($pos === false)
$pos = strrpos($caFile, '\\'); // windows
$caFile = substr($caFile, 0, $pos + 1).'musbe-ca.crt';
// echo "\n<!-- $caFile -->\n";
// if (file_exists($caFile))
// echo "<!-- exists -->\n";
}
if (file_exists($caFile))
Swekey_SetCAFile($caFile);
$result = null; $result = null;
parse_str($_SERVER['QUERY_STRING']); parse_str($_SERVER['QUERY_STRING']);
if (isset($swekey_id)) { if (isset($swekey_id)) {
unset($_SESSION['PHP_AUTH_AUTHENTICATED_SWEKEY']); unset($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']);
if (! isset($_SESSION['PHP_AUTH_SWEKEY_RND_TOKEN'])) { if (! isset($_SESSION['SWEKEY']['RND_TOKEN'])) {
unset($swekey_id); unset($swekey_id);
} }
else { else {
if (strlen($swekey_id) == 32) { if (strlen($swekey_id) == 32) {
$res = Swekey_CheckOtp($swekey_id, $_SESSION['PHP_AUTH_SWEKEY_RND_TOKEN'], $swekey_otp); $res = Swekey_CheckOtp($swekey_id, $_SESSION['SWEKEY']['RND_TOKEN'], $swekey_otp);
unset($_SESSION['PHP_AUTH_SWEKEY_RND_TOKEN']); unset($_SESSION['SWEKEY']['RND_TOKEN']);
if (! $res) { if (! $res) {
$result = $GLOBALS['strSwekeyAuthFailed'] . ' (' . Swekey_GetLastError() . ')'; $result = $GLOBALS['strSwekeyAuthFailed'] . ' (' . Swekey_GetLastError() . ')';
} }
else { else {
$_SESSION['PHP_AUTH_AUTHENTICATED_SWEKEY'] = $swekey_id; $_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY'] = $swekey_id;
unset($_SESSION['PHP_AUTH_FORCE_USER']); $_SESSION['SWEKEY']['FORCE_USER'] = $_SESSION['SWEKEY']['VALID_SWEKEYS'][$swekey_id];
$valid_swekeys = split(",",$_SESSION['PHP_AUTH_VALID_SWEKEYS']);
foreach ($valid_swekeys as $line) {
if (substr($line,0,32) == $swekey_id) {
$_SESSION['PHP_AUTH_FORCE_USER'] = substr($line,33);
break;
}
}
return null; return null;
} }
} }
else { else {
$result = $GLOBALS['strSwekeyNoKey']; $result = $GLOBALS['strSwekeyNoKey'];
if ($_SESSION['SWEKEY']['CONF_DEBUG'])
{
$result .= "<br>".$swekey_id;
}
unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file
} }
} }
} }
else
unset($_SESSION['SWEKEY']);
$_SESSION['PHP_AUTH_SWEKEY_RND_TOKEN'] = Swekey_GetFastRndToken(); $_SESSION['SWEKEY']['RND_TOKEN'] = Swekey_GetFastRndToken();
if (strlen($_SESSION['PHP_AUTH_SWEKEY_RND_TOKEN']) != 64) { if (strlen($_SESSION['SWEKEY']['RND_TOKEN']) != 64) {
$result = $GLOBALS['strSwekeyAuthFailed'] . ' (' . Swekey_GetLastError() . ')'; $result = $GLOBALS['strSwekeyAuthFailed'] . ' (' . Swekey_GetLastError() . ')';
unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file
} }
require_once './libraries/auth/swekey/authentication.inc.php';
if (! isset($swekey_id)) { if (! isset($swekey_id)) {
?> ?>
<script> <script>
window.location.search="?swekey_id=" + Swekey_GetValidKey() + "&swekey_otp=" + Swekey_GetOtpFromValidKey(); if (key.length != 32)
{
window.location.search="?swekey_id=" + key;
}
else
{
var url = "" + window.location;
if (url.indexOf("?") > 0)
url = url.substr(0, url.indexOf("?"));
if (url.lastIndexOf("/") > 0)
url = url.substr(0, url.lastIndexOf("/"));
Swekey_SetUnplugUrl(key, "pma_login", url + "/libraries/auth/swekey/unplugged.php?session_to_unset=<?php echo session_id();?>");
var otp = Swekey_GetOtp(key, <?php echo '"'.$_SESSION['SWEKEY']['RND_TOKEN'].'"';?>);
window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp;
}
</script> </script>
<?php <?php
return $GLOBALS['strSwekeyAuthenticating']; return $GLOBALS['strSwekeyAuthenticating'];
} }
?>
<script>
var key = Swekey_GetValidKey();
function timedCheck()
{
if (key != Swekey_GetValidKey())
window.location.search="";
setTimeout("timedCheck()",1000);
}
timedCheck();
</script>
<?php
return $result; return $result;
} }
function Swekey_login($input_name, $input_go)
{
$swekeyErr = Swekey_auth_error();
if ($swekeyErr != null) {
PMA_Message::error($swekeyErr)->display();
if ($GLOBALS['error_handler']->hasDisplayErrors()) {
echo '<div>';
$GLOBALS['error_handler']->dispErrors();
echo '</div>';
}
}
if (isset($_SESSION['SWEKEY']) && $_SESSION['SWEKEY']['ENABLED']) {
echo '<script type="text/javascript">';
if (empty($_SESSION['SWEKEY']['FORCE_USER']))
echo 'var user = null;';
else
echo 'var user = "'.$_SESSION['SWEKEY']['FORCE_USER'].'";';
?>
function open_swekey_site()
{
window.open("http://www.swekey.com?promo=pma");
}
var input_username = document.getElementById("<?php echo $input_name; ?>");
var input_go = document.getElementById("<?php echo $input_go; ?>");
var swekey_status = document.createElement('img');
swekey_status.setAttribute('onClick', 'open_swekey_site()');
swekey_status.setAttribute('style', 'width:8px; height:16px; border:0px; vspace:0px; hspace:0px; frameborder:no');
if (user == null)
{
swekey_status.setAttribute('src', 'http://artwork.swekey.com/unplugged-8x16.png');
//swekey_status.setAttribute('title', 'No swekey plugged');
input_go.disabled = true;
}
else
{
swekey_status.setAttribute('src', 'http://artwork.swekey.com/plugged-8x16.png');
//swekey_status.setAttribute('title', 'swekey plugged');
input_username.value = user;
}
input_username.readOnly = true;
if (input_username.nextSibling == null)
input_username.parentNode.appendChild(swekey_status);
else
input_username.parentNode.insertBefore(swekey_status, input_username.nextSibling);
<?php
echo '</script>';
}
}
?> ?>

123
libraries/auth/swekey/swekey.php
View File

@@ -4,6 +4,9 @@
* Version 1.0 * Version 1.0
* *
* History: * History:
* 1.2 Use curl (widely installed) to query the server
* Fixed a possible tempfile race attack
* Random token cache can now be disabled
* 1.1 Added Swekey_HttpGet function that support faulty servers * 1.1 Added Swekey_HttpGet function that support faulty servers
* Support for custom servers * Support for custom servers
* 1.0 First release * 1.0 First release
@@ -54,6 +57,12 @@ global $gSwekeyStatusServer;
if (! isset($gSwekeyStatusServer)) if (! isset($gSwekeyStatusServer))
$gSwekeyStatusServer = 'http://auth-status.musbe.net'; $gSwekeyStatusServer = 'http://auth-status.musbe.net';
global $gSwekeyCA;
global $gSwekeyTokenCacheEnabled;
if (! isset($gSwekeyTokenCacheEnabled))
$gSwekeyTokenCacheEnabled = false;
/** /**
* Change the address of the Check server. * Change the address of the Check server.
* If $server is empty the default value 'http://auth-check.musbe.net' will be used * If $server is empty the default value 'http://auth-check.musbe.net' will be used
@@ -102,6 +111,33 @@ function Swekey_SetStatusServer($server)
$gSwekeyStatusServer = $server; $gSwekeyStatusServer = $server;
} }
/**
* Change the certificat file in case of the the severs use https instead of http
*
* @param cafile The path of the crt file to use
* @access public
*/
function Swekey_SetCAFile($cafile)
{
global $gSwekeyCA;
$gSwekeyCA = $cafile;
}
/**
* Enable or disable the random token caching
* Because everybody has full access to the cache file, it can be a DOS vulnerability
* So disable it if you are running in a non secure enviromnement
*
* @param $enable
* @access public
*/
function Swekey_EnableTokenCache($enable)
{
global $gSwekeyTokenCacheEnabled;
$gSwekeyTokenCacheEnabled = ! empty($enable);
}
/** /**
* Return the last error. * Return the last error.
* *
@@ -142,7 +178,73 @@ function Swekey_HttpGet($url, &$response_code)
global $gSwekeyLastResult; global $gSwekeyLastResult;
$gSwekeyLastResult = "<not set>"; $gSwekeyLastResult = "<not set>";
// you should install the pecl_http to be able to handle timeouts // use curl if available
if (function_exists('curl_init'))
{
$sess = curl_init($url);
if (substr($url, 0, 8) == "https://")
{
global $gSwekeyCA;
$caFileOk = false;
if (! empty($gSwekeyCA))
{
if (file_exists($gSwekeyCA))
{
if (! curl_setopt($sess, CURLOPT_CAINFO, $gSwekeyCA))
error_log("SWEKEY_ERROR:Could not set CA file : ".curl_error($sess));
else
$caFileOk = true;
}
else
error_log("SWEKEY_ERROR:Could not find CA file $gSwekeyCA getting $url");
}
if ($caFileOk)
{
curl_setopt($sess, CURLOPT_SSL_VERIFYHOST, '1');
curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, '1');
}
else
{
curl_setopt($sess, CURLOPT_SSL_VERIFYHOST, '0');
curl_setopt($sess, CURLOPT_SSL_VERIFYPEER, '0');
}
curl_setopt($sess, CURLOPT_CONNECTTIMEOUT, '20');
curl_setopt($sess, CURLOPT_TIMEOUT, '20');
}
else
{
curl_setopt($sess, CURLOPT_CONNECTTIMEOUT, '3');
curl_setopt($sess, CURLOPT_TIMEOUT, '5');
}
curl_setopt($sess, CURLOPT_RETURNTRANSFER, '1');
$res=curl_exec($sess);
$response_code = curl_getinfo($sess, CURLINFO_HTTP_CODE);
$curlerr = curl_error($sess);
curl_close($sess);
if ($response_code == 200)
{
$gSwekeyLastResult = $res;
return $res;
}
if (! empty($response_code))
{
$gSwekeyLastError = $response_code;
error_log("SWEKEY_ERROR:Error $gSwekeyLastError ($curlerr) getting $url");
return "";
}
$response_code = 408; // Request Timeout
$gSwekeyLastError = $response_code;
error_log("SWEKEY_ERROR:Error $curlerr getting $url");
return "";
}
// use pecl_http if available
if (class_exists('HttpRequest')) if (class_exists('HttpRequest'))
{ {
// retry if one of the server is down // retry if one of the server is down
@@ -155,6 +257,7 @@ function Swekey_HttpGet($url, &$response_code)
{ {
$sslOptions = array(); $sslOptions = array();
$sslOptions['verifypeer'] = true; $sslOptions['verifypeer'] = true;
$sslOptions['verifyhost'] = true;
$capath = __FILE__; $capath = __FILE__;
$name = strrchr($capath, '/'); $name = strrchr($capath, '/');
@@ -162,8 +265,8 @@ function Swekey_HttpGet($url, &$response_code)
$name = strrchr($capath, '\\'); $name = strrchr($capath, '\\');
$capath = substr($capath, 0, strlen($capath) - strlen($name) + 1).'musbe-ca.crt'; $capath = substr($capath, 0, strlen($capath) - strlen($name) + 1).'musbe-ca.crt';
if (file_exists($capath)) if (! empty($gSwekeyCA))
$sslOptions['capath'] = $capath; $sslOptions['cainfo'] = $gSwekeyCA;
$options['ssl'] = $sslOptions; $options['ssl'] = $sslOptions;
} }
@@ -255,7 +358,7 @@ function Swekey_GetFastHalfRndToken()
$res = $_SESSION['rnd-token']; $res = $_SESSION['rnd-token'];
// If not we try to get it from a temp file (PHP >= 5.2.1 only) // If not we try to get it from a temp file (PHP >= 5.2.1 only)
if (strlen($res) != 32) if (strlen($res) != 32 && $gSwekeyTokenCacheEnabled)
{ {
if (function_exists('sys_get_temp_dir') ) if (function_exists('sys_get_temp_dir') )
{ {
@@ -284,9 +387,15 @@ function Swekey_GetFastHalfRndToken()
$_SESSION['rnd-token-date'] = time(); $_SESSION['rnd-token-date'] = time();
if (isset($tempdir)) if (isset($tempdir))
{ {
$file = fopen ($tempdir."/swekey-rnd-token" , "w"); // we unlink the file so no possible tempfile race attack (thanks Thijs)
unlink($tempdir."/swekey-rnd-token");
$file = fopen ($tempdir."/swekey-rnd-token" , "x");
if ($file != FALSE)
{
@fwrite($file, $res); @fwrite($file, $res);
@fclose($file); @fclose($file);
chmod($tempdir."/swekey-rnd-token", 0666); // it is a shared file everybody can read and write it
}
} }
} }
@@ -335,8 +444,8 @@ define ("SWEKEY_STATUS_OK",0);
define ("SWEKEY_STATUS_NOT_FOUND",1); // The key does not exist in the db define ("SWEKEY_STATUS_NOT_FOUND",1); // The key does not exist in the db
define ("SWEKEY_STATUS_INACTIVE",2); // The key has never been activated define ("SWEKEY_STATUS_INACTIVE",2); // The key has never been activated
define ("SWEKEY_STATUS_LOST",3); // The user has lost his key define ("SWEKEY_STATUS_LOST",3); // The user has lost his key
define ("SWEKEY_STATUS_STOLLEN",4); // The key was stolen (typo kept for backward comp) define ("SWEKEY_STATUS_STOLLEN",4); // The key was stollen
define ("SWEKEY_STATUS_STOLEN",4); // The key was stolen define ("SWEKEY_STATUS_STOLEN",4); // The key was stollen
define ("SWEKEY_STATUS_FEE_DUE",5); // The annual fee was not paid define ("SWEKEY_STATUS_FEE_DUE",5); // The annual fee was not paid
define ("SWEKEY_STATUS_OBSOLETE",6); // The hardware is no longer supported define ("SWEKEY_STATUS_OBSOLETE",6); // The hardware is no longer supported
define ("SWEKEY_STATUS_UNKOWN",201); // We could not connect to the authentication server define ("SWEKEY_STATUS_UNKOWN",201); // We could not connect to the authentication server