/**
* Login form
* @author Benjamin BALET <*****@*****.**>
*/
public function login()
{
$data['title'] = lang('session_login_title');
$data['help'] = $this->help->create_help_link('global_link_doc_page_login');
$this->load->helper('form');
$this->load->library('form_validation');
//Note that we don't receive the password as a clear string
$this->form_validation->set_rules('login', lang('session_login_field_login'), 'required');
$data['last_page'] = $this->session->userdata('last_page');
if ($this->form_validation->run() === FALSE) {
$data['public_key'] = file_get_contents('./assets/keys/public.pem', TRUE);
$data['salt'] = $this->generateRandomString(rand(5, 20));
$data['language'] = $this->session->userdata('language');
$data['language_code'] = $this->session->userdata('language_code');
$this->session->set_userdata('salt', $data['salt']);
$data['flash_partial_view'] = $this->load->view('templates/flash', $data, TRUE);
$this->load->view('templates/header', $data);
$this->load->view('session/login', $data);
$this->load->view('templates/footer');
} else {
$this->load->model('users_model');
//Set language
$this->session->set_userdata('language_code', $this->input->post('language'));
$this->session->set_userdata('language', $this->polyglot->code2language($this->input->post('language')));
//Decipher the password value (RSA encoded -> base64 -> decode -> decrypt) and remove the salt!
require_once APPPATH . 'third_party/phpseclib/vendor/autoload.php';
$rsa = new phpseclib\Crypt\RSA();
$private_key = file_get_contents('./assets/keys/private.pem', TRUE);
$rsa->setEncryptionMode(phpseclib\Crypt\RSA::ENCRYPTION_PKCS1);
$rsa->loadKey($private_key, phpseclib\Crypt\RSA::PRIVATE_FORMAT_PKCS1);
$password = $rsa->decrypt(base64_decode($this->input->post('CipheredValue')));
//Remove the salt
$len_salt = strlen($this->session->userdata('salt')) * -1;
$password = substr($password, 0, $len_salt);
$loggedin = FALSE;
if ($this->config->item('ldap_enabled')) {
if ($password != "") {
//Bind to MS-AD with blank password might return OK
$ldap = ldap_connect($this->config->item('ldap_host'), $this->config->item('ldap_port'));
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
set_error_handler(function () {
/* ignore errors */
});
if ($this->config->item('ldap_basedn_db')) {
$basedn = $this->users_model->getBaseDN($this->input->post('login'));
} else {
$basedn = sprintf($this->config->item('ldap_basedn'), $this->input->post('login'));
}
$bind = ldap_bind($ldap, $basedn, $password);
restore_error_handler();
if ($bind) {
$loggedin = $this->users_model->checkCredentialsLDAP($this->input->post('login'));
}
ldap_close($ldap);
}
} else {
$loggedin = $this->users_model->checkCredentials($this->input->post('login'), $password);
}
if ($loggedin == FALSE) {
log_message('error', '{controllers/session/login} Invalid login id or password for user='******'login'));
$this->session->set_flashdata('msg', lang('session_login_flash_bad_credentials'));
$data['public_key'] = file_get_contents('./assets/keys/public.pem', TRUE);
$data['salt'] = $this->generateRandomString(rand(5, 20));
$data['language'] = $this->session->userdata('language');
$data['language_code'] = $this->session->userdata('language_code');
$this->session->set_userdata('salt', $data['salt']);
$data['flash_partial_view'] = $this->load->view('templates/flash', $data, TRUE);
$this->load->view('templates/header', $data);
$this->load->view('session/login', $data);
$this->load->view('templates/footer');
} else {
//If the user has a target page (e.g. link in an e-mail), redirect to this destination
if ($this->session->userdata('last_page') != '') {
if (strpos($this->session->userdata('last_page'), 'index.php', strlen($this->session->userdata('last_page')) - strlen('index.php'))) {
$this->session->set_userdata('last_page', base_url() . 'home');
}
if ($this->session->userdata('last_page_params') == '') {
redirect($this->session->userdata('last_page'));
} else {
redirect($this->session->userdata('last_page') . '?' . $this->session->userdata('last_page_params'));
}
} else {
redirect(base_url() . 'home');
}
}
}
}
echo "<tr><td>PHP_VERSION</td><td>" . (version_compare(PHP_VERSION, '4.2.0', '>=') ? '>=4.2.0' : '<4.2.0') . '</td></tr>';
echo "<tr><td>openssl</td><td>" . (extension_loaded('openssl') ? 'extension loaded' : 'extension not loaded') . '</td></tr>';
echo "<tr><td>openssl_pkey_get_details</td><td>" . (function_exists('openssl_pkey_get_details') ? 'exists' : 'doesn\'t exist') . '</td></tr>';
echo "<tr><td>Private key</td><td>" . ($privateKey != '' ? 'Found' : 'Not found') . '</td></tr>';
echo "<tr><td>Public key</td><td>" . ($publicKey != '' ? 'Found' : 'Not found') . '</td></tr>';
echo "<tr><td>OpenSSL Library</td><td>" . (isset($versions['Library']) ? $versions['Library'] : 'Not found') . '</td></tr>';
echo "<tr><td>OpenSSL Header</td><td>" . (isset($versions['Header']) ? $versions['Header'] : 'Not found') . '</td></tr>';
$rsa = new \phpseclib\Crypt\RSA();
echo "<tr><td>CRYPT_RSA_MODE</td><td>" . (CRYPT_RSA_MODE == 1 ? 'MODE_INTERNAL' : 'MODE_OPENSSL') . '</td></tr>';
$rsa->setEncryptionMode(phpseclib\Crypt\RSA::ENCRYPTION_PKCS1);
$plaintext = 'Jorani is the best open source Leave Management System';
$rsa->loadKey($publicKey);
$ciphertext = $rsa->encrypt($plaintext);
$rsa->loadKey($privateKey, phpseclib\Crypt\RSA::PRIVATE_FORMAT_PKCS1);
$time_start = microtime(true);
echo "<tr><td>Decrypted message</td><td>" . $rsa->decrypt($ciphertext) . '</td></tr>';
$time_end = microtime(true);
$time = $time_end - $time_start;
echo "<tr><td>Decryption speed</td><td>" . $time . '</td></tr>';
//Generate public and private keys for a single usage
extract($rsa->createKey(KEY_SIZE));
?>
</tbody>
</table>
<h2 id="pair">Private and public key pair</h2>
<p>This section will help you to create <code>assets/keys/private.pem</code> and <code>assets/keys/public.pem</code> files.
Beware that is a pair of keys that must be set together (i.e. you must update the both files at the same time with the corresponding content).</p>
<h3>Private Key</h3>
/**
* Update a given user in the database. Update data are coming from an HTML form
* @return int number of affected rows
* @author Benjamin BALET <*****@*****.**>
*/
public function resetPassword($id, $CipheredNewPassword)
{
//Decipher the password value (RSA encoded -> base64 -> decode -> decrypt)
require_once APPPATH . 'third_party/phpseclib/vendor/autoload.php';
$rsa = new phpseclib\Crypt\RSA();
$private_key = file_get_contents('./assets/keys/private.pem', TRUE);
$rsa->setEncryptionMode(phpseclib\Crypt\RSA::ENCRYPTION_PKCS1);
$rsa->loadKey($private_key, phpseclib\Crypt\RSA::PRIVATE_FORMAT_PKCS1);
$password = $rsa->decrypt(base64_decode($CipheredNewPassword));
//Hash the clear password using bcrypt (8 iterations)
$salt = '$2a$08$' . substr(strtr(base64_encode($this->getRandomBytes(16)), '+', '.'), 0, 22) . '$';
$hash = crypt($password, $salt);
$data = array('password' => $hash);
$this->db->where('id', $id);
return $this->db->update('users', $data);
}
public function decrypt()
{
$rsa = new \phpseclib\Crypt\RSA();
$rsa->loadKey($this->key);
$ciphertext = file_get_contents($this->getFileUploadDir() . '/' . $this->file_name);
$plaintext = $rsa->decrypt($ciphertext);
$hash = md5($plaintext);
$this->save_name = 'DecryptedFile_' . $hash;
file_put_contents($this->getFileRootDir() . '/' . $this->save_name, $plaintext);
unlink($this->file->getPathname());
return new CryptoFile($hash, $this->getWebPath() . '/' . $this->save_name);
}
/**
* Desencriptar datos cifrados con la clave pública
*
* @param string $data los datos a desencriptar
* @return string
*/
public function decryptRSA($data)
{
$Rsa = new \phpseclib\Crypt\RSA();
$Rsa->setEncryptionMode(\phpseclib\Crypt\RSA::ENCRYPTION_PKCS1);
$Rsa->loadKey($this->getPrivateKey());
return $Rsa->decrypt($data);
}
static function encryptResponse($handshake, $response)
{
//setup encryption engine with servers keys
$privateKey = Session::get("serverPrivate");
$serverAES = Session::get('serverAES');
$rsa = new \phpseclib\Crypt\RSA();
$rsa->setEncryptionMode($rsa::ENCRYPTION_PKCS1);
//decrypt the clients AESkey from the
$rsa->loadKey($privateKey);
$clientAESkey = $rsa->decrypt(base64_decode($handshake));
//use AES to encrypt the data
$AESEncrypted = cryptAES::enc($response, $clientAESkey);
return $AESEncrypted;
}
$private = file_get_contents('private.pem');
//This private key is password protected, so load key
$rsa_private->setPassword($password);
//load the private key
$rsa_private->load($private);
//set hash (I chose sha512 because sha1 apparently has collisions)
$rsa_private->setHash('sha512');
//set MGF hash
$rsa_private->setMGFHash('sha512');
//Create new RSA Object - public key
$rsa_public = new \phpseclib\Crypt\RSA();
//Get public key (in this case content of file)
$public = file_get_contents('public.pem');
//load the public key
$rsa_public->load($public);
//set hash
$rsa_public->setHash('sha512');
//set MGF hash
$rsa_public->setMGFHash('sha512');
echo 'Plaintext: ' . $plaintext . PHP_EOL;
//encrypt with public key and OAEP as padding
$ciphertext_raw = $rsa_public->encrypt($plaintext, phpseclib\Crypt\RSA::PADDING_OAEP);
echo 'Ciphertext (RAW): ' . $ciphertext_raw . PHP_EOL;
//Encode as base64 for better management
$ciphertext = base64_encode($ciphertext_raw);
echo 'Ciphertext (base64): ' . $ciphertext . PHP_EOL;
//Decode from base64 then decrypt with private key
$decrypted = $rsa_private->decrypt(base64_decode($ciphertext));
echo 'Decrypted: ' . $decrypted . PHP_EOL;
//Is everything ok?
var_dump($plaintext == $decrypted);
/**
* Update a given user in the database. Update data are coming from an
* HTML form
* @return type
* @author Benjamin BALET <*****@*****.**>
*/
public function reset_password($id, $CipheredNewPassword)
{
//log_message('debug', '{models/users_model/reset_password} Entering function id=' . $id . ' / Ciphered password='******'bcrypt');
//Decipher the password value (RSA encoded -> base64 -> decode -> decrypt)
require_once APPPATH . 'third_party/phpseclib/vendor/autoload.php';
$rsa = new phpseclib\Crypt\RSA();
$private_key = file_get_contents('./assets/keys/private.pem', true);
$rsa->setEncryptionMode(phpseclib\Crypt\RSA::ENCRYPTION_PKCS1);
$rsa->loadKey($private_key, phpseclib\Crypt\RSA::PRIVATE_FORMAT_PKCS1);
$password = $rsa->decrypt(base64_decode($CipheredNewPassword));
log_message('debug', '{models/users_model/reset_password} Password='******'debug', '{models/users_model/reset_password} Hash=' . $hash);
$data = array('password' => $hash);
$this->db->where('id', $id);
$result = $this->db->update('users', $data);
return $result;
}
