Example #1
File: Totp.php Project: Joal01/fof
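 /**
  * Generates a random Secret Key for TOTP generation.
  *
  * The secret is the seed for every future one-time code, so its bytes come
  * from a cryptographically secure source. The previous implementation drew
  * each byte from rand(), whose output is predictable.
  *
  * @return  string  Base32 encoding of $this->secretLength random bytes
  *
  * @throws  \RuntimeException  When no cryptographically secure random source is available
  */
 public function generateSecret()
 {
     $length = (int) $this->secretLength;

     // A non-positive length produced an empty secret before; keep that contract.
     if ($length < 1) {
         return $this->base32->encode("");
     }

     if (function_exists('random_bytes')) {
         $secret = random_bytes($length);
     } elseif (function_exists('openssl_random_pseudo_bytes')) {
         // Fallback for runtimes without random_bytes(); only accept strong output.
         $strong = false;
         $secret = openssl_random_pseudo_bytes($length, $strong);
         if ($secret === false || !$strong) {
             throw new \RuntimeException('No cryptographically secure random source available');
         }
     } else {
         // Fail closed: a guessable TOTP secret is worse than no secret.
         throw new \RuntimeException('No cryptographically secure random source available');
     }

     return $this->base32->encode($secret);
 }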
Example #2
 /**
  * Builds the auth token for this user and ticket.
  *
  * Layout: <user type><algo id>x<Base32 of packed user id and ticket id><hash part>
  *
  * NOTE(review): algo 1 takes its hash part from a plain MD5 over concatenated
  * fields plus SECRET_SALT, which is not a keyed MAC. A new algo id built on
  * hash_hmac() would strengthen it without invalidating tokens already issued.
  * The code that verifies tokens is not shown here; it should compare with
  * hash_equals().
  *
  * @param int $algo  Algorithm id; only 1 is implemented
  * @return string|null  The token, or null for an unknown algorithm id
  */
 protected function getAuthToken($algo = 1)
 {
     $userType = $this->isOwner() ? 'o' : 'c';
     $packedIds = Base32::encode(pack('VV', $this->getId(), $this->getTicketId()));
     $prefix = sprintf('%s%dx%s', $userType, $algo, $packedIds);

     // Loose comparison on purpose: it matches what `switch` did with `case 1`.
     if ($algo != 1) {
         return null;
     }

     $material = $this->getId() . $this->getTicket()->getCreateDate() . $this->getTicketId() . SECRET_SALT;
     $digest = base64_encode(md5($material, true));

     // The first 8 characters of the Base64 digest are dropped.
     return $prefix . substr($digest, 8);
 }
Example #3
 /**
  * Derives the lower-case Base32 onion hash from a PEM-encoded public key.
  *
  * NOTE(review): a missing BEGIN/END marker is not detected. strpos() then
  * returns false and a hash of unrelated bytes comes back. Callers presumably
  * pass well-formed PEM; confirm.
  *
  * @param string $publicKey  PEM text containing a "PUBLIC KEY" block
  * @return string  Lower-case Base32 of the first half of the SHA-1 digest
  */
 public static function hashFromPublicKey($publicKey)
 {
     $header = '-----BEGIN PUBLIC KEY-----';
     $footer = '-----END PUBLIC KEY-----';

     // Cut out the Base64 body between the two PEM markers.
     $bodyStart = strpos($publicKey, $header) + strlen($header);
     $trailing = strlen($publicKey) - strpos($publicKey, $footer);
     $pem = substr($publicKey, $bodyStart, -$trailing);

     // PEM -> DER, then drop the first 22 bytes before hashing.
     $der = substr(base64_decode($pem), 22);

     // First half of the SHA-1 digest: 10 raw bytes, i.e. 20 hex characters.
     $halfDigest = substr(sha1($der, true), 0, 10);

     return strtolower(Base32::encode($halfDigest));
 }
Example #4
 /**
  * Creates a new asset row of the given class, assigns it a Base32 key derived
  * from its numeric id, lets the mapped class initialise it, and returns it.
  *
  * Any arguments after $db and $class are forwarded to createObject() as one array.
  *
  * @param object $db     Database handle providing insert(), update(), insertId() and now()
  * @param string $class  Asset class name; empty means 'null'
  * @return mixed  Result of self::get() for the new key, or null for an unknown class
  */
 public static function create($db, $class = '')
 {
     // Everything past the two named parameters belongs to createObject().
     $params = array_slice(func_get_args(), 2);

     $class = strtolower(trim($class));
     if ($class === '') {
         $class = 'null';
     }

     // Only classes registered in the class map may be instantiated.
     if (!isset(self::$classmap[$class])) {
         trigger_error('Asset::create(): object class "' . $class . '" does not exist', E_USER_ERROR);
         return null;
     }
     $className = self::$classmap[$class];

     $row = array(
         'object_class' => $class,
         '@object_created' => $db->now(),
         '@object_modified' => $db->now(),
         'object_has_manifest' => false,
     );
     $db->insert('asset_object', $row);

     // The public key is the Base32 form of the auto-generated row id.
     $id = $db->insertId();
     $key = Base32::encode($id);
     $db->update('asset_object', array('object_key' => $key), array('object_id' => $id));

     echo 'Created new asset of class "' . $class . '" with key "' . $key . '"' . "\n";

     $factory = array($className, 'createObject');
     call_user_func_array($factory, array($db, $key, $params));

     return self::get($db, $key);
 }
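 /**
  * Enables TOTP for the logged-in user.
  *
  * The account password is re-checked first, then one code from the user's
  * authenticator is checked. Prints "OK" on success or an "ERROR:..." line.
  *
  * NOTE(review): the TOTP secret is derived from the stored password salt, so
  * anyone able to read ttrss_users can compute it. An independently generated
  * secret would remove that coupling, but every place that derives the secret
  * this way would have to change together.
  */
 function otpenable()
 {
     require_once "lib/otphp/vendor/base32.php";
     require_once "lib/otphp/lib/otp.php";
     require_once "lib/otphp/lib/totp.php";

     // Missing request fields become empty strings instead of raising notices.
     $password = isset($_REQUEST["password"]) ? $_REQUEST["password"] : "";
     $otp = isset($_REQUEST["otp"]) ? $_REQUEST["otp"] : "";

     // The id is concatenated into SQL below; force it to an integer first.
     $uid = (int) $_SESSION["uid"];

     $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
     if (!$authenticator->check_password($_SESSION["uid"], $password)) {
         print "ERROR:" . __("Incorrect password");
         return;
     }

     $result = $this->dbh->query("SELECT salt\n\t\t\t\tFROM ttrss_users\n\t\t\t\tWHERE id = " . $uid);
     $base32 = new Base32();
     $secret = $base32->encode(sha1($this->dbh->fetch_result($result, 0, "salt")));
     $topt = new \OTPHP\TOTP($secret);
     $otp_check = $topt->now();

     // Accept digits only and compare as integers. The loose == used before let
     // PHP type juggling match values such as an empty string or "1e3" against
     // a numeric code. Leading zeros are still tolerated, as before.
     $otp_ok = is_string($otp) && ctype_digit($otp) && (int) $otp === (int) $otp_check;

     if ($otp_ok) {
         $this->dbh->query("UPDATE ttrss_users SET otp_enabled = true WHERE\n\t\t\t\t\tid = " . $uid);
         print "OK";
     } else {
         print "ERROR:" . __("Incorrect one time password");
     }
 }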
Example #6
    /**
     * Checks a login/password pair against ttrss_users, running the one time
     * password step first when the account has OTP enabled.
     *
     * @param $login     Login name; passed through db_escape_string() before use.
     * @param $password  Plaintext password as submitted.
     * @return mixed     The user's id (as returned by db_fetch_result) on success,
     *                   false on failure. When OTP is enabled and no code was sent,
     *                   the function prints the OTP form and exits instead of returning.
     */
    function authenticate($login, $password)
    {
        // pwd_hash0 is written back at the end to replace a legacy hash;
        // pwd_hash1 / pwd_hash2 are matched against stored legacy hashes.
        $pwd_hash0 = hash_password($password);
        $pwd_hash1 = encrypt_password($password);
        $pwd_hash2 = encrypt_password($password, $login);
        $login = db_escape_string($login);
        // The one time password is read straight from the request.
        $otp = db_escape_string($_REQUEST["otp"]);
        if (get_schema_version() > 96) {
            if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
                // NOTE(review): the login literal shows as '******' in this listing;
                // presumably the original interpolates the escaped $login here and in
                // the queries below. Confirm against the upstream file.
                $result = db_query("SELECT otp_enabled,salt FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******'");
                if (db_num_rows($result) > 0) {
                    require_once "lib/otphp/vendor/base32.php";
                    require_once "lib/otphp/lib/otp.php";
                    require_once "lib/otphp/lib/totp.php";
                    $base32 = new Base32();
                    $otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
                    // The TOTP secret is derived from the stored salt (Base32 of its
                    // SHA-1 hex digest) rather than kept as an independent value.
                    $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
                    $topt = new \OTPHP\TOTP($secret);
                    $otp_check = $topt->now();
                    if ($otp_enabled) {
                        if ($otp) {
                            // Loose != comparison. NOTE(review): a strict, digits-only
                            // comparison would rule out PHP type juggling here.
                            if ($otp != $otp_check) {
                                return false;
                            }
                        } else {
                            // No code supplied yet: print a form that re-posts the login
                            // fields together with the code, then stop.
                            // NOTE(review): this runs before the password is checked below,
                            // and the plaintext password is echoed into a hidden field.
                            $return = urlencode($_REQUEST["return"]);
                            ?>
<html>
								<head><title>Tiny Tiny RSS</title></head>
								<?php 
                            echo stylesheet_tag("css/utility.css");
                            ?>
							<body class="otp"><div class="content">
							<form action="public.php?return=<?php 
                            echo $return;
                            ?>
"
									method="POST" class="otpform">
								<input type="hidden" name="op" value="login">
								<input type="hidden" name="login" value="<?php 
                            echo htmlspecialchars($login);
                            ?>
">
								<input type="hidden" name="password" value="<?php 
                            echo htmlspecialchars($password);
                            ?>
">
								<input type="hidden" name="bw_limit" value="<?php 
                            echo htmlspecialchars($_POST["bw_limit"]);
                            ?>
">
								<input type="hidden" name="remember_me" value="<?php 
                            echo htmlspecialchars($_POST["remember_me"]);
                            ?>
">
								<input type="hidden" name="profile" value="<?php 
                            echo htmlspecialchars($_POST["profile"]);
                            ?>
">

								<label><?php 
                            echo __("Please enter your one time password:"******"off" size="6" name="otp" value=""/>
								<input type="submit" value="Continue"/>
							</form></div>
							<script type="text/javascript">
								document.forms[0].otp.focus();
							</script>
							<?php 
                            exit;
                        }
                    }
                }
            }
        }
        // Preferred path: check the stored hash with password_verify().
        $result = db_query("SELECT id,pwd_hash FROM ttrss_users WHERE\n\t\t\tlogin = '******'");
        if (db_num_rows($result) === 1) {
            // PHP older than 5.5 has no password_verify(); load the compatibility shim.
            if (version_compare(PHP_VERSION, '5.5.0', '<')) {
                require_once 'vendor/ircmaxell/password-compat/lib/password.php';
            }
            $pwd_hash_dp = db_fetch_result($result, 0, "pwd_hash");
            if (password_verify($password, $pwd_hash_dp)) {
                return db_fetch_result($result, 0, "id");
            }
        }
        // Legacy path: reached when password_verify() did not accept the stored hash.
        if (get_schema_version() > 87) {
            $result = db_query("SELECT salt FROM ttrss_users WHERE\n\t\t\t\tlogin = '******'");
            if (db_num_rows($result) !== 1) {
                return false;
            }
            $salt = db_fetch_result($result, 0, "salt");
            if ($salt == "") {
                // Empty salt: match the unsalted / login-salted hashes, then re-hash
                // with a freshly generated salt.
                $query = "SELECT id\n\t\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
                // verify and upgrade password to new salt base
                $result = db_query($query);
                if (db_num_rows($result) === 1) {
                    // upgrade password to MODE2
                    $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
                    $pwd_hash = encrypt_password($password, $salt, true);
                    db_query("UPDATE ttrss_users SET\n\t\t\t\t\t\tpwd_hash = '{$pwd_hash}', salt = '{$salt}' WHERE login = '******'");
                    $query = "SELECT id\n\t\t\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
                } else {
                    return false;
                }
            } else {
                $pwd_hash = encrypt_password($password, $salt, true);
                $query = "SELECT id\n\t\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
            }
        } else {
            $query = "SELECT id\n\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
        }
        // Run whichever legacy lookup was selected above.
        $result = db_query($query);
        if (db_num_rows($result) === 1) {
            // Authentication was successful, but the hash in the database
            // is not secure. We need to update it.
            db_query("UPDATE ttrss_users SET\n\t\t\t\tpwd_hash = '{$pwd_hash0}' WHERE login = '******'");
            return db_fetch_result($result, 0, "id");
        }
        return false;
    }
Example #7
 /**
  * Encoding the empty string must yield the empty string.
  */
 public function testEncodeEmptyString()
 {
     // The RFC test vectors map an empty input to an empty output.
     $encoded = Base32::encode('');

     $this->assertEquals('', $encoded);
 }
Example #8
/* Copyright 2009 Mo McRoberts.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The names of the author(s) of this software may not be used to endorse
 *    or promote products derived from this software without specific prior
 *    written permission.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
 * AUTHORS OF THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
require dirname(__FILE__) . '/../lib/common.php';

// Drop the script name so that only the user-supplied arguments remain.
array_shift($argv);

// Print one "<input> = <Base32>" line per command-line argument.
foreach ($argv as $value) {
    printf("%s = %s\n", $value, Base32::encode($value));
}
    /**
     * Checks a login/password pair against ttrss_users, running the one time
     * password step first when the account has OTP enabled.
     *
     * @param $login     Login name; passed through db_escape_string() before use.
     * @param $password  Plaintext password as submitted.
     * @return mixed     The user's id (as returned by db_fetch_result) on success,
     *                   false on failure. When OTP is enabled and no code was sent,
     *                   the function prints the OTP form and exits instead of returning.
     */
    function authenticate($login, $password)
    {
        // Candidate hashes matched against stored legacy (unsalted / login-salted) hashes.
        $pwd_hash1 = encrypt_password($password);
        $pwd_hash2 = encrypt_password($password, $login);
        $login = db_escape_string($login);
        // The one time password is read straight from the request.
        $otp = db_escape_string($_REQUEST["otp"]);
        if (get_schema_version($this->link) > 96) {
            if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
                // NOTE(review): the login literal shows as '******' in this listing;
                // presumably the original interpolates the escaped $login here and in
                // the queries below. Confirm against the upstream file.
                $result = db_query($this->link, "SELECT otp_enabled,salt FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******'");
                if (db_num_rows($result) > 0) {
                    require_once "lib/otphp/vendor/base32.php";
                    require_once "lib/otphp/lib/otp.php";
                    require_once "lib/otphp/lib/totp.php";
                    $base32 = new Base32();
                    $otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
                    // The TOTP secret is derived from the stored salt (Base32 of its
                    // SHA-1 hex digest) rather than kept as an independent value.
                    $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
                    $topt = new \OTPHP\TOTP($secret);
                    $otp_check = $topt->now();
                    if ($otp_enabled) {
                        if ($otp) {
                            // Loose != comparison. NOTE(review): a strict, digits-only
                            // comparison would rule out PHP type juggling here.
                            if ($otp != $otp_check) {
                                return false;
                            }
                        } else {
                            // No code supplied yet: print a form that re-posts the login
                            // fields together with the code, then stop.
                            // NOTE(review): this runs before the password is checked below,
                            // and the plaintext password is echoed into a hidden field.
                            $return = urlencode($_REQUEST["return"]);
                            ?>
<html>
								<head><title>Tiny Tiny RSS</title></head>
							<body>
							<form action="public.php?return=<?php 
                            echo $return;
                            ?>
"
									method="POST">
								<input type="hidden" name="op" value="login">
								<input type="hidden" name="login" value="<?php 
                            echo htmlspecialchars($login);
                            ?>
">
								<input type="hidden" name="password" value="<?php 
                            echo htmlspecialchars($password);
                            ?>
">

								<label><?php 
                            echo __("Please enter your one time password:"******"password" size="6" name="otp"/>
								<input type="submit" value="Continue"/>
							</form>
							<script type="text/javascript">
								document.forms[0].otp.focus();
							</script>
							<?php 
                            exit;
                        }
                    }
                }
            }
        }
        // Password check: salted hashes on schema versions above 87, legacy hashes otherwise.
        if (get_schema_version($this->link) > 87) {
            $result = db_query($this->link, "SELECT salt FROM ttrss_users WHERE\n\t\t\t\tlogin = '******'");
            if (db_num_rows($result) != 1) {
                return false;
            }
            $salt = db_fetch_result($result, 0, "salt");
            if ($salt == "") {
                // Empty salt: match the legacy hashes, then re-hash with a freshly
                // generated salt.
                $query = "SELECT id\n\t            FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
                // verify and upgrade password to new salt base
                $result = db_query($this->link, $query);
                if (db_num_rows($result) == 1) {
                    // upgrade password to MODE2
                    $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
                    $pwd_hash = encrypt_password($password, $salt, true);
                    db_query($this->link, "UPDATE ttrss_users SET\n\t\t\t\t\t\tpwd_hash = '{$pwd_hash}', salt = '{$salt}' WHERE login = '******'");
                    $query = "SELECT id\n\t\t            FROM ttrss_users WHERE\n\t\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
                } else {
                    return false;
                }
            } else {
                $pwd_hash = encrypt_password($password, $salt, true);
                $query = "SELECT id\n\t\t         FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
            }
        } else {
            $query = "SELECT id\n\t         FROM ttrss_users WHERE\n\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
        }
        // Run whichever lookup was selected above; exactly one matching row means success.
        $result = db_query($this->link, $query);
        if (db_num_rows($result) == 1) {
            return db_fetch_result($result, 0, "id");
        }
        return false;
    }
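 /**
  * Prints a QR code PNG carrying the TOTP provisioning URI for the logged-in
  * user. Nothing is printed once OTP is already enabled, so the secret can only
  * be fetched during enrolment.
  *
  * NOTE(review): the secret is derived from the stored password salt, so anyone
  * able to read ttrss_users can compute it.
  */
 function otpqrcode()
 {
     require_once "lib/otphp/vendor/base32.php";
     require_once "lib/otphp/lib/otp.php";
     require_once "lib/otphp/lib/totp.php";
     require_once "lib/phpqrcode/phpqrcode.php";

     // The id is concatenated into SQL; force it to an integer first.
     $uid = (int) $_SESSION["uid"];
     $result = db_query($this->link, "SELECT login,salt,otp_enabled\n\t\t\tFROM ttrss_users\n\t\t\tWHERE id = " . $uid);

     // No matching user (for example an empty session): nothing to render.
     if (db_num_rows($result) < 1) {
         return;
     }

     $base32 = new Base32();
     $login = db_fetch_result($result, 0, "login");
     $otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
     if (!$otp_enabled) {
         $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
         $topt = new \OTPHP\TOTP($secret);
         print QRcode::png($topt->provisioning_uri($login));
     }
 }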
 /**
  * Returns the email references followed by this object's message id with a
  * "+<prefix><Base32 of packed ids>" tag inserted just before the "@".
  *
  * @param string $prefix  Tag prefix placed after the "+"
  * @param int    $refId   Id packed together with this object's id
  * @return string  "<references> <tagged message id>"
  */
 function getTaggedEmailReferences($prefix, $refId)
 {
     $tag = '+' . $prefix . Base32::encode(pack('VV', $this->getId(), $refId));

     // Insert the tag at the position of "@" without replacing any characters.
     $messageId = $this->getEmailMessageId();
     $atOffset = strpos($this->getEmailMessageId(), '@');
     $taggedId = substr_replace($messageId, $tag, $atOffset, 0);

     return sprintf('%s %s', $this->getEmailReferences(false), $taggedId);
 }
Example #12
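')){ window.location = '<?php 
    // add_query_arg() without a URL argument builds on the current request URI,
    // so the result is escaped for a JS string inside an HTML attribute.
    // NOTE(review): the key reset is triggered by a plain GET parameter and no
    // nonce is visible in this fragment; confirm the handler verifies one.
    print esc_js(esc_url_raw(add_query_arg(array('tfa_priv_key_reset' => 1, 'settings-updated' => 'true'))));
    ?>
'; }">reset</a>
					)
				</p>
				<h3 class="normal" style="cursor: default">Base32</h3>
				<p><?php 
    _e('Base32 is used by some third party apps like Google Authenticator. This is just as secret as the key in plain text.', TFA_TEXT_DOMAIN);
    ?>
				</p>
				<p><strong><?php 
    _e('Your private key in base32 is', TFA_TEXT_DOMAIN);
    ?>
</strong>: <?php 
    // The Base32 form is as sensitive as the key itself: it is the value an
    // authenticator app is provisioned with.
    print Base32::encode($tfa_priv_key);
    ?>
</p>
				<h3 class="normal" style="cursor: default"><?php 
    _e('Algorithm Used', TFA_TEXT_DOMAIN);
    ?>
</h3>
				
				<form method="post" action="<?php 
    // REQUEST_URI is client-controlled; escape the URL before it lands in the attribute.
    print esc_url(add_query_arg('settings-updated', 'true', $_SERVER['REQUEST_URI']));
    ?>
">
					<h2><?php 
    _e('Choose Algorithm', TFA_TEXT_DOMAIN);
    ?>
</h2>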
Example #13
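/**
 * Moves an uploaded file into $targetDirectory under a name made of
 * $hashToUse followed by the Base32 encoding of "<client name>|<client type>".
 *
 * The client-supplied name and MIME type reach the filesystem only in Base32
 * form, so (assuming a standard Base32 alphabet) they cannot add path
 * separators, dots or a file extension to the stored name.
 * NOTE(review): $hashToUse and $targetDirectory are used as given. Presumably
 * both are generated server-side; confirm at the call site.
 *
 * @param string $hashToUse        Prefix of the stored file name
 * @param string $targetDirectory  Directory the file is moved into
 * @param array  $fileArray        One entry of $_FILES (name, type, tmp_name)
 * @return bool  True when the file was moved, false otherwise
 */
function moveAndWriteFile($hashToUse,$targetDirectory,$fileArray) {
	// A malformed upload entry cannot be stored; report it instead of raising notices.
	if (!isset($fileArray['name'], $fileArray['type'], $fileArray['tmp_name'])) {
		return false;
	}
	$base32String=Base32::encode($fileArray['name'].'|'.$fileArray['type']);
	// move_uploaded_file() rejects anything that is not a genuine HTTP upload and
	// returns false on failure, for example when the encoded name is too long for
	// the filesystem. The result used to be dropped; callers can now check it.
	return move_uploaded_file($fileArray['tmp_name'],$targetDirectory.'/'.$hashToUse.$base32String);
}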
 /**
  * Encodes a byte string as RFC 4648 Base32.
  *
  * Thin wrapper that delegates to Base32::encode().
  *
  * @param string $str  Raw bytes to encode
  * @return string  The Base32 text
  */
 public static function base32Encode(string $str) : string
 {
     $encoded = Base32::encode($str);

     return $encoded;
 }
Example #15
 /**
  * Halite::chooseEncoder() must return the encoder matching each flag.
  */
 public function testEncoding()
 {
     $random_bytes = \random_bytes(31);

     // Backwards compatibility: boolean false selects hex, boolean true yields null.
     $legacyHex = Halite::chooseEncoder(false);
     $this->assertSame(Hex::encode($random_bytes), $legacyHex($random_bytes));
     $legacyRaw = Halite::chooseEncoder(true);
     $this->assertSame(null, $legacyRaw);

     // New encoding constants in version 3, each paired with its reference encoder class.
     $cases = array(
         array(Halite::ENCODE_HEX, Hex::class),
         array(Halite::ENCODE_BASE32, Base32::class),
         array(Halite::ENCODE_BASE32HEX, Base32Hex::class),
         array(Halite::ENCODE_BASE64, Base64::class),
         array(Halite::ENCODE_BASE64URLSAFE, Base64UrlSafe::class),
     );
     foreach ($cases as $case) {
         list($flag, $reference) = $case;
         $encoder = Halite::chooseEncoder($flag);
         $this->assertSame($reference::encode($random_bytes), $encoder($random_bytes));
     }
 }