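/**
 * Re-encrypts the stored two factor authentication (TFA) data of every user
 * after the encryption secret has changed.
 *
 * The method resets the session flag `tfa_warning` to false and then stops
 * early, without touching any user row, when the Joomla version kept in the
 * session is lower than 3.2, when no `twofactorauth` plugin is enabled, or
 * when no user has both `otpKey` and `otep` filled in.
 *
 * When FOFEncryptAes reports that AES is not supported on this host, all
 * `twofactorauth` plugins are disabled and `tfa_warning` is set to true.
 * This removes the second factor for every account, so the finalize screen
 * warning is the only signal the operator gets.
 *
 * @param   string  $oldsecret  Key handed to FOFEncryptAes to decrypt the stored values
 * @param   string  $newsecret  Key handed to FOFEncryptAes to encrypt them again
 *
 * @return  void
 */
private function updateTFA($oldsecret, $newsecret)
{
    $this->container->session->set('tfa_warning', false);

    // There is no TFA in Joomla < 3.2
    $jversion = $this->container->session->get('jversion');

    if (version_compare($jversion, '3.2', 'lt'))
    {
        return;
    }

    $db = $this->getDatabase();

    // Count the enabled plugins of the twofactorauth folder
    $query = $db->getQuery(true)
        ->select('COUNT(extension_id)')
        ->from($db->qn('#__extensions'))
        ->where($db->qn('type') . ' = ' . $db->q('plugin'))
        ->where($db->qn('folder') . ' = ' . $db->q('twofactorauth'))
        ->where($db->qn('enabled') . ' = ' . $db->q('1'));
    $count = $db->setQuery($query)->loadResult();

    // No enabled plugin, there is no point in continuing
    if (!$count)
    {
        return;
    }

    // Only users with both a TFA configuration and emergency data are picked up
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->qn('#__users'))
        ->where($db->qn('otpKey') . ' != ' . $db->q(''))
        ->where($db->qn('otep') . ' != ' . $db->q(''));
    $users = $db->setQuery($query)->loadObjectList();

    // There are no users with TFA configured, let's stop here
    if (!$users)
    {
        return;
    }

    // Otherwise I'll get a blank page
    // (presumably the FOF file refuses to load without this constant; confirm)
    if (!defined('FOF_INCLUDED'))
    {
        define('FOF_INCLUDED', 1);
    }

    include_once APATH_LIBRARIES . '/fof/encrypt/aes.php';

    // Does this host support AES?
    if (!FOFEncryptAes::isSupported())
    {
        // If not, set a flag, so we will display a big, fat warning in the finalize screen
        $this->container->session->set('tfa_warning', true);

        // Disable every twofactorauth plugin. The stored values cannot be
        // re-encrypted here, so they would be unreadable with the new secret.
        $query = $db->getQuery(true)
            ->update($db->qn('#__extensions'))
            ->set($db->qn('enabled') . ' = ' . $db->q('0'))
            ->where($db->qn('type') . ' = ' . $db->q('plugin'))
            ->where($db->qn('folder') . ' = ' . $db->q('twofactorauth'));
        $db->setQuery($query)->execute();

        return;
    }

    // 256 is presumably the AES key size in bits; confirm against FOFEncryptAes
    $oldaes = new FOFEncryptAes($oldsecret, 256);
    $newaes = new FOFEncryptAes($newsecret, 256);

    foreach ($users as $user)
    {
        // The column is read as "<method>:<encrypted data>". Split on the first
        // colon only, so a colon inside the data part cannot truncate it.
        $parts = explode(':', $user->otpKey, 2);

        // A value without a separator has no data part to decrypt. Leave the
        // row untouched instead of overwriting it with re-encrypted garbage.
        if (count($parts) !== 2)
        {
            continue;
        }

        list($method, $otpKey) = $parts;

        // NOTE(review): the result of decryptString() is not verified. If the
        // old secret is wrong, or FOFEncryptAes does not authenticate its
        // ciphertext, the row is replaced with unusable data. Confirm how the
        // class reports a failed decryption and skip the row in that case.
        $update = (object) array(
            'id'     => $user->id,
            'otpKey' => $method . ':' . $newaes->encryptString($oldaes->decryptString($otpKey)),
            'otep'   => $newaes->encryptString($oldaes->decryptString($user->otep)),
        );

        $db->updateObject('#__users', $update, 'id');
    }
}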