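/**
 * Validate a TOTP code for the user bound to the current session.
 *
 * Looks up the user's enrolled secret in `two_factor_auth` and asks the
 * bundled Google2FA library to verify the submitted code against it.
 *
 * @param string $code  The one-time code submitted by the user.
 * @return bool  True only when a secret is on file for the session user and
 *               the code verifies; false for every other outcome, including a
 *               library exception (which is also reported via message_error()).
 */
function validate_two_factor_auth_code($code)
{
    require_once CONFIG_PATH_THIRDPARTY . 'Google2FA/Google2FA.php';

    // Fail closed when there is no session user to verify against.
    if (!isset($_SESSION['id'])) {
        return false;
    }

    $row = db_select_one('two_factor_auth', array('secret'), array('user_id' => $_SESSION['id']));

    // Fix: the original passed $secret['secret'] straight to verify_key(). When
    // the user has no 2FA row that value is null, and whether the library
    // rejects or silently "verifies" against an empty seed is not visible from
    // here -- so treat "no secret enrolled" as "code invalid" explicitly.
    if (!is_array($row) || empty($row['secret'])) {
        return false;
    }

    $valid = false;
    try {
        $valid = (bool) Google2FA::verify_key($row['secret'], $code);
    } catch (Exception $e) {
        // Best-effort user feedback; the caller still receives false.
        message_error('Could not verify key.');
    }
    return $valid;
}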
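// Admin login handler (flat script). Step 1: username/password against
// `admins` (or `ga_players` when ga_playertest is set). Step 2, only for
// accounts that have a ga_token on file: a TOTP submitted as $_POST['totp'].
// Relies on the including file for session_start() and prot(), which is the
// SQL-escaping helper the credential query already depends on.
if (!empty($_POST['hash_one']) && !empty($_POST['hash_sec'])) {
    // NOTE(review): passwords are stored as unsalted md5. Moving to
    // password_hash()/password_verify() needs a column migration, so it is
    // flagged here rather than changed.
    $table = !empty($_POST['ga_playertest']) ? 'ga_players' : 'admins';
    $account = mysql_fetch_array(mysql_query(
        "SELECT `username`,`ga_token` FROM `" . $table . "` WHERE `username`='" . prot($_POST['hash_one'])
        . "' AND `passwd`='" . md5($_POST['hash_sec']) . "' LIMIT 1"
    ));

    // Fix: the original went straight to `$this_admin['ga_token'] == ''`. When
    // no row matched, $this_admin was false, the index read null, and
    // null == '' is true -- so unknown credentials were marked logged in with
    // a null username. Reject anything that is not a real row first.
    if (!is_array($account) || !isset($account['username']) || $account['username'] === '') {
        header('Location: ./?login_error');
        exit;
    }

    if ((string) $account['ga_token'] === '') {
        // No second factor enrolled: the password alone completes the login.
        // Rotate the session id on the privilege change (session fixation).
        session_regenerate_id(true);
        $_SESSION['logged_'] = true;
        $_SESSION['username'] = $account['username'];
        // Fix: User-Agent is attacker-controlled and was concatenated raw into
        // the INSERT; escape it (and the other values) like the query above.
        $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        mysql_query("INSERT INTO `admin_logs` (`admin_username`,`ip`,`browser`) VALUES ('"
            . prot($_SESSION['username']) . "','" . prot($_SERVER['REMOTE_ADDR']) . "','" . prot($agent) . "')");
        header('Location: ./');
    } else {
        // Park the password-verified identity until the TOTP step confirms it.
        $_SESSION['2f_1']['username'] = $account['username'];
        $_SESSION['2f_1']['ga_token'] = $account['ga_token'];
        header('Location: ./?totp');
    }
    exit;
}

if (!empty($_POST['totp'])) {
    include './ga_class.php';
    // Fix: only run the TOTP check when step 1 actually parked a token. The
    // original called verify_key() with a null seed whenever '2f_1' was absent
    // or already consumed; what the library accepts for an empty seed is not
    // visible here, so fail closed instead of finding out.
    if (!empty($_SESSION['2f_1']['ga_token']) && !empty($_SESSION['2f_1']['username'])) {
        // Window 0: only the current time step is accepted.
        // NOTE(review): nothing throttles attempts or records used codes;
        // presumably handled elsewhere -- verify.
        $verify = Google2FA::verify_key($_SESSION['2f_1']['ga_token'], $_POST['totp'], 0);
        if ($verify == true) {
            session_regenerate_id(true);
            $_SESSION['logged_'] = true;
            $_SESSION['username'] = $_SESSION['2f_1']['username'];
            $_SESSION['2f_1'] = false;
            $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
            mysql_query("INSERT INTO `admin_logs` (`admin_username`,`ip`,`browser`) VALUES ('"
                . prot($_SESSION['username']) . "','" . prot($_SERVER['REMOTE_ADDR']) . "','" . prot($agent) . "')");
            header('Location: ./');
            // Fix: the original fell through to the login_error redirect below,
            // which replaced this Location header even though login succeeded.
            exit;
        }
    }
}
header('Location: ./?login_error');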
/**
 * Enrol the current user in Google Authenticator (TOTP).
 *
 * Stores the phone number and a freshly generated secret on the user row,
 * clears any Authy/SMS enrolment and forces 2FA confirmation on withdrawals.
 * The secret is returned so the caller can show it (QR code / text) once.
 *
 * @param string $cell          Phone number; everything but digits is dropped.
 * @param string $country_code  Dialling code; everything but digits is dropped.
 * @return string|false|null  The new base32 secret on success; false when there
 *                            is no active session, the user already has a
 *                            verified factor, or no key could be generated;
 *                            implicit null when the database update fails
 *                            (kept as-is for existing callers).
 */
public static function enableGoogle2fa($cell, $country_code)
{
    global $CFG;

    $cell = preg_replace("/[^0-9]/", "", $cell);
    $country_code = preg_replace("/[^0-9]/", "", $country_code);

    // Guard clauses, evaluated in the same order as before so User::$info is
    // only consulted once a session is known to be active.
    if (!$CFG->session_active) {
        return false;
    }
    if (User::$info['verified_authy'] == 'Y' || User::$info['verified_google'] == 'Y') {
        return false;
    }

    // NOTE(review): whether generate_secret_key() draws from a CSPRNG is not
    // visible here -- confirm in the Google2FA library.
    $secret = Google2FA::generate_secret_key();
    if (!$secret) {
        return false;
    }

    self::deleteCache();

    $fields = array(
        'tel'                        => $cell,
        'country_code'               => $country_code,
        'google_2fa_code'            => $secret,
        'verified_google'            => 'N',   // stays 'N' until the user proves a code
        'using_sms'                  => 'N',
        'authy_id'                   => '',
        'confirm_withdrawal_2fa_btc' => 'Y',
        'confirm_withdrawal_2fa_bank'=> 'Y',
    );
    $updated = db_update('site_users', User::$info['id'], $fields);
    if ($updated) {
        return $secret;
    }
    // Update failed: fall off the end (implicit null), as the original did.
}
<?php /* * © BitcoinDice */
// Admin "Google Authenticator" settings page. Only ever included from a
// controller that sets $included; expects $_SESSION['username'] to be set by
// the login handler.
if (!isset($included)) { exit; }
include './ga_class.php';
// Candidate secret for a (re-)enrolment; binding it to the account happens
// elsewhere (presumably the QR/TOTP form further down this page -- not shown).
$newtoken = Google2FA::generate_secret_key();
// NOTE(review): the session username is interpolated into SQL unescaped. It
// originates from the admins table, but the rest of the code base routes such
// values through prot(); worth aligning. If no row matches, $this_admin is
// false and the UPDATE/SELECT below are issued with an empty `id`.
$this_admin = mysql_fetch_array(mysql_query("SELECT `id`,`ga_token` FROM `admins` WHERE `username`='{$_SESSION['username']}' LIMIT 1"));
// SECURITY(review): the second factor is removed by a bare GET parameter with
// no CSRF token, no confirmation and no proof of the current TOTP. Any page
// that makes an authenticated admin's browser fetch "...?rem" (an <img>, a
// link) strips 2FA from the account. The fix is POST-only plus a per-session
// CSRF token and a valid current code; the triggering form is not visible here.
if (isset($_GET['rem'])) { mysql_query("UPDATE `admins` SET `ga_token`='' WHERE `id`={$this_admin['id']} LIMIT 1"); echo '<div class="zpravagreen"><b>Success:</b> Google Authenticator has been disabled for this account.</div>'; }
// Re-read the row so the page below reflects the (possibly cleared) token.
$this_admin = mysql_fetch_array(mysql_query("SELECT `id`,`ga_token`,`username` FROM `admins` WHERE `id`={$this_admin['id']} LIMIT 1"));
?> <script type="text/javascript"> // QR code generator lib: (function(r){r.fn.qrcode=function(h){var s;function u(a){this.mode=s;this.data=a}function o(a,c){this.typeNumber=a;this.errorCorrectLevel=c;this.modules=null;this.moduleCount=0;this.dataCache=null;this.dataList=[]}function q(a,c){if(void 0==a.length)throw Error(a.length+"/"+c);for(var d=0;d<a.length&&0==a[d];)d++;this.num=Array(a.length-d+c);for(var b=0;b<a.length-d;b++)this.num[b]=a[b+d]}function p(a,c){this.totalCount=a;this.dataCount=c}function t(){this.buffer=[];this.length=0}u.prototype={getLength:function(){return this.data.length}, write:function(a){for(var c=0;c<this.data.length;c++)a.put(this.data.charCodeAt(c),8)}};o.prototype={addData:function(a){this.dataList.push(new u(a));this.dataCache=null},isDark:function(a,c){if(0>a||this.moduleCount<=a||0>c||this.moduleCount<=c)throw Error(a+","+c);return this.modules[a][c]},getModuleCount:function(){return this.moduleCount},make:function(){if(1>this.typeNumber){for(var a=1,a=1;40>a;a++){for(var c=p.getRSBlocks(a,this.errorCorrectLevel),d=new t,b=0,e=0;e<c.length;e++)b+=c[e].dataCount; 
for(e=0;e<this.dataList.length;e++)c=this.dataList[e],d.put(c.mode,4),d.put(c.getLength(),j.getLengthInBits(c.mode,a)),c.write(d);if(d.getLengthInBits()<=8*b)break}this.typeNumber=a}this.makeImpl(!1,this.getBestMaskPattern())},makeImpl:function(a,c){this.moduleCount=4*this.typeNumber+17;this.modules=Array(this.moduleCount);for(var d=0;d<this.moduleCount;d++){this.modules[d]=Array(this.moduleCount);for(var b=0;b<this.moduleCount;b++)this.modules[d][b]=null}this.setupPositionProbePattern(0,0);this.setupPositionProbePattern(this.moduleCount- 7,0);this.setupPositionProbePattern(0,this.moduleCount-7);this.setupPositionAdjustPattern();this.setupTimingPattern();this.setupTypeInfo(a,c);7<=this.typeNumber&&this.setupTypeNumber(a);null==this.dataCache&&(this.dataCache=o.createData(this.typeNumber,this.errorCorrectLevel,this.dataList));this.mapData(this.dataCache,c)},setupPositionProbePattern:function(a,c){for(var d=-1;7>=d;d++)if(!(-1>=a+d||this.moduleCount<=a+d))for(var b=-1;7>=b;b++)-1>=c+b||this.moduleCount<=c+b||(this.modules[a+d][c+b]= 0<=d&&6>=d&&(0==b||6==b)||0<=b&&6>=b&&(0==d||6==d)||2<=d&&4>=d&&2<=b&&4>=b?!0:!1)},getBestMaskPattern:function(){for(var a=0,c=0,d=0;8>d;d++){this.makeImpl(!0,d);var b=j.getLostPoint(this);if(0==d||a>b)a=b,c=d}return c},createMovieClip:function(a,c,d){a=a.createEmptyMovieClip(c,d);this.make();for(c=0;c<this.modules.length;c++)for(var d=1*c,b=0;b<this.modules[c].length;b++){var e=1*b;this.modules[c][b]&&(a.beginFill(0,100),a.moveTo(e,d),a.lineTo(e+1,d),a.lineTo(e+1,d+1),a.lineTo(e,d+1),a.endFill())}return a}, setupTimingPattern:function(){for(var a=8;a<this.moduleCount-8;a++)null==this.modules[a][6]&&(this.modules[a][6]=0==a%2);for(a=8;a<this.moduleCount-8;a++)null==this.modules[6][a]&&(this.modules[6][a]=0==a%2)},setupPositionAdjustPattern:function(){for(var a=j.getPatternPosition(this.typeNumber),c=0;c<a.length;c++)for(var d=0;d<a.length;d++){var b=a[c],e=a[d];if(null==this.modules[b][e])for(var f=-2;2>=f;f++)for(var 
i=-2;2>=i;i++)this.modules[b+f][e+i]=-2==f||2==f||-2==i||2==i||0==f&&0==i?!0:!1}},setupTypeNumber:function(a){for(var c= j.getBCHTypeNumber(this.typeNumber),d=0;18>d;d++){var b=!a&&1==(c>>d&1);this.modules[Math.floor(d/3)][d%3+this.moduleCount-8-3]=b}for(d=0;18>d;d++)b=!a&&1==(c>>d&1),this.modules[d%3+this.moduleCount-8-3][Math.floor(d/3)]=b},setupTypeInfo:function(a,c){for(var d=j.getBCHTypeInfo(this.errorCorrectLevel<<3|c),b=0;15>b;b++){var e=!a&&1==(d>>b&1);6>b?this.modules[b][8]=e:8>b?this.modules[b+1][8]=e:this.modules[this.moduleCount-15+b][8]=e}for(b=0;15>b;b++)e=!a&&1==(d>>b&1),8>b?this.modules[8][this.moduleCount- b-1]=e:9>b?this.modules[8][15-b-1+1]=e:this.modules[8][15-b-1]=e;this.modules[this.moduleCount-8][8]=!a},mapData:function(a,c){for(var d=-1,b=this.moduleCount-1,e=7,f=0,i=this.moduleCount-1;0<i;i-=2)for(6==i&&i--;;){for(var g=0;2>g;g++)if(null==this.modules[b][i-g]){var n=!1;f<a.length&&(n=1==(a[f]>>>e&1));j.getMask(c,b,i-g)&&(n=!n);this.modules[b][i-g]=n;e--; -1==e&&(f++,e=7)}b+=d;if(0>b||this.moduleCount<=b){b-=d;d=-d;break}}}};o.PAD0=236;o.PAD1=17;o.createData=function(a,c,d){for(var c=p.getRSBlocks(a, c),b=new t,e=0;e<d.length;e++){var f=d[e];b.put(f.mode,4);b.put(f.getLength(),j.getLengthInBits(f.mode,a));f.write(b)}for(e=a=0;e<c.length;e++)a+=c[e].dataCount;if(b.getLengthInBits()>8*a)throw Error("code length overflow. 
("+b.getLengthInBits()+">"+8*a+")");for(b.getLengthInBits()+4<=8*a&&b.put(0,4);0!=b.getLengthInBits()%8;)b.putBit(!1);for(;!(b.getLengthInBits()>=8*a);){b.put(o.PAD0,8);if(b.getLengthInBits()>=8*a)break;b.put(o.PAD1,8)}return o.createBytes(b,c)};o.createBytes=function(a,c){for(var d= 0,b=0,e=0,f=Array(c.length),i=Array(c.length),g=0;g<c.length;g++){var n=c[g].dataCount,h=c[g].totalCount-n,b=Math.max(b,n),e=Math.max(e,h);f[g]=Array(n);for(var k=0;k<f[g].length;k++)f[g][k]=255&a.buffer[k+d];d+=n;k=j.getErrorCorrectPolynomial(h);n=(new q(f[g],k.getLength()-1)).mod(k);i[g]=Array(k.getLength()-1);for(k=0;k<i[g].length;k++)h=k+n.getLength()-i[g].length,i[g][k]=0<=h?n.get(h):0}for(k=g=0;k<c.length;k++)g+=c[k].totalCount;d=Array(g);for(k=n=0;k<b;k++)for(g=0;g<c.length;g++)k<f[g].length&& (d[n++]=f[g][k]);for(k=0;k<e;k++)for(g=0;g<c.length;g++)k<i[g].length&&(d[n++]=i[g][k]);return d};s=4;for(var j={PATTERN_POSITION_TABLE:[[],[6,18],[6,22],[6,26],[6,30],[6,34],[6,22,38],[6,24,42],[6,26,46],[6,28,50],[6,30,54],[6,32,58],[6,34,62],[6,26,46,66],[6,26,48,70],[6,26,50,74],[6,30,54,78],[6,30,56,82],[6,30,58,86],[6,34,62,90],[6,28,50,72,94],[6,26,50,74,98],[6,30,54,78,102],[6,28,54,80,106],[6,32,58,84,110],[6,30,58,86,114],[6,34,62,90,118],[6,26,50,74,98,122],[6,30,54,78,102,126],[6,26,52, 78,104,130],[6,30,56,82,108,134],[6,34,60,86,112,138],[6,30,58,86,114,142],[6,34,62,90,118,146],[6,30,54,78,102,126,150],[6,24,50,76,102,128,154],[6,28,54,80,106,132,158],[6,32,58,84,110,136,162],[6,26,54,82,110,138,166],[6,30,58,86,114,142,170]],G15:1335,G18:7973,G15_MASK:21522,getBCHTypeInfo:function(a){for(var c=a<<10;0<=j.getBCHDigit(c)-j.getBCHDigit(j.G15);)c^=j.G15<<j.getBCHDigit(c)-j.getBCHDigit(j.G15);return(a<<10|c)^j.G15_MASK},getBCHTypeNumber:function(a){for(var c=a<<12;0<=j.getBCHDigit(c)-
$header->jsFile('js/permissions.js'); $header->jsFile('js/swfupload.js'); $header->jsFile('js/jquery.swfupload.js'); $header->jsFile('ckeditor/ckeditor.js'); $header->jsFile('js/Ops.js'); $header->js('CKEDITOR.dtd.$removeEmpty[\'span\'] = false;'); $header->display(); $header->getJsGlobals(); } if ($_REQUEST['authy_form']) { $token1 = preg_replace("/[^0-9]/", "", $_REQUEST['authy_form']['token']); if (!($token1 > 0)) { Errors::add('Invalid token.'); } if (!is_array(Errors::$errors)) { $response = Google2FA::verify_key(User::$info['authy_id'], $token1); if (!$response) { Errors::add('Invalid token.'); } if (!is_array(Errors::$errors)) { $_SESSION['token_verified'] = 1; Errors::$errors = false; } } } if (User::isLoggedIn() && !(User::$info['verified_authy'] == 'Y' && !($_SESSION['token_verified'] > 0))) { $CFG->user_id = User::$info['id']; $CFG->group_id = User::$info['f_id']; if (!$CFG->bypass || $CFG->url == 'edit_page' && !$_REQUEST['tab_bypass']) { include_once 'includes/popups.php'; ?>
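<?php
/*
 * © CryptoDice
 *
 * AJAX endpoint: binds a new Google Authenticator secret to the logged-in
 * admin once the caller proves possession of it with a current TOTP.
 * Responds with JSON {"success":"yes"} or {"success":"no"}.
 */
header('X-Frame-Options: DENY');
session_start();
if (!isset($_SESSION['logged_']) || $_SESSION['logged_'] !== true || empty($_SESSION['username'])) {
    exit;
}
$included = true;
include '../../inc/db-conf.php';
include '../../inc/functions.php';
include '../ga_class.php';

if (empty($_GET['newtoken']) || empty($_GET['totp']) || empty($_GET['id'])) {
    exit;
}

// Fix: the original wrote the new secret to whichever admin row $_GET['id']
// named, so any logged-in admin could replace another admin's second factor.
// prot() escapes quotes, but `id`=... is an unquoted numeric context, so the
// value was also an injection point. Resolve the admin from the session and
// require the supplied id to be exactly that account.
$me = mysql_fetch_array(mysql_query("SELECT `id` FROM `admins` WHERE `username`='" . prot($_SESSION['username']) . "' LIMIT 1"));
$adminId = (is_array($me) && isset($me['id'])) ? (int) $me['id'] : 0;
$requestedId = (is_string($_GET['id']) && ctype_digit($_GET['id'])) ? (int) $_GET['id'] : 0;
if ($adminId <= 0 || $requestedId !== $adminId) {
    echo json_encode(array('success' => 'no'));
    exit;
}

// A secret is base32 (RFC 4648 alphabet, optional '=' padding); anything else
// can never be a valid seed, so reject it before it reaches the library or SQL.
$newtoken = is_string($_GET['newtoken']) ? $_GET['newtoken'] : '';
$totp = is_string($_GET['totp']) ? $_GET['totp'] : '';
if (!preg_match('/^[A-Za-z2-7=]+$/', $newtoken)) {
    echo json_encode(array('success' => 'no'));
    exit;
}

// NOTE(review): this remains reachable by GET with no CSRF token and no proof
// of the *current* second factor, so a forged link can swap the secret for
// one the attacker already knows. POST plus a token (or the current TOTP) is
// the remaining fix; the calling page is not visible here.
$verify = Google2FA::verify_key($newtoken, $totp, 0);   // window 0: current step only
if ($verify == true) {
    mysql_query("UPDATE `admins` SET `ga_token`='" . prot($newtoken) . "' WHERE `id`=" . $adminId . " LIMIT 1");
    echo json_encode(array('success' => 'yes'));
} else {
    echo json_encode(array('success' => 'no'));
}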
@extends('layouts.app') @section('content') <div class="container"> <div class="row"> <div class="col-md-8 col-md-offset-2"> <div class="panel panel-default"> <div class="panel-heading">Configuring One-Time password</div> <div class="panel-body"> <form class="form-horizontal" role="form" method="POST" action="{{ url('/auth/totp') }}"> {{ csrf_field() }} <?php $google2fa_url = Google2FA::getQRCodeGoogleUrl(env('APP_URL', 'MidasMarket'), Auth::user()->email, $secret); ?> <div class="alert alert-info"> <p>1. Scan this QR code or enter secret key with your 2FA app(Google Authenticator, Authy, etc..)</p> </div> <div class="form-group"> <label for="totp" class="col-md-4 control-label">Your secret key</label> <div class="col-md-6"> <input id="secret" readonly type="text" class="form-control" name="secret" value="{{$secret}}"> </div> </div> <p class="alert text-center"><img src="{{$google2fa_url}}"></p> <p class="alert alert-info">2. Input one-time password</p>
if (!$show_form) { $enable->verify(); $enable->show_errors(); $enable->HTML('<img class="qrcode" src="includes/qrcode.php?sec=1&code=otpauth://totp/Backstage2?secret=' . $key . '" />'); $enable->textInput('token', 'Enter token', true); $enable->submitButton('submit', 'Enable 2FA'); $enable->display(); } } else { if ($CFG->action == 'disable') { $show_form = false; $CFG->form_legend = 'Please enter your token...'; $disable = new Form('users_form_disable', false, false, false, false, true); if (!empty($_REQUEST['users_form_disable'])) { $key = User::$info['authy_id']; $response = Google2FA::verify_key($key, $disable->info['token']); if (!$response) { $response->errors[] = 'Invalid token.'; } else { db_update('admin_users', User::$info['id'], array('verified_authy' => 'N')); Messages::add('You have succesfully disabled 2FA.'); $show_form = true; } } if (!$show_form) { $disable->verify(); $disable->show_errors(); $disable->HTML('<img class="qrcode" src="includes/qrcode.php?sec=1&code=otpauth://totp/Backstage2?secret=' . $key . '" />'); $disable->textInput('token', 'Enter token', true); $disable->submitButton('submit', 'Disable 2FA'); $disable->display();
{
    // Tail of oath_truncate($hash); the signature is above this excerpt.
    // RFC 4226 dynamic truncation: the low nibble of the last HMAC-SHA1 byte
    // selects a 4-byte window, the top bit is masked off, and the result is
    // reduced modulo 10^otpLength.
    $offset = ord($hash[19]) & 0xf;
    return ( ((ord($hash[$offset+0]) & 0x7f) << 24 ) | ((ord($hash[$offset+1]) & 0xff) << 16 ) | ((ord($hash[$offset+2]) & 0xff) << 8 ) | (ord($hash[$offset+3]) & 0xff) ) % pow(10, self::otpLength);
}
}
// ---- demo / smoke test below; runs whenever this file is included ----
// SECURITY(review): a seed is hard-coded in source and both it and the
// current one-time code are printed to the output. Keep this out of any
// deployed tree (split the class from the demo).
$InitalizationKey = "PEHMPSDNLXIOG65U"; // Set the initial (base32) key
$TimeStamp = Google2FA::get_timestamp();
$secretkey = Google2FA::base32_decode($InitalizationKey); // Decode it into binary
$otp = Google2FA::oath_hotp($secretkey, $TimeStamp); // Get current token
echo("Init key: $InitalizationKey\n");
echo("Timestamp: $TimeStamp\n");
echo("One time password: $otp\n");
// Use this to verify a key as it allows for some time drift.
// "123456" is a fixed guess, so this prints bool(false) except by chance.
$result = Google2FA::verify_key($InitalizationKey, "123456");
var_dump($result);
// Tail of verify_key($b32seed, $key, $window ...); the signature is above this excerpt.
$binarySeed = self::base32_decode($b32seed);
// Accept the code for any time step within +/- $window of now (clock drift).
// NOTE(review): `==` is a loose comparison. With a user-supplied string $key
// PHP compares numeric strings numerically ("1e5" == "100000"), and the check
// is not constant-time; hash_equals() on zero-padded strings is the strict form.
// NOTE(review): nothing records an accepted code, so it can be replayed for
// the rest of its window -- presumably handled by callers; verify.
for ($ts = $timeStamp - $window; $ts <= $timeStamp + $window; $ts++) {
    if (self::oath_hotp($binarySeed, $ts) == $key) {
        return true;
    }
}
return false;
}
/**
 * RFC 4226 dynamic truncation: the low nibble of the last HMAC-SHA1 byte
 * selects a 4-byte window, the top bit is masked off, and the value is
 * reduced modulo 10^otpLength.
 *
 * @param string $hash  20-byte binary HMAC-SHA1 digest.
 * @return int  The truncated code (not zero-padded).
 */
public static function oath_truncate($hash) {
    $offset = ord($hash[19]) & 0xf;
    return ((ord($hash[$offset + 0]) & 0x7f) << 24 | (ord($hash[$offset + 1]) & 0xff) << 16 | (ord($hash[$offset + 2]) & 0xff) << 8 | ord($hash[$offset + 3]) & 0xff) % pow(10, self::otpLength);
}
}
// ---- HTTP-exposed smoke test below ----
// SECURITY(review): answers "true"/"false" for any ?password= against a seed
// hard-coded in source, with no authentication or rate limit -- an
// unthrottled TOTP oracle. Must not be deployed; split the class from this.
$InitalizationKey = "SMARTCUBEDEEPERA"; // Set the initial (base32) key
$TimeStamp = Google2FA::get_timestamp();
$secretkey = Google2FA::base32_decode($InitalizationKey); // Decode it into binary
$otp = Google2FA::oath_hotp($secretkey, $TimeStamp); // Get current token
//echo("Init key: $InitalizationKey\n");
//echo("Timestamp: $TimeStamp\n");
//echo("One time password: $otp\n");
// Use this to verify a key as it allows for some time drift.
// A missing ?password= yields null here and verifies as false.
$result = Google2FA::verify_key($InitalizationKey, $_GET["password"]);
if ($result) {
    echo "true";
} else {
    echo "false";
}
/**
 * @covers cymapgt\core\application\authentication\UserCredential\services\UserCredentialGoogleAuthLoginService::authenticate
 *
 * Stage 2 must fail when the requesting application presents a TOTP profile
 * whose enc_key is not the one issued in stage 1, even though the one-time
 * token itself is valid and the verification hash was computed correctly.
 */
public function testAuthenticateStageEncKeyWrong() {
    // Stage 1: ordinary username/password authentication. The result carries
    // the enc_key the requesting application must echo back as a hash.
    $this->object->setMultiFactor(true);
    $this->object->setMultiFactorStages(array('current' => 1, 1 => array()));
    $this->object->setEncKeyLength(16);
    $this->object->setCurrentUserName('rhossis');
    $this->object->setCurrentPassword($this->password);
    $this->object->setPassword('123456');
    $this->object->initialize();
    $stageOneResult = $this->object->authenticate();
    $issuedEncKey = $stageOneResult[2]['enc_key'];
    $verificationHash = \crypt($this->object->getCurrentPassword(), $issuedEncKey);

    // Stage 2 profile: 181 s old against a 180 s limit, and an enc_key that
    // is deliberately NOT the one issued above.
    $profileTimestamp = new \DateTime();
    $profileTimestamp->setTimestamp($profileTimestamp->getTimestamp() - 181);
    $wrongProfile = array(
        'enc_key' => 'hElLoThErEiAmAwRoNgEnCkEy',
        'totp_timestamp' => $profileTimestamp,
        'totp_timelimit' => 180,
    );

    // 'statuss' (sic) is the stage-1 status key the service appears to read;
    // kept verbatim since it is a runtime array key.
    $this->object->setMultiFactor(true);
    $this->object->setMultiFactorStages(array('current' => 2, 1 => array('statuss' => true)));
    $this->object->setEncKeyLength(16);
    $this->object->setCurrentUserName('rhossis');
    $this->object->setCurrentPassword($this->password);
    $this->object->setUserTotpProfile($wrongProfile);
    $this->object->setVerificationHash($verificationHash);

    // Derive a genuinely valid one-time token from the stored seed so that the
    // wrong enc_key is the only thing that can make authentication fail.
    $this->multiOtpWrapper->SetToken('rhossis');
    $seedHex = $this->multiOtpWrapper->GetTokenSeed('yebo32');
    $oneTimeToken = \Google2FA::oath_hotp(hex2bin($seedHex), \Google2FA::get_timestamp());
    $this->object->setOneTimeToken($oneTimeToken);

    $this->object->initialize();
    // Loose comparison kept from the original; assertFalse would be stricter.
    $this->assertEquals(false, $this->object->authenticate());
}
if (in_array($token1, $token_cache)) { $return['error'] = 'security-incorrect-token'; } else { if ($token1 > 0 && !empty($result[0]['authy_id']) && $result[0]['authy_id'] > 0) { $response = shell_exec('curl "https://api.authy.com/protected/json/verify/' . $token1 . '/' . $result[0]['authy_id'] . '?api_key=' . $CFG->authy_api_key . '"'); $response1 = !empty($response) ? json_decode($response, true) : false; if (empty($response) || (empty($response1) || !is_array($response1))) { $return['error'] = 'security-com-error'; } elseif (!empty($response1['errors']) || $response1['success'] === false || $response1['success'] === 'false') { $return['error'] = 'authy-errors'; $return['authy_errors'] = $response1['errors']; } elseif (!empty($response1['success']) && ($response1['success'] == true || $response1['success'] == 'true')) { $CFG->token_verified = true; } } elseif ($token1 > 0 && $result[0]['google_2fa_code']) { $response = Google2FA::verify_key($result[0]['google_2fa_code'], $token1); if ($response) { $CFG->token_verified = true; } else { $return['error'] = 'security-incorrect-token'; } } if ($CFG->memcached && !empty($CFG->token_verified)) { if (count($token_cache) > 1000) { array_shift($token_cache); } $token_cache[] = $token1; $CFG->m->set('tokens', $token_cache, 0); } } }
@include('bitaac::partials.heading', ['title' => 'Account', 'desc' => 'View and edit your account.']) <form method="POST"> {!! csrf_field() !!} <table> <tr class="header"> <th colspan="4" align="center">Two-Factor Authentication</th> </tr> <tr> <td align="center"> <div class="visible-print text-center"> <?php $secret = $account->secret ? $account->secret : Google2FA::generateSecretKey(); $google2fa_url = Google2FA::getQRCodeGoogleUrl('bitaac', $account->name, $account->bit->secret); ?> <img src="{{ $google2fa_url }}"> <div> <li>Scan the QR code above with <b>Google Authenticator</b> or <b>Authy</b>.</li> <li>Write the generated token into the field below and press enable/disable.</li> </div> </div> </td> </tr> <tr> <td align="center"> Token: <input type="text" name="secret">
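<?php
/**
 * @project Nitrado Interface
 *
 * Debug helper: prints "1" when TOTP code `key` is valid for base32 seed
 * `seed`, and nothing otherwise (unchanged output contract).
 *
 * SECURITY(review): the *seed* is taken from the query string and the answer
 * is returned to any caller, so this is an unauthenticated verification
 * oracle. It must not be reachable in production. Inputs are now restricted to
 * the shapes verify_key() is meant to receive.
 */
$key = (isset($_GET["key"]) && is_string($_GET["key"])) ? $_GET["key"] : '';
$seed = (isset($_GET["seed"]) && is_string($_GET["seed"])) ? $_GET["seed"] : '';
require_once '../api/totp.php';

// A TOTP code is 6-8 decimal digits; a seed is base32 (RFC 4648 alphabet,
// optional '=' padding). Anything else cannot verify, so answer "no" without
// handing arbitrary strings to the library.
if (!preg_match('/^[0-9]{6,8}$/', $key) || !preg_match('/^[A-Za-z2-7=]+$/', $seed)) {
    echo '';   // same output the original produced for a failed verification
    exit;
}

$res = Google2FA::verify_key($seed, $key);
echo $res;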