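/**
 * Verify a posted hash against the HMAC of the stored signature, keyed with the OTP.
 *
 * Reads $data['hash'] (the signature) and $data['otp'] (the HMAC key), computes
 * the HMAC through hitunghmacdata() and compares it with $postedhash through
 * hash_compare(). Both helpers are defined outside this function.
 *
 * @param array  $data       Must contain 'hash' and a non-empty 'otp'.
 * @param string $postedhash Hash submitted by the client.
 * @return int 1 when hash_compare() accepts the pair, 0 otherwise (including
 *             when 'hash' or 'otp' is missing, non-scalar, or the OTP is empty).
 */
function proseswebhash($data, $postedhash)
{
    // Fail closed when the signature or the OTP is absent. With an empty key the
    // HMAC no longer depends on a secret, so anyone who knows the signature could
    // compute a matching value.
    if (
        !isset($data['hash'], $data['otp'])
        || !is_scalar($data['hash'])
        || !is_scalar($data['otp'])
        || (string) $data['otp'] === ''
    ) {
        return 0;
    }

    $signature = $data['hash'];
    $OTP = $data['otp'];

    // Compute the HMAC with the OTP as the key.
    $hmacresult = hitunghmacdata($signature, $OTP);

    // NOTE(review): hash_compare() is a project helper, not a PHP built-in;
    // confirm it is a constant-time comparison (PHP's built-in is hash_equals()).
    return hash_compare($hmacresult, $postedhash) ? 1 : 0;
}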
<?php
// Login endpoint: looks up the posted user name, compares a keyed hash of the
// posted password with the stored value, opens a session on success and
// answers with JSON.
//
// NOTE(review): the mysql_* extension used below was removed in PHP 7.0; a port
// should use mysqli or PDO with prepared statements instead of escaping.
include "conexion.php";
$usuario = mysql_real_escape_string($_POST['usuario']);
// NOTE(review): the password is SQL-escaped although it never reaches a query;
// escaping changes the bytes that get hashed (quotes and backslashes gain a
// backslash), so stored hashes only match if they were produced the same way.
$pswd = mysql_real_escape_string($_POST['password']);
$answer = array();
$sel = mysql_query("SELECT * FROM usuarios WHERE Usuario_usu='{$usuario}' ");
// Operator precedence: `!=` binds tighter than `=`, so $resp receives the
// boolean result of the row-count test. It is overwritten with the row below.
// NOTE(review): $sel is not checked for false (query failure) before use.
if ($resp = mysql_num_rows($sel) != 0) {
    $resp = mysql_fetch_array($sel);
    $pass = $resp['Pass_usu'];
    // NOTE(review): the HMAC key is hard-coded in source, and the stored value is
    // a single fast HMAC-SHA512 with no per-user salt. password_hash() /
    // password_verify() are the purpose-built alternative; changing this requires
    // a migration of the stored values.
    $secret = "orius2015";
    $clavex = hash_hmac("sha512", $pswd, $secret);
    if (hash_compare($clavex, $pass)) {
        // NOTE(review): the session id is not regenerated after authentication
        // (no session_regenerate_id(true)), which leaves session fixation open.
        session_start();
        $_SESSION['usulog'] = $resp['Usuario_usu'];
        $_SESSION['tipousu'] = $resp['Tipo_usu'];
        $answer['redirec'] = 'adminhome';
    } else {
        // Failure replaces the array with a bare string, so the JSON shape differs
        // between success (object) and failure (string).
        $answer = 'error';
    }
} else {
    // Unknown user and wrong password produce the same response.
    $answer = 'error';
}
echo json_encode($answer);
// String comparison helper used above; the definition is cut off in this excerpt,
// so only the type and length checks are visible.
function hash_compare($a, $b) {
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    $len = strlen($a);
    if ($len !== strlen($b)) {
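/**
 * Perform timing attack safe string comparison of tokens.
 *
 * Uses PHP's built-in hash_equals() when it is available and otherwise falls
 * back to an XOR accumulation over every byte, so the running time does not
 * depend on where the first differing byte is.
 *
 * Two empty strings still compare as equal; callers must make sure the known
 * token is non-empty before relying on the result.
 *
 * @link http://blog.ircmaxell.com/2014/11/its-all-about-time.html
 * @param string $token Known token.
 * @param string $clientToken Token supplied by the client.
 * @return bool True only when both arguments are strings with identical bytes.
 */
protected function compare($token, $clientToken)
{
    // Fail closed on non-strings. Without this, a missing token on both sides
    // (null, null) has length 0 twice, skips the loop and compares as equal.
    if (!is_string($token) || !is_string($clientToken)) {
        return false;
    }

    // hash_equals() is the built-in constant-time comparison (PHP 5.6+). The
    // previous check looked for hash_compare, which is not a PHP built-in, so the
    // native path was only taken if the project happened to define that name.
    if (function_exists('hash_equals')) {
        return hash_equals($token, $clientToken);
    }

    $tokenLength = strlen($token);
    if (strlen($clientToken) !== $tokenLength) {
        return false;
    }

    // OR together the XOR of each byte pair; any difference leaves a non-zero bit.
    $result = 0;
    for ($i = 0; $i < $tokenLength; $i++) {
        $result |= ord($token[$i]) ^ ord($clientToken[$i]);
    }

    return $result === 0;
}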
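/**
 * Check whether a password is valid.
 *
 * An 'alias' login (an email alias, forlife@domain) is first resolved to a uid
 * through the studies/formations tables; the account row is then looked up by
 * the column named in $login_type and its password is compared with $response.
 *
 * @param string $login      Login value: a uid, an hruid or an email alias.
 * @param string $response   Value compared with account.password.
 * @param string $login_type One of 'uid', 'alias', 'hruid'.
 * @return mixed The account uid on success, null on failure (an error is
 *               triggered on the page in that case).
 */
private function checkPassword($login, $response, $login_type = 'uid')
{
    if ($login_type === 'alias') {
        // array_pad keeps $domain defined (null) when the login has no '@'.
        list($forlife, $domain) = array_pad(explode('@', $login, 2), 2, null);
        // NOTE(review): the domain condition sits in the ON clause of a LEFT JOIN,
        // so it does not filter rows; only s.forlife does. Confirm whether an
        // INNER JOIN was intended.
        $res = XDB::query('SELECT s.uid FROM studies AS s LEFT JOIN formations AS f ON (f.formation_id = s.formation_id AND f.domain = {?}) WHERE s.forlife = {?}', $domain, $forlife);
        $login = $res->fetchOneCell();
        $login_type = 'uid';
    }

    // $login_type is interpolated into the SQL text as a column name, so it is
    // restricted to the documented columns before the query is built.
    if (!in_array($login_type, array('uid', 'hruid'), true)) {
        Platal::page()->trigError('Mot de passe ou nom d\'utilisateur invalide');
        return null;
    }

    $res = XDB::query("SELECT uid, password, hruid\n FROM account\n WHERE {$login_type} = {?} AND state = 'active'", $login);
    if (list($uid, $password, $hruid) = $res->fetchOneRow()) {
        // NOTE(review): this branch is the failure path (it logs 'auth_fail'), so
        // it is only correct if hash_compare() returns a truthy value on MISMATCH.
        // hash_compare() is defined outside this excerpt; if it returns true on a
        // match, this condition is inverted and must be negated.
        // NOTE(review): account.password is compared directly with $response, so
        // whatever the client submits is equivalent to the stored value; confirm
        // how $response is derived.
        if (hash_compare($password, $response)) {
            if (!S::logged()) {
                Platal::page()->trigError('Mot de passe ou nom d\'utilisateur invalide');
            } else {
                Platal::page()->trigError('Mot de passe invalide');
            }
            S::logger($uid)->log('auth_fail', 'bad password');
            return null;
        }
        return $uid;
    }

    Platal::page()->trigError('Mot de passe ou nom d\'utilisateur invalide');
    return null;
}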