
commit 9107a9928b991fdd11429813d9550a86bc52c6b0
parent c6d5fc0d2056e85645cfa2a331e7b094276e10d8
Author: dankert <openrat@jandankert.de>
Date:   Fri, 15 Apr 2022 20:45:19 +0200

Refactoring: Code cleanup.

Diffstat:
Mmodules/cms/action/login/LoginPasswordcodeAction.class.php | 2+-
Mmodules/cms/action/user/UserPwAction.class.php | 9+++++++--
Mmodules/cms/auth/InternalAuth.class.php | 4++--
Mmodules/cms/model/User.class.php | 80+++----------------------------------------------------------------------------
Mmodules/security/Password.class.php | 50++++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 63 insertions(+), 82 deletions(-)

diff --git a/modules/cms/action/login/LoginPasswordcodeAction.class.php b/modules/cms/action/login/LoginPasswordcodeAction.class.php
@@ -27,7 +27,7 @@ class LoginPasswordcodeAction extends LoginAction implements Method { if ( $user && $user->isValid() ) {
- $newPw = $user->createPassword(); // Neues Kennwort erzeugen.
+ $newPw = Password::createPassword(); // Neues Kennwort erzeugen.
 $eMail = new Mail($user->mail, Messages::MAIL_SUBJECT_PASSWORD_NEW,Messages::MAIL_TEXT_PASSWORD_NEW);
 $eMail->setVar('name' ,$user->getName());
diff --git a/modules/cms/action/user/UserPwAction.class.php b/modules/cms/action/user/UserPwAction.class.php
@@ -5,7 +5,9 @@ use cms\action\UserAction;
 use cms\base\Configuration;
 use cms\model\User;
 use language\Messages;
+use security\Password;
 use util\exception\ValidationException;
+use util\mail\Mail;
 class UserPwAction extends UserAction implements Method {
@@ -14,7 +16,7 @@ class UserPwAction extends UserAction implements Method { $this->setTemplateVar('enabled',$this->user->type == User::AUTH_TYPE_INTERNAL );
 $this->setTemplateVar('mail' ,(boolean) $this->user->mail );
- $this->setTemplateVar('password_proposal', $this->user->createPassword() );
+ $this->setTemplateVar('password_proposal', Password::createPassword() );
 }
@@ -34,7 +36,10 @@ class UserPwAction extends UserAction implements Method { $this->user->mail && // user has an e-mail.
 Configuration::subset('mail')->is('enabled',true) ) {
- $this->mailPw( $password );
+ $eMail = new Mail($this->user->mail, Messages::MAIL_SUBJECT_PASSWORD_NEW,Messages::MAIL_TEXT_PASSWORD_NEW);
+ $eMail->setVar('name' ,$this->user->getName());
+ $eMail->setVar('password',$password );
+ $eMail->send();
 $this->addNoticeFor( $this->user, Messages::MAIL_SENT);
 }
diff --git a/modules/cms/auth/InternalAuth.class.php b/modules/cms/auth/InternalAuth.class.php
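Review bot: The added line calls `Password::createPassword()` through the unqualified name `Password`, and the diffstat shows no other change to this file, so unless the file already carries `use security\Password;` the name resolves inside the file's own namespace and the password-code path fails with a class-not-found error at runtime. Either confirm the existing imports or add `use security\Password;` beside the other `use` lines, as this commit does for UserPwAction. The enclosing method starts and ends outside the hunk.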
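Review bot: The four added lines construct and send the password mail inline, which duplicates the identical `new Mail(...)`, `setVar('name', …)` and `setVar('password', …)` sequence in LoginPasswordcodeAction from this same commit, so a change to the template or its variables now has to be made in two places. A small shared helper that takes the user and the password (for instance a static factory on `Mail`, or a method on the user model) would keep a single copy. The diffstat for this file shows only the two removed lines visible in the hunks, so if `mailPw()` was defined in this class rather than inherited from UserAction it is now unused and can be dropped. The enclosing method starts and ends outside the hunk.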
@@ -41,7 +41,7 @@ SQL
 // Benutzer ist nicht vorhanden.
 // Trotzdem das Kennwort hashen, um Timingattacken zu verhindern.
- $unusedHash = Password::hash(User::pepperPassword($password), Password::bestAlgoAvailable());
+ $unusedHash = Password::hash(Password::pepperPassword($password), Password::bestAlgoAvailable());
 if ( DEVELOPMENT ) Logger::debug('user not found');
 return Auth::STATUS_FAILED ;
@@ -55,7 +55,7 @@ SQL
 } // Pruefen ob Kennwort mit Datenbank uebereinstimmt.
- if (!Password::check(User::pepperPassword($password), $row_user['password_hash'], $row_user['password_algo'])) {
+ if (!Password::check(Password::pepperPassword($password), $row_user['password_hash'], $row_user['password_algo'])) {
 // Password does NOT match.
 // Increase password fail counter
diff --git a/modules/cms/model/User.class.php b/modules/cms/model/User.class.php
@@ -757,7 +757,7 @@ SQL
 // Hashsumme für Kennwort erzeugen
 $sql->setIntOrNull('expires',$expire);
 $sql->setInt ('algo' ,$algo );
- $sql->setString('password',Password::hash(User::pepperPassword($password),$algo) );
+ $sql->setString('password',Password::hash(Password::pepperPassword($password),$algo) );
 $sql->setInt ('userid' ,$this->userid );
 $sql->execute(); // Updating the password
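Review bot: The dummy hash on the added line is computed with `Password::bestAlgoAvailable()`, while the real verification in the second hunk of this file checks against the stored `$row_user['password_algo']`; if some accounts still carry hashes produced by an older or cheaper algorithm, the unknown-user path and the known-user path take different amounts of time and the equalisation the comment promises only holds for accounts hashed with the current best algorithm. Worth either hashing with the algorithm the deployment actually stores or recording the assumption next to the line, e.g. `// only equalises timing for users stored with bestAlgoAvailable()`. The enclosing method starts and ends outside the hunk.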
@@ -1036,55 +1036,11 @@ SQL
 $row_user = $sql->getRow(); // Pruefen ob Kennwort mit Datenbank uebereinstimmt.
- return Password::check(User::pepperPassword($password),$row_user['password_hash'],$row_user['password_algo']);
+ return Password::check(Password::pepperPassword($password),$row_user['password_hash'],$row_user['password_algo']);
 }
-
- /**
- * Erzeugt ein aussprechbares Kennwort.
- *
- * Inspired by http://www.phpbuilder.com/annotate/message.php3?id=1014451
- *
- * @return String Zuf�lliges Kennwort
- */
- public function createPassword()
- {
- $passwordConfig = Configuration::subset('security')->subset('password');
-
- $pw = '';
- $c = 'bcdfghjklmnprstvwz'; // consonants except hard to speak ones
- $v = 'aeiou'; // vowels
- $a = $c.$v.'123456789'; // both (plus numbers except zero)
- //use two syllables...
- for ( $i=0; $i < intval($passwordConfig->get('generated_length',16))/3; $i++ )
- {
- $pw .= $c[rand(0, strlen($c)-1)];
- $pw .= $v[rand(0, strlen($v)-1)];
- $pw .= $a[rand(0, strlen($a)-1)];
- }
-
- return $pw;
- }
-
-
- /**
- * Pepper the password.
- *
- * Siehe http://de.wikipedia.org/wiki/Salt_%28Kryptologie%29#Pfeffer
- * für weitere Informationen.
- *
- * @param $pass string password
- * @return string peppered password
- */
- public static function pepperPassword( $pass )
- {
- $salt = Configuration::Conf()->subset('security')->subset('password')->get('pepper');
- return $salt.$pass;
- }
-
-
 /**
 * Ermittelt projektübergreifend die letzten Änderungen des Benutzers.
 *
@@ -1116,36 +1072,7 @@ SQL
 }
- /**
- * Calculate the code, with given secret and point in time.
- *
- * @param string $secret
- * @param int|null $timeSlice
- *
- * @return string
- */
- public function getTOTPCode()
- {
- $codeLength = 6;
- $timeSlice = floor(time() / 30);
- $secretkey = @hex2bin($this->otpSecret);
- // Pack time into binary string
- $time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice);
- // Hash it with users secret key
- $hm = hash_hmac('SHA1', $time, $secretkey, true);
- // Use last nipple of result as index/offset
- $offset = ord(substr($hm, -1)) & 0x0F;
- // grab 4 bytes of the result
- $hashpart = substr($hm, $offset, 4);
- // Unpak binary value
- $value = unpack('N', $hashpart);
- $value = $value[1];
- // Only 32 bits
- $value = $value & 0x7FFFFFFF;
- $modulo = pow(10, $codeLength);
- return str_pad($value % $modulo, $codeLength, '0', STR_PAD_LEFT);
- }
-
+
 /**
 * Erzeugt ein neues OTP-Secret.
@@ -1160,7 +1087,6 @@ SQL
 $stmt->setInt ( 'id' , $this->userid );
 $stmt->execute();
-
 }
diff --git a/modules/security/Password.class.php b/modules/security/Password.class.php
@@ -3,6 +3,8 @@ namespace security;
+use cms\base\Configuration;
+
 /**
 * Security functions for passwords.
 *
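Review bot: The added `use cms\base\Configuration;` makes the `security` module depend on `cms\base`, while `cms\auth` and `cms\model` already depend on `security\Password` (see the InternalAuth and User hunks in this commit), so the two modules now reference each other. The only consumer of the import is the relocated `pepperPassword()` in the last hunk of this file, which reads the pepper from configuration on every call; accepting the pepper as a parameter and letting the callers read the configuration would keep `security` free of CMS configuration and testable in isolation. The hunk covers only the file header.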
@@ -231,4 +233,52 @@ class Password
 time_nanosleep(0, Password::randomNumber(3)*10); // delay: 0-167772150ns (= 0-~168ms)
 }
+
+ /**
+ * Creates a new, pronounceable password.
+ *
+ * Inspired by http://www.phpbuilder.com/annotate/message.php3?id=1014451
+ *
+ * @return String a random password
+ */
+ public static function createPassword()
+ {
+ $passwordConfig = Configuration::subset('security')->subset('password');
+
+ $pw = '';
+ $c = 'bcdfghjklmnprstvwz'; // consonants except hard to speak ones
+ $v = 'aeiou'; // vowels
+ $a = $c.$v.'123456789'; // both (plus numbers except zero)
+
+ //use two syllables...
+ for ( $i=0; $i < intval($passwordConfig->get('generated_length',16))/3; $i++ )
+ {
+ $pw .= $c[rand(0, strlen($c)-1)];
+ $pw .= $v[rand(0, strlen($v)-1)];
+ $pw .= $a[rand(0, strlen($a)-1)];
+ }
+
+ return $pw;
+ }
+
+
+
+ /**
+ * Pepper the password.
+ *
+ * Siehe http://de.wikipedia.org/wiki/Salt_%28Kryptologie%29#Pfeffer
+ * für weitere Informationen.
+ *
+ * @param $pass string password
+ * @return string peppered password
+ */
+ public static function pepperPassword( $pass )
+ {
+ $salt = Configuration::Conf()->subset('security')->subset('password')->get('pepper');
+
+ return $salt.$pass;
+ }
+
+
+
 }
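Review bot: `createPassword()` draws every character with `rand()`, which is not a cryptographically secure generator, so the generated credentials are more predictable than their length suggests; the three calls in the loop should become `random_int(0, strlen($c)-1)` and likewise for `$v` and `$a` (the class already has a `randomNumber()` helper, which may be the intended source). The method was moved verbatim, so this predates the commit, but it now lives in the security module, which is the right place to fix it. `pepperPassword()` calls `get('pepper')` with no default, so an unset key silently yields an empty pepper and the method degrades to returning the bare password; a guard such as `if (empty($salt)) throw new \RuntimeException('security.password.pepper is not configured');` would make the misconfiguration visible instead. The loop bound `intval(...)/3` produces `3 * ceil(length/3)` characters (a `generated_length` of 16 yields 18), and the docblocks should read `@return string` and `@param string $pass`.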