commit c068e3b2c805cd95789d4f6cb263c0ed19d25eed
parent 8b88f16ab4bb2b211e52502d9520cb2ce6007da3
Author: Jan Dankert <devnull@localhost>
Date: Wed, 8 Nov 2017 20:33:21 +0100
Beim Anlegen neuer Benutzer ein neues OTP-Secret erzeugen.
Diffstat:
2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/action/UserAction.class.php b/action/UserAction.class.php
@@ -217,7 +217,7 @@ class UserAction extends Action
$account = $this->user->name.'@'.$_SERVER['SERVER_NAME'];
$base32 = new Base2n(5, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', FALSE, TRUE, TRUE);
- $secret = $base32->encode(hex2bin($this->user->otpSecret));
+ $secret = $base32->encode(@hex2bin($this->user->otpSecret));
$counter = $this->user->hotpCount;
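Review bot: The `@` added in front of hex2bin() on the `$secret` line hides the warning that hex2bin() emits for an odd-length or non-hex `otpSecret`, but in that case the call still returns false, and `$base32->encode(false)` will presumably produce an empty or meaningless string, so the otpauth URLs built a few lines below would enrol the authenticator with a key that is not the one the server verifies against. The same `@hex2bin` is introduced in getTOTPCode() in model/User.class.php (third hunk of that file) and has the same effect there. Prefer an explicit check, e.g. `$raw = hex2bin($this->user->otpSecret); if ($raw === false) { throw new \RuntimeException('user has no valid OTP secret'); }`, or skip rendering the URLs for a user without a usable secret rather than emitting one with no key. The enclosing method starts and ends outside the hunk.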
@@ -226,7 +226,7 @@ class UserAction extends Action
array('totpSecretUrl' => "otpauth://totp/{$issuer}:{$account}?secret={$secret}&issuer={$issuer}",
'hotpSecretUrl' => "otpauth://hotp/{$issuer}:{$account}?secret={$secret}&issuer={$issuer}&counter={$counter}"
)
- + array('totpToken'=>$this->user->getCode())
+ + array('totpToken'=>$this->user->getTOTPCode())
);
$this->setTemplateVar( 'allstyles',$this->user->getAvailableStyles() );
diff --git a/model/User.class.php b/model/User.class.php
@@ -434,8 +434,8 @@ SQL
$this->userid = intval($sql->getOne($sql))+1;
$sql = $db->sql('INSERT INTO {{user}}'.
- ' (id,name,password_hash,ldap_dn,fullname,tel,mail,descr,style,is_admin)'.
- " VALUES( {userid},{name},'','','','','','','default',0 )" );
+ ' (id,name,password_hash,ldap_dn,fullname,tel,mail,descr,style,is_admin,password_salt)'.
+ " VALUES( {userid},{name},'','','','','','','default',0,'' )" );
$sql->setInt ('userid',$this->userid);
$sql->setString('name' ,$this->name );
@@ -443,6 +443,8 @@ SQL
$sql->query( $sql );
$this->addNewUserGroups(); // Neue Gruppen hinzufuegen.
+
+ $this->renewOTPSecret();
}
@@ -955,7 +957,7 @@ SQL
{
$codeLength = 6;
$timeSlice = floor(time() / 30);
- $secretkey = hex2bin($this->otpSecret);
+ $secretkey = @hex2bin($this->otpSecret);
// Pack time into binary string
$time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice);
// Hash it with users secret key
@@ -974,7 +976,23 @@ SQL
}
-
+ /**
+ * Erzeugt ein neues OTP-Secret.
+ */
+ public function renewOTPSecret() {
+
+ $secret = Password::randomHexString(64);
+
+ $db = db_connection();
+
+ $stmt = $db->sql('UPDATE {{user}} SET otp_secret={secret} WHERE id={id}');
+
+ $stmt->setString( 'secret', $secret );
+ $stmt->setInt ( 'id' , $this->userid );
+
+ $stmt->execute();
+
+ }
}
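Review bot: renewOTPSecret() stores the new secret in the database but never assigns `$this->otpSecret = $secret;`, so the User object that called it — as the creation path now does right after the INSERT — keeps its previous in-memory value, and a getTOTPCode() call or the otpauth URL rendering on that same object would derive codes from the stale (for a freshly created user, empty) secret. Add `$this->otpSecret = $secret;` next to the `$stmt->execute();` call so the object and the row agree. The security of the second factor rests on Password::randomHexString() drawing from a CSPRNG such as random_bytes(); that helper is outside the hunk, so it is worth confirming, because a predictable OTP seed makes the factor worthless. A `: void` return type and an English docblock (`Generates a fresh random OTP secret and persists it for this user.`) would also make the method easier to read.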