authorAndrew Dolgov <[email protected]>2019-11-03 20:47:21 +0300
committerAndrew Dolgov <[email protected]>2019-11-03 20:47:21 +0300
commitf6090655bfda2277fdec7ec5054b132c6d255213 (patch)
tree151caee530b487a0c0f6db58cfad6e688a6eadf5 /plugins/auth_internal
parent17e145f4810385534f076143276d5f2df43d025d (diff)
2fa: check TOTP based on previous secret values (oops of the year, 2019)
Diffstat (limited to 'plugins/auth_internal')
-rw-r--r--plugins/auth_internal/init.php20
1 files changed, 12 insertions, 8 deletions
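--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@@ -31,14 +31,7 @@ class Auth_Internal extends Plugin implements IAuthModule {
 $sth->execute([$login]);
 if ($row = $sth->fetch()) {
-
- $base32 = new \OTPHP\Base32();
-
 $otp_enabled = $row['otp_enabled'];
- $secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false);
-
- $topt = new \OTPHP\TOTP($secret);
- $otp_check = $topt->now();
 if ($otp_enabled) {
@@ -48,7 +41,18 @@ class Auth_Internal extends Plugin implements IAuthModule {
 }
 if ($otp) {
- if ($otp != $otp_check) {
+ $base32 = new \OTPHP\Base32();
+
+ $secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false);
+ $secret_legacy = $base32->encode(sha1($row["salt"]));
+
+ $totp = new \OTPHP\TOTP($secret);
+ $otp_check = $totp->now();
+
+ $totp_legacy = new \OTPHP\TOTP($secret_legacy);
+ $otp_check_legacy = $totp_legacy->now();
+
+ if ($otp != $otp_check && $otp != $otp_check_legacy) {
 return false;
 }
 } else {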
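Review bot: The rewritten condition on the last `if` still compares the submitted code with loose `!=`, so the user-supplied `$otp` is matched against the two generated values under PHP's numeric-string comparison rules rather than byte-for-byte, and neither comparison is constant-time; the added legacy branch doubles the comparisons without tightening them. Replace the condition with `if (!hash_equals((string)$otp_check, (string)$otp) && !hash_equals((string)$otp_check_legacy, (string)$otp)) {`. Accepting both the current and the legacy secret with no end condition also means two valid codes exist in every time step for every 2FA user, so the legacy block would benefit from a comment marking it as a transitional shim, e.g. `// Legacy: secret derived from the full sha1(salt); remove once users have re-enrolled under the new derivation.`, ideally gated on a per-user flag so it can be retired. The enclosing method of Auth_Internal starts and ends outside the hunk.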