Linux heracles.o2switch.net 4.18.0-553.62.1.lve.el8.x86_64 #1 SMP Mon Jul 21 17:50:35 UTC 2025 x86_64

/home/ophq1335/www/wp-content/plugins/two-factor-authentication/simba-tfa/providers/totp/

/home/ophq1335/www/wp-content/plugins/two-factor-authentication/simba-tfa/providers/totp/loader.php

<?php if (!defined('ABSPATH')) die('No direct access.'); if (!class_exists('HOTP')) require_once(__DIR__.'/hotp-php-master/hotp.php'); if (!class_exists('Base32')) require_once(__DIR__.'/Base32/Base32.php'); class Simba_TFA_Provider_totp { /** * Simba 2FA object * * @var object instance of Simba_Two_Factor_Authentication(_version) */ private $tfa; /** * OTP helper object * * @var object instance of HOTP */ private $otp_helper; /** * Forward counter window to check number of times * * @var int */ private $check_forward_counter_window; /** * Salt prefix * * @var string */ private $salt_prefix; /** * Password prefix * * @var string */ private $pw_prefix; /** * Time window size * * @var int */ private $time_window_size; /** * Check back time window * * @var int */ private $check_back_time_windows; /** * Check forward time windows * * @var int */ private $check_forward_time_windows; /** * OTP length * * @var int */ private $otp_length = 6; /** * Emergency codes length * * @var int */ private $emergency_codes_length = 8; /** * Default HMAC type * * @var string */ public $default_hmac = 'totp'; /** * Settings saved flag * * @var boolean */ private $settings_saved = false; /** * Class constructor * * @param Object - main Simba_Two_Factor_Authentication(_version) plugin class */ public function __construct($tfa) { $this->tfa = $tfa; $this->otp_helper = new HOTP(); add_action('plugins_loaded', array($this, 'plugins_loaded')); add_action('admin_init', array($this, 'admin_init')); if (!is_admin()) { add_action('init', array($this, 'check_possible_reset')); } // Potentially show off-sync message for hotp add_action('admin_notices', array($this, 'tfa_show_hotp_off_sync_message')); } /** * Return whether or not this class detected and saved new settings * * @return Boolean */ public function were_settings_saved() { return $this->settings_saved; } /** * Runs upon the WP action admin_init */ public function admin_init() { $this->check_possible_reset(); global $current_user; if (!empty($_REQUEST['_tfa_activate_nonce']) && !empty($_POST['tfa_enable_tfa']) && wp_verify_nonce($_REQUEST['_tfa_activate_nonce'], 'tfa_activate') && !empty($_GET['settings-updated'])) { $this->tfa->change_tfa_enabled_status($current_user->ID, $_POST['tfa_enable_tfa']); $this->settings_saved = true; } if (!empty($_REQUEST['_tfa_algorithm_nonce']) && !empty($_POST['tfa_algorithm_type']) && !empty($_GET['settings-updated']) && wp_verify_nonce($_REQUEST['_tfa_algorithm_nonce'], 'tfa_algorithm')) { $old_algorithm = $this->get_user_otp_algorithm($current_user->ID); if ($old_algorithm != $_POST['tfa_algorithm_type']) { $this->changeUserAlgorithmTo($current_user->ID, $_POST['tfa_algorithm_type']); } $this->settings_saved = true; } if (!empty($_GET['warning_button_clicked']) && !empty($_REQUEST['resyncnonce']) && wp_verify_nonce($_REQUEST['resyncnonce'], 'tfaresync')) { delete_user_meta($current_user->ID, 'tfa_hotp_off_sync'); } } /** * Enqueue adding of JavaScript for footer */ public function add_footer() { static $added_footer = false; if ($added_footer) return; $added_footer = true; $qr_script_file = (defined('SCRIPT_DEBUG') && SCRIPT_DEBUG) ? 'jquery-qrcode.js' : 'jquery-qrcode.min.js'; $qr_script_ver = (defined('WP_DEBUG') && WP_DEBUG) ? time() : filemtime($this->tfa->includes_dir()."/jquery-qrcode/$qr_script_file"); wp_register_script('jquery-qrcode', $this->tfa->includes_url()."/jquery-qrcode/$qr_script_file", array('jquery'), $qr_script_ver); $script_ver = (defined('WP_DEBUG') && WP_DEBUG) ? time() : filemtime($this->tfa->includes_dir()."/totp.js"); // Adds the necessary JavaScript for rendering and updating QR codes, and handling trusted devices removal in the admin area wp_enqueue_script('simba-tfa-totp', $this->tfa->includes_url()."/totp.js", array('jquery-qrcode'), $script_ver); wp_localize_script('simba-tfa-totp', 'simbatfa_totp', $this->translation_strings()); } /** * Get textual strings used from JavaScript * * @return Array */ private function translation_strings() { // It's possible that FORCE_ADMIN_SSL will make that SSL, whilst the user is on the front-end having logged in over non-SSL - and as a result, their login cookies won't get sent, and they're not registered as logged in. $ajax_url = admin_url('admin-ajax.php'); $also_try = ''; if (!is_admin() && substr(strtolower($ajax_url), 0, 6) == 'https:' && !is_ssl()) { $also_try = 'http:'.substr($ajax_url, 6); } return apply_filters('simba_tfa_totp_translation_strings', array( 'ajax_url' => $ajax_url, 'updating' => __('Updating...', 'two-factor-authentication'), 'tfa_shared_nonce' => wp_create_nonce('tfa_shared_nonce'), 'also_try' => $also_try, 'response' => __('Response:', 'two-factor-authentication'), )); } /** * Return a link to refresh the current OTP code * * @return String */ public function refresh_current_otp_link() { return '<a href="#" class="simbaotp_refresh">'.__('(update)', 'two-factor-authentication').'</a>'; } /** * Echo the radio buttons for changing between TOTP/HOTP * * TODO: Hide this choice on new installs (TOTP only) * * @param Integer $user_id */ protected function print_algorithm_choice_radios($user_id) { if (!$user_id) return; $types = array( 'totp' => __('TOTP (time based - most common algorithm; used by Google Authenticator)', 'two-factor-authentication'), 'hotp' => __('HOTP (event based)', 'two-factor-authentication') ); $setting = $this->get_user_otp_algorithm($user_id); foreach ($types as $id => $name) { print '<input type="radio" id="tfa_algorithm_type_'.esc_attr($id).'" name="tfa_algorithm_type" value="'.$id.'" '.($setting == $id ? 'checked="checked"' :'').'> <label for="tfa_algorithm_type_'.esc_attr($id).'">'.$name."</label><br>\n"; } } /** * Print out the advanced settings box - choice of algorithm * * @param Boolean|Callable $submit_button_callback - if not a callback, then <form> tags will be added */ public function advanced_settings_box($submit_button_callback = false) { global $current_user; $algorithm_type = $this->get_user_otp_algorithm($current_user->ID); ?> <h2 id="tfa_advanced_heading" style="clear:both;"><?php _e('Advanced settings', 'two-factor-authentication'); ?></h2> <div id="tfa_advanced_box" class="tfa_settings_form" style="margin-top: 20px;"> <?php if (false === $submit_button_callback) { ?> <form method="post" action="<?php print esc_url(add_query_arg('settings-updated', 'true', $_SERVER['REQUEST_URI'])); ?>"> <?php wp_nonce_field('tfa_algorithm', '_tfa_algorithm_nonce', false, true); ?> <?php } ?> <?php _e('Choose which algorithm for One Time Passwords you want to use.', 'two-factor-authentication'); ?> <p> <?php $this->print_algorithm_choice_radios($current_user->ID); if ('hotp' == $algorithm_type) { $counter = $this->getUserCounter($current_user->ID); print '<br>'.__('Your counter on the server is currently on', 'two-factor-authentication').': '.$counter; } ?> </p> <?php if (false === $submit_button_callback) { submit_button(); echo '</form>'; } else { call_user_func($submit_button_callback); } ?> </div> <?php } /** * Return an HTML snippet for the current OTP code * * @param Integer|Boolean $user_id * * @return String */ public function current_otp_code($user_id = false) { global $current_user; if (false == $user_id) $user_id = $current_user->ID; $tfa_priv_key_64 = get_user_meta($user_id, 'tfa_priv_key_64', true); if (!$tfa_priv_key_64) $tfa_priv_key_64 = $this->addPrivateKey($user_id); $time_now = time(); $refresh_after = 30 - ($time_now % 30); return '<span class="simba_current_otp" data-refresh_after="'.$refresh_after.'">'.$this->generateOTP($user_id, $tfa_priv_key_64).'</span>'; } /** * Runs upon the WP 'init' action - check for possible private key reset request from the user */ public function check_possible_reset() { if (!empty($_GET['simbatfa_priv_key_reset']) && !empty($_REQUEST['nonce']) && wp_verify_nonce($_REQUEST['nonce'], 'simbatfa_reset_private_key')) { $this->reset_private_key_and_emergency_codes(); exit; } } /** * Remove private key and emergency codes for the specified (or logged-in) user * * @param Boolean|Integer $user_id - WP user ID, or false for the currently logged-in user * @param Boolean $redirect - if this is not false, then a redirection will occur - where to depends upon the value of $_REQUEST['noredirect'] */ public function reset_private_key_and_emergency_codes($user_id = false, $redirect = true) { if (!$user_id) { global $current_user; $user_id = $current_user->ID; } delete_user_meta($user_id, 'tfa_priv_key_64'); delete_user_meta($user_id, 'simba_tfa_emergency_codes_64'); if (!$redirect) return; if (empty($_REQUEST['noredirect'])) { // TODO: Re-factoring wp_safe_redirect(admin_url('admin.php').'?page='. $this->tfa->get_user_settings_page_slug() .'&settings-updated=1'); } else { $url = (is_ssl() ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . remove_query_arg(array('simbatfa_priv_key_reset', 'noredirect', 'nonce')); wp_redirect(esc_url_raw($url)); } } /** * Return HTML for a link to reset the current user's private key * * @return String */ public function reset_link() { // TODO: Refactoring $url_base = is_admin() ? admin_url('admin.php').'?page='. $this->tfa->get_user_settings_page_slug() .'&settings-updated=1' : (( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST']); $add_query_args = array('simbatfa_priv_key_reset' => 1); if (!is_admin()) $add_query_args['noredirect'] = 1; $url = $url_base.add_query_arg($add_query_args); $url = wp_nonce_url($url, 'simbatfa_reset_private_key', 'nonce'); return '<a href="javascript:if(confirm(\''.__('Warning: if you reset this key you will have to update your apps with the new one. Are you sure you want this?', 'two-factor-authentication').'\')) { window.location = \''.esc_js($url).'\'; }">'.__('Reset private key', 'two-factor-authentication').'</a>'; } /** * Output the current codes box * * @param Boolean|Integer $user_id */ public function current_codes_box($user_id = false) { global $current_user; if (false == $user_id) $user_id = $current_user->ID; $admin = is_admin(); $this->add_footer(); $url = preg_replace('/^https?:\/\//i', '', site_url()); // TODO Replace this with an appropriate method $tfa_priv_key_64 = get_user_meta($user_id, 'tfa_priv_key_64', true); if (!$tfa_priv_key_64) $tfa_priv_key_64 = $this->addPrivateKey($user_id); $tfa_priv_key = trim($this->getPrivateKeyPlain($tfa_priv_key_64, $user_id), "\x00..\x1F"); $tfa_priv_key_32 = Base32::encode($tfa_priv_key); $algorithm_type = $this->get_user_otp_algorithm($user_id); if ($admin && $current_user->ID != $user_id) { $user = get_user_by('id', $user_id); $user_descrip = htmlspecialchars($user->user_nicename.' - '.$user->user_email); echo '<h2>'.sprintf(__('Current codes (login: %s)', 'two-factor-authentication'), $user_descrip).'</h2>'; } ?> <div class="postbox" style="clear:both;"> <?php if ($admin) { ?> <h3 style="padding: 10px 6px 0px; margin:4px 0 0; cursor: default;"> <span style="cursor: default;"><?php echo __('Current one-time password', 'two-factor-authentication').' '; if ($current_user->ID == $user_id) { echo $this->refresh_current_otp_link(); } ?> </span> <div class="inside"> <p><strong style="font-size: 3em;"><?php echo $this->current_otp_code($user_id); ?></strong></p> </div> </h3> <?php } else { ?> <div class="inside"> <p class="simbatfa-frontend-current-otp" style="font-size: 1.5em; margin-top:6px;"> <strong><?php echo __('Current one-time password', 'two-factor-authentication').' '.$this->refresh_current_otp_link(); ?></strong> : <?php // TODO: Compare this with what's in current_otp_code() - why are we not using that? $time_now = time(); $refresh_after = 30 - ($time_now % 30); ?><span class="simba_current_otp" data-refresh_after="<?php echo $refresh_after; ?>"><?php print $this->generateOTP($user_id, $tfa_priv_key_64); ?></span> </p> </div> <?php } ?> <?php if ($admin) { ?> <h3 style="padding-left: 10px; cursor: default;"> <span style="cursor: default;"><?php _e('Setting up - either scan the code, or type in the private key', 'two-factor-authentication'); ?></span> </h3> <?php } else { ?> <h2><?php _e('Setting up', 'two-factor-authentication'); ?></h2> <?php } ?> <div class="inside"> <p> <?php _e('For OTP apps that support using a camera to scan a setup code (below), that is the quickest way to set the app up (e.g. with Duo Mobile, Google Authenticator).', 'two-factor-authentication'); echo ' '; _e('Otherwise, you can type the textual private key (shown below) into your app. Always keep private keys secret.', 'two-factor-authentication'); ?> <?php printf(__('You are currently using %s, %s', 'two-factor-authentication'), strtoupper($algorithm_type), ($algorithm_type == 'totp') ? __('a time based algorithm', 'two-factor-authentication') : __('an event based algorithm', 'two-factor-authentication')); ?>. </p> <?php $qr_url = $this->tfa_qr_code_url($algorithm_type, $url, $tfa_priv_key, $user_id); ?> <div style="float: left; padding-right: 20px;" class="simbaotp_qr_container" data-qrcode="<?php echo esc_attr($qr_url); ?>"></div> <p> <?php $this->print_private_keys('full', $user_id); if ($current_user->ID == $user_id) { echo $this->reset_link($admin); } else { echo '<a id="tfa-reset-privkey-for-user" data-user_id="'.$user_id.'" href="#">'.__('Reset private key', 'two-factor-authentication').'</a>'; } ?> </p> <?php if ($admin || false !== apply_filters('simba_tfa_emergency_codes_user_settings', false, $user_id)) { ?> <div style="min-height: 100px;"> <h3 class="normal" style="cursor: default"><?php _e('Emergency codes', 'two-factor-authentication'); ?></h3> <?php $default_text = '<a href="'.esc_url($this->tfa->get_premium_version_url()).'">'.__('One-time emergency codes are a feature of the Premium version of this plugin.', 'two-factor-authentication').'</a>'; echo apply_filters('simba_tfa_emergency_codes_user_settings', $default_text, $user_id); ?> </div> <?php } ?> </div> </div> <?php } /** * Print out HTML showing the specified user's private key * * @param String $type * @param Boolean|Integer $user_id */ public function print_private_keys($type = 'full', $user_id = false) { global $current_user; if ($user_id == false) $user_id = $current_user->ID; $tfa_priv_key_64 = get_user_meta($user_id, 'tfa_priv_key_64', true); if (!$tfa_priv_key_64) $tfa_priv_key_64 = $this->addPrivateKey($user_id); $tfa_priv_key = trim($this->getPrivateKeyPlain($tfa_priv_key_64, $user_id), "\x00..\x1F"); $tfa_priv_key_32 = Base32::encode($tfa_priv_key); // The first (base32) private key used to have the description "base 32 - used by Google Authenticator and Authy", and the base64 version was just described as "private key". But basically the former is what everything uses. //<strong>Private key:</strong> htmlspecialchars($tfa_priv_key) if ('full' == $type) { ?> <strong><?php echo __('Private key:', 'two-factor-authentication').' </strong>'.htmlspecialchars($tfa_priv_key_32); ?><br> <?php } elseif ('plain' == $type) { echo htmlspecialchars($tfa_priv_key); } elseif ('base32' == $type) { echo htmlspecialchars($tfa_priv_key_32); } elseif ('base64' == $type) { echo htmlspecialchars($tfa_priv_key_64); } } /** * Return the URL for a QR code image * * @param String $algorithm_type - 'totp' or 'hotp' * @param String $url * @param String $tfa_priv_key * @param Boolean|Integer $user_id * * @return String */ public function tfa_qr_code_url($algorithm_type, $url, $tfa_priv_key, $user_id = false) { global $current_user; $user = (false == $user_id) ? $current_user : get_user_by('id', $user_id); $encode = 'otpauth://'.$algorithm_type.'/'.$url.':'.rawurlencode($user->user_login).'?secret='.Base32::encode($tfa_priv_key).'&issuer='.$url.'&counter='.$this->getUserCounter($user->ID); return $encode; } /** * See if HOTP is off sync, and if show, print out a message */ public function tfa_show_hotp_off_sync_message() { global $current_user; $is_off_sync = get_user_meta($current_user->ID, 'tfa_hotp_off_sync', true); if (!$is_off_sync) return; ?> <div class="error"> <h3><?php _e('Two Factor Authentication re-sync needed', 'two-factor-authentication');?></h3> <p> <?php _e('You need to resync your device for Two Factor Authentication since the OTP you last used is many steps ahead of the server.', 'two-factor-authentication'); ?> <br> <?php _e('Please re-sync or you might not be able to log in if you generate more OTPs without logging in.', 'two-factor-authentication');?> <br><br> <a href="<?php echo esc_url(wp_nonce_url('admin.php?page='. $this->tfa->get_user_settings_page_slug() .'&warning_button_clicked=1', 'tfaresync', 'resyncnonce')); ?>" class="button"><?php _e('Click here and re-scan the QR-Code', 'two-factor-authentication');?></a> </p> </div> <?php } /** * Runs upon the WP action plugins_loaded */ public function plugins_loaded() { $this->time_window_size = apply_filters('simbatfa_time_window_size', 30); $this->check_back_time_windows = apply_filters('simbatfa_check_back_time_windows', 2); $this->check_forward_time_windows = apply_filters('simbatfa_check_forward_time_windows', 1); $this->check_forward_counter_window = apply_filters('simbatfa_check_forward_counter_window', 20); $this->salt_prefix = defined('AUTH_SALT') ? AUTH_SALT : wp_salt('auth'); $this->pw_prefix = defined('AUTH_KEY') ? AUTH_KEY : get_site_option('auth_key'); } /** * Generate the current code for a specified user * * @param $user_id Integer - WordPress user ID * * @return String|Boolean - false if not set up */ public function get_current_code($user_id) { $tfa_priv_key_64 = get_user_meta($user_id, 'tfa_priv_key_64', true); if (!$tfa_priv_key_64) return false; return $this->generateOTP($user_id, $tfa_priv_key_64); } public function print_default_hmac_radios() { $setting = $this->tfa->get_option('tfa_default_hmac'); if (!$setting) $setting = $this->default_hmac; $types = array('totp' => __('TOTP (time based - most common algorithm; used by Google Authenticator)', 'two-factor-authentication'), 'hotp' => __('HOTP (event based)', 'two-factor-authentication')); foreach ($types as $id => $name) { print '<input type="radio" id="tfa_default_hmac_'.esc_attr($id).'" name="tfa_default_hmac" value="'.$id.'" '.($setting == $id ? 'checked="checked"' :'').'> '.'<label for="tfa_default_hmac_'.esc_attr($id).'">'."$name</label><br>\n"; } } public function generateOTP($user_ID, $key_b64, $length = 6, $counter = false) { $length = $length ? (int)$length : 6; $key = $this->decryptString($key_b64, $user_ID); $alg = $this->get_user_otp_algorithm($user_ID); if ('hotp' == $alg) { $db_counter = $this->getUserCounter($user_ID); $counter = $counter ? $counter : $db_counter; $otp_res = $this->otp_helper->generateByCounter($key, $counter); } else { //time() is supposed to be UTC $time = $counter ? $counter : time(); $otp_res = $this->otp_helper->generateByTime($key, $this->time_window_size, $time); } $code = $otp_res->toHotp($length); return $code; } /** * Generate a list of OTP codes based on the user, key and time window * * @param Integer $user_ID - user ID * @param String $key_b64 - the user's private key, in base64 format * * @return Array */ private function generate_otps_for_login_check($user_ID, $key_b64) { $key = trim($this->decryptString($key_b64, $user_ID)); $alg = $this->get_user_otp_algorithm($user_ID); if ('totp' == $alg) { $otp_res = $this->otp_helper->generateByTimeWindow($key, $this->time_window_size, -1*$this->check_back_time_windows, $this->check_forward_time_windows); } elseif ('hotp' == $alg) { $counter = $this->getUserCounter($user_ID); $otp_res = array(); for ($i = 0; $i < $this->check_forward_counter_window; $i++) { $otp_res[] = $this->otp_helper->generateByCounter($key, $counter+$i); } } return $otp_res; } /** * Generate a private key for the user. * * @param Integer $user_id - WordPress user ID * @param Boolean|String $key * * @return String */ public function addPrivateKey($user_id, $key = false) { // To work with Google Authenticator it has to be 10 bytes = 16 chars in base32 $code = $key ? $key : strtoupper($this->randString(10)); // Encrypt the key $code = $this->encryptString($code, $user_id); // Add private key to usermeta update_user_meta($user_id, 'tfa_priv_key_64', $code); $alg = $this->get_user_otp_algorithm($user_id); // This hook is used for generation of emergency codes to accompany the key do_action('simba_tfa_adding_private_key', $alg, $user_id, $code, $this); $this->changeUserAlgorithmTo($user_id, $alg); return $code; } /** * Port over keys that were encrypted with mcrypt and its non-compliant padding scheme, so that if the site is ever migrated to a server without mcrypt, they can still be decrypted */ public function potentially_port_private_keys() { $simba_tfa_priv_key_format = get_site_option('simba_tfa_priv_key_format', false); if ($simba_tfa_priv_key_format >= 1 || !function_exists('openssl_encrypt')) return; $attempts = 0; $successes = 0; error_log("TFA: Beginning attempt to port private key encryption over to openssl"); global $wpdb; $sql = "SELECT user_id, meta_value FROM ".$wpdb->usermeta." WHERE meta_key = 'tfa_priv_key_64'"; $user_results = $wpdb->get_results($sql); foreach ($user_results as $u) { $dec_openssl = $this->decryptString($u->meta_value, $u->user_id, true); $ported = false; if ('' == $dec_openssl) { $attempts++; $dec_default = $this->decryptString($u->meta_value, $u->user_id); if ('' != $dec_default) { $enc = $this->encryptString($dec_default, $u->user_id); if ($enc) { $ported = true; $successes++; update_user_meta($u->user_id, 'tfa_priv_key_64', $enc); } } } if ($ported) { error_log("TFA: Successfully ported the key for user with ID ".$u->user_id." over to openssl"); } else { error_log("TFA: Failed to port the key for user with ID ".$u->user_id." over to openssl"); } } if ($attempts == 0 || $successes > 0) update_site_option('simba_tfa_priv_key_format', 1); } /** * This function will attempt to encrypt all the users private keys and emergency codes * * @return boolean|WP_Error - true on success or WP_Error on failure */ public function potentially_encrypt_private_keys() { error_log("TFA: Beginning attempt to encrypt private keys"); global $wpdb; $sql = "SELECT user_id, meta_value FROM ".$wpdb->usermeta." WHERE meta_key = 'tfa_priv_key_64' AND meta_value != ''"; $user_results = $wpdb->get_results($sql); if (null === $user_results) { return new WP_Error( 'failed_to_get_priv_keys', __('Encrypt secrets feature not enabled: unable to get private keys from the database.', 'two-factor-authentication') ); } $number_ported = 0; $number_failed = 0; foreach ($user_results as $u) { $ported = false; $key = $this->decryptString($u->meta_value, $u->user_id); $enc = $this->encryptString($key, $u->user_id, true); if ($enc) { $ported = true; update_user_meta($u->user_id, 'tfa_priv_key_64', $enc); } $codes = get_user_meta($u->user_id, 'simba_tfa_emergency_codes_64', true); if (!is_array($codes)) $codes = array(); $enc_codes = array(); foreach ($codes as $code) { $plain_code = $this->decryptString($code, $u->user_id); $enc_codes[] = $this->encryptString($plain_code, $u->user_id, true); } if (!empty($enc_codes)) update_user_meta($u->user_id, 'simba_tfa_emergency_codes_64', $enc_codes); if ($ported) { $number_ported++; } else { $number_failed++; error_log("TFA: Failed to encrypt the key for user with ID ".$u->user_id); } } error_log("TFA: Number of user keys successfully encrypted: ".$number_ported.", number which failed to encrypt: ".$number_failed); return true; } public function getPrivateKeyPlain($enc, $user_ID) { $dec = $this->decryptString($enc, $user_ID); $this->potentially_port_private_keys(); return $dec; } /** * @param Integer $user_id - WP user ID * @param Boolean $generate_if_empty - generate some new codes if the list is empty * * @return String - human-usable codes, separated by ', ' (or a human-readable message, if there were none) */ public function get_emergency_codes_as_string($user_id, $generate_if_empty = false) { $codes = get_user_meta($user_id, 'simba_tfa_emergency_codes_64', true); if (!is_array($codes)) $codes = array(); if ($generate_if_empty && empty($codes)) { $tfa_priv_key = get_user_meta($user_id, 'tfa_priv_key_64', true); $algorithm = get_user_meta($user_id, 'tfa_algorithm_type', true); do_action('simba_tfa_emergency_codes_empty', $algorithm, $user_id, $tfa_priv_key, $this); $codes = get_user_meta($user_id, 'simba_tfa_emergency_codes_64', true); if (!is_array($codes)) $codes = array(); } $emergency_str = ''; foreach ($codes as $p_code) { $emergency_str .= $this->decryptString($p_code, $user_id).', '; } $emergency_str = rtrim($emergency_str, ', '); $emergency_str = $emergency_str ? $emergency_str : '<em>'.__('There are no emergency codes left. You will need to reset your private key to generate new ones.', 'two-factor-authentication').'</em>'; return $emergency_str; } /** * Check a code for a user (checks the code only - does not check activation status etc.) * * @param Integer $user_id - WP user ID * @param String $user_code - the code to check * @param Boolean $allow_emergency_code - whether to check against emergency codes * * @return Boolean */ public function check_code_for_user($user_id, $user_code, $allow_emergency_code = true) { $tfa_priv_key = get_user_meta($user_id, 'tfa_priv_key_64', true); // $tfa_last_login = get_user_meta($user_id, 'tfa_last_login', true); // Unused $tfa_last_pws_arr = get_user_meta($user_id, 'tfa_last_pws', true); $tfa_last_pws = @$tfa_last_pws_arr ? $tfa_last_pws_arr : array(); $alg = $this->get_user_otp_algorithm($user_id); $current_time_window = intval(time()/30); //Give the user 1,5 minutes time span to enter/retrieve the code //Or check $this->check_forward_counter_window number of events if hotp $codes = $this->generate_otps_for_login_check($user_id, $tfa_priv_key); //A recently used code was entered; that's not OK. if (in_array($this->hash($user_code, $user_id), $tfa_last_pws)) return false; $match = false; foreach ($codes as $index => $code) { if (hash_equals(trim($code->toHotp(6)), trim($user_code))) { $match = true; $found_index = $index; break; } } // Check emergency codes if (!$match) { $emergency_codes = $allow_emergency_code ? get_user_meta($user_id, 'simba_tfa_emergency_codes_64', true) : array(); if (!$emergency_codes) return $match; foreach ($emergency_codes as $key => $emergency_code) { $dec = trim($this->decryptString(trim($emergency_code), $user_id)); if (hash_equals($dec, trim($user_code))) { $match = true; // Remove emergency code unset($emergency_codes[$key]); break; } } // Update emergency codes array if ($match) { update_user_meta($user_id, 'simba_tfa_emergency_codes_64', $emergency_codes); do_action('simba_tfa_emergency_code_used', $user_id, $emergency_codes); } } else { //Add the used code as well so it cant be used again //Keep the two last codes $tfa_last_pws[] = $this->hash($user_code, $user_id); $nr_of_old_to_save = $alg == 'hotp' ? $this->check_forward_counter_window : $this->check_back_time_windows; if (count($tfa_last_pws) > $nr_of_old_to_save) array_splice($tfa_last_pws, 0, 1); update_user_meta($user_id, 'tfa_last_pws', $tfa_last_pws); } if ($match) { //Save the time window when the last successful login took place update_user_meta($user_id, 'tfa_last_login', $current_time_window); //Update the counter if HOTP was used if ($alg == 'hotp') { $counter = $this->getUserCounter($user_id); $enc_new_counter = $this->encryptString($counter+1, $user_id); update_user_meta($user_id, 'tfa_hotp_counter', $enc_new_counter); if ($found_index > 10) update_user_meta($user_id, 'tfa_hotp_off_sync', 1); } } return $match; } public function getUserCounter($user_ID) { $enc_counter = get_user_meta($user_ID, 'tfa_hotp_counter', true); return $enc_counter ? trim($this->decryptString(trim($enc_counter), $user_ID)) : ''; } public function changeUserAlgorithmTo($user_id, $new_algorithm) { update_user_meta($user_id, 'tfa_algorithm_type', $new_algorithm); delete_user_meta($user_id, 'tfa_hotp_off_sync'); $counter_start = rand(13, 999999999); $enc_counter_start = $this->encryptString($counter_start, $user_id); if ('hotp' == $new_algorithm) { update_user_meta($user_id, 'tfa_hotp_counter', $enc_counter_start); } else { delete_user_meta($user_id, 'tfa_hotp_counter'); } } /** * Whether HOTP or TOTP is being used * * @param Integer|Boolean $user_id - WordPress user ID, or false for the site-wide default * * @return String - 'hotp' or 'totp' */ public function get_user_otp_algorithm($user_id = false) { $setting = $user_id ? get_user_meta($user_id, 'tfa_algorithm_type', true) : false; $default_hmac = $this->tfa->get_option('tfa_default_hmac'); if (!$default_hmac) $default_hmac = $this->default_hmac; return $setting ? $setting : $default_hmac; } private function get_iv_size() { // mcrypt first, for backwards compatibility if (function_exists('mcrypt_get_iv_size')) { return $GLOBALS['simba_two_factor_authentication']->is_mcrypt_deprecated() ? @mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC) : mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); } elseif (function_exists('openssl_cipher_iv_length')) { return openssl_cipher_iv_length('AES-128-CBC'); } throw new Exception('One of the mcrypt or openssl PHP modules needs to be installed'); } private function encrypt($key, $string, $iv) { // Prefer OpenSSL, because it uses correct padding, and its output can be decrypted by mcrypt - whereas, the converse is not true if (function_exists('openssl_encrypt')) { return openssl_encrypt($string, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $iv); } elseif (function_exists('mcrypt_encrypt')) { return $GLOBALS['simba_two_factor_authentication']->is_mcrypt_deprecated() ? @mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $string, MCRYPT_MODE_CBC, $iv) : mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $string, MCRYPT_MODE_CBC, $iv); } throw new Exception('One of the mcrypt or openssl PHP modules needs to be installed'); } private function decrypt($key, $enc, $iv, $force_openssl = false) { // Prefer mcrypt, because it can decrypt the output of both mcrypt_encrypt() and openssl_decrypt(), whereas (because of mcrypt_encrypt() using bad padding), the converse is not true if (function_exists('mcrypt_decrypt') && !$force_openssl) { return $GLOBALS['simba_two_factor_authentication']->is_mcrypt_deprecated() ? @mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $enc, MCRYPT_MODE_CBC, $iv) : mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $enc, MCRYPT_MODE_CBC, $iv); } elseif (function_exists('openssl_decrypt')) { $decrypted = openssl_decrypt($enc, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $iv); if (false === $decrypted && !$force_openssl) { $extra = function_exists('wp_debug_backtrace_summary') ? " backtrace: ".wp_debug_backtrace_summary() : ''; error_log("TFA decryption failure: was your site migrated to a server without mcrypt? You may need to install mcrypt, or disable TFA, in order to successfully decrypt data that was previously encrypted with mcrypt.$extra"); } return $decrypted; } if ($force_openssl) return false; throw new Exception('One of the mcrypt or openssl PHP modules needs to be installed'); } public function encryptString($string, $salt_suffix, $force_encrypt = false) { $key = ($this->tfa->get_option('tfa_encrypt_secrets') && defined('SIMBA_TFA_DB_ENCRYPTION_KEY')) ? base64_decode(SIMBA_TFA_DB_ENCRYPTION_KEY) : $this->hashAndBin($this->pw_prefix.$salt_suffix, $this->salt_prefix.$salt_suffix); if ($force_encrypt && defined('SIMBA_TFA_DB_ENCRYPTION_KEY')) $key = base64_decode(SIMBA_TFA_DB_ENCRYPTION_KEY); $iv_size = $this->get_iv_size(); $iv = $GLOBALS['simba_two_factor_authentication']->random_bytes($iv_size); $enc = $this->encrypt($key, $string, $iv); if (false === $enc) return false; $enc = $iv.$enc; $enc_b64 = base64_encode($enc); return $enc_b64; } private function decryptString($enc_b64, $salt_suffix, $force_openssl = false) { $key = ($this->tfa->get_option('tfa_encrypt_secrets') && defined('SIMBA_TFA_DB_ENCRYPTION_KEY')) ? base64_decode(SIMBA_TFA_DB_ENCRYPTION_KEY) : $this->hashAndBin($this->pw_prefix.$salt_suffix, $this->salt_prefix.$salt_suffix); $iv_size = $this->get_iv_size(); $enc_conc = bin2hex(base64_decode($enc_b64)); $iv = hex2bin(substr($enc_conc, 0, $iv_size*2)); $enc = hex2bin(substr($enc_conc, $iv_size*2)); $string = $this->decrypt($key, $enc, $iv, $force_openssl); // Remove padding bytes return rtrim($string, "\x00..\x1F"); } private function hashAndBin($pw, $salt) { $key = $this->hash($pw, $salt); $key = pack('H*', $key); // Yes: it's a null encryption key. See: https://wordpress.org/support/topic/warning-mcrypt_decrypt-key-of-size-0-not-supported-by-this-algorithm-only-k?replies=5#post-6806922 // Basically: the original plugin had a bug here, which caused a null encryption key. This fails on PHP 5.6+. But, fixing it would break backwards compatibility for existing installs - and note that the only unknown once you have access to the encrypted data is the AUTH_SALT and AUTH_KEY constants... which means that actually the intended encryption was non-portable, + problematic if you lose your wp-config.php or try to migrate data to another site, or changes these values. (Normally changing these values only causes a compulsory re-log-in - but with the intended encryption in the original author's plugin, it'd actually cause a permanent lock-out until you disabled his plugin). If someone has read-access to the database, then it'd be reasonable to assume they have read-access to wp-config.php too: or at least, the number of attackers who can do one and not the other would be small. The "encryption's" not worth it. // In summary: this isn't encryption, and is not intended to be. return str_repeat(chr(0), 16); } private function hash($pw, $salt) { //$hash = hash_pbkdf2('sha256', $pw, $salt, 10); //$hash = crypt($pw, '$5$'.$salt.'$'); $hash = md5($salt.$pw); return $hash; } private function randString($len = 10) { $chars = '23456789QWERTYUPASDFGHJKLZXCVBNM'; $chars = str_split($chars); shuffle($chars); if (function_exists('random_int')) { $code = ''; for ($i = 1; $i <= $len; $i++) { $code .= $chars[random_int(0, count($chars)-1)]; } } else { $code = implode('', array_splice($chars, 0, $len)); } return $code; } }