X-Git-Url: http://git.pjr.cc/?p=ga4php.git;a=blobdiff_plain;f=lib%2Fga4php.php;h=0645657ff6b594bc8698b0788353ed98673adc0d;hp=8bc5946d6db8ac2be21d96926ab43b107a1a1e72;hb=33f663b5e670ff27f17bff7a7cfb0f6dc2baa3d8;hpb=18f8e04423dfe377ac53a8b27bb717944ce411dc diff --git a/lib/ga4php.php b/lib/ga4php.php index 8bc5946..0645657 100644 --- a/lib/ga4php.php +++ b/lib/ga4php.php @@ -2,7 +2,21 @@ abstract class GoogleAuthenticator { - function __construct() { + function __construct($totpskew=1, $hotpskew=10, $hotphuntvalue=200000) { + // the hotpskew is how many tokens forward we look to find the input + // code the user used + $this->hotpSkew = $hotpskew; + + // the totpskew value is how many tokens either side of the current + // token we should check, based on a time skew. + $this->totpSkew = $totpskew; + + // the hotphuntvalue is what we use to resync tokens. + // when a user resyncs, we search from 0 to $hutphutvalue to find + // the two token codes the user has entered - 200000 seems like overkill + // really as i cant imagine any token out there would ever make it + // past 200000 token code requests. + $this->hotpHuntValue = $hotphuntvalue; } abstract function getData($username); @@ -16,6 +30,7 @@ abstract class GoogleAuthenticator { $data["tokentimer"] = 30; // the token timer (For totp) and not supported by ga yet $data["tokencounter"] = 1; // the token counter for hotp $data["tokenalgorithm"] = "SHA1"; // the token algorithm (not supported by ga yet) + $data["user1"] = ""; // a place for implementors to store their own data return $data; } @@ -52,9 +67,8 @@ abstract class GoogleAuthenticator { $data = $this->internalGetData($username); $data["tokentype"] = $tokentype; - $this->internalPutData($username, $data); + return $this->internalPutData($username, $data); - return true; } @@ -68,7 +82,9 @@ abstract class GoogleAuthenticator { $token["tokenkey"] = $hkey; $token["tokentype"] = $ttype; - $this->internalPutData($username, $token); + if(!$this->internalPutData($username, $token)) { + return false; + } return $key; } @@ -106,10 +122,10 @@ abstract class GoogleAuthenticator { function authenticateUser($username, $code) { if(preg_match("/[0-9][0-9][0-9][0-9][0-9][0-9]/",$code)<1) return false; - error_log("begin auth user"); + //error_log("begin auth user"); $tokendata = $this->internalGetData($username); - $asdf = print_r($tokendata, true); - error_log("dat is $asdf"); + //$asdf = print_r($tokendata, true); + //error_log("dat is $asdf"); if($tokendata["tokenkey"] == "") { $errorText = "No Assigned Token"; @@ -121,13 +137,13 @@ abstract class GoogleAuthenticator { $tlid = $tokendata["tokencounter"]; $tkey = $tokendata["tokenkey"]; - $asdf = print_r($tokendata, true); - error_log("dat is $asdf"); + //$asdf = print_r($tokendata, true); + //error_log("dat is $asdf"); switch($ttype) { case "HOTP": error_log("in hotp"); $st = $tlid; - $en = $tlid+20; + $en = $tlid+$this->hotpSkew; for($i=$st; $i<$en; $i++) { $stest = $this->oath_hotp($tkey, $i); error_log("testing code: $code, $stest, $tkey, $tid"); @@ -142,10 +158,10 @@ abstract class GoogleAuthenticator { case "TOTP": error_log("in totp"); $t_now = time(); - $t_ear = $t_now - 45; - $t_lat = $t_now + 60; - $t_st = ((int)($t_ear/30)); - $t_en = ((int)($t_lat/30)); + $t_ear = $t_now - ($this->totpSkew*$tokendata["tokentimer"]); + $t_lat = $t_now + ($this->totpSkew*$tokendata["tokentimer"]); + $t_st = ((int)($t_ear/$tokendata["tokentimer"])); + $t_en = ((int)($t_lat/$tokendata["tokentimer"])); //error_log("kmac: $t_now, $t_ear, $t_lat, $t_st, $t_en"); for($i=$t_st; $i<=$t_en; $i++) { $stest = $this->oath_hotp($tkey, $i); @@ -156,7 +172,7 @@ abstract class GoogleAuthenticator { } break; default: - echo "how the frig did i end up here?"; + return false; } return false; @@ -190,7 +206,7 @@ abstract class GoogleAuthenticator { switch($ttype) { case "HOTP": $st = 0; - $en = 200000; + $en = $this->hotpHuntValue; for($i=$st; $i<$en; $i++) { $stest = $this->oath_hotp($tkey, $i); //echo "code: $code, $stest, $tkey\n"; @@ -206,6 +222,7 @@ abstract class GoogleAuthenticator { return false; break; case "TOTP": + // ignore it? break; default: echo "how the frig did i end up here?"; @@ -225,9 +242,10 @@ abstract class GoogleAuthenticator { $data = $this->internalGetData($user); $toktype = $data["tokentype"]; $key = $this->helperhex2b32($data["tokenkey"]); + $counter = $data["tokencounter"]; $toktype = strtolower($toktype); if($toktype == "hotp") { - $url = "otpauth://$toktype/$user?secret=$key&counter=1"; + $url = "otpauth://$toktype/$user?secret=$key&counter=$counter"; } else { $url = "otpauth://$toktype/$user?secret=$key"; } @@ -265,6 +283,7 @@ abstract class GoogleAuthenticator { } + // TODO: lots of error checking goes in here function helperb322hex($b32) { $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; @@ -295,6 +314,7 @@ abstract class GoogleAuthenticator { return $out2; } + // TODO: lots of error checking goes in here function helperhex2b32($hex) { $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; @@ -318,6 +338,10 @@ abstract class GoogleAuthenticator { return $out2; } + // i've put alot of faith in the code from the + // php site's examples for the hash_hmac algorithm + // i assume its mostly correct but i should do + // some testing to verify this is actually the case function oath_hotp($key, $counter) { $key = pack("H*", $key); @@ -339,6 +363,7 @@ abstract class GoogleAuthenticator { return str_pad($this->oath_truncate($hash), 6, "0", STR_PAD_LEFT); } + function oath_truncate($hash, $length = 6) { // Convert to dec @@ -367,6 +392,12 @@ abstract class GoogleAuthenticator { private $errorText; private $errorCode; + private $hotpSkew; + private $totpSkew; + + private $hotpHuntValue; + + /* * error codes * 1: Auth Failed