TwoFactorAuthenticator.php
195 lines
| 1 | <?php |
| 2 | /** |
| 3 | * PHP Class for handling Google Authenticator 2-factor authentication |
| 4 | * |
| 5 | * @author Michael Kliewe |
| 6 | * @copyright 2012 Michael Kliewe |
| 7 | * @license http://www.opensource.org/licenses/bsd-license.php BSD License |
| 8 | * @link http://www.phpgangsta.de/ |
| 9 | * |
| 10 | * small adjustments by @sgiehl / matomo.org |
| 11 | * - renamed class |
| 12 | * - removed method getQRCodeGoogleUrl |
| 13 | * small adjustments by matomo.org |
| 14 | * - use better random secret generator |
| 15 | */ |
| 16 | |
| 17 | class TwoFactorAuthenticator |
| 18 | { |
| 19 | protected $_codeLength = 6; |
| 20 | |
| 21 | /** |
| 22 | * Create new secret. |
| 23 | * 16 characters, randomly chosen from the allowed base32 characters. |
| 24 | * |
| 25 | * @param int $secretLength |
| 26 | * @return string |
| 27 | */ |
| 28 | public function createSecret($secretLength = 16) |
| 29 | { |
| 30 | $validChars = $this->_getBase32LookupTable(); |
| 31 | unset($validChars[32]); |
| 32 | |
| 33 | // modified by matomo.org |
| 34 | return \Piwik\Common::getRandomString($secretLength, implode('', $validChars)); |
| 35 | } |
| 36 | |
| 37 | /** |
| 38 | * Calculate the code, with given secret and point in time |
| 39 | * |
| 40 | * @param string $secret |
| 41 | * @param int|null $timeSlice |
| 42 | * @return string |
| 43 | */ |
| 44 | public function getCode($secret, $timeSlice = null) |
| 45 | { |
| 46 | if ($timeSlice === null) { |
| 47 | $timeSlice = floor(time() / 30); |
| 48 | } |
| 49 | |
| 50 | $secretkey = $this->_base32Decode($secret); |
| 51 | |
| 52 | // Pack time into binary string |
| 53 | $time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice); |
| 54 | // Hash it with users secret key |
| 55 | $hm = hash_hmac('SHA1', $time, $secretkey, true); |
| 56 | // Use last nipple of result as index/offset |
| 57 | $offset = ord(substr($hm, -1)) & 0x0F; |
| 58 | // grab 4 bytes of the result |
| 59 | $hashpart = substr($hm, $offset, 4); |
| 60 | |
| 61 | // Unpak binary value |
| 62 | $value = unpack('N', $hashpart); |
| 63 | $value = $value[1]; |
| 64 | // Only 32 bits |
| 65 | $value = $value & 0x7FFFFFFF; |
| 66 | |
| 67 | $modulo = pow(10, $this->_codeLength); |
| 68 | return str_pad($value % $modulo, $this->_codeLength, '0', STR_PAD_LEFT); |
| 69 | } |
| 70 | |
| 71 | /** |
| 72 | * Check if the code is correct. This will accept codes starting from $discrepancy*30sec ago to $discrepancy*30sec from now |
| 73 | * |
| 74 | * @param string $secret |
| 75 | * @param string $code |
| 76 | * @param int $discrepancy This is the allowed time drift in 30 second units (8 means 4 minutes before or after) |
| 77 | * @param int|null $currentTimeSlice time slice if we want use other that time() |
| 78 | * @return bool |
| 79 | */ |
| 80 | public function verifyCode($secret, $code, $discrepancy = 1, $currentTimeSlice = null) |
| 81 | { |
| 82 | if ($currentTimeSlice === null) { |
| 83 | $currentTimeSlice = floor(time() / 30); |
| 84 | } |
| 85 | |
| 86 | for ($i = -$discrepancy; $i <= $discrepancy; $i++) { |
| 87 | $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i); |
| 88 | if ($calculatedCode == $code ) { |
| 89 | return true; |
| 90 | } |
| 91 | } |
| 92 | |
| 93 | return false; |
| 94 | } |
| 95 | |
| 96 | /** |
| 97 | * Set the code length, should be >=6 |
| 98 | * |
| 99 | * @param int $length |
| 100 | * @return self |
| 101 | */ |
| 102 | public function setCodeLength($length) |
| 103 | { |
| 104 | $this->_codeLength = $length; |
| 105 | return $this; |
| 106 | } |
| 107 | |
| 108 | /** |
| 109 | * Helper class to decode base32 |
| 110 | * |
| 111 | * @param $secret |
| 112 | * @return bool|string |
| 113 | */ |
| 114 | protected function _base32Decode($secret) |
| 115 | { |
| 116 | if (empty($secret)) return ''; |
| 117 | |
| 118 | $base32chars = $this->_getBase32LookupTable(); |
| 119 | $base32charsFlipped = array_flip($base32chars); |
| 120 | |
| 121 | $paddingCharCount = substr_count($secret, $base32chars[32]); |
| 122 | $allowedValues = array(6, 4, 3, 1, 0); |
| 123 | if (!in_array($paddingCharCount, $allowedValues)) return false; |
| 124 | for ($i = 0; $i < 4; $i++){ |
| 125 | if ($paddingCharCount == $allowedValues[$i] && |
| 126 | substr($secret, -($allowedValues[$i])) != str_repeat($base32chars[32], $allowedValues[$i])) return false; |
| 127 | } |
| 128 | $secret = str_replace('=','', $secret); |
| 129 | $secret = str_split($secret); |
| 130 | $binaryString = ""; |
| 131 | for ($i = 0; $i < count($secret); $i = $i+8) { |
| 132 | $x = ""; |
| 133 | if (!in_array($secret[$i], $base32chars)) return false; |
| 134 | for ($j = 0; $j < 8; $j++) { |
| 135 | $x .= str_pad(base_convert(@$base32charsFlipped[@$secret[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT); |
| 136 | } |
| 137 | $eightBits = str_split($x, 8); |
| 138 | for ($z = 0; $z < count($eightBits); $z++) { |
| 139 | $binaryString .= ( ($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48 ) ? $y:""; |
| 140 | } |
| 141 | } |
| 142 | return $binaryString; |
| 143 | } |
| 144 | |
| 145 | /** |
| 146 | * Helper class to encode base32 |
| 147 | * |
| 148 | * @param string $secret |
| 149 | * @param bool $padding |
| 150 | * @return string |
| 151 | */ |
| 152 | protected function _base32Encode($secret, $padding = true) |
| 153 | { |
| 154 | if (empty($secret)) return ''; |
| 155 | |
| 156 | $base32chars = $this->_getBase32LookupTable(); |
| 157 | |
| 158 | $secret = str_split($secret); |
| 159 | $binaryString = ""; |
| 160 | for ($i = 0; $i < count($secret); $i++) { |
| 161 | $binaryString .= str_pad(base_convert(ord($secret[$i]), 10, 2), 8, '0', STR_PAD_LEFT); |
| 162 | } |
| 163 | $fiveBitBinaryArray = str_split($binaryString, 5); |
| 164 | $base32 = ""; |
| 165 | $i = 0; |
| 166 | while ($i < count($fiveBitBinaryArray)) { |
| 167 | $base32 .= $base32chars[base_convert(str_pad($fiveBitBinaryArray[$i], 5, '0'), 2, 10)]; |
| 168 | $i++; |
| 169 | } |
| 170 | if ($padding && ($x = strlen($binaryString) % 40) != 0) { |
| 171 | if ($x == 8) $base32 .= str_repeat($base32chars[32], 6); |
| 172 | elseif ($x == 16) $base32 .= str_repeat($base32chars[32], 4); |
| 173 | elseif ($x == 24) $base32 .= str_repeat($base32chars[32], 3); |
| 174 | elseif ($x == 32) $base32 .= $base32chars[32]; |
| 175 | } |
| 176 | return $base32; |
| 177 | } |
| 178 | |
| 179 | /** |
| 180 | * Get array with all 32 characters for decoding from/encoding to base32 |
| 181 | * |
| 182 | * @return array |
| 183 | */ |
| 184 | protected function _getBase32LookupTable() |
| 185 | { |
| 186 | return array( |
| 187 | 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', // 7 |
| 188 | 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15 |
| 189 | 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23 |
| 190 | 'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31 |
| 191 | '=' // padding char |
| 192 | ); |
| 193 | } |
| 194 | } |
| 195 |