modules/googleauth/include/googleauth.php 1) <?php
modules/googleauth/include/googleauth.php 2) /*
modules/googleauth/include/googleauth.php 3) This file belongs to the Webinterface of schokokeks.org Hosting
modules/googleauth/include/googleauth.php 4)
modules/webmailtotp/include/totp.php 5) Written 2008-2013 by schokokeks.org Hosting, namely
modules/googleauth/include/googleauth.php 6) Bernd Wurst <bernd@schokokeks.org>
modules/googleauth/include/googleauth.php 7) Hanno Böck <hanno@schokokeks.org>
modules/googleauth/include/googleauth.php 8)
modules/googleauth/include/googleauth.php 9) To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.
modules/googleauth/include/googleauth.php 10)
modules/googleauth/include/googleauth.php 11) You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see
modules/googleauth/include/googleauth.php 12) http://creativecommons.org/publicdomain/zero/1.0/
modules/googleauth/include/googleauth.php 13)
modules/googleauth/include/googleauth.php 14) Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.
modules/googleauth/include/googleauth.php 15) */
modules/googleauth/include/googleauth.php 16)
/**
 * Look up the TOTP record of a mail account.
 *
 * The query is assembled by string interpolation, so the address is escaped
 * here before it reaches the SQL text.
 *
 * @param string $username Mail address to look up.
 * @return mixed The `id` column of the matching mail.webmail_totp row, or
 *               false when there is no such row. Callers should compare
 *               against false with `===` (NOTE(review): an id of 0 would
 *               otherwise look like "no TOTP" - confirm ids start at 1).
 */
function account_has_totp($username)
{
    $email = mysql_real_escape_string($username);
    $rows = db_query("SELECT id FROM mail.webmail_totp WHERE email='{$email}'");

    // Guard clause: nothing stored for this address.
    if (mysql_num_rows($rows) <= 0) {
        return false;
    }

    $record = mysql_fetch_assoc($rows);
    return $record['id'];
}
modules/googleauth/include/googleauth.php 29)
modules/googleauth/include/googleauth.php 30)
modules/googleauth/include/googleauth.php 31)
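/**
 * Check a cleartext password against the stored crypt() hash of a mail account.
 *
 * The account is searched in mail.courier_mailaccounts and
 * mail.courier_virtual_accounts; exactly one match is required.
 *
 * @param string $username Account name; escaped here before use in SQL.
 * @param string $password Cleartext password to verify.
 * @return bool True only if the password hashes to the stored value.
 */
function validate_password($username, $password)
{
    $username = mysql_real_escape_string($username);
    $result = db_query("SELECT account, cryptpass FROM mail.courier_mailaccounts WHERE account='{$username}' UNION SELECT account, cryptpass FROM mail.courier_virtual_accounts WHERE account='{$username}'");
    if (mysql_num_rows($result) != 1) {
        // No account with that name, or the name is not unique.
        return false;
    }
    $account = mysql_fetch_assoc($result);

    // An account without a stored hash can never be authenticated.
    $stored = (string) $account['cryptpass'];
    if ($stored === '') {
        return false;
    }

    $computed = crypt($password, $stored);
    if (!is_string($computed)) {
        return false;
    }

    // The original used `==`, which applies PHP's loose string comparison:
    // two different hashes that both look numeric (e.g. "0e..." forms) can
    // compare equal. Compare byte-for-byte instead, in constant time where
    // the runtime offers hash_equals().
    if (function_exists('hash_equals')) {
        return hash_equals($stored, $computed);
    }
    return $computed === $stored;
}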
modules/googleauth/include/googleauth.php 43)
modules/googleauth/include/googleauth.php 44)
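/**
 * Store $oldpw for a TOTP-protected webmail login, masked with $newpw.
 *
 * $oldpw is XORed byte-wise with $newpw (repeated to the same length), the
 * result is base64-encoded and written to mail.webmail_totp.webmailpass
 * together with the session's user id.
 *
 * NOTE(review): this is a repeating-key XOR mask, not authenticated
 * encryption. Anyone holding the stored value plus one of the two passwords
 * can derive the other, and the stored value reveals the length of $oldpw.
 * Treat the column as sensitive.
 *
 * @param string $username Mail address the record belongs to.
 * @param string $oldpw    Password to be stored in masked form.
 * @param string $newpw    Password used as the XOR key.
 * @return void
 */
function store_webmail_password($username, $oldpw, $newpw)
{
    $secret = $newpw;
    if (strlen($oldpw) > strlen($newpw)) {
        // Repeat the key until it covers the whole of $oldpw.
        $secret = str_pad($newpw, strlen($oldpw), $newpw);
    }
    if (strlen($oldpw) < strlen($newpw)) {
        // NOTE(review): this shortens $newpw but not $secret, so the length
        // check below fails whenever the key is longer than $oldpw. Confirm
        // whether $secret was meant to be truncated here.
        $newpw = substr($newpw, 0, strlen($oldpw));
    }
    if (strlen($oldpw) != strlen($secret)) {
        system_failure('Interner Fehler: Passwörter sind nicht gleich lang');
    }

    // String XOR works byte-wise and stops at the shorter operand, which is
    // what the original character loop over strlen($oldpw) produced.
    $code = base64_encode(((string) $oldpw) ^ ((string) $secret));

    // The original passed both cleartext passwords to DEBUG(); credentials
    // must not end up in debug output or logs.
    DEBUG('store_webmail_password: stored encoded password');

    $uid = (int) $_SESSION['userinfo']['uid'];

    // Every sibling function escapes the address before interpolating it;
    // this one did not, leaving the REPLACE statement open to injection
    // through $username. $code is base64 and $uid is cast to int.
    $username = mysql_real_escape_string($username);

    db_query("REPLACE INTO mail.webmail_totp (useraccount, email, webmailpass) VALUES ({$uid}, '{$username}', '{$code}')");
}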
modules/googleauth/include/googleauth.php 68)
modules/googleauth/include/googleauth.php 69)
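/**
 * Reverse the XOR mask applied by store_webmail_password().
 *
 * The base64 value is decoded and XORed byte-wise with $webmailpw, which is
 * repeated when it is shorter than the decoded data. When the key is longer,
 * only its leading bytes take part.
 *
 * NOTE(review): a wrong key does not fail here - it simply yields different
 * bytes. The result is only meaningful once it has been verified elsewhere.
 *
 * @param string $crypted   Base64-encoded masked value.
 * @param string $webmailpw Password used as the XOR key.
 * @return string The unmasked bytes, or '' when either input is empty.
 */
function decode_webmail_password($crypted, $webmailpw)
{
    $blob = base64_decode($crypted);
    $key = (string) $webmailpw;

    // Fail closed: with an empty key the XOR would be a no-op (and str_pad()
    // rejects an empty pad string), so never hand the raw blob back.
    if ($blob === false || $blob === '' || $key === '') {
        return '';
    }

    if (strlen($blob) > strlen($key)) {
        $key = str_pad($key, strlen($blob), $key);
    }

    // String XOR is byte-wise and stops at the shorter operand, i.e. at
    // strlen($blob). The original also wrote the recovered password to
    // DEBUG(); that call is dropped so the cleartext never reaches a log.
    return $blob ^ $key;
}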
modules/googleauth/include/googleauth.php 87)
modules/googleauth/include/googleauth.php 88)
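/**
 * Recover the stored password of a TOTP account using the webmail password.
 *
 * Reads mail.webmail_totp.webmailpass for the address and unmasks it with
 * decode_webmail_password(). The result is not verified here.
 *
 * @param string $username    Mail address; escaped here before use in SQL.
 * @param string $webmailpass Webmail password used as the key.
 * @return string The unmasked value, or '' when no record exists.
 */
function get_imap_password($username, $webmailpass)
{
    $username = mysql_real_escape_string($username);
    $result = db_query("SELECT webmailpass FROM mail.webmail_totp WHERE email='{$username}'");
    $tmp = mysql_fetch_assoc($result);

    // The original indexed into a missing row and decoded NULL, which ends
    // up as '' as well; make the "no record" case explicit.
    if (!$tmp || !isset($tmp['webmailpass'])) {
        return '';
    }

    return decode_webmail_password($tmp['webmailpass'], $webmailpass);
}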
modules/googleauth/include/googleauth.php 99)
modules/googleauth/include/googleauth.php 100)
/**
 * Verify a webmail password.
 *
 * The webmail password is used to unmask the stored password via
 * get_imap_password(); the unmasked value is then checked against the
 * account's hash by validate_password().
 *
 * @param string $username    Mail address of the account.
 * @param string $webmailpass Webmail password entered by the user.
 * @return bool Result of validate_password() for the unmasked value.
 */
function check_webmail_password($username, $webmailpass)
{
    return validate_password($username, get_imap_password($username, $webmailpass));
}
modules/googleauth/include/googleauth.php 106)
modules/googleauth/include/googleauth.php 107)
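/**
 * Create a new TOTP secret and store it on the account's existing record.
 *
 * The statement is an UPDATE, so a mail.webmail_totp row for the address
 * must already exist for the secret to be persisted.
 *
 * @param string $username Mail address; escaped here before use in SQL.
 * @return string The newly generated secret.
 */
function generate_secret($username)
{
    $username = mysql_real_escape_string($username);
    require_once('external/googleauthenticator/GoogleAuthenticator.php');
    $ga = new PHPGangsta_GoogleAuthenticator();

    $secret = $ga->createSecret();

    // The original wrote the secret and a QR-code URL embedding it to
    // DEBUG(). The shared secret is the second factor; keep it out of debug
    // output and logs.
    DEBUG('generate_secret: new TOTP secret created');

    db_query("UPDATE mail.webmail_totp SET totp_secret='{$secret}' WHERE email='{$username}'");
    return $secret;
}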
modules/googleauth/include/googleauth.php 120)
/**
 * Tell whether TOTP login for an account is currently locked.
 *
 * An account counts as locked while its unlock_timestamp is set and still
 * lies in the future.
 *
 * @param string $username Mail address; escaped here before use in SQL.
 * @return bool True if a lock is in effect.
 */
function check_locked($username)
{
    $email = mysql_real_escape_string($username);
    $query = "SELECT 1 FROM mail.webmail_totp WHERE unlock_timestamp IS NOT NULL and unlock_timestamp > NOW() AND email='{$email}'";
    $hits = mysql_num_rows(db_query($query));
    return $hits > 0;
}
modules/googleauth/include/googleauth.php 127)
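/**
 * Verify a TOTP code for an account and maintain the failure counter.
 *
 * A code found on the replay blacklist is rejected outright. On success the
 * failure counter and lock are reset and the code is blacklisted. On failure
 * the counter is incremented; when the counter read before the increment is
 * a positive multiple of 5, a five-minute lock is set as well.
 *
 * @param string $username Mail address of the account.
 * @param string $code     Code entered by the user.
 * @return bool True if the code was accepted.
 */
function check_totp($username, $code)
{
    if (check_blacklist($username, $code)) {
        DEBUG('Replay-Attack');
        return false;
    }

    // Keep the raw address for blacklist_token(), which escapes its own
    // arguments. The original passed the already-escaped value, so an address
    // containing characters that need escaping was blacklisted under a
    // different string than check_blacklist() later looks up.
    $email = mysql_real_escape_string($username);

    $result = db_query("SELECT totp_secret, failures FROM mail.webmail_totp WHERE email='{$email}' AND (unlock_timestamp IS NULL OR unlock_timestamp <= NOW())");
    $row = mysql_fetch_assoc($result);

    // No row means the account is unknown or currently locked.
    $secret = $row ? (string) $row['totp_secret'] : '';
    $failures = $row ? (int) $row['failures'] : 0;

    // Fail closed: never hand an empty secret to the verifier. The failure
    // bookkeeping below still runs, as it did before.
    $checkResult = false;
    if ($secret !== '') {
        require_once('external/googleauthenticator/GoogleAuthenticator.php');
        $ga = new PHPGangsta_GoogleAuthenticator();
        $checkResult = $ga->verifyCode($secret, $code, 2); // 2 = 2*30sec clock tolerance
    }

    if ($checkResult) {
        db_query("UPDATE mail.webmail_totp SET failures = 0, unlock_timestamp=NULL WHERE email='{$email}'");
        blacklist_token($username, $code);
        DEBUG('OK');
    } else {
        if ($failures > 0 && $failures % 5 == 0) {
            db_query("UPDATE mail.webmail_totp SET failures = failures+1, unlock_timestamp = NOW() + INTERVAL 5 MINUTE WHERE email='{$email}'");
        } else {
            db_query("UPDATE mail.webmail_totp SET failures = failures+1 WHERE email='{$email}'");
        }
        DEBUG('FAILED');
    }
    return $checkResult;
}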
modules/googleauth/include/googleauth.php 160)
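/**
 * Render the otpauth:// enrolment URL for a secret as a PNG QR code.
 *
 * The image is produced by the external `qrencode` program. The URL, and
 * with it the secret, is written to the child's stdin rather than placed on
 * the command line, so the command string stays constant.
 *
 * @param string $secret TOTP secret to embed in the URL.
 * @return string|null PNG data read from qrencode, or null (after a
 *                     warning) when the process could not be started.
 */
function generate_qrcode_image($secret)
{
    $url = 'otpauth://totp/Webmail?secret='.$secret;

    $descriptorspec = array(
        0 => array("pipe", "r"),  // STDIN is a pipe the child reads from
        1 => array("pipe", "w"),  // STDOUT is a pipe the child writes to
        2 => array("pipe", "w")
    );

    $process = proc_open('qrencode -t PNG -s 5 -o -', $descriptorspec, $pipes);

    if (is_resource($process)) {
        // $pipes now holds:
        // 0 => write handle connected to the child's STDIN
        // 1 => read handle connected to the child's STDOUT
        // 2 => read handle connected to the child's STDERR

        fwrite($pipes[0], $url);
        fclose($pipes[0]);

        $pngdata = stream_get_contents($pipes[1]);
        fclose($pipes[1]);

        // All pipes have to be closed before proc_close() to avoid
        // deadlocks. The original left the STDERR pipe open; drain and
        // close it as well.
        stream_get_contents($pipes[2]);
        fclose($pipes[2]);

        proc_close($process);

        return $pngdata;
    } else {
        warning('Es ist ein interner Fehler im Webinterface aufgetreten, aufgrund dessen kein QR-Code erstellt werden kann. Sollte dieser Fehler mehrfach auftreten, kontaktieren Sie bitte die Administratoren.');
    }
}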
modules/googleauth/include/googleauth.php 194)
/**
 * Resolve a TOTP record id to its mail address.
 *
 * The lookup is restricted to records owned by the logged-in user (session
 * uid), so an id belonging to another user yields no result.
 *
 * @param int $id Record id in mail.webmail_totp; cast to int before use.
 * @return string|null The address, or null when no owned record matches.
 */
function accountname($id)
{
    $owner = (int) $_SESSION['userinfo']['uid'];
    $recordId = (int) $id;

    $rows = db_query("SELECT email FROM mail.webmail_totp WHERE id={$recordId} AND useraccount={$owner}");
    $record = mysql_fetch_assoc($rows);
    if (!$record) {
        return null;
    }
    return $record['email'];
}
modules/googleauth/include/googleauth.php 204)
modules/googleauth/include/googleauth.php 205)
/**
 * Remove a TOTP record.
 *
 * The DELETE is restricted to records owned by the logged-in user (session
 * uid); both values are cast to int before they enter the SQL text.
 *
 * @param int $id Record id in mail.webmail_totp.
 * @return void
 */
function delete_totp($id)
{
    $owner = (int) $_SESSION['userinfo']['uid'];
    $recordId = (int) $id;

    db_query("DELETE FROM mail.webmail_totp WHERE id={$recordId} AND useraccount={$owner}");
}
modules/googleauth/include/googleauth.php 213)
modules/googleauth/include/googleauth.php 214)
/**
 * Record a used TOTP code so that it cannot be replayed.
 *
 * Both arguments are escaped here, so callers must pass the raw values.
 *
 * @param string $email Mail address the code was used for.
 * @param string $token The code that was accepted.
 * @return void
 */
function blacklist_token($email, $token)
{
    $safeToken = mysql_real_escape_string($token);
    $safeEmail = mysql_real_escape_string($email);

    $insert = "INSERT INTO mail.webmail_totp_blacklist (timestamp, email, token) VALUES (NOW(), '{$safeEmail}', '{$safeToken}')";
    db_query($insert);
}
modules/googleauth/include/googleauth.php 221)
modules/googleauth/include/googleauth.php 222) function check_blacklist($email, $token)
modules/googleauth/include/googleauth.php 223) {
modules/googleauth/include/googleauth.php 224) $email = mysql_real_escape_string($email);
modules/googleauth/include/googleauth.php 225) $token = mysql_real_escape_string($token);
modules/webmailtotp/include/totp.php 226) db_query("DELETE FROM mail.webmail_totp_blacklist WHERE timestamp < NOW() - INTERVAL 10 MINUTE");
modules/webmailtotp/include/totp.php 227) $result = db_query("SELECT id FROM mail.webmail_totp_blacklist WHERE email='{$email}' AND token='{$token}'");