Bernd Wurst commited on 2012-09-18 11:54:20
Zeige 2 geänderte Dateien mit 34 Einfügungen und 1 Löschungen.
| ... | ... |
@@ -115,7 +115,19 @@ function generate_secret($username) |
| 115 | 115 |
return $secret; |
| 116 | 116 |
} |
| 117 | 117 |
|
| 118 |
+function check_locked($username) |
|
| 119 |
+{
|
|
| 120 |
+ $username = mysql_real_escape_string($username); |
|
| 121 |
+ $result = db_query("SELECT 1 FROM mail.webmail_googleauth WHERE unlock_timestamp IS NOT NULL and unlock_timestamp > NOW() AND email='{$username}'");
|
|
| 122 |
+ return (mysql_num_rows($result) > 0); |
|
| 123 |
+} |
|
| 124 |
+ |
|
| 118 | 125 |
function check_googleauth($username, $code) {
|
| 126 |
+ if (check_blacklist($username, $code)) {
|
|
| 127 |
+ DEBUG('Replay-Attack');
|
|
| 128 |
+ return false; |
|
| 129 |
+ } |
|
| 130 |
+ |
|
| 119 | 131 |
$username = mysql_real_escape_string($username); |
| 120 | 132 |
|
| 121 | 133 |
$result = db_query("SELECT ga_secret, failures FROM mail.webmail_googleauth WHERE email='{$username}' AND (unlock_timestamp IS NULL OR unlock_timestamp <= NOW())");
|
| ... | ... |
@@ -128,6 +140,7 @@ function check_googleauth($username, $code) {
|
| 128 | 140 |
$checkResult = $ga->verifyCode($secret, $code, 2); // 2 = 2*30sec clock tolerance |
| 129 | 141 |
if ($checkResult) {
|
| 130 | 142 |
db_query("UPDATE mail.webmail_googleauth SET failures = 0, unlock_timestamp=NULL WHERE email='{$username}'");
|
| 143 |
+ blacklist_token($username, $code); |
|
| 131 | 144 |
DEBUG('OK');
|
| 132 | 145 |
} else {
|
| 133 | 146 |
if ($tmp['failures'] > 0 && $tmp['failures'] % 5 == 0) {
|
| ... | ... |
@@ -195,3 +208,20 @@ function delete_googleauth($id) |
| 195 | 208 |
db_query("DELETE FROM mail.webmail_googleauth WHERE id={$id} AND useraccount={$uid}");
|
| 196 | 209 |
} |
| 197 | 210 |
|
| 211 |
+ |
|
| 212 |
+function blacklist_token($email, $token) |
|
| 213 |
+{
|
|
| 214 |
+ $email = mysql_real_escape_string($email); |
|
| 215 |
+ $token = mysql_real_escape_string($token); |
|
| 216 |
+ db_query("INSERT INTO mail.webmail_googleauth_blacklist (timestamp, email, token) VALUES (NOW(), '{$email}', '{$token}')");
|
|
| 217 |
+} |
|
| 218 |
+ |
|
| 219 |
+function check_blacklist($email, $token) |
|
| 220 |
+{
|
|
| 221 |
+ $email = mysql_real_escape_string($email); |
|
| 222 |
+ $token = mysql_real_escape_string($token); |
|
| 223 |
+ db_query("DELETE FROM mail.webmail_googleauth_blacklist WHERE timestamp < NOW() - INTERVAL 10 MINUTE");
|
|
| 224 |
+ $result = db_query("SELECT id FROM mail.webmail_googleauth_blacklist WHERE email='{$email}' AND token='{$token}'");
|
|
| 225 |
+ return (mysql_num_rows($result) > 0); |
|
| 226 |
+} |
|
| 227 |
+ |
| ... | ... |
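Review bot: The replay protection is not atomic — `check_blacklist` runs at line 126 before `verifyCode`, and `blacklist_token` only records the code after success at line 143, so two overlapping requests carrying the same code can both pass the lookup before either row is inserted. A unique index on `(email, token)` in `webmail_googleauth_blacklist` plus reserving the code before verification (`INSERT IGNORE` and treat `mysql_affected_rows() == 0` as the replay) would close that window; the 10-minute prune at line 223 is fine since it exceeds the ±60 s tolerance passed to `verifyCode` at line 140. Separately, the blacklist keys on the raw `$code` string while the verifier presumably accepts numerically-equal variants, so `"012345"` and `"12345"` would be two different blacklist entries for one code; rejecting anything that is not exactly six digits at the top of `check_googleauth` — `if (!preg_match('/^\d{6}$/', $code)) { return false; }` — canonicalises what both the blacklist and the verifier see. `check_googleauth`'s body continues outside the hunk.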
@@ -35,7 +35,10 @@ if (isset($_REQUEST['username'])) {
|
| 35 | 35 |
$success = false; |
| 36 | 36 |
} |
| 37 | 37 |
|
| 38 |
- if (! check_googleauth($username, $ga_code)) {
|
|
| 38 |
+ if (check_locked($username)) {
|
|
| 39 |
+ input_error('Aufgrund einiger Fehlversuche wurde dieses Konto übergangsweise deaktiviert. Bitte warten Sie ein paar Minuten.');
|
|
| 40 |
+ $success = false; |
|
| 41 |
+ } elseif (! check_googleauth($username, $ga_code)) {
|
|
| 39 | 42 |
input_error('Der Google-Authenticator-Code wurde nicht akzeptiert.');
|
| 40 | 43 |
$success = false; |
| 41 | 44 |
} |
| 42 | 45 |
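Review bot: The new branch at line 38 returns a different message for a locked account than for a rejected code, which lets an unauthenticated caller learn from the login response that a username exists and has Google Authenticator enrolled, since `check_locked` only matches rows in `webmail_googleauth`. If the distinction is wanted for usability, consider logging the lock server-side and keeping one generic page message — `input_error('Der Google-Authenticator-Code wurde nicht akzeptiert.');` in both branches — or at least rate-limiting this endpoint so probing usernames is expensive. The enclosing `if (isset($_REQUEST['username']))` block starts before the hunk, and whether `$username` is validated or echoed earlier is not visible here.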