webinterface.git

@@ -0,0 +1,201 @@

+<?php

+

+/**

+ * PHP Class for handling Google Authenticator 2-factor authentication

+ *

+ * @author Michael Kliewe

+ * @copyright 2012 Michael Kliewe

+ * @license http://www.opensource.org/licenses/bsd-license.php BSD License

+ * @link http://www.phpgangsta.de/

+ */

+

+class PHPGangsta_GoogleAuthenticator

+{

+    protected $_codeLength = 6;

+

+    /**

+     * Create new secret.

+     * 16 characters, randomly chosen from the allowed base32 characters.

+     *

+     * @param int $secretLength

+     * @return string

+     */

+    public function createSecret($secretLength = 16)

+    {

+        $validChars = $this->_getBase32LookupTable();

+        unset($validChars[32]);

+

+        $secret = '';

+        for ($i = 0; $i < $secretLength; $i++) {

+            $secret .= $validChars[array_rand($validChars)];

+        }

+        return $secret;

+    }

+

+    /**

+     * Calculate the code, with given secret and point in time

+     *

+     * @param string $secret

+     * @param int|null $timeSlice

+     * @return string

+     */

+    public function getCode($secret, $timeSlice = null)

+    {

+        if ($timeSlice === null) {

+            $timeSlice = floor(time() / 30);

+        }

+

+        $secretkey = $this->_base32Decode($secret);

+

+        // Pack time into binary string

+        $time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice);

+        // Hash it with users secret key

+        $hm = hash_hmac('SHA1', $time, $secretkey, true);

+        // Use last nipple of result as index/offset

+        $offset = ord(substr($hm, -1)) & 0x0F;

+        // grab 4 bytes of the result

+        $hashpart = substr($hm, $offset, 4);

+

+        // Unpak binary value

+        $value = unpack('N', $hashpart);

+        $value = $value[1];

+        // Only 32 bits

+        $value = $value & 0x7FFFFFFF;

+

+        $modulo = pow(10, $this->_codeLength);

+        return str_pad($value % $modulo, $this->_codeLength, '0', STR_PAD_LEFT);

+    }

+

+    /**

+     * Get QR-Code URL for image, from google charts

+     *

+     * @param string $name

+     * @param string $secret

+     * @return string

+     */

+    public function getQRCodeGoogleUrl($name, $secret) {

+        $urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret.'');

+        return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl='.$urlencoded.'';

+    }

+

+    /**

+     * Check if the code is correct. This will accept codes starting from $discrepancy*30sec ago to $discrepancy*30sec from now

+     *

+     * @param string $secret

+     * @param string $code

+     * @param int $discrepancy This is the allowed time drift in 30 second units (8 means 4 minutes before or after)

+     * @return bool

+     */

+    public function verifyCode($secret, $code, $discrepancy = 1)

+    {

+        $currentTimeSlice = floor(time() / 30);

+

+        for ($i = -$discrepancy; $i <= $discrepancy; $i++) {

+            $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);

+            if ($calculatedCode == $code ) {

+                return true;

+            }

+        }

+

+        return false;

+    }

+

+    /**

+     * Set the code length, should be >=6

+     *

+     * @param int $length

+     * @return PHPGangsta_GoogleAuthenticator

+     */

+    public function setCodeLength($length)

+    {

+        $this->_codeLength = $length;

+        return $this;

+    }

+

+    /**

+     * Helper class to decode base32

+     *

+     * @param $secret

+     * @return bool|string

+     */

+    protected function _base32Decode($secret)

+    {

+        if (empty($secret)) return '';

+

+        $base32chars = $this->_getBase32LookupTable();

+        $base32charsFlipped = array_flip($base32chars);

+

+        $paddingCharCount = substr_count($secret, $base32chars[32]);

+        $allowedValues = array(6, 4, 3, 1, 0);

+        if (!in_array($paddingCharCount, $allowedValues)) return false;

+        for ($i = 0; $i < 4; $i++){

+            if ($paddingCharCount == $allowedValues[$i] &&

+                substr($secret, -($allowedValues[$i])) != str_repeat($base32chars[32], $allowedValues[$i])) return false;

+        }

+        $secret = str_replace('=','', $secret);

+        $secret = str_split($secret);

+        $binaryString = "";

+        for ($i = 0; $i < count($secret); $i = $i+8) {

+            $x = "";

+            if (!in_array($secret[$i], $base32chars)) return false;

+            for ($j = 0; $j < 8; $j++) {

+                $x .= str_pad(base_convert(@$base32charsFlipped[@$secret[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT);

+            }

+            $eightBits = str_split($x, 8);

+            for ($z = 0; $z < count($eightBits); $z++) {

+                $binaryString .= ( ($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48 ) ? $y:"";

+            }

+        }

+        return $binaryString;

+    }

+

+    /**

+     * Helper class to encode base32

+     *

+     * @param string $secret

+     * @param bool $padding

+     * @return string

+     */

+    protected function _base32Encode($secret, $padding = true)

+    {

+        if (empty($secret)) return '';

+

+        $base32chars = $this->_getBase32LookupTable();

+

+        $secret = str_split($secret);

+        $binaryString = "";

+        for ($i = 0; $i < count($secret); $i++) {

+            $binaryString .= str_pad(base_convert(ord($secret[$i]), 10, 2), 8, '0', STR_PAD_LEFT);

+        }

+        $fiveBitBinaryArray = str_split($binaryString, 5);

+        $base32 = "";

+        $i = 0;

+        while ($i < count($fiveBitBinaryArray)) {

+            $base32 .= $base32chars[base_convert(str_pad($fiveBitBinaryArray[$i], 5, '0'), 2, 10)];

+            $i++;

+        }

+        if ($padding && ($x = strlen($binaryString) % 40) != 0) {

+            if ($x == 8) $base32 .= str_repeat($base32chars[32], 6);

+            elseif ($x == 16) $base32 .= str_repeat($base32chars[32], 4);

+            elseif ($x == 24) $base32 .= str_repeat($base32chars[32], 3);

+            elseif ($x == 32) $base32 .= $base32chars[32];

+        }

+        return $base32;

+    }

+

+    /**

+     * Get array with all 32 characters for decoding from/encoding to base32

+     *

+     * @return array

+     */

+    protected function _getBase32LookupTable()

+    {

+        return array(

+            'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', //  7

+            'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15

+            'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23

+            'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31

+            '='  // padding char

+        );

+    }

+}

@@ -289,9 +289,9 @@ function encode_querystring($querystring)

 }

-function addnew($file, $label, $querystring = '')

+function addnew($file, $label, $querystring = '', $attribs = '')

 {

-  output('<p class="addnew">'.internal_link($file, $label, $querystring).'</p>');

+  output('<p class="addnew">'.internal_link($file, $label, $querystring, $attribs).'</p>');

 }

@@ -0,0 +1,53 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written 2008-2012 by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

+

+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see 

+http://creativecommons.org/publicdomain/zero/1.0/

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+require_once('inc/base.php');

+require_role(ROLE_SYSTEMUSER);

+

+require_once('googleauth.php');

+

+$username = urldecode($_REQUEST['username']);

+

+$oldpw = $_REQUEST['oldpw'];

+$newpw = $_REQUEST['newpw'];

+

+if (! validate_password($username, $oldpw)) {

+  system_failure('Ihr bestehendes Mailbox-Passwort hat nicht gestimmt.');

+}

+

+store_webmail_password($username, $oldpw, $newpw);

+$secret = generate_secret($username);

+

+title("Sicherer Zugang zum Webmailer");

+

+output('<p>Bitte geben Sie den folgenden Initialisierungs-Code in Ihre Google-Authenticator-Software ein oder Scannen Sie den QR-Code mit der Google-Authenticator-App Ihres Mobiltelefons.</p>');

+

+$qrcode_image = generate_qrcode_image($secret);

+

+output('<h4>Ihr Initialisierungs-Code</h4><p style="font-size: 120%;">'.$secret.'</p><p><img src="data:image/png;base64,'.base64_encode($qrcode_image).'" /></p>');

+

+output('<h3>Testen Sie es...</h3><p>Nachdem Sie den Startwert in Ihren Google-Authenticator eingegeben haben bzw. den QRCode eingescannt haben, erhalten Sie umgehend einen Zugangscode. Geben Sie diesen hier ein um die Funktion zu testen:</p>');

+

+$form = '<p>Ihr Webmail-Benutzername: <input type="text" name="username" value="'.filter_input_general($username).'" /></p>

+<p>Ihr neues Webmail-Passwort: <input type="password" name="webmailpass" /></p>

+<p>Der aktuellste Einmal-Code von Google-Authenticator: <input type="text" name="ga_code" /></p>

+<p><input type="submit" value="Prüfen!" /></p>';

+

+

+output(html_form('googleauth_test', 'test', '', $form));

+

+

+?>

@@ -0,0 +1,168 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written 2008-2012 by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

+

+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see 

+http://creativecommons.org/publicdomain/zero/1.0/

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+

+function account_has_googleauth($username)

+{

+  $username = mysql_real_escape_string($username);

+  $result = db_query("SELECT id FROM mail.webmail_googleauth WHERE email='{$username}'");

+  if (mysql_num_rows($result) > 0) {

+    $tmp = mysql_fetch_assoc($result);

+    $id = $tmp['id'];

+    return $id;

+  } else {

+    return false;

+  }

+}

+

+

+

+function validate_password($username, $password) 

+{

+  $username = mysql_real_escape_string($username);

+  $result = db_query("SELECT account, cryptpass FROM mail.courier_mailaccounts WHERE account='{$username}' UNION SELECT account, cryptpass FROM mail.courier_virtual_accounts WHERE account='{$username}'");

+  if (mysql_num_rows($result) != 1) {

+    // Kein Account mit dem Namen oder Name nicht eindeutig

+    return false;

+  }

+  $account = mysql_fetch_assoc($result);

+  return (crypt($password, $account['cryptpass']) == $account['cryptpass']);

+}

+

+

+function store_webmail_password($username, $oldpw, $newpw)

+{

+  $secret = $newpw;

+  if (strlen($oldpw) > strlen($newpw)) {

+    $secret = str_pad($newpw, strlen($oldpw), $newpw);

+  }

+  if (strlen($oldpw) < strlen($newpw)) {

+    $newpw = substr($newpw, 0, strlen($oldpw));

+  }

+  if (strlen($oldpw) != strlen($secret)) {

+    system_failure('Interner Fehler: Passwörter sind nicht gleich lang');

+  }

+  $code = '';

+  for ($i = 0 ; $i != strlen($oldpw) ; $i++) {

+    $code .= chr( ord($oldpw[$i]) ^ ord($secret[$i]) );

+  }

+  $code = base64_encode($code);

+  DEBUG(array($oldpw, $newpw, $code));

+

+

+  db_query("REPLACE INTO mail.webmail_googleauth (email, webmailpass) VALUES ('{$username}', '{$code}')");

+}

+

+

+function decode_webmail_password($crypted, $webmailpw)   

+{

+  $crypted = base64_decode($crypted);

+  $secret = $webmailpw;

+  if (strlen($crypted) > strlen($webmailpw)) {

+    $secret = str_pad($webmailpw, strlen($crypted), $webmailpw);

+  }

+  if (strlen($crypted) < strlen($webmailpw)) {

+    $webmailpw = substr($webmailpw, 0, strlen($crypted));

+  }

+  $clear = '';

+  for ($i = 0 ; $i != strlen($crypted) ; $i++) {

+    $clear .= chr( ord($crypted[$i]) ^ ord($secret[$i]) );

+  }

+  DEBUG('decrypted: '.$clear);

+  return $clear;

+}

+

+

+function check_webmail_password($username, $webmailpass)

+{

+  $username = mysql_real_escape_string($username);

+  $result = db_query("SELECT webmailpass FROM mail.webmail_googleauth WHERE email='{$username}'");

+  $tmp = mysql_fetch_assoc($result);

+  

+  $crypted = $tmp['webmailpass'];

+    

+  $clear = decode_webmail_password($crypted, $webmailpass);

+

+  return validate_password($username, $clear);

+  

+}

+

+

+function generate_secret($username)

+{

+  $username = mysql_real_escape_string($username);

+  require_once('external/googleauthenticator/GoogleAuthenticator.php');

+  $ga = new PHPGangsta_GoogleAuthenticator();

+  

+  $secret = $ga->createSecret();

+  DEBUG('GA-Secret: '.$secret);

+  DEBUG('QrCode: '.$ga->getQRCodeGoogleUrl('Blog', $secret));

+  db_query("UPDATE mail.webmail_googleauth SET ga_secret='{$secret}' WHERE email='{$username}'");

+  return $secret;

+}

+

+function check_googleauth($username, $code) {

+  $username = mysql_real_escape_string($username);

+

+  $result = db_query("SELECT ga_secret FROM mail.webmail_googleauth WHERE email='{$username}'");

+  $tmp = mysql_fetch_assoc($result);

+  $secret = $tmp['ga_secret'];

+

+  require_once('external/googleauthenticator/GoogleAuthenticator.php');

+  $ga = new PHPGangsta_GoogleAuthenticator();

+  

+  $checkResult = $ga->verifyCode($secret, $code, 2);    // 2 = 2*30sec clock tolerance

+  if ($checkResult) {

+    DEBUG('OK');

+  } else {

+    DEBUG('FAILED');

+  }

+  return $checkResult;

+

+}

+

+function generate_qrcode_image($secret) {

+  $url = 'otpauth://totp/Webmail?secret='.$secret;

+  

+  $descriptorspec = array(

+    0 => array("pipe", "r"),  // STDIN ist eine Pipe, von der das Child liest

+    1 => array("pipe", "w"),  // STDOUT ist eine Pipe, in die das Child schreibt

+    2 => array("pipe", "w") 

+  );

+

+  $process = proc_open('qrencode -t PNG -s 5 -o -', $descriptorspec, $pipes);

+

+  if (is_resource($process)) {

+    // $pipes sieht nun so aus:

+    // 0 => Schreibhandle, das auf das Child STDIN verbunden ist

+    // 1 => Lesehandle, das auf das Child STDOUT verbunden ist

+

+    fwrite($pipes[0], $url);

+    fclose($pipes[0]);

+

+    $pngdata = stream_get_contents($pipes[1]);

+    fclose($pipes[1]);

+

+    // Es ist wichtig, dass Sie alle Pipes schließen bevor Sie

+    // proc_close aufrufen, um Deadlocks zu vermeiden

+    $return_value = proc_close($process);

+  

+    return $pngdata;

+  }

+  

+  

+}

+

@@ -0,0 +1,24 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written 2008-2012 by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

+

+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see 

+http://creativecommons.org/publicdomain/zero/1.0/

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+$role = $_SESSION['role'];

+

+if ($role & (ROLE_SYSTEMUSER | ROLE_MAILACCOUNT | ROLE_VMAIL_ACCOUNT)) {

+  $menu["googleauth_overview"] = array("label" => "Sicheres Webmail", "file" => "overview", "weight" => 5, "submenu" => "email_vmail" );

+}

+

+

+?>

@@ -0,0 +1,108 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written 2008-2012 by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

+

+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see 

+http://creativecommons.org/publicdomain/zero/1.0/

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+require_once('googleauth.php');

+require_role(ROLE_SYSTEMUSER);

+

+title("Sicherer Zugang zum Webmailer");

+

+output('<p>Sie können bei '.config('company_name').' den Zugang zum Webmailer mit einem Zwei-Faktor-Prozess mit abweichendem Passwort schützen.</p>

+<p>Dieses System schützt Sie vor mitgelesenen Tastatureingaben in nicht vertrauenswürdiger Umgebung z.B. in einem Internet-Café.</p>

+<p>Beim Zwei-Faktor-Prozess müssen Sie zum Login ein festes Webmail-Passwort und zusätzlich ein variabler Code, den beispielsweise Ihr Smartphone erzeugen kann, eingeben. Da sich dieser Code alle 30 Sekunden ändert, kann ein Angreifer sich nicht später mit einem abgehörten Passwort noch einmal anmelden. Zum Erzeugen des Einmal-Codes benötigen Sie ein Gerät, das <strong>Google-Authenticator</strong>-Codes erzeugen kann. Meist ist dies ein Smartphne mit einer entsprechenden App.</p>

+<p><strong>Beachten Sie:</strong> Die Zwei-Faktor-Authentifizierung funktioniert nur für Webmail, beim Login via IMAP wird weiterhin nur das Passwort Ihres Postfachs benötigt. Damit dieses Passwort von einem Angreifer nicht mitgelesen werden kann, müssen Sie zur Zwei-Faktor-Authentifizierung unbedingt ein separates Passwort festlegen.</p>

+<h3>Fügen Sie Zwei-Faktor-Authentifizierung zu Ihren bestehenden Postfächern hinzu</h3>

+');

+

+

+require_once('modules/email/include/hasaccount.php');

+require_once('modules/email/include/vmail.php');

+

+if (! (user_has_accounts() || count(get_vmail_accounts())>0)) {

+  

+  output('<p><em>Bisher haben Sie kein Postfach. Bitte erstellen sie zunächst ein Postfach.</em></p>');

+}

+else

+{

+

+/* VMAIL */

+

+$domains = get_vmail_domains();

+$vmail_accounts = get_vmail_accounts();

+

+$sorted_by_domains = array();

+foreach ($vmail_accounts AS $account)

+{

+  if ($account['password'] == '') {

+    continue;

+  }

+  if (array_key_exists($account['domain'], $sorted_by_domains))

+    array_push($sorted_by_domains[$account['domain']], $account);

+  else

+    $sorted_by_domains[$account['domain']] = array($account);

+}

+

+DEBUG($sorted_by_domains);

+

+if (count($sorted_by_domains) > 0)

+{

+  foreach ($sorted_by_domains as $accounts_on_domain)

+  {

+      if (count($sorted_by_domains) > 2) {

+	      output('<h4>'.$accounts_on_domain[0]['domainname'].'</h4>');

+      }

+

+	    foreach ($accounts_on_domain AS $this_account)

+	    {

+        $username = $this_account['local'].'@'.$this_account['domainname'];  

+        output('<div style="margin-left: 2em;"><p style="margin-left: -2em;"><strong>'.$username.'</strong></p>');

+        $id = account_has_googleauth($username);

+        if ($id) {

+          output(addnew('delete', 'Sicheren Zugang für dieses Postfach abschalten', 'username='.urlencode($username), 'style="background-image: url('.$prefix.'images/delete.png); color: red;"'));

+        } else {

+          output(addnew('setup', 'Sicheren Zugang für dieses Postfach aktivieren', 'username='.urlencode($username)));

+        }

+        output('</div>');

+	    }

+  }

+}

+

+/* Mailaccounts */

+

+require_once('modules/email/include/mailaccounts.php');

+

+$accounts = mailaccounts($_SESSION['userinfo']['uid']);

+

+if (count($accounts) > 0) {

+

+if (count($sorted_by_domains) > 0) {

+  output('<h3>IMAP/POP3-Accounts</h3>');

+}

+

+

+foreach ($accounts AS $acc) {

+  if ($acc['mailbox']) {

+    output('<div style="margin-left: 2em;"><p style="margin-left: -2em;"><strong>'.$acc['account'].'</strong></p>');

+    output(addnew('setup', 'Sicheren Zugang für dieses Postfach aktivieren', 'username='.urlencode($acc['account'])));

+    output('</div>');

+  }

+}

+

+

+}

+

+}

+

+?>

@@ -0,0 +1,38 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written 2008-2012 by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

+

+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see 

+http://creativecommons.org/publicdomain/zero/1.0/

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+require_once('inc/base.php');

+require_once('inc/security.php');

+require_role(ROLE_SYSTEMUSER);

+

+$username = urldecode($_REQUEST['username']);

+

+title("Sicherer Zugang zum Webmailer");

+

+output('<p><strong>Hinweise:</strong></p><ul><li>Nach Einrichtung der Zwei-Faktor-Authentifizierung funktioniert bei der Anmeldung über <a href="'.config('webmail_url').'">die zentrale Webmail-Login-Seite</a> nur noch dieses Passwort zusammen mit dem Einmal-Code, der mit dem Google-Authenticator erzeugt wird.</li>

+<li>Ihr bestehendes IMAP-Passwort wird mit dem neuen Passwort verschlüsselt.</li><li>Über IMAP bzw. POP3 kann weiterhin nur mit dem bisherigen Passwort zugegriffen werden.</li><li>Wenn Sie ihr IMAP-Passwort ändern, wird diese Zwei-Faktor-Authentifizierung automatisch abgeschaltet.</li></ul>');

+

+$form = '<p>Geben Sie zunächst bitte das bestehende Passwort des Postfachs <strong>'.filter_input_general($username).'</strong> ein:</p>

+<p>Postfach-Passwort: <input type="password" name="oldpw" /></p>';

+

+$form .= '<p>Geben sie hier bitte das neue Passwort ein, mit dem sich der Benutzer <strong>'.filter_input_general($username).'</strong> zukünftig anmelden muss.</p>

+<p>Neues Webmail-Passwort: <input type="password" name="newpw" /></p>';

+

+$form .= '<p><input type="submit" value="Einrichten" /></p>';

+

+output(html_form('googleauth_setup', 'generate', 'username='.urlencode($username), $form));

+

+?>

@@ -0,0 +1,59 @@

+<?php

+/*

+This file belongs to the Webinterface of schokokeks.org Hosting

+

+Written 2008-2012 by schokokeks.org Hosting, namely

+  Bernd Wurst <bernd@schokokeks.org>

+  Hanno Böck <hanno@schokokeks.org>

+

+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

+

+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see 

+http://creativecommons.org/publicdomain/zero/1.0/

+

+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code.

+*/

+

+require_once('inc/base.php');

+require_once('inc/icons.php');

+require_role(ROLE_SYSTEMUSER);

+

+require_once('googleauth.php');

+

+$username = $_REQUEST['username'];

+$webmailpw = $_REQUEST['webmailpass'];

+$ga_code = $_REQUEST['ga_code'];

+

+$success = true;

+

+if (! check_webmail_password($username, $webmailpw)) {

+  input_error('Das Webmail-Passwort hat nicht gestimmt.');

+  $success = false;

+}

+

+if (! check_googleauth($username, $ga_code)) {

+  input_error('Der Google-Authenticator-Code wurde nicht akzeptiert.');

+  $success = false;

+}

+

+title('Test der Zwei-Faktor-authentifizierung');

+

+if ($success) {

+  output('<p>'.icon_ok().' Der Test war erfolgreich!');

+} else {

+  output('<p>'.icon_error().' Der Test war leider nicht erfolgreich.');

+}

+

+

+output('<h3>Weiterer Test</h3>');

+

+$form = '<p>Ihr Webmail-Benutzername: <input type="text" name="username" value="'.filter_input_general($username).'" /></p>

+<p>Ihr neues Webmail-Passwort: <input type="password" name="webmailpass" /></p>

+<p>Der aktuellste Einmal-Code von Google-Authenticator: <input type="text" name="ga_code" /></p>

+<p><input type="submit" value="Prüfen!" /></p>';

+

+

+output(html_form('googleauth_test', 'test', '', $form));

+

+

+?>