2fa: check TOTP based on previous secret values (oops of the year, 2019)

This commit is contained in:
Andrew Dolgov 2019-11-03 20:47:21 +03:00
parent 17e145f481
commit f6090655bf
1 changed files with 12 additions and 8 deletions


@ -31,14 +31,7 @@ class Auth_Internal extends Plugin implements IAuthModule {
$sth->execute([$login]);
if ($row = $sth->fetch()) {
$base32 = new \OTPHP\Base32();
$otp_enabled = $row['otp_enabled'];
$secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false);
$topt = new \OTPHP\TOTP($secret);
$otp_check = $topt->now();
if ($otp_enabled) {
@ -48,7 +41,18 @@ class Auth_Internal extends Plugin implements IAuthModule {
}
if ($otp) {
if ($otp != $otp_check) {
$base32 = new \OTPHP\Base32();
$secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false);
$secret_legacy = $base32->encode(sha1($row["salt"]));
$totp = new \OTPHP\TOTP($secret);
$otp_check = $totp->now();
$totp_legacy = new \OTPHP\TOTP($secret_legacy);
$otp_check_legacy = $totp_legacy->now();
if ($otp != $otp_check && $otp != $otp_check_legacy) {
return false;
}
} else {
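Review bot: The check on the added line `if ($otp != $otp_check && $otp != $otp_check_legacy)` is a loose, non-constant-time comparison: PHP compares two numeric strings numerically under `!=`, so a submitted code with a dropped leading zero (e.g. `12345` for a generated `012345`) is still accepted, and an early-exit string compare is not timing-safe. Prefer `if (!hash_equals($otp_check, (string)$otp) && !hash_equals($otp_check_legacy, (string)$otp)) {` (the cast assumes `$otp` is the submitted code; hash_equals throws a TypeError on non-strings in PHP 8). The fallback to `$secret_legacy`, derived from the full `sha1($row["salt"])`, is accepted with no expiry or migration, so the previous secret derivation stays valid indefinitely; a short comment such as `// legacy secret derivation kept for users enrolled before this change; retire once migrated` plus a log line recording which derivation matched would make that retirement trackable. The enclosing method starts before the first hunk and continues past this one.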