Feature #20382 » 02_rsaauth_sysext.diff

Administrator Admin, 2009-04-30 17:31


typo3/sysext/rsaauth/ext_tables.php (revision 0)
<?php
if (!defined ('TYPO3_MODE')) {
die('Access denied.');
}
// Define the table for keys. Make sure that it cannot be edited or seen by
// any user in any way.
$TCA['tx_rsaauth_keys'] = array (
'ctrl' => array (
'adminOnly' => true,
'hideTable' => true,
'is_static' => true,
'label' => 'uid',
'readOnly' => true,
'rootLevel' => 1,
'title' => 'Oops! You should not see this!'
),
'columns' => array(
),
'types' => array(
'0' => array(
'showitem' => ''
)
)
);
?>
typo3/sysext/rsaauth/hooks/class.tx_rsaauth_feloginhook.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: $
*/
require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/backends/class.tx_rsaauth_backendfactory.php');
require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/storage/class.tx_rsaauth_storagefactory.php');
/**
* This class contains a hook to implement RSA authentication for the TYPO3
* Frontend. Warning: felogin must be USER_INT for this to work!
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
class tx_rsaauth_feloginhook {
/**
* Hooks to the felogin extension to provide additional code for FE login
*
* @return array 0 => onSubmit function, 1 => extra fields and required files
*/
public function loginFormHook() {
$result = array(0 => '', 1 => '');
if ($GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] == 'rsa') {
$backend = tx_rsaauth_backendfactory::getBackend();
if ($backend) {
$result[0] = 'tx_rsaauth_feencrypt(this);';
$javascriptPath = t3lib_extMgm::siteRelPath('rsaauth') . 'resources/';
$files = array(
'jsbn/jsbn.js',
'jsbn/prng4.js',
'jsbn/rng.js',
'jsbn/rsa.js',
'jsbn/base64.js',
'rsaauth_min.js'
);
foreach ($files as $file) {
$result[1] .= '<script type="text/javascript" src="' .
t3lib_div::getIndpEnv('TYPO3_SITE_URL') .
$javascriptPath . $file . '"></script>';
}
// Generate a new key pair
$keyPair = $backend->createNewKeyPair();
// Save private key
$storage = tx_rsaauth_storagefactory::getStorage();
/* @var $storage tx_rsaauth_abstract_storage */
$storage->put($keyPair->getPrivateKey());
// Add RSA hidden fields
$result[1] .= '<input type="hidden" id="rsa_n" name="n" value="' . htmlspecialchars($keyPair->getPublicKeyModulus()) . '" />';
$result[1] .= '<input type="hidden" id="rsa_e" name="e" value="' . sprintf('%x', $keyPair->getExponent()) . '" />';
}
}
return $result;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/hooks/class.tx_rsaauth_feloginhook.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/hooks/class.tx_rsaauth_feloginhook.php']);
}
?>
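Review bot: When getBackend() returns null in loginFormHook() the hook silently returns two empty strings, so the felogin form is rendered without RSA while tx_rsaauth_sv1::authUser() still rejects any password that does not carry the `rsa:` prefix at this security level; the visible failure mode is a login that can never succeed with no hint why. At minimum the `if ($backend)` branch deserves an else comment such as `// No usable RSA backend: the form is rendered plain and the auth service will reject the login` so an administrator debugging it is pointed at the backend warnings. Also, getPublicKeyModulus() is passed through htmlspecialchars() while the exponent is not; sprintf('%x') yields only hex digits so that is safe, but a short comment saying so keeps a future maintainer from "fixing" the asymmetry the wrong way.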
typo3/sysext/rsaauth/hooks/class.tx_rsaauth_loginformhook.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_loginformhook.php 19655 2009-04-28 16:01:58Z dmitry $
*/
require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/backends/class.tx_rsaauth_backendfactory.php');
require_once(t3lib_extMgm::extPath('rsaauth', 'sv1/storage/class.tx_rsaauth_storagefactory.php'));
/**
* This class provides a hook to the login form to add extra javascript code
* and supply a proper form tag.
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
class tx_rsaauth_loginformhook {
/**
* Adds RSA-specific JavaScript and returns a form tag
*
* @return string Form tag
*/
public function getLoginFormTag(array $params, SC_index& $pObj) {
$form = null;
if ($pObj->loginSecurityLevel == 'rsa') {
// If we can get the backend, we can proceed
$backend = tx_rsaauth_backendfactory::getBackend();
if (!is_null($backend)) {
// Add form tag
$form = '<form action="index.php" method="post" name="loginform" onsubmit="tx_rsaauth_encrypt();">';
// Generate a new key pair
$keyPair = $backend->createNewKeyPair();
// Save private key
$storage = tx_rsaauth_storagefactory::getStorage();
/* @var $storage tx_rsaauth_abstract_storage */
$storage->put($keyPair->getPrivateKey());
// Add RSA hidden fields
$form .= '<input type="hidden" id="rsa_n" name="n" value="' . htmlspecialchars($keyPair->getPublicKeyModulus()) . '" />';
$form .= '<input type="hidden" id="rsa_e" name="e" value="' . sprintf('%x', $keyPair->getExponent()) . '" />';
}
}
return $form;
}
/**
* Provides form code for the superchallenged authentication.
*
* @param array $params Parameters to the script
* @param SC_index $pObj Calling object
* @return string The code for the login form
*/
public function getLoginScripts(array $params, SC_index &$pObj) {
$content = '';
if ($pObj->loginSecurityLevel == 'rsa') {
$javascriptPath = t3lib_extMgm::siteRelPath('rsaauth') . 'resources/';
$files = array(
'jsbn/jsbn.js',
'jsbn/prng4.js',
'jsbn/rng.js',
'jsbn/rsa.js',
'jsbn/base64.js',
'rsaauth_min.js'
);
$content = '';
foreach ($files as $file) {
$content .= '<script type="text/javascript" src="' .
t3lib_div::getIndpEnv('TYPO3_SITE_URL') .
$javascriptPath . $file . '"></script>';
}
}
return $content;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/hooks/class.tx_rsaauth_loginformhook.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/hooks/class.tx_rsaauth_loginformhook.php']);
}
?>
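Review bot: getLoginFormTag() is documented as returning a string, but `$form = null` is returned unchanged when the security level is not 'rsa' or no backend is available, and its two parameters have no @param entries although the sibling getLoginScripts() documents the same pair. Either initialise `$form = '';` or change the docblock to `@return string|null Form tag, or null when RSA login is not active`, and add `@param array $params Parameters to the script` and `@param SC_index $pObj Calling object`. The `$content = '';` inside the if-block of getLoginScripts() repeats the initialisation two lines above and can be dropped.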
typo3/sysext/rsaauth/hooks/locallang.xml (revision 0)
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<T3locallang>
<meta type="array">
<type>module</type>
<description>Language labels for the backend warning hook of the rsaauth extension</description>
</meta>
<data type="array">
<languageKey index="default" type="array">
<label index="hook_empty_directory">RSA temporary directory is empty. This is a security risk. Please, go to the Extension Manager, select the "RSA authentication" extension and set the directory according to instructions there.</label>
<label index="hook_directory_not_absolute">RSA temporary directory path is not absolute. This may cause RSA authentication errors and it is a security risk. Please, go to the Extension Manager, select the "RSA authentication" extension and set the directory according to instructions there.</label>
<label index="hook_directory_not_exist">RSA temporary directory does not exist. This is a security risk because an insecure directory will be used for RSA operations. Please, go to the Extension Manager, select the "RSA authentication" extension and set the directory according to instructions there.</label>
<label index="hook_directory_not_writable">RSA temporary directory is not writable. This may cause RSA authentication errors and it is a security risk. Please, go to the Extension Manager, select the "RSA authentication" extension and set the directory according to instructions there.</label>
<label index="hook_directory_inside_siteroot">RSA temporary directory is inside the web site root directory. This is a security risk. Please, go to the Extension Manager, select the "RSA authentication" extension and set the directory according to instructions there.</label>
<label index="hook_using_cmdline">RSA authentication could not detect the openssl PHP extension. Currently RSA authentication uses a command line openssl utility. This is slower and less secure. Please, consider installing openssl PHP extension.</label>
</languageKey>
</data>
</T3locallang>
typo3/sysext/rsaauth/hooks/class.tx_rsaauth_backendwarnings.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_backendwarnings.php 19635 2009-04-28 13:54:40Z dmitry $
*/
require_once(t3lib_extMgm::extPath('rsaauth', 'sv1/backends/class.tx_rsaauth_backendfactory.php'));
/**
* This class contains a hook to the backend warnings collection. It checks
* RSA configuration and create a warning if the configuration is wrong.
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
class tx_rsaauth_backendwarnings {
/**
* Checks RSA configuration and creates warnings if necessary.
*
* @param array $warnings Warnings
* @return void
* @see t3lib_BEfunc::displayWarningMessages()
*/
public function displayWarningMessages_postProcess(array &$warnings) {
$backend = tx_rsaauth_backendfactory::getBackend();
if ($backend instanceof tx_rsaauth_cmdline_backend) {
// Not using the PHP extension!
$warnings['rsaauth_cmdline'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_using_cmdline');
// Check the path
$extconf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['rsaauth']);
$path = trim($extconf['temporaryDirectory']);
if ($path == '') {
// Path is empty
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_empty_directory');
}
elseif (!t3lib_div::isAbsPath($path)) {
// Path is not absolute
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_directory_not_absolute');
}
elseif (!@is_dir($path)) {
// Path does not represent a directory
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_directory_not_exist');
}
elseif (!@is_writable($path)) {
// Directory is not writable
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_directory_not_writable');
}
elseif (substr($path, 0, strlen(PATH_site)) == PATH_site) {
// Directory is inside the site root
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_directory_inside_siteroot');
}
}
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/hooks/class.tx_rsaauth_backendwarnings.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/hooks/class.tx_rsaauth_backendwarnings.php']);
}
?>
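Review bot: The inside-site-root check in displayWarningMessages_postProcess() compares the configured string prefix with PATH_site, so a path written with `..` or reached through a symlink that resolves into the web root passes the check; resolving it first closes that gap: `$realPath = realpath($path); if ($realPath === false || substr($realPath . '/', 0, strlen(PATH_site)) == PATH_site) { ... }`. `$extconf['temporaryDirectory']` is read without isset(), so a fresh install with no saved extension configuration raises a notice before the empty-path warning is produced; `$path = trim(isset($extconf['temporaryDirectory']) ? $extconf['temporaryDirectory'] : '');` avoids that. The elseif chain reports only the first failing condition, which the method docblock could state so readers do not expect a full list of problems.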
typo3/sysext/rsaauth/ext_localconf.php (revision 0)
<?php
if (!defined ('TYPO3_MODE')) {
die ('Access denied.');
}
// Add the service
t3lib_extMgm::addService($_EXTKEY, 'auth' /* sv type */, 'tx_rsaauth_sv1' /* sv key */,
array(
'title' => 'RSA authentication',
'description' => 'Authenticates users by using encrypted passwords',
'subtype' => 'getUserBE,authUserBE,getUserFE,authUserFE',
'available' => TRUE,
'priority' => 60, // tx_svauth_sv1 has 50, t3sec_saltedpw has 55. This service must have higher priority!
'quality' => 60, // tx_svauth_sv1 has 50. This service must have higher quality!
'os' => '',
'exec' => '', // Do not put a dependency on openssh here or service loading will fail!
'classFile' => t3lib_extMgm::extPath($_EXTKEY) . 'sv1/class.tx_rsaauth_sv1.php',
'className' => 'tx_rsaauth_sv1',
)
);
// Add a hook to the BE login form
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/index.php']['loginFormHook'][$_EXTKEY] = 'EXT:' . $_EXTKEY . '/hooks/class.tx_rsaauth_loginformhook.php:tx_rsaauth_loginformhook->getLoginFormTag';
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/index.php']['loginScriptHook'][$_EXTKEY] = 'EXT:' . $_EXTKEY . '/hooks/class.tx_rsaauth_loginformhook.php:tx_rsaauth_loginformhook->getLoginScripts';
// Add a hook to the FE login form (felogin system extension)
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['felogin']['loginFormOnSubmitFuncs'][$_EXTKEY] = 'EXT:' . $_EXTKEY . '/hooks/class.tx_rsaauth_feloginhook.php:tx_rsaauth_feloginhook->loginFormHook';
// Add a hook to show Backend warnings
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_befunc.php']['displayWarningMessages'][$_EXTKEY] = 'EXT:' . $_EXTKEY . '/hooks/class.tx_rsaauth_backendwarnings.php:tx_rsaauth_backendwarnings';
?>
typo3/sysext/rsaauth/ChangeLog (revision 0)
2009-04-30 Dmitry Dulepov <dmitry@typo3.org>
* Increased service priority to make it run before t3sec_saltedpw
2009-04-28 Dmitry Dulepov <dmitry@typo3.org>
* Added a method to set an alternative storage to the storage factory
* Do not use expired keys in the split storage
* Rename publicKey to publicKeyModulus in the keypair class
* Fixed: wrong unserializaion of the extension configuration
* Added a configuration check and warnings in the backend if the check fails
* Added a warning if command line backend is used
* Move login JavaScript addition to a separate hook
* Updated core patch, fixed some JavaScript errors on the login page
2009-04-13 Dmitry Dulepov <dmitry@typo3.org>
* Added a "split" storage for keys
* Fix XCLASS definitions
* Added FE authentication
* Added manual
2009-04-03 Dmitry Dulepov <dmitry@typo3.org>
* Added a factory for backends
* Added a factory for storages
2009-04-03 Dmitry Dulepov <dmitry@typo3.org>
* The service is working for BE users
* Change priority for the service from 100 to 55
* Added core patch to extras/ directory
* Fix command line backend for openssl versions with different base64 syntax
2009-03-16 Dmitry Dulepov <dmitry@typo3.org>
* Extension is generated and initial work is performed
typo3/sysext/rsaauth/ext_tables.sql (revision 0)
#
# Table structure for table 'tx_rsauth_keys'
#
CREATE TABLE tx_rsaauth_keys (
uid int(11) NOT NULL auto_increment,
pid int(11) DEFAULT '0' NOT NULL,
crdate int(11) DEFAULT '0' NOT NULL,
key_value text,
PRIMARY KEY (uid),
KEY crdate (crdate)
);
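Review bot: The header comment names the table `tx_rsauth_keys` while the CREATE TABLE below defines `tx_rsaauth_keys`; a grep for the real name will miss this comment, so it should read `# Table structure for table 'tx_rsaauth_keys'`. It would also help to note in that comment that key_value holds the database half of a split private key and that rows are expired by crdate (the split storage deletes rows older than 30 minutes), since nothing in the schema itself says what the column contains.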
typo3/sysext/rsaauth/sv1/storage/class.tx_rsaauth_abstract_storage.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_abstract_storage.php 17901 2009-03-16 16:58:22Z dmitry $
*/
/**
* This class contains the abstract storage for the RSA private keys
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
abstract class tx_rsaauth_abstract_storage {
/**
* Retrieves the key from the storage
*
* @return string The key or null
*/
abstract public function get();
/**
* Stores the key in the storage
*
* @param string $key The key
*/
abstract public function put($key);
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/storage/class.tx_rsaauth_abstract_storage.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/storage/class.tx_rsaauth_abstract_storage.php']);
}
?>
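Review bot: The XCLASS key in the closing block is `ext/rsaauth/storage/class.tx_rsaauth_abstract_storage.php`, but the file lives under sv1/storage/, and the other storage files in this patch register their keys as `ext/rsaauth/sv1/storage/...`; an XCLASS configured under the path-based convention would never be picked up here. Change both occurrences to `ext/rsaauth/sv1/storage/class.tx_rsaauth_abstract_storage.php`. The ChangeLog entry "Fix XCLASS definitions" suggests this one was simply missed.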
typo3/sysext/rsaauth/sv1/storage/class.tx_rsaauth_session_storage.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_session_storage.php 18942 2009-04-13 09:42:01Z dmitry $
*/
require_once(t3lib_extMgm::extPath('rsaauth', 'sv1/storage/class.tx_rsaauth_abstract_storage.php'));
/**
* This class contains a session-based storage for private keys. This storage
* is not secure enough because its implementation stores keys completely in the
* PHP sessions. PHP sessions usually store data in the file system and it is
* easy to extract. This storage is useful only as an example. It is better to
* use "split" storage for keys.
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
class tx_rsaauth_session_storage extends tx_rsaauth_abstract_storage {
/**
* Creates an instance of this class. It checks and initializes PHP
* sessions if necessary.
*
* @return void
*/
public function __construct() {
if (!isset($_SESSION) || !is_array($_SESSION)) {
session_start();
}
}
/**
* Obtains key from the session
*
* @return string The key or null
* @see tx_rsaauth_abstract_storage::get()
*/
public function get() {
return (isset($_SESSION['tx_rsaauth_key']) ? $_SESSION['tx_rsaauth_key'] : null);
}
/**
* Puts key to the session
*
* @param string $key The key
* @see tx_rsaauth_abstract_storage::put()
*/
public function put($key) {
$_SESSION['tx_rsaauth_key'] = $key;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/storage/class.tx_rsaauth_session_storage.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/storage/class.tx_rsaauth_session_storage.php']);
}
?>
typo3/sysext/rsaauth/sv1/storage/class.tx_rsaauth_storagefactory.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_storagefactory.php 19605 2009-04-28 12:12:32Z dmitry $
*/
require_once(t3lib_extMgm::extPath('rsaauth', 'sv1/storage/class.tx_rsaauth_abstract_storage.php'));
/**
* This class contains a factory for the RSA backends.
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
class tx_rsaauth_storagefactory {
/**
* A list of all available storages. Currently this list cannot be extended.
* This is for security reasons to avoid inserting some dummy storage to
* the list.
*
* @var string
*/
static protected $preferredStorage = 'EXT:rsaauth/sv1/storage/class.tx_rsaauth_split_storage.php:tx_rsaauth_split_storage';
/**
* An instance of the storage. This member is set in the getStorage() function.
* It will not be an abstract storage as shown below but a real class, which is
* derieved from the tx_rsaauth_abstract_storage.
*
* <!-- Please, keep the variable type! It helps IDEs to provide autocomple! -->
*
* @var tx_rsaauth_abstract_storage
*/
static protected $storageInstance = null;
/**
* Obtains a storage. This function will return a non-abstract class, which
* is derieved from the tx_rsaauth_abstract_storage. Applications should
* not use anoy methods that are not declared in the tx_rsaauth_abstract_storage.
*
* @return tx_rsaauth_abstract_storage A storage
*/
static public function getStorage() {
if (is_null(self::$storageInstance)) {
self::$storageInstance = t3lib_div::getUserObj(self::$preferredStorage);
}
return self::$storageInstance;
}
/**
* Sets the preffered storage to the factory. This method can be called from
* another extension or ext_localconf.php
*
* @param string $preferredStorage Preffered storage
* @return void
*/
static public function setPreferredStorage($preferredStorage) {
self::$preferredStorage = $preferredStorage;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/storage/class.tx_rsaauth_storagefactory.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/storage/class.tx_rsaauth_storagefactory.php']);
}
?>
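Review bot: The docblock of `$preferredStorage` still describes "a list of all available storages" that "cannot be extended ... for security reasons", but the property is now a single class reference and setPreferredStorage() lets any extension replace it, so the comment contradicts the code; the class docblock likewise says "factory for the RSA backends" where it means storages. setPreferredStorage() also has no effect once getStorage() has cached an instance, which is not documented; either add `self::$storageInstance = null;` to the setter or state in its docblock that it must be called before the first getStorage() call. Since the reference is handed to t3lib_div::getUserObj() unchecked, the setter's docblock should also say that only trusted code such as ext_localconf.php is expected to call it.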
typo3/sysext/rsaauth/sv1/storage/class.tx_rsaauth_split_storage.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_split_storage.php 19606 2009-04-28 12:16:30Z dmitry $
*/
require_once(t3lib_extMgm::extPath('rsaauth', 'sv1/storage/class.tx_rsaauth_abstract_storage.php'));
/**
* This class contains a "split" storage for the data. It keeps part of the data
* in the database, part in the database.
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
class tx_rsaauth_split_storage extends tx_rsaauth_abstract_storage {
/**
* Creates an instance of this class. It checks and initializes PHP
* sessions if necessary.
*
* @return void
*/
public function __construct() {
if (!isset($_SESSION) || !is_array($_SESSION)) {
session_start();
}
}
/**
* Obtains a key from the database
*
* @return string The key or null
* @see tx_rsaauth_abstract_storage::get()
*/
public function get() {
$result = null;
list($keyId, $keyPart1) = $_SESSION['tx_rsaauth_key'];
if (t3lib_div::testInt($keyId)) {
// Remove expired keys (more than 30 minutes old)
$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_rsaauth_keys',
'crdate<' . (time() - 30*60));
// Get our value
list($row) = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('key_value',
'tx_rsaauth_keys', 'uid=' . $keyId);
if (is_array($row)) {
$result = $keyPart1 . $row['key_value'];
}
}
return $result;
}
/**
* Adds a key to the storage or removes existing key
*
* @param string $key The key
* @return void
* @see tx_rsaauth_abstract_storage::put()
*/
public function put($key) {
if ($key == null) {
// Remove existing key
list($keyId) = $_SESSION['tx_rsaauth_key'];
if (t3lib_div::testInt($keyId)) {
$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_rsaauth_keys',
'uid=' . $keyId);
unset($_SESSION['tx_rsaauth_key']);
}
}
else {
// Add key
// Get split point. First part is always smaller than the second
// because it goes to the file system
$keyLength = strlen($key);
$splitPoint = rand(intval($keyLength/10), intval($keyLength/2));
// Get key parts
$keyPart1 = substr($key, 0, $splitPoint);
$keyPart2 = substr($key, $splitPoint);
// Store part of the key in the database
//
// Notice: we may not use TCEmain below to insert key part into the
// table because TCEmain requires a valid BE user!
$time = time();
$GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_rsaauth_keys', array(
'pid' => 0,
'crdate' => $time,
'key_value' => $keyPart2
));
$keyId = $GLOBALS['TYPO3_DB']->sql_insert_id();
// Store another part in session
$_SESSION['tx_rsaauth_key'] = array($keyId, $keyPart1);
}
// Remove expired keys (more than 30 minutes old)
$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_rsaauth_keys',
'crdate<' . (time() - 30*60));
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/storage/class.tx_rsaauth_split_storage.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/storage/class.tx_rsaauth_split_storage.php']);
}
?>
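Review bot: get() and put(null) destructure `$_SESSION['tx_rsaauth_key']` with list() without checking that the entry exists, so the first call in a fresh session (or after the unset() in put()) raises a notice and then works on null; guard both sites with `if (isset($_SESSION['tx_rsaauth_key']))` or use `list($keyId, $keyPart1) = isset($_SESSION['tx_rsaauth_key']) ? $_SESSION['tx_rsaauth_key'] : array(null, null);`. The class docblock says the data is kept "part in the database, part in the database"; the second half should read "part in the PHP session", which is what the code does. The comment above the split point says the first part "goes to the file system", which holds only for file-backed sessions and is clearer as "goes to the session".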
typo3/sysext/rsaauth/sv1/class.tx_rsaauth_sv1.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_sv1.php 19610 2009-04-28 12:53:15Z dmitry $
*/
require_once(t3lib_extMgm::extPath('sv') . 'class.tx_sv_auth.php');
require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/backends/class.tx_rsaauth_backendfactory.php');
require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/storage/class.tx_rsaauth_storagefactory.php');
// Include backends
/**
* Service "RSA authentication" for the "rsaauth" extension. This service will
* authenticate a user using hos password encoded with one time public key. It
* uses the standard TYPO3 service to do all dirty work. Firsts, it will decode
* the password and then pass it to the parent service ('sv'). This ensures that it
* always works, even if other TYPO3 internals change.
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
class tx_rsaauth_sv1 extends tx_sv_auth {
/**
* An RSA backend.
*
* @var tx_rsaauth_abstract_backend
*/
protected $backend = null;
/**
* Standard extension key for the service
*
* @var string
*/
public $extKey = 'rsaauth'; // The extension key.
/**
* Standard prefix id for the service
*
* @var string
*/
public $prefixId = 'tx_rsaauth_sv1'; // Same as class name
/**
* Standard relative path for the service
*
* @var string
*/
public $scriptRelPath = 'sv1/class.tx_rsaauth_sv1.php'; // Path to this script relative to the extension dir.
/**
* Authenticates a user. The function decrypts the password, runs evaluations
* on it and passes to the parent authentication service.
*
* @param array $userRecord User record
* @return int Code that shows if user is really authenticated.
* @see t3lib_userAuth::checkAuthentication()
*/
public function authUser(array $userRecord) {
$result = 100;
if ($this->pObj->security_level == 'rsa') {
$storage = tx_rsaauth_storagefactory::getStorage();
/* @var $storage tx_rsaauth_abstract_storage */
// Set failure status by default
$result = -1;
// Preprocess the password
$password = $this->login['uident'];
$key = $storage->get();
if ($key != null && substr($password, 0, 4) == 'rsa:') {
// Decode password and pass to parent
$decryptedPassword = $this->backend->decrypt($key, substr($password, 4));
if ($decryptedPassword != null) {
// Run the password through the eval function
$decryptedPassword = $this->runPasswordEvaluations($decryptedPassword);
if ($decryptedPassword != null) {
$this->login['uident'] = $decryptedPassword;
if (parent::authUser($userRecord)) {
$result = 200;
}
}
}
// Reset the password to its original value
$this->login['uident'] = $password;
// Remove the key
$storage->put(null);
}
}
return $result;
}
/**
* Initializes the service.
*
* @return boolean
*/
public function init() {
$available = parent::init();
if ($available) {
// Get the backend
$this->backend = tx_rsaauth_backendfactory::getBackend();
if (is_null($this->backend)) {
$available = false;
}
}
return $available;
}
/**
* Runs password evaluations. This is necessary because other extensions can
* modify the way the password is stored in the database. We check for all
* evaluations for the password column and run those.
*
* Notes:
* - we call t3lib_TCEmain::checkValue_input_Eval() but it is risky: if a hook
* relies on BE_USER, it will fail. No hook should do this, so we risk it.
* - we cannot use t3lib_TCEmain::checkValue_input_Eval() for running all
* evaluations because it does not create md5 hashes.
*
* @param string $password Evaluated password
* @return void
* @see t3lib_TCEmain::checkValue_input_Eval()
*/
protected function runPasswordEvaluations($password) {
$table = $this->pObj->user_table;
t3lib_div::loadTCA($table);
$conf = &$GLOBALS['TCA'][$table]['columns'][$this->pObj->userident_column]['config'];
$evaluations = $conf['eval'];
if ($evaluations) {
$tce = null;
foreach (t3lib_div::trimExplode(',', $evaluations, true) as $evaluation) {
switch ($evaluation) {
case 'md5':
$password = md5($password);
break;
case 'upper':
// We do not pass this to TCEmain because TCEmain will use objects unavailable in FE
$csConvObj = (TYPO3_MODE == 'BE' ? $GLOBALS['LANG']->csConvObj : $GLOBALS['TSFE']->csConvObj);
$charset = (TYPO3_MODE == 'BE' ? $GLOBALS['LANG']->charSet : $GLOBALS['TSFE']->metaCharset);
$password = $csConvObj->conv_case($charset, $password, 'toUpper');
break;
case 'lower':
// We do not pass this to TCEmain because TCEmain will use objects unavailable in FE
$csConvObj = (TYPO3_MODE == 'BE' ? $GLOBALS['LANG']->csConvObj : $GLOBALS['TSFE']->csConvObj);
$charset = (TYPO3_MODE == 'BE' ? $GLOBALS['LANG']->charSet : $GLOBALS['TSFE']->metaCharset);
$password = $csConvObj->conv_case($charset, $password, 'toLower');
break;
case 'password':
case 'required':
// Do nothing!
break;
default:
// We must run these evaluations through TCEmain to avoid
// code duplication and ensure that any custom evaluations
// are called in a proper context
if ($tce == null) {
t3lib_div::requireOnce(PATH_t3lib . 'class.t3lib_tcemain.php');
$tce = t3lib_div::makeInstance('t3lib_TCEmain');
/* @var $tce t3lib_TCEmain */
}
$result = $tce->checkValue_input_Eval($password, array($evaluation), $conf['is_in']);
if (!isset($result['value'])) {
// Failure!!!
return null;
}
$password = $result['value'];
}
}
}
return $password;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/class.tx_rsaauth_sv1.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/class.tx_rsaauth_sv1.php']);
}
?>
typo3/sysext/rsaauth/sv1/backends/class.tx_rsaauth_keypair.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_keypair.php 19610 2009-04-28 12:53:15Z dmitry $
*/
/**
* This class contain an RSA keypair class. Its purpose is to keep to keys
* and trasnfer these keys between other PHP classes.
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
final class tx_rsaauth_keypair {
/**
* RSA public exponent (3 or 0x10001)
*
* @var int
*/
protected $exponent = 0x10001;
/**
* The private key
*
* @var string
*/
protected $privateKey = '';
/**
* The public key modulus
*
* @var string
*/
protected $publicKeyModulus = '';
/**
* Retrieves the exponent.
*
* @return string The exponent
*/
public function getExponent() {
return $this->exponent;
}
/**
* Sets the private key
*
* @param string $privateKey The new private key
* @return void
*/
public function setExponent($exponent) {
$this->exponent = $exponent;
}
/**
* Retrieves the private key.
*
* @return string The private key
*/
public function getPrivateKey() {
return $this->privateKey;
}
/**
* Sets the private key
*
* @param string $privateKey The new private key
* @return void
*/
public function setPrivateKey($privateKey) {
$this->privateKey = $privateKey;
}
/**
* Retrieves the public key modulus
*
* @return string The public key modulus
*/
public function getPublicKeyModulus() {
return $this->publicKeyModulus;
}
/**
* Sets the public key modulus
*
* @param string $publicKeyModulus The new public key modulus
* @return void
*/
public function setPublicKey($publicKeyModulus) {
$this->publicKeyModulus = $publicKeyModulus;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/backends/class.tx_rsaauth_keypair.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/backends/class.tx_rsaauth_keypair.php']);
}
?>
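Review bot: The docblock above `public function setExponent($exponent)` is a copy of the one for setPrivateKey(): it reads "Sets the private key" and documents `@param string $privateKey`, while the method stores `$exponent`. Replace it with `Sets the exponent` and `@param int $exponent The new exponent`, and change getExponent()'s `@return string` to `@return int` so it agrees with the `@var int` on the property. The modulus setter is named setPublicKey() while its getter is getPublicKeyModulus(); if the name can still be changed in this new file, setPublicKeyModulus() would stop readers from taking it for a full-key setter.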
typo3/sysext/rsaauth/sv1/backends/class.tx_rsaauth_abstract_backend.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_abstract_backend.php 18249 2009-03-24 11:00:01Z dmitry $
*/
require_once(t3lib_extMgm::extPath('rsaauth', 'sv1/backends/class.tx_rsaauth_keypair.php'));
/**
* This class contains an abstract SSL backend for the TYPO3 RSA authentication
* service.
*
* There are two steps:
* - prepare data for encoding
* - decode incoming data
*
* To prepare data for encoding, the createNewKeyPair() method should be called.
* This method returns an instance of tx_rsaauth_keypair class, which contains
* the private and public keys. Public key is sent to the client to encode data.
* Private key should be stored somewhere (preferrably in user's session).
*
* To decode data, the decrypt() method should be called with the private key
* created at the previous step and the data to decode. If the data is decoded
* successfully, the result is a string. Otherwise it is null.
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
abstract class tx_rsaauth_abstract_backend {
/**
* Error message for the last operation. Derieved classes should always set
* or clear this variable inside the createNewKeyPair() or decypt().
*
* @var string
*/
protected $error = '';
/**
* Creates a new key pair for the encryption.
*
* @return tx_rsaauth_keypair A new key pair or null in case of error
*/
abstract public function createNewKeyPair();
/**
* Decripts the data using the private key.
*
* @param string $privateKey The private key (obtained from a call to createNewKeyPair())
* @param string $data Data to decrypt (base64-encoded)
* @return string Decrypted data or null in case of a error
*/
abstract public function decrypt($privateKey, $data);
/**
* Checks if this backend is available for calling.
*
* @return void
*/
abstract public function isAvailable();
/**
* Retrieves a error message.
*
* @return string A error message or empty string if there were no error
*/
public function getLastError() {
return $this->error;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/backend/class.tx_rsaauth_abstract_backend.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/backend/class.tx_rsaauth_abstract_backend.php']);
}
?>
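Review bot: The XCLASS key on the two lines before the closing tag is `ext/rsaauth/sv1/backend/class.tx_rsaauth_abstract_backend.php`, but this file lives under `sv1/backends/` and the keypair and PHP-backend files in this diff register under `ext/rsaauth/sv1/backends/...`; an XCLASS registered under the real path would silently never be included, so the key should read `ext/rsaauth/sv1/backends/class.tx_rsaauth_abstract_backend.php`. The abstract `isAvailable()` is documented as `@return void` although it is a capability check and the PHP backend implements it returning a boolean; `@return boolean true if the backend can be used` is what callers need. Minor docblock typos: `Decripts` → `Decrypts`, `Derieved` → `Derived`, `decypt()` → `decrypt()`.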
typo3/sysext/rsaauth/sv1/backends/class.tx_rsaauth_php_backend.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*
* $Id: class.tx_rsaauth_php_backend.php 18661 2009-04-03 14:44:24Z dmitry $
*/
require_once(t3lib_extMgm::extPath('rsaauth', 'sv1/backends/class.tx_rsaauth_abstract_backend.php'));
/**
* This class contains a PHP OpenSSL backend for the TYPO3 RSA authentication
* service. See class tx_rsaauth_abstract_backend for the information on using
* backends.
*
* @author Dmitry Dulepov <dmitry@typo3.org>
* @package TYPO3
* @subpackage tx_rsaauth
*/
class tx_rsaauth_php_backend extends tx_rsaauth_abstract_backend {
/**
* Creates a new public/private key pair using PHP OpenSSL extension.
*
* @return tx_rsaauth_keypair A new key pair or null in case of error
* @see tx_rsaauth_abstract_backend::createNewKeyPair()
*/
public function createNewKeyPair() {
$result = null;
$privateKey = @openssl_pkey_new();
if ($privateKey) {
// Create private key as string
$privateKeyStr = '';
openssl_pkey_export($privateKey, $privateKeyStr);
// Prepare public key information
$exportedData = '';
$csr = openssl_csr_new(array(), $privateKey);
openssl_csr_export($csr, $exportedData, false);
// Get public key (in fact modulus) and exponent
$publicKey = $this->extractPublicKeyModulus($exportedData);
$exponent = $this->extractExponent($exportedData);
// Create result object
$result = t3lib_div::makeInstance('tx_rsaauth_keypair');
/* @var $result tx_rsaauth_keypair */
$result->setExponent($exponent);
$result->setPrivateKey($privateKeyStr);
$result->setPublicKey($publicKey);
// Clean up all resources
openssl_free_key($privateKey);
}
return $result;
}
/**
* Decrypts data using the private key. This implementation uses PHP OpenSSL
* extension.
*
* @param string $privateKey The private key (obtained from a call to createNewKeyPair())
* @param string $data Data to decrypt (base64-encoded)
* @return string Decrypted data or null in case of a error
* @see tx_rsaauth_abstract_backend::decrypt()
*/
public function decrypt($privateKey, $data) {
$result = '';
if (!@openssl_private_decrypt(base64_decode($data), $result, $privateKey)) {
$result = null;
}
return $result;
}
/**
* Checks if this backend is available for calling. In particular checks if
* PHP OpenSSl extension is installed and functional.
*
* @return void
* @see tx_rsaauth_abstract_backend::isAvailable()
*/
public function isAvailable() {
$result = false;
if (is_callable('openssl_pkey_new')) {
if (TYPO3_OS !== 'WIN') {
// If the server does not run Windows, we can be sure than
// OpenSSL will work
$result = true;
}
else {
// On Windows PHP extension has to be configured properly. It
// can be installed and available but will not work unless
// configured. So we check if it works.
$testKey = @openssl_pkey_new();
if ($testKey) {
openssl_free_key($testKey);
$result = true;
}
}
}
return $result;
}
/**
* Extracts the exponent from the OpenSSL CSR
*
* @param string $data The result of openssl_csr_export()
* @return int The exponent as a number
*/
protected function extractExponent($data) {
$index = strpos($data, 'Exponent: ');
// We do not check for '$index === false' because the exponent is
// always there!
return intval(substr($data, $index + 10));
}
/**
* Extracts public key modulus from the OpenSSL CSR.
*
* @param string $data The result of openssl_csr_export()
* @return string Modulus as uppercase hex string
*/
protected function extractPublicKeyModulus($data) {
$fragment = preg_replace('/.*Modulus.*?\n(.*)Exponent:.*/ms', '\1', $data);
$fragment = preg_replace('/[\s\n\r:]/', '', $fragment);
$result = trim(strtoupper(substr($fragment, 2)));
return $result;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/backends/class.tx_rsaauth_php_backend.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/rsaauth/sv1/backends/class.tx_rsaauth_php_backend.php']);
}
?>
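Review bot: createNewKeyPair() never checks the results of openssl_pkey_export(), openssl_csr_new() and openssl_csr_export(), and never sets `$this->error` even though the abstract class asks derived backends to set or clear it; if the CSR step fails, `$exportedData` stays empty, extractExponent() returns 0 and extractPublicKeyModulus() returns '', and a keypair with an empty modulus is returned instead of null. The rewrite below fails early with an error message and frees the key on every failure path. `openssl_pkey_new()` is called without configargs, so the key size comes from the server's openssl.cnf default; passing `array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA)` would make the strength explicit instead of host-dependent. In decrypt(), `base64_decode($data, true)` rejects non-base64 input up front rather than feeding garbage to openssl_private_decrypt(). isAvailable() returns a boolean but is documented `@return void`; use `@return boolean`.
```php
public function createNewKeyPair() {
	$result = null;
	$this->error = '';
	$privateKey = @openssl_pkey_new();
	if (!$privateKey) {
		$this->error = 'Cannot generate a new key pair';
		return null;
	}
	// Create private key as string
	$privateKeyStr = '';
	if (!openssl_pkey_export($privateKey, $privateKeyStr)) {
		$this->error = 'Cannot export the private key';
		openssl_free_key($privateKey);
		return null;
	}
	// Prepare public key information
	$exportedData = '';
	$csr = openssl_csr_new(array(), $privateKey);
	if (!$csr || !openssl_csr_export($csr, $exportedData, false)) {
		$this->error = 'Cannot export public key information';
		openssl_free_key($privateKey);
		return null;
	}
	// … unchanged: extract modulus/exponent, build tx_rsaauth_keypair, free key, return $result …
}
```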
typo3/sysext/rsaauth/sv1/backends/class.tx_rsaauth_backendfactory.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2009 Dmitry Dulepov <dmitry@typo3.org>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by