aboutsummaryrefslogtreecommitdiff
path: root/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationCookie.php
diff options
context:
space:
mode:
Diffstat (limited to 'srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationCookie.php')
-rw-r--r--srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationCookie.php964
1 files changed, 0 insertions, 964 deletions
diff --git a/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationCookie.php b/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationCookie.php
deleted file mode 100644
index 7a794d0..0000000
--- a/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationCookie.php
+++ /dev/null
@@ -1,964 +0,0 @@
-<?php
-/* vim: set expandtab sw=4 ts=4 sts=4: */
-/**
- * Cookie Authentication plugin for phpMyAdmin
- *
- * @package PhpMyAdmin-Authentication
- * @subpackage Cookie
- */
-declare(strict_types=1);
-
-namespace PhpMyAdmin\Plugins\Auth;
-
-use PhpMyAdmin\Config;
-use PhpMyAdmin\Core;
-use PhpMyAdmin\LanguageManager;
-use PhpMyAdmin\Message;
-use PhpMyAdmin\Plugins\AuthenticationPlugin;
-use PhpMyAdmin\Response;
-use PhpMyAdmin\Server\Select;
-use PhpMyAdmin\Session;
-use PhpMyAdmin\Template;
-use PhpMyAdmin\Url;
-use PhpMyAdmin\Util;
-use phpseclib\Crypt;
-use phpseclib\Crypt\Random;
-use ReCaptcha;
-
-/**
- * Remember where to redirect the user
- * in case of an expired session.
- */
-if (! empty($_REQUEST['target'])) {
- $GLOBALS['target'] = $_REQUEST['target'];
-} elseif (Core::getenv('SCRIPT_NAME')) {
- $GLOBALS['target'] = basename(Core::getenv('SCRIPT_NAME'));
-}
-
-/**
- * Handles the cookie authentication method
- *
- * @package PhpMyAdmin-Authentication
- */
-class AuthenticationCookie extends AuthenticationPlugin
-{
- /**
- * IV for encryption
- */
- private $_cookie_iv = null;
-
- /**
- * Whether to use OpenSSL directly
- */
- private $_use_openssl;
-
- /**
- * Constructor
- */
- public function __construct()
- {
- parent::__construct();
- $this->_use_openssl = ! class_exists(Random::class);
- }
-
- /**
- * Forces (not)using of openSSL
- *
- * @param boolean $use The flag
- *
- * @return void
- */
- public function setUseOpenSSL($use)
- {
- $this->_use_openssl = $use;
- }
-
- /**
- * Displays authentication form
- *
- * this function MUST exit/quit the application
- *
- * @global string $conn_error the last connection error
- *
- * @return boolean|void
- */
- public function showLoginForm()
- {
- global $conn_error;
-
- $response = Response::getInstance();
-
- // When sending login modal after session has expired, send the new token explicitly with the response to update the token in all the forms having a hidden token.
- $session_expired = isset($_REQUEST['check_timeout']) || isset($_REQUEST['session_timedout']);
- if (! $session_expired && $response->loginPage()) {
- if (defined('TESTSUITE')) {
- return true;
- } else {
- exit;
- }
- }
-
- // When sending login modal after session has expired, send the new token explicitly with the response to update the token in all the forms having a hidden token.
- if ($session_expired) {
- $response->setRequestStatus(false);
- $response->addJSON(
- 'new_token',
- $_SESSION[' PMA_token ']
- );
- }
-
- // logged_in response parameter is used to check if the login, using the modal was successful after session expiration
- if (isset($_REQUEST['session_timedout'])) {
- $response->addJSON(
- 'logged_in',
- 0
- );
- }
-
- // No recall if blowfish secret is not configured as it would produce
- // garbage
- if ($GLOBALS['cfg']['LoginCookieRecall']
- && ! empty($GLOBALS['cfg']['blowfish_secret'])
- ) {
- $default_user = $this->user;
- $default_server = $GLOBALS['pma_auth_server'];
- $autocomplete = '';
- } else {
- $default_user = '';
- $default_server = '';
- // skip the IE autocomplete feature.
- $autocomplete = ' autocomplete="off"';
- }
-
- // wrap the login form in a div which overlays the whole page.
- if ($session_expired) {
- echo $this->template->render('login/header', [
- 'theme' => $GLOBALS['PMA_Theme'],
- 'add_class' => ' modal_form',
- 'session_expired' => 1,
- ]);
- } else {
- echo $this->template->render('login/header', [
- 'theme' => $GLOBALS['PMA_Theme'],
- 'add_class' => '',
- 'session_expired' => 0,
- ]);
- }
-
- if ($GLOBALS['cfg']['DBG']['demo']) {
- echo '<fieldset>';
- echo '<legend>' , __('phpMyAdmin Demo Server') , '</legend>';
- printf(
- __(
- 'You are using the demo server. You can do anything here, but '
- . 'please do not change root, debian-sys-maint and pma users. '
- . 'More information is available at %s.'
- ),
- '<a href="url.php?url=https://demo.phpmyadmin.net/" target="_blank" rel="noopener noreferrer">demo.phpmyadmin.net</a>'
- );
- echo '</fieldset>';
- }
-
- // Show error message
- if (! empty($conn_error)) {
- Message::rawError((string) $conn_error)->display();
- } elseif (isset($_GET['session_expired'])
- && intval($_GET['session_expired']) == 1
- ) {
- Message::rawError(
- __('Your session has expired. Please log in again.')
- )->display();
- }
-
- // Displays the languages form
- $language_manager = LanguageManager::getInstance();
- if (empty($GLOBALS['cfg']['Lang']) && $language_manager->hasChoice()) {
- echo "<div class='hide js-show'>";
- // use fieldset, don't show doc link
- echo $language_manager->getSelectorDisplay(new Template(), true, false);
- echo '</div>';
- }
- echo '
- <br>
- <!-- Login form -->
- <form method="post" id="login_form" action="index.php" name="login_form"' , $autocomplete ,
- ' class="' . ($session_expired ? "" : "disableAjax hide ") . 'login js-show">
- <fieldset>
- <legend>';
- echo '<input type="hidden" name="set_session" value="', htmlspecialchars(session_id()), '">';
-
- // Add a hidden element session_timedout which is used to check if the user requested login after session expiration
- if ($session_expired) {
- echo '<input type="hidden" name="session_timedout" value="1">';
- }
- echo __('Log in');
- echo Util::showDocu('index');
- echo '</legend>';
- if ($GLOBALS['cfg']['AllowArbitraryServer']) {
- echo '
- <div class="item">
- <label for="input_servername" title="';
- echo __(
- 'You can enter hostname/IP address and port separated by space.'
- );
- echo '">';
- echo __('Server:');
- echo '</label>
- <input type="text" name="pma_servername" id="input_servername"';
- echo ' value="';
- echo htmlspecialchars($default_server);
- echo '" size="24" class="textfield" title="';
- echo __(
- 'You can enter hostname/IP address and port separated by space.'
- ); echo '">
- </div>';
- }
- echo '<div class="item">
- <label for="input_username">' , __('Username:') , '</label>
- <input type="text" name="pma_username" id="input_username" '
- , 'value="' , htmlspecialchars($default_user) , '" size="24"'
- , ' class="textfield">
- </div>
- <div class="item">
- <label for="input_password">' , __('Password:') , '</label>
- <input type="password" name="pma_password" id="input_password"'
- , ' value="" size="24" class="textfield">
- </div>';
- if (count($GLOBALS['cfg']['Servers']) > 1) {
- echo '<div class="item">
- <label for="select_server">' . __('Server Choice:') . '</label>
- <select name="server" id="select_server"';
- if ($GLOBALS['cfg']['AllowArbitraryServer']) {
- echo ' onchange="document.forms[\'login_form\'].'
- , 'elements[\'pma_servername\'].value = \'\'" ';
- }
- echo '>';
- echo Select::render(false, false);
- echo '</select></div>';
- } else {
- echo ' <input type="hidden" name="server" value="'
- , $GLOBALS['server'] , '">';
- } // end if (server choice)
-
- echo '</fieldset><fieldset class="tblFooters">';
-
- // binds input field with invisible reCaptcha if enabled
- if (empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
- && empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
- ) {
- echo '<input class="btn btn-primary" value="' , __('Go') , '" type="submit" id="input_go">';
- } else {
- echo '<script src="https://www.google.com/recaptcha/api.js?hl='
- , $GLOBALS['lang'] , '" async defer></script>';
- echo '<input class="btn btn-primary g-recaptcha" data-sitekey="'
- , htmlspecialchars($GLOBALS['cfg']['CaptchaLoginPublicKey']),'"'
- . ' data-callback="Functions_recaptchaCallback" value="' , __('Go') , '" type="submit" id="input_go">';
- }
- $_form_params = [];
- if (! empty($GLOBALS['target'])) {
- $_form_params['target'] = $GLOBALS['target'];
- }
- if (strlen($GLOBALS['db'])) {
- $_form_params['db'] = $GLOBALS['db'];
- }
- if (strlen($GLOBALS['table'])) {
- $_form_params['table'] = $GLOBALS['table'];
- }
- // do not generate a "server" hidden field as we want the "server"
- // drop-down to have priority
- echo Url::getHiddenInputs($_form_params, '', 0, 'server');
- echo '</fieldset>
- </form>';
-
- if ($GLOBALS['error_handler']->hasDisplayErrors()) {
- echo '<div id="pma_errors">';
- $GLOBALS['error_handler']->dispErrors();
- echo '</div>';
- }
-
- // close the wrapping div tag, if the request is after session timeout
- if ($session_expired) {
- echo $this->template->render('login/footer', ['session_expired' => 1]);
- } else {
- echo $this->template->render('login/footer', ['session_expired' => 0]);
- }
-
- echo Config::renderFooter();
-
- if (! defined('TESTSUITE')) {
- exit;
- } else {
- return true;
- }
- }
-
- /**
- * Gets authentication credentials
- *
- * this function DOES NOT check authentication - it just checks/provides
- * authentication credentials required to connect to the MySQL server
- * usually with $GLOBALS['dbi']->connect()
- *
- * it returns false if something is missing - which usually leads to
- * showLoginForm() which displays login form
- *
- * it returns true if all seems ok which usually leads to auth_set_user()
- *
- * it directly switches to showFailure() if user inactivity timeout is reached
- *
- * @return boolean whether we get authentication settings or not
- */
- public function readCredentials()
- {
- global $conn_error;
-
- // Initialization
- /**
- * @global $GLOBALS['pma_auth_server'] the user provided server to
- * connect to
- */
- $GLOBALS['pma_auth_server'] = '';
-
- $this->user = $this->password = '';
- $GLOBALS['from_cookie'] = false;
-
- if (isset($_POST['pma_username']) && strlen($_POST['pma_username']) > 0) {
- // Verify Captcha if it is required.
- if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
- && ! empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
- ) {
- if (! empty($_POST["g-recaptcha-response"])) {
- if (function_exists('curl_init')) {
- $reCaptcha = new ReCaptcha\ReCaptcha(
- $GLOBALS['cfg']['CaptchaLoginPrivateKey'],
- new ReCaptcha\RequestMethod\CurlPost()
- );
- } elseif (ini_get('allow_url_fopen')) {
- $reCaptcha = new ReCaptcha\ReCaptcha(
- $GLOBALS['cfg']['CaptchaLoginPrivateKey'],
- new ReCaptcha\RequestMethod\Post()
- );
- } else {
- $reCaptcha = new ReCaptcha\ReCaptcha(
- $GLOBALS['cfg']['CaptchaLoginPrivateKey'],
- new ReCaptcha\RequestMethod\SocketPost()
- );
- }
-
- // verify captcha status.
- $resp = $reCaptcha->verify(
- $_POST["g-recaptcha-response"],
- Core::getIp()
- );
-
- // Check if the captcha entered is valid, if not stop the login.
- if ($resp == null || ! $resp->isSuccess()) {
- $codes = $resp->getErrorCodes();
-
- if (in_array('invalid-json', $codes)) {
- $conn_error = __('Failed to connect to the reCAPTCHA service!');
- } else {
- $conn_error = __('Entered captcha is wrong, try again!');
- }
- return false;
- }
- } else {
- $conn_error = __('Missing reCAPTCHA verification, maybe it has been blocked by adblock?');
- return false;
- }
- }
-
- // The user just logged in
- $this->user = Core::sanitizeMySQLUser($_POST['pma_username']);
- $this->password = isset($_POST['pma_password']) ? $_POST['pma_password'] : '';
- if ($GLOBALS['cfg']['AllowArbitraryServer']
- && isset($_REQUEST['pma_servername'])
- ) {
- if ($GLOBALS['cfg']['ArbitraryServerRegexp']) {
- $parts = explode(' ', $_REQUEST['pma_servername']);
- if (count($parts) === 2) {
- $tmp_host = $parts[0];
- } else {
- $tmp_host = $_REQUEST['pma_servername'];
- }
-
- $match = preg_match(
- $GLOBALS['cfg']['ArbitraryServerRegexp'],
- $tmp_host
- );
- if (! $match) {
- $conn_error = __(
- 'You are not allowed to log in to this MySQL server!'
- );
- return false;
- }
- }
- $GLOBALS['pma_auth_server'] = Core::sanitizeMySQLHost($_REQUEST['pma_servername']);
- }
- /* Secure current session on login to avoid session fixation */
- Session::secure();
- return true;
- }
-
- // At the end, try to set the $this->user
- // and $this->password variables from cookies
-
- // check cookies
- $serverCookie = $GLOBALS['PMA_Config']->getCookie('pmaUser-' . $GLOBALS['server']);
- if (empty($serverCookie)) {
- return false;
- }
-
- $value = $this->cookieDecrypt(
- $serverCookie,
- $this->_getEncryptionSecret()
- );
-
- if ($value === false) {
- return false;
- }
-
- $this->user = $value;
- // user was never logged in since session start
- if (empty($_SESSION['browser_access_time'])) {
- return false;
- }
-
- // User inactive too long
- $last_access_time = time() - $GLOBALS['cfg']['LoginCookieValidity'];
- foreach ($_SESSION['browser_access_time'] as $key => $value) {
- if ($value < $last_access_time) {
- unset($_SESSION['browser_access_time'][$key]);
- }
- }
- // All sessions expired
- if (empty($_SESSION['browser_access_time'])) {
- Util::cacheUnset('is_create_db_priv');
- Util::cacheUnset('is_reload_priv');
- Util::cacheUnset('db_to_create');
- Util::cacheUnset('dbs_where_create_table_allowed');
- Util::cacheUnset('dbs_to_test');
- Util::cacheUnset('db_priv');
- Util::cacheUnset('col_priv');
- Util::cacheUnset('table_priv');
- Util::cacheUnset('proc_priv');
-
- $this->showFailure('no-activity');
- if (! defined('TESTSUITE')) {
- exit;
- } else {
- return false;
- }
- }
-
- // check password cookie
- $serverCookie = $GLOBALS['PMA_Config']->getCookie('pmaAuth-' . $GLOBALS['server']);
-
- if (empty($serverCookie)) {
- return false;
- }
- $value = $this->cookieDecrypt(
- $serverCookie,
- $this->_getSessionEncryptionSecret()
- );
- if ($value === false) {
- return false;
- }
-
- $auth_data = json_decode($value, true);
-
- if (! is_array($auth_data) || ! isset($auth_data['password'])) {
- return false;
- }
- $this->password = $auth_data['password'];
- if ($GLOBALS['cfg']['AllowArbitraryServer'] && ! empty($auth_data['server'])) {
- $GLOBALS['pma_auth_server'] = $auth_data['server'];
- }
-
- $GLOBALS['from_cookie'] = true;
-
- return true;
- }
-
- /**
- * Set the user and password after last checkings if required
- *
- * @return boolean always true
- */
- public function storeCredentials()
- {
- global $cfg;
-
- if ($GLOBALS['cfg']['AllowArbitraryServer']
- && ! empty($GLOBALS['pma_auth_server'])
- ) {
- /* Allow to specify 'host port' */
- $parts = explode(' ', $GLOBALS['pma_auth_server']);
- if (count($parts) === 2) {
- $tmp_host = $parts[0];
- $tmp_port = $parts[1];
- } else {
- $tmp_host = $GLOBALS['pma_auth_server'];
- $tmp_port = '';
- }
- if ($cfg['Server']['host'] != $GLOBALS['pma_auth_server']) {
- $cfg['Server']['host'] = $tmp_host;
- if (! empty($tmp_port)) {
- $cfg['Server']['port'] = $tmp_port;
- }
- }
- unset($tmp_host, $tmp_port, $parts);
- }
-
- return parent::storeCredentials();
- }
-
- /**
- * Stores user credentials after successful login.
- *
- * @return void|bool
- */
- public function rememberCredentials()
- {
- // Name and password cookies need to be refreshed each time
- // Duration = one month for username
-
- $this->storeUsernameCookie($this->user);
-
- // Duration = as configured
- // Do not store password cookie on password change as we will
- // set the cookie again after password has been changed
- if (! isset($_POST['change_pw'])) {
- $this->storePasswordCookie($this->password);
- }
- // URL where to go:
- $redirect_url = './index.php';
-
- // any parameters to pass?
- $url_params = [];
- if (strlen($GLOBALS['db']) > 0) {
- $url_params['db'] = $GLOBALS['db'];
- }
- if (strlen($GLOBALS['table']) > 0) {
- $url_params['table'] = $GLOBALS['table'];
- }
- // any target to pass?
- if (! empty($GLOBALS['target'])
- && $GLOBALS['target'] != 'index.php'
- ) {
- $url_params['target'] = $GLOBALS['target'];
- }
-
- // user logged in successfully after session expiration
- if (isset($_REQUEST['session_timedout'])) {
- $response = Response::getInstance();
- $response->addJSON(
- 'logged_in',
- 1
- );
- $response->addJSON(
- 'success',
- 1
- );
- $response->addJSON(
- 'new_token',
- $_SESSION[' PMA_token ']
- );
-
- if (! defined('TESTSUITE')) {
- exit;
- } else {
- return false;
- }
- }
- // Set server cookies if required (once per session) and, in this case,
- // force reload to ensure the client accepts cookies
- if (! $GLOBALS['from_cookie']) {
-
- /**
- * Clear user cache.
- */
- Util::clearUserCache();
-
- Response::getInstance()
- ->disable();
-
- Core::sendHeaderLocation(
- $redirect_url . Url::getCommonRaw($url_params),
- true
- );
- if (! defined('TESTSUITE')) {
- exit;
- } else {
- return false;
- }
- } // end if
-
- return true;
- }
-
- /**
- * Stores username in a cookie.
- *
- * @param string $username User name
- *
- * @return void
- */
- public function storeUsernameCookie($username)
- {
- // Name and password cookies need to be refreshed each time
- // Duration = one month for username
- $GLOBALS['PMA_Config']->setCookie(
- 'pmaUser-' . $GLOBALS['server'],
- $this->cookieEncrypt(
- $username,
- $this->_getEncryptionSecret()
- )
- );
- }
-
- /**
- * Stores password in a cookie.
- *
- * @param string $password Password
- *
- * @return void
- */
- public function storePasswordCookie($password)
- {
- $payload = ['password' => $password];
- if ($GLOBALS['cfg']['AllowArbitraryServer'] && ! empty($GLOBALS['pma_auth_server'])) {
- $payload['server'] = $GLOBALS['pma_auth_server'];
- }
- // Duration = as configured
- $GLOBALS['PMA_Config']->setCookie(
- 'pmaAuth-' . $GLOBALS['server'],
- $this->cookieEncrypt(
- json_encode($payload),
- $this->_getSessionEncryptionSecret()
- ),
- null,
- (int) $GLOBALS['cfg']['LoginCookieStore']
- );
- }
-
- /**
- * User is not allowed to login to MySQL -> authentication failed
- *
- * prepares error message and switches to showLoginForm() which display the error
- * and the login form
- *
- * this function MUST exit/quit the application,
- * currently done by call to showLoginForm()
- *
- * @param string $failure String describing why authentication has failed
- *
- * @return void
- */
- public function showFailure($failure)
- {
- global $conn_error;
-
- parent::showFailure($failure);
-
- // Deletes password cookie and displays the login form
- $GLOBALS['PMA_Config']->removeCookie('pmaAuth-' . $GLOBALS['server']);
-
- $conn_error = $this->getErrorMessage($failure);
-
- $response = Response::getInstance();
-
- // needed for PHP-CGI (not need for FastCGI or mod-php)
- $response->header('Cache-Control: no-store, no-cache, must-revalidate');
- $response->header('Pragma: no-cache');
-
- $this->showLoginForm();
- }
-
- /**
- * Returns blowfish secret or generates one if needed.
- *
- * @return string
- */
- private function _getEncryptionSecret()
- {
- if (empty($GLOBALS['cfg']['blowfish_secret'])) {
- return $this->_getSessionEncryptionSecret();
- }
-
- return $GLOBALS['cfg']['blowfish_secret'];
- }
-
- /**
- * Returns blowfish secret or generates one if needed.
- *
- * @return string
- */
- private function _getSessionEncryptionSecret()
- {
- if (empty($_SESSION['encryption_key'])) {
- if ($this->_use_openssl) {
- $_SESSION['encryption_key'] = openssl_random_pseudo_bytes(32);
- } else {
- $_SESSION['encryption_key'] = Crypt\Random::string(32);
- }
- }
- return $_SESSION['encryption_key'];
- }
-
- /**
- * Concatenates secret in order to make it 16 bytes log
- *
- * This doesn't add any security, just ensures the secret
- * is long enough by copying it.
- *
- * @param string $secret Original secret
- *
- * @return string
- */
- public function enlargeSecret($secret)
- {
- while (strlen($secret) < 16) {
- $secret .= $secret;
- }
- return substr($secret, 0, 16);
- }
-
- /**
- * Derives MAC secret from encryption secret.
- *
- * @param string $secret the secret
- *
- * @return string the MAC secret
- */
- public function getMACSecret($secret)
- {
- // Grab first part, up to 16 chars
- // The MAC and AES secrets can overlap if original secret is short
- $length = strlen($secret);
- if ($length > 16) {
- return substr($secret, 0, 16);
- }
- return $this->enlargeSecret(
- $length == 1 ? $secret : substr($secret, 0, -1)
- );
- }
-
- /**
- * Derives AES secret from encryption secret.
- *
- * @param string $secret the secret
- *
- * @return string the AES secret
- */
- public function getAESSecret($secret)
- {
- // Grab second part, up to 16 chars
- // The MAC and AES secrets can overlap if original secret is short
- $length = strlen($secret);
- if ($length > 16) {
- return substr($secret, -16);
- }
- return $this->enlargeSecret(
- $length == 1 ? $secret : substr($secret, 1)
- );
- }
-
- /**
- * Cleans any SSL errors
- *
- * This can happen from corrupted cookies, by invalid encryption
- * parameters used in older phpMyAdmin versions or by wrong openSSL
- * configuration.
- *
- * In neither case the error is useful to user, but we need to clear
- * the error buffer as otherwise the errors would pop up later, for
- * example during MySQL SSL setup.
- *
- * @return void
- */
- public function cleanSSLErrors()
- {
- if (function_exists('openssl_error_string')) {
- do {
- $hasSslErrors = openssl_error_string();
- } while ($hasSslErrors !== false);
- }
- }
-
- /**
- * Encryption using openssl's AES or phpseclib's AES
- * (phpseclib uses mcrypt when it is available)
- *
- * @param string $data original data
- * @param string $secret the secret
- *
- * @return string the encrypted result
- */
- public function cookieEncrypt($data, $secret)
- {
- $mac_secret = $this->getMACSecret($secret);
- $aes_secret = $this->getAESSecret($secret);
- $iv = $this->createIV();
- if ($this->_use_openssl) {
- $result = openssl_encrypt(
- $data,
- 'AES-128-CBC',
- $aes_secret,
- 0,
- $iv
- );
- } else {
- $cipher = new Crypt\AES(Crypt\Base::MODE_CBC);
- $cipher->setIV($iv);
- $cipher->setKey($aes_secret);
- $result = base64_encode($cipher->encrypt($data));
- }
- $this->cleanSSLErrors();
- $iv = base64_encode($iv);
- return json_encode(
- [
- 'iv' => $iv,
- 'mac' => hash_hmac('sha1', $iv . $result, $mac_secret),
- 'payload' => $result,
- ]
- );
- }
-
- /**
- * Decryption using openssl's AES or phpseclib's AES
- * (phpseclib uses mcrypt when it is available)
- *
- * @param string $encdata encrypted data
- * @param string $secret the secret
- *
- * @return string|false original data, false on error
- */
- public function cookieDecrypt($encdata, $secret)
- {
- $data = json_decode($encdata, true);
-
- if (! is_array($data) || ! isset($data['mac']) || ! isset($data['iv']) || ! isset($data['payload'])
- || ! is_string($data['mac']) || ! is_string($data['iv']) || ! is_string($data['payload'])
- ) {
- return false;
- }
-
- $mac_secret = $this->getMACSecret($secret);
- $aes_secret = $this->getAESSecret($secret);
- $newmac = hash_hmac('sha1', $data['iv'] . $data['payload'], $mac_secret);
-
- if (! hash_equals($data['mac'], $newmac)) {
- return false;
- }
-
- if ($this->_use_openssl) {
- $result = openssl_decrypt(
- $data['payload'],
- 'AES-128-CBC',
- $aes_secret,
- 0,
- base64_decode($data['iv'])
- );
- } else {
- $cipher = new Crypt\AES(Crypt\Base::MODE_CBC);
- $cipher->setIV(base64_decode($data['iv']));
- $cipher->setKey($aes_secret);
- $result = $cipher->decrypt(base64_decode($data['payload']));
- }
- $this->cleanSSLErrors();
- return $result;
- }
-
- /**
- * Returns size of IV for encryption.
- *
- * @return int
- */
- public function getIVSize()
- {
- if ($this->_use_openssl) {
- return openssl_cipher_iv_length('AES-128-CBC');
- }
- return (new Crypt\AES(Crypt\Base::MODE_CBC))->block_size;
- }
-
- /**
- * Initialization
- * Store the initialization vector because it will be needed for
- * further decryption. I don't think necessary to have one iv
- * per server so I don't put the server number in the cookie name.
- *
- * @return string
- */
- public function createIV()
- {
- /* Testsuite shortcut only to allow predictable IV */
- if ($this->_cookie_iv !== null) {
- return $this->_cookie_iv;
- }
- if ($this->_use_openssl) {
- return openssl_random_pseudo_bytes(
- $this->getIVSize()
- );
- }
-
- return Crypt\Random::string(
- $this->getIVSize()
- );
- }
-
- /**
- * Sets encryption IV to use
- *
- * This is for testing only!
- *
- * @param string $vector The IV
- *
- * @return void
- */
- public function setIV($vector)
- {
- $this->_cookie_iv = $vector;
- }
-
- /**
- * Callback when user changes password.
- *
- * @param string $password New password to set
- *
- * @return void
- */
- public function handlePasswordChange($password)
- {
- $this->storePasswordCookie($password);
- }
-
- /**
- * Perform logout
- *
- * @return void
- */
- public function logOut()
- {
- /** @var Config $PMA_Config */
- global $PMA_Config;
-
- // -> delete password cookie(s)
- if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
- foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
- $PMA_Config->removeCookie('pmaAuth-' . $key);
- if ($PMA_Config->issetCookie('pmaAuth-' . $key)) {
- $PMA_Config->removeCookie('pmaAuth-' . $key);
- }
- }
- } else {
- $cookieName = 'pmaAuth-' . $GLOBALS['server'];
- $PMA_Config->removeCookie($cookieName);
- if ($PMA_Config->issetCookie($cookieName)) {
- $PMA_Config->removeCookie($cookieName);
- }
- }
- parent::logOut();
- }
-}
generated by cgit (git 2.34.1) at 2026-05-16 14:28:11 +0000