[WebAuthn] remove old u2f functions

2022-01-16 17:53:59 +01:00 · 2022-01-16 17:53:59 +01:00 · 8316e763fa
parent a849d03a00
commit 8316e763fa
5 changed files with 7 additions and 78 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@ -1140,7 +1140,6 @@ function is_valid_domain_name($domain_name) {
 function set_tfa($_data) {
  global $pdo;
  global $yubi;
-  global $u2f;
  global $tfa;
  $_data_log = $_data["tfa_method"];
  !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*';
@ -1242,35 +1241,6 @@ function set_tfa($_data) {
        'msg' => array('object_modified', htmlspecialchars($username))
      );
    break;
-    // u2f - deprecated, should be removed
-    case "u2f":
-      $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"];
-      try {
-        $reg = $u2f->doRegister(json_decode($_SESSION['regReq']), json_decode($_data['token']));
-
-        $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `authmech` != 'u2f'");
-        $stmt->execute(array(':username' => $username));
-
-        $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `keyHandle`, `publicKey`, `certificate`, `counter`, `active`) VALUES (?, ?, 'u2f', ?, ?, ?, ?, '1')");
-        $stmt->execute(array($username, $key_id, $reg->keyHandle, $reg->publicKey, $reg->certificate, $reg->counter));
-
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $_data_log),
-          'msg' => array('object_modified', $username)
-        );
-        $_SESSION['regReq'] = null;
-      }
-      catch (Exception $e) {
-        $_SESSION['return'][] =  array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_data_log),
-          'msg' => array('u2f_verification_failed', $e->getMessage())
-        );
-        $_SESSION['regReq'] = null;
-        return false;
-      }
-    break;
    case "totp":
      $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"];
      if ($tfa->verifyCode($_POST['totp_secret'], $_POST['totp_confirm_token']) === true) {
@ -2050,13 +2020,7 @@ function rspamd_ui($action, $data = null) {
    break;
  }
 }
-// u2f - deprecated, should be removed
-function get_u2f_registrations($username) {
-  global $pdo;
-  $sel = $pdo->prepare("SELECT * FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = ? AND `active` = '1'");
-  $sel->execute(array($username));
-  return $sel->fetchAll(PDO::FETCH_OBJ);
-}
+
 function get_logs($application, $lines = false) {
  if ($lines === false) {
    $lines = $GLOBALS['LOG_LINES'] - 1;
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@ -392,45 +392,6 @@ if (isset($_GET['query'])) {
        exit();
      }
      switch ($category) {
-        // u2f - deprecated, should be removed
-        case "u2f-registration":
-          header('Content-Type: application/javascript');
-          if (isset($_SESSION["mailcow_cc_role"]) && $_SESSION["mailcow_cc_username"] == $object) {
-            list($req, $sigs) = $u2f->getRegisterData(get_u2f_registrations($object));
-            $_SESSION['regReq'] = json_encode($req);
-            $_SESSION['regSigs'] = json_encode($sigs);
-            echo 'var req = ' . json_encode($req) . ';';
-            echo 'var registeredKeys = ' . json_encode($sigs) . ';';
-            echo 'var appId = req.appId;';
-            echo 'var registerRequests = [{version: req.version, challenge: req.challenge}];';
-            return;
-          }
-          else {
-            return;
-          }
-        break;
-        case "u2f-authentication":
-          header('Content-Type: application/javascript');
-          if (isset($_SESSION['pending_mailcow_cc_username']) && $_SESSION['pending_mailcow_cc_username'] == $object) {
-            $auth_data = $u2f->getAuthenticateData(get_u2f_registrations($object));
-            $challenge = $auth_data[0]->challenge;
-            $appId = $auth_data[0]->appId;
-            foreach ($auth_data as $each) {
-              $key = array(); // Empty array
-              $key['version']   = $each->version;
-              $key['keyHandle'] = $each->keyHandle;
-              $registeredKey[]  = $key;
-            }
-            $_SESSION['authReq']  = json_encode($auth_data);
-            echo 'var appId = "' . $appId . '";';
-            echo 'var challenge = ' . json_encode($challenge) . ';';
-            echo 'var registeredKeys = ' . json_encode($registeredKey) . ';';
-            return;
-          }
-          else {
-            return;
-          }
-        break;
        // fido2
        case "fido2-registration":
          header('Content-Type: application/json');
--- a/data/web/lang/lang.de.json
+++ b/data/web/lang/lang.de.json
@ -994,6 +994,8 @@
        "tfa": "Zwei-Faktor-Authentifizierung",
        "tfa_token_invalid": "TFA-Token ungültig!",
        "totp": "Time-based-OTP (Google Authenticator etc.)",
+        "u2f_deprecated": "Es sieht so aus als wurde der Schlüssel mit der alten U2F Methode registriert. Wir werden die Zwei-Faktor-Authentifizierung deaktivieren und deinen Schlüssel löschen.",
+        "u2f_deprecated_important": "Bitte registriere den Schlüssel im Adminbereich mit der neuen WebAuthn Methode.",
        "webauthn": "WebAuthn-Authentifizierung",
        "waiting_usb_auth": "<i>Warte auf USB-Gerät...</i><br><br>Bitte jetzt den vorgesehenen Taster des USB-Gerätes berühren.",
        "waiting_usb_register": "<i>Warte auf USB-Gerät...</i><br><br>Bitte zuerst das obere Passwortfeld ausfüllen und erst dann den vorgesehenen Taster des USB-Gerätes berühren.",
--- a/data/web/lang/lang.en.json
+++ b/data/web/lang/lang.en.json
@ -1001,6 +1001,8 @@
        "tfa": "Two-factor authentication",
        "tfa_token_invalid": "TFA token invalid",
        "totp": "Time-based OTP (Google Authenticator, Authy, etc.)",
+        "u2f_deprecated": "It seems that your Key was registered using the deprecated U2F method. We will deactivate Two-Factor-Authenticaiton for you and delete your Key.",
+        "u2f_deprecated_important": "Please register your Key in the admin panel with the new WebAuthn method.",
        "webauthn": "WebAuthn authentication",
        "waiting_usb_auth": "<i>Waiting for USB device...</i><br><br>Please tap the button on your USB device now.",
        "waiting_usb_register": "<i>Waiting for USB device...</i><br><br>Please enter your password above and confirm your registration by tapping the button on your USB device.",
--- a/data/web/templates/modals/footer.twig
+++ b/data/web/templates/modals/footer.twig
@ -191,8 +191,8 @@
        {# leave this here to inform users that u2f is deprecated #}
        {% if pending_tfa_method == 'u2f' %}
        <form role="form" method="post" id="u2f_auth_form">
-          <p>It seems that your Key was registered using the deprecated U2F method. We will deactivate Two-Factor-Authenticaiton for you and delete your Key.</p>
-          <p><b>Please register your Key in the admin panel with the new WebAuthn method.</b></p>
+          <p>lang.tfa.u2f_deprecated</p>
+          <p><b>lang.tfa.u2f_deprecated_important</b></p>
          <input type="hidden" name="token" value="destroy" />
          <input type="hidden" name="tfa_method" value="u2f">
          <input type="hidden" name="verify_tfa_login"/><br/>