From 8316e763fad0971b60b8fef3b55a6ad3523a3b44 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Sun, 16 Jan 2022 17:53:59 +0100
Subject: [PATCH] [WebAuthn] remove old u2f functions

---
 data/web/inc/functions.inc.php | 38 +-------------------------
 data/web/json_api.php | 39 ---------------------------
 data/web/lang/lang.de.json | 2 ++
 data/web/lang/lang.en.json | 2 ++
 data/web/templates/modals/footer.twig | 4 +--
 5 files changed, 7 insertions(+), 78 deletions(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index b540c581..58d82623 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1140,7 +1140,6 @@ function is_valid_domain_name($domain_name) {
 function set_tfa($_data) {
 global $pdo;
 global $yubi;
- global $u2f;
 global $tfa;
 $_data_log = $_data["tfa_method"];
 !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*';
@@ -1242,35 +1241,6 @@ function set_tfa($_data) {
 'msg' => array('object_modified', htmlspecialchars($username))
 );
 break;
- // u2f - deprecated, should be removed
- case "u2f":
- $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"];
- try {
- $reg = $u2f->doRegister(json_decode($_SESSION['regReq']), json_decode($_data['token']));
-
- $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `authmech` != 'u2f'");
- $stmt->execute(array(':username' => $username));
-
- $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `keyHandle`, `publicKey`, `certificate`, `counter`, `active`) VALUES (?, ?, 'u2f', ?, ?, ?, ?, '1')");
- $stmt->execute(array($username, $key_id, $reg->keyHandle, $reg->publicKey, $reg->certificate, $reg->counter));
-
- $_SESSION['return'][] = array(
- 'type' => 'success',
- 'log' => array(__FUNCTION__, $_data_log),
- 'msg' => array('object_modified', $username)
- );
- $_SESSION['regReq'] = null;
- }
- catch (Exception $e) {
- $_SESSION['return'][] = array(
- 'type' => 'danger',
- 'log' => array(__FUNCTION__, $_data_log),
- 'msg' => array('u2f_verification_failed', $e->getMessage())
- );
- $_SESSION['regReq'] = null;
- return false;
- }
- break;
 case "totp":
 $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"];
 if ($tfa->verifyCode($_POST['totp_secret'], $_POST['totp_confirm_token']) === true) {
@@ -2050,13 +2020,7 @@ function rspamd_ui($action, $data = null) {
 break;
 }
 }
-// u2f - deprecated, should be removed
-function get_u2f_registrations($username) {
- global $pdo;
- $sel = $pdo->prepare("SELECT * FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = ? AND `active` = '1'");
- $sel->execute(array($username));
- return $sel->fetchAll(PDO::FETCH_OBJ);
-}
+
 function get_logs($application, $lines = false) {
 if ($lines === false) {
 $lines = $GLOBALS['LOG_LINES'] - 1;
diff --git a/data/web/json_api.php b/data/web/json_api.php
index dfaa7383..278c1460 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -392,45 +392,6 @@ if (isset($_GET['query'])) {
 exit();
 }
 switch ($category) {
- // u2f - deprecated, should be removed
- case "u2f-registration":
- header('Content-Type: application/javascript');
- if (isset($_SESSION["mailcow_cc_role"]) && $_SESSION["mailcow_cc_username"] == $object) {
- list($req, $sigs) = $u2f->getRegisterData(get_u2f_registrations($object));
- $_SESSION['regReq'] = json_encode($req);
- $_SESSION['regSigs'] = json_encode($sigs);
- echo 'var req = ' . json_encode($req) . ';';
- echo 'var registeredKeys = ' . json_encode($sigs) . ';';
- echo 'var appId = req.appId;';
- echo 'var registerRequests = [{version: req.version, challenge: req.challenge}];';
- return;
- }
- else {
- return;
- }
- break;
- case "u2f-authentication":
- header('Content-Type: application/javascript');
- if (isset($_SESSION['pending_mailcow_cc_username']) && $_SESSION['pending_mailcow_cc_username'] == $object) {
- $auth_data = $u2f->getAuthenticateData(get_u2f_registrations($object));
- $challenge = $auth_data[0]->challenge;
- $appId = $auth_data[0]->appId;
- foreach ($auth_data as $each) {
- $key = array(); // Empty array
- $key['version'] = $each->version;
- $key['keyHandle'] = $each->keyHandle;
- $registeredKey[] = $key;
- }
- $_SESSION['authReq'] = json_encode($auth_data);
- echo 'var appId = "' . $appId . '";';
- echo 'var challenge = ' . json_encode($challenge) . ';';
- echo 'var registeredKeys = ' . json_encode($registeredKey) . ';';
- return;
- }
- else {
- return;
- }
- break;
 // fido2
 case "fido2-registration":
 header('Content-Type: application/json');
diff --git a/data/web/lang/lang.de.json b/data/web/lang/lang.de.json
index 8b28f751..643ce6ce 100644
--- a/data/web/lang/lang.de.json
+++ b/data/web/lang/lang.de.json
@@ -994,6 +994,8 @@
 "tfa": "Zwei-Faktor-Authentifizierung",
 "tfa_token_invalid": "TFA-Token ungültig!",
 "totp": "Time-based-OTP (Google Authenticator etc.)",
+ "u2f_deprecated": "Es sieht so aus als wurde der Schlüssel mit der alten U2F Methode registriert. Wir werden die Zwei-Faktor-Authentifizierung deaktivieren und deinen Schlüssel löschen.",
+ "u2f_deprecated_important": "Bitte registriere den Schlüssel im Adminbereich mit der neuen WebAuthn Methode.",
 "webauthn": "WebAuthn-Authentifizierung",
 "waiting_usb_auth": "Warte auf USB-Gerät...

Bitte jetzt den vorgesehenen Taster des USB-Gerätes berühren.",
 "waiting_usb_register": "Warte auf USB-Gerät...

Bitte zuerst das obere Passwortfeld ausfüllen und erst dann den vorgesehenen Taster des USB-Gerätes berühren.",
diff --git a/data/web/lang/lang.en.json b/data/web/lang/lang.en.json
index bb07df2f..10410ba4 100644
--- a/data/web/lang/lang.en.json
+++ b/data/web/lang/lang.en.json
@@ -1001,6 +1001,8 @@
 "tfa": "Two-factor authentication",
 "tfa_token_invalid": "TFA token invalid",
 "totp": "Time-based OTP (Google Authenticator, Authy, etc.)",
+ "u2f_deprecated": "It seems that your Key was registered using the deprecated U2F method. We will deactivate Two-Factor-Authenticaiton for you and delete your Key.",
+ "u2f_deprecated_important": "Please register your Key in the admin panel with the new WebAuthn method.",
 "webauthn": "WebAuthn authentication",
 "waiting_usb_auth": "Waiting for USB device...

Please tap the button on your USB device now.", "waiting_usb_register": "Waiting for USB device...

Please enter your password above and confirm your registration by tapping the button on your USB device.",
diff --git a/data/web/templates/modals/footer.twig b/data/web/templates/modals/footer.twig
index 1edf9ca9..6ac0ba48 100644
--- a/data/web/templates/modals/footer.twig
+++ b/data/web/templates/modals/footer.twig
@@ -191,8 +191,8 @@
 {# leave this here to inform users that u2f is deprecated #}
 {% if pending_tfa_method == 'u2f' %}
-

It seems that your Key was registered using the deprecated U2F method. We will deactivate Two-Factor-Authenticaiton for you and delete your Key.

-

Please register your Key in the admin panel with the new WebAuthn method.

+

lang.tfa.u2f_deprecated

+

lang.tfa.u2f_deprecated_important