[WebAuthn] remove old u2f functions

master
FreddleSpl0it 2022-01-16 17:53:59 +01:00
parent a849d03a00
commit 8316e763fa
No known key found for this signature in database
GPG Key ID: 38F5FCC689C181F9
5 changed files with 7 additions and 78 deletions

View File

@ -1140,7 +1140,6 @@ function is_valid_domain_name($domain_name) {
function set_tfa($_data) { function set_tfa($_data) {
global $pdo; global $pdo;
global $yubi; global $yubi;
global $u2f;
global $tfa; global $tfa;
$_data_log = $_data["tfa_method"]; $_data_log = $_data["tfa_method"];
!isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*'; !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*';
@ -1242,35 +1241,6 @@ function set_tfa($_data) {
'msg' => array('object_modified', htmlspecialchars($username)) 'msg' => array('object_modified', htmlspecialchars($username))
); );
break; break;
// u2f - deprecated, should be removed
case "u2f":
$key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"];
try {
$reg = $u2f->doRegister(json_decode($_SESSION['regReq']), json_decode($_data['token']));
$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `authmech` != 'u2f'");
$stmt->execute(array(':username' => $username));
$stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `keyHandle`, `publicKey`, `certificate`, `counter`, `active`) VALUES (?, ?, 'u2f', ?, ?, ?, ?, '1')");
$stmt->execute(array($username, $key_id, $reg->keyHandle, $reg->publicKey, $reg->certificate, $reg->counter));
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_data_log),
'msg' => array('object_modified', $username)
);
$_SESSION['regReq'] = null;
}
catch (Exception $e) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_data_log),
'msg' => array('u2f_verification_failed', $e->getMessage())
);
$_SESSION['regReq'] = null;
return false;
}
break;
case "totp": case "totp":
$key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"]; $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"];
if ($tfa->verifyCode($_POST['totp_secret'], $_POST['totp_confirm_token']) === true) { if ($tfa->verifyCode($_POST['totp_secret'], $_POST['totp_confirm_token']) === true) {
@ -2050,13 +2020,7 @@ function rspamd_ui($action, $data = null) {
break; break;
} }
} }
// u2f - deprecated, should be removed
function get_u2f_registrations($username) {
global $pdo;
$sel = $pdo->prepare("SELECT * FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = ? AND `active` = '1'");
$sel->execute(array($username));
return $sel->fetchAll(PDO::FETCH_OBJ);
}
function get_logs($application, $lines = false) { function get_logs($application, $lines = false) {
if ($lines === false) { if ($lines === false) {
$lines = $GLOBALS['LOG_LINES'] - 1; $lines = $GLOBALS['LOG_LINES'] - 1;

View File

@ -392,45 +392,6 @@ if (isset($_GET['query'])) {
exit(); exit();
} }
switch ($category) { switch ($category) {
// u2f - deprecated, should be removed
case "u2f-registration":
header('Content-Type: application/javascript');
if (isset($_SESSION["mailcow_cc_role"]) && $_SESSION["mailcow_cc_username"] == $object) {
list($req, $sigs) = $u2f->getRegisterData(get_u2f_registrations($object));
$_SESSION['regReq'] = json_encode($req);
$_SESSION['regSigs'] = json_encode($sigs);
echo 'var req = ' . json_encode($req) . ';';
echo 'var registeredKeys = ' . json_encode($sigs) . ';';
echo 'var appId = req.appId;';
echo 'var registerRequests = [{version: req.version, challenge: req.challenge}];';
return;
}
else {
return;
}
break;
case "u2f-authentication":
header('Content-Type: application/javascript');
if (isset($_SESSION['pending_mailcow_cc_username']) && $_SESSION['pending_mailcow_cc_username'] == $object) {
$auth_data = $u2f->getAuthenticateData(get_u2f_registrations($object));
$challenge = $auth_data[0]->challenge;
$appId = $auth_data[0]->appId;
foreach ($auth_data as $each) {
$key = array(); // Empty array
$key['version'] = $each->version;
$key['keyHandle'] = $each->keyHandle;
$registeredKey[] = $key;
}
$_SESSION['authReq'] = json_encode($auth_data);
echo 'var appId = "' . $appId . '";';
echo 'var challenge = ' . json_encode($challenge) . ';';
echo 'var registeredKeys = ' . json_encode($registeredKey) . ';';
return;
}
else {
return;
}
break;
// fido2 // fido2
case "fido2-registration": case "fido2-registration":
header('Content-Type: application/json'); header('Content-Type: application/json');

View File

@ -994,6 +994,8 @@
"tfa": "Zwei-Faktor-Authentifizierung", "tfa": "Zwei-Faktor-Authentifizierung",
"tfa_token_invalid": "TFA-Token ungültig!", "tfa_token_invalid": "TFA-Token ungültig!",
"totp": "Time-based-OTP (Google Authenticator etc.)", "totp": "Time-based-OTP (Google Authenticator etc.)",
"u2f_deprecated": "Es sieht so aus als wurde der Schlüssel mit der alten U2F Methode registriert. Wir werden die Zwei-Faktor-Authentifizierung deaktivieren und deinen Schlüssel löschen.",
"u2f_deprecated_important": "Bitte registriere den Schlüssel im Adminbereich mit der neuen WebAuthn Methode.",
"webauthn": "WebAuthn-Authentifizierung", "webauthn": "WebAuthn-Authentifizierung",
"waiting_usb_auth": "<i>Warte auf USB-Gerät...</i><br><br>Bitte jetzt den vorgesehenen Taster des USB-Gerätes berühren.", "waiting_usb_auth": "<i>Warte auf USB-Gerät...</i><br><br>Bitte jetzt den vorgesehenen Taster des USB-Gerätes berühren.",
"waiting_usb_register": "<i>Warte auf USB-Gerät...</i><br><br>Bitte zuerst das obere Passwortfeld ausfüllen und erst dann den vorgesehenen Taster des USB-Gerätes berühren.", "waiting_usb_register": "<i>Warte auf USB-Gerät...</i><br><br>Bitte zuerst das obere Passwortfeld ausfüllen und erst dann den vorgesehenen Taster des USB-Gerätes berühren.",

View File

@ -1001,6 +1001,8 @@
"tfa": "Two-factor authentication", "tfa": "Two-factor authentication",
"tfa_token_invalid": "TFA token invalid", "tfa_token_invalid": "TFA token invalid",
"totp": "Time-based OTP (Google Authenticator, Authy, etc.)", "totp": "Time-based OTP (Google Authenticator, Authy, etc.)",
"u2f_deprecated": "It seems that your Key was registered using the deprecated U2F method. We will deactivate Two-Factor-Authenticaiton for you and delete your Key.",
"u2f_deprecated_important": "Please register your Key in the admin panel with the new WebAuthn method.",
"webauthn": "WebAuthn authentication", "webauthn": "WebAuthn authentication",
"waiting_usb_auth": "<i>Waiting for USB device...</i><br><br>Please tap the button on your USB device now.", "waiting_usb_auth": "<i>Waiting for USB device...</i><br><br>Please tap the button on your USB device now.",
"waiting_usb_register": "<i>Waiting for USB device...</i><br><br>Please enter your password above and confirm your registration by tapping the button on your USB device.", "waiting_usb_register": "<i>Waiting for USB device...</i><br><br>Please enter your password above and confirm your registration by tapping the button on your USB device.",

View File

@ -191,8 +191,8 @@
{# leave this here to inform users that u2f is deprecated #} {# leave this here to inform users that u2f is deprecated #}
{% if pending_tfa_method == 'u2f' %} {% if pending_tfa_method == 'u2f' %}
<form role="form" method="post" id="u2f_auth_form"> <form role="form" method="post" id="u2f_auth_form">
<p>It seems that your Key was registered using the deprecated U2F method. We will deactivate Two-Factor-Authenticaiton for you and delete your Key.</p> <p>lang.tfa.u2f_deprecated</p>
<p><b>Please register your Key in the admin panel with the new WebAuthn method.</b></p> <p><b>lang.tfa.u2f_deprecated_important</b></p>
<input type="hidden" name="token" value="destroy" /> <input type="hidden" name="token" value="destroy" />
<input type="hidden" name="tfa_method" value="u2f"> <input type="hidden" name="tfa_method" value="u2f">
<input type="hidden" name="verify_tfa_login"/><br/> <input type="hidden" name="verify_tfa_login"/><br/>