555 function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false) |
555 function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false) |
556 { |
556 { |
557 global $db, $session, $paths, $template, $plugins; // Common objects |
557 global $db, $session, $paths, $template, $plugins; // Common objects |
558 |
558 |
559 $privcache = $this->private_key; |
559 $privcache = $this->private_key; |
560 |
560 |
561 // Lockout stuff |
561 if ( !defined('IN_ENANO_INSTALL') ) |
562 $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; |
562 { |
563 $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; |
563 // Lockout stuff |
564 // convert to minutes |
564 $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; |
565 $duration = $duration * 60; |
565 $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; |
566 $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; |
566 // convert to minutes |
567 if ( $policy == 'captcha' && $captcha_hash && $captcha_code ) |
567 $duration = $duration * 60; |
568 { |
568 $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; |
569 // policy is captcha -- check if it's correct, and if so, bypass lockout check |
569 if ( $policy == 'captcha' && $captcha_hash && $captcha_code ) |
570 $real_code = $this->get_captcha($captcha_hash); |
570 { |
571 } |
571 // policy is captcha -- check if it's correct, and if so, bypass lockout check |
572 if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) ) |
572 $real_code = $this->get_captcha($captcha_hash); |
573 { |
573 } |
574 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
574 if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) ) |
575 $timestamp_cutoff = time() - $duration; |
575 { |
576 $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); |
576 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
577 $fails = $db->numrows(); |
577 $timestamp_cutoff = time() - $duration; |
578 if ( $fails > $threshold ) |
578 $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); |
579 { |
579 $fails = $db->numrows(); |
580 // ooh boy, somebody's in trouble ;-) |
580 if ( $fails > $threshold ) |
581 $row = $db->fetchrow(); |
581 { |
|
582 // ooh boy, somebody's in trouble ;-) |
|
583 $row = $db->fetchrow(); |
|
584 $db->free_result(); |
|
585 return array( |
|
586 'success' => false, |
|
587 'error' => 'locked_out', |
|
588 'lockout_threshold' => $threshold, |
|
589 'lockout_duration' => ( $duration / 60 ), |
|
590 'lockout_fails' => $fails, |
|
591 'lockout_policy' => $policy, |
|
592 'lockout_last_time' => $row['timestamp'] |
|
593 ); |
|
594 } |
582 $db->free_result(); |
595 $db->free_result(); |
583 return array( |
596 } |
584 'success' => false, |
|
585 'error' => 'locked_out', |
|
586 'lockout_threshold' => $threshold, |
|
587 'lockout_duration' => ( $duration / 60 ), |
|
588 'lockout_fails' => $fails, |
|
589 'lockout_policy' => $policy, |
|
590 'lockout_last_time' => $row['timestamp'] |
|
591 ); |
|
592 } |
|
593 $db->free_result(); |
|
594 } |
597 } |
595 |
598 |
596 // Instanciate the Rijndael encryption object |
599 // Instanciate the Rijndael encryption object |
597 $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); |
600 $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); |
598 |
601 |
631 // This wasn't logged in <1.0.2, dunno how it slipped through |
634 // This wasn't logged in <1.0.2, dunno how it slipped through |
632 if($level > USER_LEVEL_MEMBER) |
635 if($level > USER_LEVEL_MEMBER) |
633 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
636 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
634 else |
637 else |
635 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
638 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
636 |
639 |
637 if ( $policy != 'disable' ) |
640 if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) |
638 { |
641 { |
639 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
642 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
640 // increment fail count |
643 // increment fail count |
641 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); |
644 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); |
642 $fails++; |
645 $fails++; |
744 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
747 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
745 else |
748 else |
746 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
749 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
747 |
750 |
748 // Do we also need to increment the lockout countdown? |
751 // Do we also need to increment the lockout countdown? |
749 if ( $policy != 'disable' ) |
752 if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) |
750 { |
753 { |
751 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
754 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
752 // increment fail count |
755 // increment fail count |
753 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); |
756 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); |
754 $fails++; |
757 $fails++; |
789 if($this->compat) |
792 if($this->compat) |
790 { |
793 { |
791 return $this->login_compat($username, $pass_hashed, $level); |
794 return $this->login_compat($username, $pass_hashed, $level); |
792 } |
795 } |
793 |
796 |
794 // Lockout stuff |
797 if ( !defined('IN_ENANO_INSTALL') ) |
795 $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; |
798 { |
796 $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; |
799 // Lockout stuff |
797 // convert to minutes |
800 $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; |
798 $duration = $duration * 60; |
801 $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; |
799 $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; |
802 // convert to minutes |
800 if ( $policy == 'captcha' && $captcha_hash && $captcha_code ) |
803 $duration = $duration * 60; |
801 { |
804 $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; |
802 // policy is captcha -- check if it's correct, and if so, bypass lockout check |
805 if ( $policy == 'captcha' && $captcha_hash && $captcha_code ) |
803 $real_code = $this->get_captcha($captcha_hash); |
806 { |
804 } |
807 // policy is captcha -- check if it's correct, and if so, bypass lockout check |
805 if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) ) |
808 $real_code = $this->get_captcha($captcha_hash); |
806 { |
809 } |
807 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
810 if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) ) |
808 $timestamp_cutoff = time() - $duration; |
811 { |
809 $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); |
812 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
810 $fails = $db->numrows(); |
813 $timestamp_cutoff = time() - $duration; |
811 if ( $fails > $threshold ) |
814 $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); |
812 { |
815 $fails = $db->numrows(); |
813 // ooh boy, somebody's in trouble ;-) |
816 if ( $fails > $threshold ) |
814 $row = $db->fetchrow(); |
817 { |
|
818 // ooh boy, somebody's in trouble ;-) |
|
819 $row = $db->fetchrow(); |
|
820 $db->free_result(); |
|
821 return array( |
|
822 'success' => false, |
|
823 'error' => 'locked_out', |
|
824 'lockout_threshold' => $threshold, |
|
825 'lockout_duration' => ( $duration / 60 ), |
|
826 'lockout_fails' => $fails, |
|
827 'lockout_policy' => $policy, |
|
828 'lockout_last_time' => $row['timestamp'] |
|
829 ); |
|
830 } |
815 $db->free_result(); |
831 $db->free_result(); |
816 return array( |
832 } |
817 'success' => false, |
|
818 'error' => 'locked_out', |
|
819 'lockout_threshold' => $threshold, |
|
820 'lockout_duration' => ( $duration / 60 ), |
|
821 'lockout_fails' => $fails, |
|
822 'lockout_policy' => $policy, |
|
823 'lockout_last_time' => $row['timestamp'] |
|
824 ); |
|
825 } |
|
826 $db->free_result(); |
|
827 } |
833 } |
828 |
834 |
829 // Instanciate the Rijndael encryption object |
835 // Instanciate the Rijndael encryption object |
830 $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); |
836 $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); |
831 |
837 |
841 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
847 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
842 else |
848 else |
843 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
849 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
844 |
850 |
845 // Do we also need to increment the lockout countdown? |
851 // Do we also need to increment the lockout countdown? |
846 if ( $policy != 'disable' ) |
852 if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) |
847 { |
853 { |
848 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
854 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
849 // increment fail count |
855 // increment fail count |
850 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); |
856 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); |
851 $fails++; |
857 $fails++; |
946 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
952 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
947 else |
953 else |
948 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
954 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); |
949 |
955 |
950 // Do we also need to increment the lockout countdown? |
956 // Do we also need to increment the lockout countdown? |
951 if ( $policy != 'disable' ) |
957 if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) |
952 { |
958 { |
953 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
959 $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); |
954 // increment fail count |
960 // increment fail count |
955 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); |
961 $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); |
956 $fails++; |
962 $fails++; |