363 function page_Special_Login_preloader() // adding _preloader to the end of the function name calls the function before $session and $paths setup routines are called |
380 function page_Special_Login_preloader() // adding _preloader to the end of the function name calls the function before $session and $paths setup routines are called |
364 { |
381 { |
365 global $db, $session, $paths, $template, $plugins; // Common objects |
382 global $db, $session, $paths, $template, $plugins; // Common objects |
366 global $__login_status; |
383 global $__login_status; |
367 global $lang; |
384 global $lang; |
|
385 if ( $paths->getParam(0) === 'action.json' ) |
|
386 { |
|
387 if ( !isset($_POST['r']) ) |
|
388 die('No request.'); |
|
389 |
|
390 $request = $_POST['r']; |
|
391 try |
|
392 { |
|
393 $request = enano_json_decode($request); |
|
394 } |
|
395 catch ( Exception $e ) |
|
396 { |
|
397 die(enano_json_encode(array( |
|
398 'mode' => 'error', |
|
399 'error' => 'ERR_JSON_PARSE_FAILED' |
|
400 ))); |
|
401 } |
|
402 |
|
403 echo enano_json_encode($session->process_login_request($request)); |
|
404 |
|
405 $db->close(); |
|
406 exit; |
|
407 } |
368 if ( isset($_GET['act']) && $_GET['act'] == 'ajaxlogin' ) |
408 if ( isset($_GET['act']) && $_GET['act'] == 'ajaxlogin' ) |
369 { |
409 { |
370 $plugins->attachHook('login_password_reset', 'SpecialLogin_SendResponse_PasswordReset($row[\'user_id\'], $row[\'temp_password\']);'); |
410 $plugins->attachHook('login_password_reset', 'SpecialLogin_SendResponse_PasswordReset($row[\'user_id\'], $row[\'temp_password\']);'); |
371 $data = enano_json_decode($_POST['params']); |
411 $data = enano_json_decode($_POST['params']); |
372 $captcha_hash = ( isset($data['captcha_hash']) ) ? $data['captcha_hash'] : false; |
412 $captcha_hash = ( isset($data['captcha_hash']) ) ? $data['captcha_hash'] : false; |
373 $captcha_code = ( isset($data['captcha_code']) ) ? $data['captcha_code'] : false; |
413 $captcha_code = ( isset($data['captcha_code']) ) ? $data['captcha_code'] : false; |
374 $level = ( isset($data['level']) ) ? intval($data['level']) : USER_LEVEL_MEMBER; |
414 $level = ( isset($data['level']) ) ? intval($data['level']) : USER_LEVEL_MEMBER; |
375 $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level, $captcha_hash, $captcha_code); |
415 |
|
416 // 1.1.3: Diffie Hellman |
|
417 global $dh_supported; |
|
418 global $_math; |
|
419 if ( $data['diffiehellman'] && isset($data['publickey_client']) && isset($data['publickey_server']) && isset($data['crypt_key_check']) ) |
|
420 { |
|
421 if ( !$dh_supported ) |
|
422 { |
|
423 die('Special:Login: Illegal request for Diffie Hellman exchange'); |
|
424 } |
|
425 // retrieve our public key |
|
426 if ( !preg_match('/^[0-9]+$/', $data['publickey_server']) ) |
|
427 { |
|
428 die('Special:Login: Illegal request for Diffie Hellman exchange'); |
|
429 } |
|
430 $pubkey_server =& $data['publickey_server']; |
|
431 |
|
432 // retrieve our private key |
|
433 $q = $db->sql_query('SELECT private_key, key_id FROM ' . table_prefix . "diffiehellman WHERE public_key = '$pubkey_server';"); |
|
434 if ( !$q ) |
|
435 $db->die_json(); |
|
436 |
|
437 if ( $db->numrows() < 1 ) |
|
438 { |
|
439 die('Special:Login: Couldn\'t lookup Diffie Hellman key: ' . $pubkey_server); |
|
440 } |
|
441 list($privkey_server, $key_id) = $db->fetchrow_num(); |
|
442 $db->free_result(); |
|
443 |
|
444 // get shared secret |
|
445 $dh_secret = dh_gen_shared_secret($privkey_server, $data['publickey_client']); |
|
446 $dh_secret = $_math->str($dh_secret); |
|
447 $secret_check = sha1($dh_secret); |
|
448 if ( $secret_check !== $data['crypt_key_check'] ) |
|
449 { |
|
450 die(enano_json_encode(array( |
|
451 'mode' => 'error', |
|
452 'error' => 'Diffie Hellman redundancy check failed, couldn\'t rebuild the AES key.', |
|
453 'debug' => array( |
|
454 'server private key' => $privkey_server, |
|
455 'client public key' => $data['publickey_client'], |
|
456 'expected sha1' => $data['crypt_key_check'], |
|
457 'actual sha1' => $secret_check |
|
458 ) |
|
459 ))); |
|
460 } |
|
461 // we have the secret, now get the sha256 hash |
|
462 $crypt_key = substr(sha256($dh_secret), 0, ( AES_BITS / 4 )); |
|
463 } |
|
464 else if ( !$data['diffiehellman'] && isset($data['crypt_key']) && isset($data['crypt_data']) ) |
|
465 { |
|
466 $crypt_key = $data['crypt_key']; |
|
467 } |
|
468 else |
|
469 { |
|
470 die('Special:Login: Illegal request'); |
|
471 } |
|
472 |
|
473 $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $crypt_key, $data['challenge'], $level, $captcha_hash, $captcha_code, !$dh_supported); |
376 |
474 |
377 if ( $result['success'] ) |
475 if ( $result['success'] ) |
378 { |
476 { |
379 $response = Array( |
477 $response = Array( |
380 'result' => 'success', |
478 'result' => 'success', |
466 $paths->main_page(); |
564 $paths->main_page(); |
467 |
565 |
468 $l = $session->logout(); |
566 $l = $session->logout(); |
469 if ( $l == 'success' ) |
567 if ( $l == 'success' ) |
470 { |
568 { |
471 |
569 $url = makeUrl(getConfig('main_page'), false, true); |
472 redirect(makeUrl(getConfig('main_page'), false, true), $lang->get('user_logout_success_title'), $lang->get('user_logout_success_body'), 4); |
570 if ( $pi = $paths->getAllParams() ) |
|
571 { |
|
572 list($pid, $ns) = RenderMan::strToPageID($pi); |
|
573 $perms = $session->fetch_page_acl($pid, $ns); |
|
574 if ( $perms->get_permissions('read') ) |
|
575 { |
|
576 $url = makeUrl($pi, false, true); |
|
577 } |
|
578 } |
|
579 redirect($url, $lang->get('user_logout_success_title'), $lang->get('user_logout_success_body'), 4); |
473 } |
580 } |
474 $template->header(); |
581 $template->header(); |
475 echo '<h3>' . $lang->get('user_logout_err_title') . '</h3>'; |
582 echo '<h3>' . $lang->get('user_logout_err_title') . '</h3>'; |
476 echo '<p>' . $l . '</p>'; |
583 echo '<p>' . $l . '</p>'; |
477 $template->footer(); |
584 $template->footer(); |