New release 5.8.1.9

FIX: Cookie privacy (httponly and secure) backported to previous virtual appliances ENH: Weak SSL ciphers disabled ENH: Better Docker support ENH: Better log handling
multiOTP · Mar 25, 2021 · 60a652d · 60a652d
1 parent e60e7ea
commit 60a652d
Show file tree

Hide file tree

Showing 19 changed files with 1,113 additions and 217 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -15,15 +15,16 @@
 # Please check http://www.multiOTP.net/ and you will find the magic button ;-)
 #
 # @author    Andre Liechti, SysCo systemes de communication sa, <[email protected]>
-# @version   5.8.1.2 (apt-offline removed)
-# @date      2021-03-24
+# @version   5.8.1.9
+# @date      2021-03-25
 # @since     2013-11-29
-# @copyright (c) 2013-2018 by SysCo systemes de communication sa
+# @copyright (c) 2013-2021 SysCo systemes de communication sa
 # @copyright GNU Lesser General Public License
 #
 # docker build .
 # docker run --mount source=multiotp-data,target=/etc/multiotp -p 80:80 -p 443:443 -p 1812:1812/udp -p 1813:1813/udp -d xxxxxxxxxxxx
 #
+# 2021-03-25 5.8.1.9 SysCo/al Remove apt-offline, which is not used
 # 2020-08-31 5.8.0.0 SysCo/al Debian Buster 10.5 support
 # 2019-10-22 5.6.1.3 SysCo/al Debian 10 support
 # 2019-01-07 5.4.1.1 SysCo/al Debian 9 support
@@ -40,7 +41,7 @@ MAINTAINER Andre Liechti <[email protected]>
 LABEL Description="multiOTP open source, running on Debian ${DEBIAN} with PHP${PHPVERSION}." \
       License="LGPL-3.0" \
       Usage="docker run --mount source=[SOURCE PERSISTENT VOLUME],target=/etc/multiotp -p [HOST WWW PORT NUMBER]:80 -p [HOST SSL PORT NUMBER]:443 -p [HOST RADIUS-AUTH PORT NUMBER]:1812/udp -p [HOST RADIUS-ACCNT PORT NUMBER]:1813/udp -d multiotp-open-source" \
-      Version="5.8.1.1"
+      Version="5.8.1.9"
 
 ARG DEBIAN_FRONTEND=noninteractive
 
@@ -101,7 +102,7 @@ COPY raspberry/boot-part/multiotp-tree /boot/multiotp-tree/
 # (if you want to build an image with the latest
 #  available version instead of the local one)
 #
-# RUN wget -q http://download.multiotp.net/multiotp.zip -O /tmp/multiotp.zip && \
+# RUN wget -q https://download.multiotp.net/multiotp.zip -O /tmp/multiotp.zip && \
 #     unzip -q -o /tmp/multiotp.zip -d /tmp/multiotp
 # 
 # RUN mv /tmp/multiotp/raspberry/boot-part/* /boot && \

diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ multiOTP open source is OATH certified for HOTP/TOTP
 (c) 2010-2021 SysCo systemes de communication sa  
 http://www.multiOTP.net/
 
-Current build: 5.8.1.1 (2021-03-14)
+Current build: 5.8.1.9 (2021-03-25)
 
 Binary download: https://download.multiotp.net/ (including virtual appliance image)
 
@@ -311,6 +311,15 @@ WHAT'S NEW IN THE RELEASES
 CHANGE LOG OF RELEASED VERSIONS
 ===============================
 ```
+2021-03-25 5.8.1.9 FIX: Cookie privacy (httponly and secure) backported to previous virtual appliances
+                   ENH: Cookie privacy (httponly and secure) are now handled in the application directly
+                   ENH: Weak SSL ciphers disabled
+                   ENH: Better Docker support
+                   ENH: Better log handling
+2021-03-21 5.8.1.2 ENH: Test (1 == GetUserPrefixPin()) replaced by IsUserPrefixPin()
+2021-03-14 5.8.1.1 FIX: In some cases, the HOTP/TOTP was not well computed
+2021-03-21 5.8.1.2 FIX: Dockerfile corrected, apt-offline removed
+                   ENH: Enhanced log file handling
 2021-03-14 5.8.1.1 FIX: In some cases, the HOTP/TOTP was not well computed
 2021-02-12 5.8.1.0 ENH: Enhanced Web GUI accounts list (green=AD/LDAP synced, orange = delayed, red=locked)
 2020-12-11 5.8.0.7 ENH: -sync-delete-retention-days= option is set by default to 30 days
@@ -1679,7 +1688,7 @@ MULTIOTP COMMAND LINE TOOL
 ==========================
 
 ``` 
-multiOTP 5.8.1.1 (2021-03-14)
+multiOTP 5.8.1.9 (2021-03-25)
 (c) 2010-2021 SysCo systemes de communication sa
 http://www.multiOTP.net   (you can try the [Donate] button ;-)
 
@@ -1724,7 +1733,7 @@ Return codes:
 15 INFO: Tokens definition file successfully imported 
 16 INFO: QRcode successfully created 
 17 INFO: UrlLink successfully created 
-18 INFO: SMS code request received 
+18 INFO: Static code request received 
 19 INFO: Requested operation successfully done 
 20 ERROR: User blacklisted 
 21 ERROR: User doesn't exist 
@@ -1759,10 +1768,15 @@ Return codes:
 62 ERROR: SMS provider not supported 
 63 ERROR: This SMS code has expired 
 64 ERROR: Cannot resent an SMS code right now 
+65 ERROR: SMS code request not allowed 
+66 ERROR: Email code request not allowed 
+67 ERROR: No information on where to send Email code 
+68 ERROR: Email code request received, but an error occurred during transmission 
 69 ERROR: Failed to send email 
 70 ERROR: Server authentication error 
 71 ERROR: Server request is not correctly formatted 
 72 ERROR: Server answer is not correctly formatted 
+73 ERROR: Email SMTP server not defined 
 79 ERROR: AD/LDAP connection error 
 80 ERROR: Server cache error 
 81 ERROR: Cache too old for this user, account autolocked 
@@ -2020,7 +2034,8 @@ Backup/restore commands:
 Other information commands:
 
  multiotp -phpinfo         : print the current PHP version
- multiotp -showlog         : print the log file
+ multiotp -showlog         : print the log entries
+ multiotp -clearlog        : clear the log entries
  multiotp -tokenslist      : print the list of the tokens
  multiotp -userslist       : print the list of the users
  multiotp -lockeduserslist : print the list of the locked users
@@ -2179,8 +2194,8 @@ Visit https://forum.multiotp.net/ for additional support
 ``` 
 
 ``` 
-Hash verification for multiotp_5.8.1.1.zip 
-SHA256:9cd03e212323964cd8c9fc2a132a01792d9cc5186c02125d0f06aef957801711 
-SHA1:f45b31f5cd7fe596ff7ff8090316b1fbbd611016 
-MD5:5d0b90c902edc5f21df5e528001835b3 
+Hash verification for multiotp_5.8.1.9.zip 
+SHA256:f07fdc9420a2700f5f3627a4f6e8e50fca64ae485214a2fa25ba7a5e738b2fd1 
+SHA1:87159d78fb582b20f8d796bd7549e1ba78232fbf 
+MD5:3b7d16b66ceb83be0c5800c74ac2a7bc 
 ``` 
diff --git a/check.multiotp.class.php b/check.multiotp.class.php
@@ -22,8 +22,8 @@
  * PHP 5.3.0 or higher is supported.
  *
  * @author    Andre Liechti, SysCo systemes de communication sa, <[email protected]>
- * @version   5.8.1.1
- * @date      2021-03-14
+ * @version   5.8.1.9
+ * @date      2021-03-25
  * @since     2013-07-10
  * @copyright (c) 2013-2021 SysCo systemes de communication sa
  * @copyright GNU Lesser General Public License
@@ -134,6 +134,8 @@
     $GLOBALS['noresume'] = $_GET['noresume'];
 }
 
+$test_mail = isset($GLOBALS['test_mail'])?$GLOBALS['test_mail']:'';
+
 if (!function_exists('echo_full')) {
     function echo_full($to_display) {
         if (!$GLOBALS['minima']) {
@@ -498,7 +500,7 @@ function scrollToObject(object_div)
     echo_full($crlf);
 
 
-   //====================================================================
+    //====================================================================
     // Delete the user test_user if it exists
     echo_full($i_on);
     echo_full("Deleting the test_user".$crlf);
@@ -514,7 +516,7 @@ function scrollToObject(object_div)
     echo_full($crlf);
 
 
-   //====================================================================
+    //====================================================================
     // Delete the user test_user twice if it exists
     echo_full($i_on);
     echo_full("Deleting the test_user (twice)".$crlf);
@@ -530,7 +532,7 @@ function scrollToObject(object_div)
     echo_full($crlf);
 
 
-   //====================================================================
+    //====================================================================
     // Delete the user test_totp if it exists
     echo_full($i_on);
     echo_full("Deleting the test_totp".$crlf);
@@ -546,7 +548,7 @@ function scrollToObject(object_div)
     echo_full($crlf);
 
 
-   //====================================================================
+    //====================================================================
     //====================================================================
     // Delete the token test_token if it exists
     echo_full($i_on);
@@ -563,7 +565,7 @@ function scrollToObject(object_div)
     echo_full($crlf);
 
 
-   //====================================================================
+    //====================================================================
     //====================================================================
     // Delete the token test_token_totp if it exists
     echo_full($i_on);
@@ -773,6 +775,26 @@ function scrollToObject(object_div)
     echo_full($crlf);
 
 
+    //================================================
+    // TEST: Generate Email token for the current user
+    if ('' != $test_mail) {
+        $tests++;
+        echo_full($b_on."Generate Email token for user test_user".$b_off.$crlf);
+        $multiotp->SetUser('test_user');
+        $multiotp->SetEmailCodeAllowed(1);
+        $multiotp->SetUserEmail($test_mail);
+        $multiotp->WriteUserData();
+        $token_result = $multiotp->GenerateEmailToken();
+        if (18 == $token_result) {
+            echo_full("- ".$ok_on.'OK!'.$ok_off." Email token successfully generated".$crlf);
+            $successes++;
+        } else {
+            echo_full("- ".$ko_on.'KO!'.$ko_off." Email token generation failed, error $token_result.".$crlf);
+        }
+        echo_full($crlf);
+    }
+
+
     //====================================================================
     // Delete the user test_user8 if it exists
     echo_full($i_on);

diff --git a/checkmultiotp.cmd b/checkmultiotp.cmd
@@ -11,8 +11,8 @@ REM
 REM Windows batch file for Windows 2K/XP/2003/7/2008/8/2012/10/2019
 REM
 REM @author    Andre Liechti, SysCo systemes de communication sa, <[email protected]>
-REM @version   5.8.1.1
-REM @date      2021-03-14
+REM @version   5.8.1.9
+REM @date      2021-03-25
 REM @since     2010-07-10
 REM @copyright (c) 2010-2021 SysCo systemes de communication sa
 REM @copyright GNU Lesser General Public License
@@ -250,9 +250,9 @@ SET /A TOTAL_TESTS=TOTAL_TESTS+1
 ECHO.
 ECHO Test replay rejection for user test_user
 %_multiotp% -keep-local -log test_user "ThisIsALongNonDigitPinCode!755224"
-IF NOT ERRORLEVEL 1 ECHO - KO! Replayed token *WRONGLY* accepted
-IF NOT ERRORLEVEL 1 ECHO - KO! Replayed token *WRONGLY* accepted (%_backend%) >>"%TEMP%\multiotp_error.log"
-IF NOT ERRORLEVEL 1 GOTO ErrorReplay
+IF NOT ERRORLEVEL 26 ECHO - KO! Replayed token *WRONGLY* accepted
+IF NOT ERRORLEVEL 26 ECHO - KO! Replayed token *WRONGLY* accepted (%_backend%) >>"%TEMP%\multiotp_error.log"
+IF NOT ERRORLEVEL 26 GOTO ErrorReplay
 ECHO - OK! Token of the user test_user successfully REJECTED (replay)
 SET /A SUCCESSES=SUCCESSES+1
 :ErrorReplay
@@ -310,11 +310,11 @@ ECHO.
 ECHO Authenticate test_user with replayed token 162583 with prefix using MS-CHAPv2
 REM user test_user and password "ThisIsALongNonDigitPinCode!162583"
 %_multiotp% -keep-local -log test_user -ms-chap-challenge=0xc5356d83125a36b655c59a05b2245d68 -ms-chap2-response=0x00006cea45ad4f3e3a6af414cc09619aeb1e00000000000000004dd32ee9f3b898cf4fcd665ba167a303ce2c1266e7a26f10
-IF NOT ERRORLEVEL 1 ECHO - KO! Replayed token of the user test_user wrongly accepted
-IF NOT ERRORLEVEL 1 ECHO - KO! Replayed token of the user test_user wrongly accepted (%_backend%) >>"%TEMP%\multiotp_error.log"
-IF NOT ERRORLEVEL 1 GOTO ErrorReplayedMsChapV2
-IF ERRORLEVEL 1 ECHO - OK! Replayed Token of the test_user successfully REJECTED
-IF ERRORLEVEL 1 SET /A SUCCESSES=SUCCESSES+1
+IF NOT ERRORLEVEL 26 ECHO - KO! Replayed token of the user test_user wrongly accepted
+IF NOT ERRORLEVEL 26 ECHO - KO! Replayed token of the user test_user wrongly accepted (%_backend%) >>"%TEMP%\multiotp_error.log"
+IF NOT ERRORLEVEL 26 GOTO ErrorReplayedMsChapV2
+IF ERRORLEVEL 26 ECHO - OK! Replayed Token of the test_user successfully REJECTED
+IF ERRORLEVEL 26 SET /A SUCCESSES=SUCCESSES+1
 :ErrorReplayedMsChapV2
 SET /A TOTAL_TESTS=TOTAL_TESTS+1
 

diff --git a/contrib/MultiotpTools.php b/contrib/MultiotpTools.php
@@ -70,6 +70,26 @@ function pcre_fnmatch($pattern, $string, $flags = 0) {
 } 
 
 
+/***********************************************************************
+ * Name: bytes_nice_format
+ * Short description: nice format for a size in bytes
+ *
+ * Creation 2021-03-14
+ * Update   2021-03-14
+ * @version 1.0.0
+ * @author  Adapted from https://www.php.net/manual/en/function.disk-free-space.php#103382
+ *
+ * @param   int     $bytes   size in bytes
+ * @return  string           nice size in a string
+ ***********************************************************************/
+function bytes_nice_format($bytes) {
+    $size_prefix = array( 'B', 'KB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB', 'YB' );
+    $base = 1024;
+    $class = min((int)log($bytes , $base) , count($size_prefix) - 1);
+    return sprintf('%1.2f' , $bytes / pow($base,$class)) . ' ' . $size_prefix[$class];
+}
+
+
 /***********************************************************************
  * Name: bcmod
  * Short description: description: Patch for bcmod
@@ -845,12 +865,17 @@ function rmrf($dir) {
 }
 
 
-/**
- * Based on http://snipplr.com/view/57982/convert-html-to-text/
- *   by kendsnyder (2011-08-18)
+/***********************************************************************
+ * Name: html2text
+ * Short description: Convert html to text
+ *   Based on http://snipplr.com/view/57982/convert-html-to-text/
  *
- * Enhanced by SysCo/al
- */
+ * Creation 2011-08-18 kendsnyder
+ * Update   2021-03-23
+ * @version 2.0.0
+ * @author  SysCo/al
+ ***********************************************************************/
+
 if (!function_exists('html2text'))
 {
     function html2text($value)
@@ -878,8 +903,7 @@ function html2text($value)
                         '@&(cent|#162);@i',               //   Cent
                         '@&(pound|#163);@i',              //   Pound
                         '@&(copy|#169);@i',               //   Copyright
-                        '@&(reg|#174);@i',                //   Registered
-                        '@&#(d+);@e');                    // Evaluate as php
+                        '@&(reg|#174);@i');               //   Registered
         $Replace = array ('',  // Strip out javascript
                           '',  // Strip out style
                           '',  // Strip out title
@@ -895,9 +919,11 @@ function html2text($value)
                           chr(162), // Cent
                           chr(163), // Pound
                           chr(169), // Copyright
-                          chr(174), // Registered
-                          'chr()'); // Evaluate as php
+                          chr(174)); // Registered
         $Document = preg_replace($Rules, $Replace, $Document);
+
+        $Document = preg_replace_callback('@&#(d+);@i', function ($match) { return (((intval($match) >= 1) && (intval($match) <= 255)) ? chr(intval($match)) : ''); }, $Document);
+
         $Document = preg_replace('@[\r\n]@', '', $Document);
         $Document = str_replace('*CRLF*',chr(13).chr(10),$Document);
         $Document = preg_replace('@[\r\n][ ]+@', chr(13).chr(10), $Document);

diff --git a/launcher/ReadMe.txt b/launcher/ReadMe.txt
@@ -15,8 +15,8 @@ The multiOTP C++ launcher is simply used to launch PHP
 and run multiotp.windows.php with the provided arguments.
 
 @author    Andre Liechti, SysCo systemes de communication sa, <[email protected]>
-@version   5.8.1.1
-@date      2021-03-14
+@version   5.8.1.9
+@date      2021-03-25
 @since     2016-12-08
 @copyright (c) 2010-2021 SysCo systemes de communication sa
 @copyright GNU Lesser General Public License

diff --git a/launcher/launcher.cpp b/launcher/launcher.cpp
@@ -14,8 +14,8 @@
  * and run multiotp.windows.php with the provided arguments.
  *
  * @author    Andre Liechti, SysCo systemes de communication sa, <[email protected]>
- * @version   5.8.1.1
- * @date      2021-03-14
+ * @version   5.8.1.9
+ * @date      2021-03-25
  * @since     2016-12-08
  * @copyright (c) 2010-2021 SysCo systemes de communication sa
  * @copyright GNU Lesser General Public License
@@ -68,8 +68,8 @@
 #include <iostream>
 
 #define SOFTWARE    "LAUNCHPHPMULTIOTP"
-#define VER_NUMBER  "5.8.1.1"
-#define VER_DATE    "2021-03-14"
+#define VER_NUMBER  "5.8.1.9"
+#define VER_DATE    "2021-03-25"
 
 int _tmain(int argc, _TCHAR* argv[])
 {