New release 5.9.9.1

FIX: Windows backup temp folder is now the default system temp folder
FIX: Adding -sync-delete-retention-days parameter doesn't return missing parameters error
FIX: Case sensitive issue has been fixed with MSCHAPv2 authentication (thanks Alexey)
FIX: Case sensitive issue has been fixed during FastCreateUser process
FIX: {MultiotpUserDisplayName} tag usage in templates (was not replaced in the QRcode)
ENH: Created users are trimmed to avoid bad space prefix/suffix during copy/paste
ENH: multiOTP Credential Provider enhanced support
ENH: New default-2fa-digits command line option to set the default amount of OTP digits
ENH: PHP 8.4.x deprecated code cleaned (xml_set_object removed)
ENH: New Message-Authenticator requirement support for FortiGate v7.2.10+, v7.4.5+ and v7.6.1+
ENH: New SetCurrentUserSid function for new Credential Provider -usersid option
ENH: Embedded Windows PHP edition updated to version 8.3.15
ENH: Embedded Windows nginx edition updated to version 1.27.3

Dockerfile

@@ -15,10 +15,10 @@
 # Please check https://www\.multiOTP.net/ and you will find the magic button ;-)
 #
 # @author    Andre Liechti, SysCo systemes de communication sa, <info@multiotp.net>
-# @version   5.9.8.0
-# @date      2024-08-26
+# @version   5.9.9.1
+# @date      2025-01-20
 # @since     2013-11-29
-# @copyright (c) 2013-2024 SysCo systemes de communication sa
+# @copyright (c) 2013-2025 SysCo systemes de communication sa
 # @copyright GNU Lesser General Public License
 #
 # docker build .
@@ -47,7 +47,7 @@ MAINTAINER Andre Liechti <andre.liechti@multiotp.net>
 LABEL Description="multiOTP open source, running on Debian ${DEBIAN} with PHP${PHPVERSION}." \
       License="LGPL-3.0" \
       Usage="docker run -v [PATH/TO/MULTIOTP/DATA/VOLUME]:/etc/multiotp -v [PATH/TO/FREERADIUS/CONFIG/VOLUME]:/etc/freeradius -v [PATH/TO/MULTIOTP/LOG/VOLUME]:/var/log/multiotp -v [PATH/TO/FREERADIUS/LOG/VOLUME]:/var/log/freeradius -p [HOST WWW PORT NUMBER]:80 -p [HOST SSL PORT NUMBER]:443 -p [HOST RADIUS-AUTH PORT NUMBER]:1812/udp -p [HOST RADIUS-ACCNT PORT NUMBER]:1813/udp -d multiotp-open-source" \
-      Version="5.9.8.0"
+      Version="5.9.9.1"
 
 ARG DEBIAN_FRONTEND=noninteractive
 

README.md

@@ -3,10 +3,10 @@ multiOTP open source
 multiOTP open source is a GNU LGPL implementation of a strong two-factor authentication PHP class  
 multiOTP open source is OATH certified for HOTP/TOTP
 
-(c) 2010-2024 SysCo systemes de communication sa  
+(c) 2010-2025 SysCo systemes de communication sa  
 https://www.multiotp.net/
 
-Current build: 5.9.8.0 (2024-08-26)
+Current build: 5.9.9.1 (2025-01-20)
 
 Binary download: https://download.multiotp.net/ (including virtual appliance image)
 
@@ -151,13 +151,26 @@ WHAT'S NEW IN THIS 5.9.x RELEASE
 - Users without 2FA tokens don't see the second screen in the Credential Provider during logon
 - New Raspberry, Hyper-V and OVA appliances available (version 011, based on Debian 11)
 - Scratchlist can be generated from the Web GUI
-- {MultiOtpDisplayName} (AD/LDAP DisplayName) can be used in templates
+- {MultiotpUserDisplayName} (AD/LDAP DisplayName) can be used in templates
 - New open source on-premises SMS provider support (https://github.com/multiOTP/SMSGateway)
 
 
 CHANGE LOG OF RELEASED VERSIONS
 ===============================
 ```
+2025-01-20 5.9.9.1 FIX: Windows backup temp folder is now the default system temp folder
+                   FIX: Adding -sync-delete-retention-days parameter doesn't return missing parameters error
+                   FIX: Case sensitive issue has been fixed with MSCHAPv2 authentication (thanks Alexey)
+                   FIX: Case sensitive issue has been fixed during FastCreateUser process
+                   ENH: Created users are trimmed to avoid bad space prefix/suffix during copy/paste
+                   ENH: multiOTP Credential Provider enhanced support
+                   ENH: New default-2fa-digits command line option to set the default amount of OTP digits 
+                   ENH: PHP 8.4.x deprecated code cleaned (xml_set_object removed)
+2025-01-10 5.9.8.3 FIX: {MultiotpUserDisplayName} tag usage in templates (was not replaced in the QRcode)
+                   ENH: New Message-Authenticator requirement support for FortiGate v7.2.10+, v7.4.5+ and v7.6.1+
+                   ENH: New SetCurrentUserSid function for new Credential Provider -usersid option
+                   ENH: Embedded Windows PHP edition updated to version 8.3.15
+                   ENH: Embedded Windows nginx edition updated to version 1.27.3
 2024-08-26 5.9.8.0 FIX: Database backend setup and initialization was not working well with some PHP version
                    ENH: New option to force writing logs only in file (even if the backend is a database)
                    ENH: Spryng SMS provider support
@@ -227,7 +240,7 @@ CHANGE LOG OF RELEASED VERSIONS
                    ENH: Additional CLI option -nt-key-only added
 2022-05-26 5.9.0.3 FIX: Issue with /run/php when a Docker container is restarted
                    FIX: {MultiOtpVersion} is now correctly replaced in scratchtemplate.html
-                   ENH: {MultiOtpDisplayName} tag (AD/LDAP DisplayName) can be used in templates
+                   ENH: {MultiotpUserDisplayName} tag (AD/LDAP DisplayName) can be used in templates
 2022-05-20 5.9.0.2 FIX: User account containing octal encoded ISO characters are now also converted to UTF
 2022-05-18 5.9.0.1 FIX: Set specific flags to run Perl scripts from FreeRADIUS
 2022-05-18 5.9.0.0 FIX: User account containing special ISO characters are now also converted to UTF
@@ -1916,8 +1929,8 @@ MULTIOTP COMMAND LINE TOOL
 ==========================
 
 ``` 
-multiOTP 5.9.8.0 (2024-08-26)
-(c) 2010-2024 SysCo systemes de communication sa
+multiOTP 5.9.9.1 (2025-01-20)
+(c) 2010-2025 SysCo systemes de communication sa
 http://www.multiOTP.net   (you can try the [Donate] button ;-)
 
 multiotp will check if the token of a user is correct, based on a specified
@@ -1942,7 +1955,7 @@ If the PIN is not given, it is generated randomly.
 
 To quickly create a user without a prefix PIN request, use -fastcreatenopin
 
-To quickly create a user with a prefix PIN request, use -fastecreatewithpin
+To quickly create a user with a prefix PIN request, use -fastcreatewithpin
 
 If a token is locked (return code 24), you have to resync the token to unlock.
 Requesting an SMS token (put sms as the password), and typing the received
@@ -2041,7 +2054,7 @@ Usage:
 
  multiotp -fastcreate user [pin] (create a TOTP compatible token)
  multiotp -fastcreatenopin user (create a user without a prefix PIN)
- multiotp -fastecreatewithpin user [pin] (create a user with a prefix PIN)
+ multiotp -fastcreatewithpin user [pin] (create a user with a prefix PIN)
  multiotp -createga user base32_seed [pin] (create Google Auth user with TOTP)
  multiotp -create user algo seed pin digits [pos|interval]
  multiotp -create -token-id user token-id pin
@@ -2107,6 +2120,7 @@ Usage:
                              (code result are also displayed on the console)
                debug-prefix: add a prefix when using the debug mode
                              (for example 'Reply-Message := ' for FreeRADIUS)
+         default-2fa-digits: [6-16] set the default amount of OTP digits
          default-pin-digits: [4-32] set the default amount of PIN digits
  default-request-prefix-pin: [0|1] prefix PIN enabled/disabled by default
    default-request-ldap-pwd: [0|1] LDAP/AD password enabled/disabled by default
@@ -2247,6 +2261,8 @@ Authentication parameters:
  -state=State
  -tag=Client-Shortname
 
+ -usersid=Windows SID of the user (provided by multiOTP Credential Provider)
+
 
 Client/server inline parameters:
 
@@ -2446,8 +2462,8 @@ Visit https://forum.multiotp.net/ for additional support
 ``` 
 
 ``` 
-Hash verification for multiotp_5.9.8.0.zip 
-SHA256:13cfaad7da594014c106faec4a934d12d720ce92820b21816e6f0d5d4e1231e4 
-SHA1:9df76683482959dab99c2688332e7eaa3b4033b7 
-MD5:1d73c1f2c102b3243b1b21025cb412f5 
+Hash verification for multiotp_5.9.9.1.zip 
+SHA256:d391722d8c2fcf231773d0a0075a628cbbdfd10a3d78f9573ed663bede2ec32d 
+SHA1:4564e108a96d062b06979b5cf5e35dde30ca3ca6 
+MD5:0c9bc189ddc4e4a66ea5112636b683b2 
 ``` 

check.multiotp.class.php

@@ -22,17 +22,17 @@
  * PHP 5.4.0 or higher is supported.
  *
  * @author    Andre Liechti, SysCo systemes de communication sa, <info@multiotp.net>
- * @version   5.9.8.0
- * @date      2024-08-26
+ * @version   5.9.9.1
+ * @date      2025-01-20
  * @since     2013-07-10
- * @copyright (c) 2013-2024 SysCo systemes de communication sa
+ * @copyright (c) 2013-2025 SysCo systemes de communication sa
  * @copyright GNU Lesser General Public License
  *
  *//*
  *
  * LICENCE
  *
- *   Copyright (c) 2013-2024 SysCo systemes de communication sa
+ *   Copyright (c) 2013-2025 SysCo systemes de communication sa
  *   SysCo (tm) is a trademark of SysCo systemes de communication sa
  *   (http://www.sysco.ch/)
  *   All rights reserved.

checkmultiotp.cmd

@@ -11,10 +11,10 @@ REM
 REM Windows batch file for Windows 2K/XP/2003/7/2008/8/2012/10/2019
 REM
 REM @author    Andre Liechti, SysCo systemes de communication sa, <info@multiotp.net>
-REM @version   5.9.8.0
-REM @date      2024-08-26
+REM @version   5.9.9.1
+REM @date      2025-01-20
 REM @since     2010-07-10
-REM @copyright (c) 2010-2024 SysCo systemes de communication sa
+REM @copyright (c) 2010-2025 SysCo systemes de communication sa
 REM @copyright GNU Lesser General Public License
 REM
 REM
@@ -38,7 +38,7 @@ REM
 REM
 REM Licence
 REM
-REM   Copyright (c) 2010-2024 SysCo systemes de communication sa
+REM   Copyright (c) 2010-2025 SysCo systemes de communication sa
 REM   SysCo (tm) is a trademark of SysCo systemes de communication sa
 REM   (http://www.sysco.ch/)
 REM   All rights reserved.
@@ -142,6 +142,9 @@ REM Web service test ports
 IF "%_check_web_port%"=="" SET _check_web_port=58112
 IF "%_check_ssl_port%"=="" SET _check_ssl_port=58113
 
+REM SID value
+IF "%_check_sid%"=="" SET _check_ssl_port=1-2-3-4
+
 REM Ports can also be defined as parameters
 IF NOT "%1"=="" SET _check_r_auth_port=%1
 IF NOT "%2"=="" SET _check_r_acct_port=%2
@@ -208,7 +211,32 @@ IF "mysql"=="%_backend%" %_multiotp% -display-log -initialize-backend
 IF "pgsql"=="%_backend%" %_multiotp% -display-log -initialize-backend
 
 
-REM Delete the test_stéphane (if existing)
+REM Delete the user test_2fa_8 (if existing), result is 12 if deleted
+%_multiotp% -log -delete test_2fa_8
+IF NOT ERRORLEVEL 13 ECHO.
+IF NOT ERRORLEVEL 13 ECHO - User test_2fa_8 successfully deleted
+
+ECHO.
+ECHO Create user test_2fa_8 with the RFC test values HOTP token and an alpha PIN
+%_multiotp% -log -config default-2fa-digits=8
+%_multiotp% -log -create -prefix-pin test_2fa_8 HOTP 3132333435363738393031323334353637383930 "ThisIsMyPinCode"
+IF NOT ERRORLEVEL 12 ECHO - OK! User test_2fa_8 successfully created
+IF NOT ERRORLEVEL 12 SET /A SUCCESSES=SUCCESSES+1
+IF ERRORLEVEL 12 ECHO - KO! Error %ERRORLEVEL% creating the user test_2fa_8
+IF ERRORLEVEL 12 ECHO - KO! Error %ERRORLEVEL% creating the user test_2fa_8 (%_backend%) >>"%TEMP%\multiotp_error.log"
+%_multiotp% -log -config default-2fa-digits=6
+SET /A TOTAL_TESTS=TOTAL_TESTS+1
+
+ECHO.
+ECHO Authenticate test_2fa_8 with the second token of the RFC test values, with prefix
+%_multiotp% -keep-local -log test_2fa_8 "ThisIsMyPinCode94287082"
+IF NOT ERRORLEVEL 1 ECHO - OK! Token of the user test_2fa_8 successfully accepted
+IF NOT ERRORLEVEL 1 SET /A SUCCESSES=SUCCESSES+1
+IF ERRORLEVEL 1 ECHO - KO! Error %ERRORLEVEL% authenticating test_2fa_8 with prefix
+IF ERRORLEVEL 1 ECHO - KO! Error %ERRORLEVEL% authenticating test_2fa_8 with prefix (%_backend%) >>"%TEMP%\multiotp_error.log"
+SET /A TOTAL_TESTS=TOTAL_TESTS+1
+
+REM Delete the user test_stéphane (if existing)
 %_multiotp% -log -delete test_stéphane
 IF NOT ERRORLEVEL 13 ECHO.
 IF NOT ERRORLEVEL 13 ECHO - User test_stéphane successfully deleted
@@ -218,28 +246,28 @@ ECHO Create user test_stéphane with the RFC test values HOTP token and a big al
 %_multiotp% -log -create -prefix-pin test_stéphane HOTP 3132333435363738393031323334353637383930 "ThisIsALongNonDigitPinCode!" 6 0
 IF NOT ERRORLEVEL 12 ECHO - OK! User test_stéphane successfully created
 IF NOT ERRORLEVEL 12 SET /A SUCCESSES=SUCCESSES+1
-IF ERRORLEVEL 12 ECHO - KO! Error creating the user test_stéphane
-IF ERRORLEVEL 12 ECHO - KO! Error creating the user test_stéphane (%_backend%) >>"%TEMP%\multiotp_error.log"
+IF ERRORLEVEL 12 ECHO - KO! Error %ERRORLEVEL% creating the user test_stéphane
+IF ERRORLEVEL 12 ECHO - KO! Error %ERRORLEVEL% creating the user test_stéphane (%_backend%) >>"%TEMP%\multiotp_error.log"
 SET /A TOTAL_TESTS=TOTAL_TESTS+1
 
 ECHO.
 ECHO Authenticate test_stéphane with the first token of the RFC test values, no prefix
-%_multiotp% -keep-local -log test_st\351phane 755224
-IF NOT ERRORLEVEL 1 ECHO - KO! Token of the user test_stéphane successfully accepted without prefix
-IF NOT ERRORLEVEL 1 ECHO - KO! Token of the user test_stéphane successfully accepted without prefix (%_backend%) >>"%TEMP%\multiotp_error.log"
-IF NOT ERRORLEVEL 1 GOTO ErrorNoPrefix
-IF ERRORLEVEL 1 ECHO - OK! Token of the user test_stéphane successfully REJECTED (no prefix)
-IF ERRORLEVEL 1 SET /A SUCCESSES=SUCCESSES+1
+%_multiotp% -usersid=%_check_sid% -keep-local -log test_st\351phane 755224
+IF NOT ERRORLEVEL 90 ECHO - KO! Token of user test_stéphane (SID %_check_sid%) not refused (error %ERRORLEVEL%)
+IF NOT ERRORLEVEL 90 ECHO - KO! Token of user test_stéphane (SID %_check_sid%) not refused (error %ERRORLEVEL%) (%_backend%) >>"%TEMP%\multiotp_error.log"
+IF NOT ERRORLEVEL 90 GOTO ErrorNoPrefix
+IF ERRORLEVEL 90 ECHO - OK! Token of the user test_stéphane successfully REJECTED (no prefix)
+IF ERRORLEVEL 90 SET /A SUCCESSES=SUCCESSES+1
 :ErrorNoPrefix
 SET /A TOTAL_TESTS=TOTAL_TESTS+1
 
 ECHO.
 ECHO Authenticate test_stéphane with the first token of the RFC test values, with prefix
-%_multiotp% -keep-local -log test_st\351phane "ThisIsALongNonDigitPinCode!755224"
-IF NOT ERRORLEVEL 1 ECHO - OK! Token of the user test_stéphane successfully accepted
+%_multiotp% -usersid=%_check_sid% -keep-local -log test_st\351phane "ThisIsALongNonDigitPinCode!755224"
+IF NOT ERRORLEVEL 1 ECHO - OK! Token of the user test_stéphane (SID %_check_sid%) successfully accepted
 IF NOT ERRORLEVEL 1 SET /A SUCCESSES=SUCCESSES+1
-IF ERRORLEVEL 1 ECHO - KO! Error authenticating the user test_stéphane with the first token
-IF ERRORLEVEL 1 ECHO - KO! Error authenticating the user test_stéphane with the first token (%_backend%) >>"%TEMP%\multiotp_error.log"
+IF ERRORLEVEL 1 ECHO - KO! Error %ERRORLEVEL% authenticating test_stéphane (SID %_check_sid%) with prefix
+IF ERRORLEVEL 1 ECHO - KO! Error %ERRORLEVEL% authenticating test_stéphane (SID %_check_sid%) with prefix (%_backend%) >>"%TEMP%\multiotp_error.log"
 SET /A TOTAL_TESTS=TOTAL_TESTS+1
 
 REM Delete the test_user (if existing)
@@ -252,8 +280,8 @@ ECHO Create user test_user with the RFC test values HOTP token and a big alpha P
 %_multiotp% -log -create -prefix-pin test_user HOTP 3132333435363738393031323334353637383930 "ThisIsALongNonDigitPinCode!" 6 0
 IF NOT ERRORLEVEL 12 ECHO - OK! User test_user successfully created
 IF NOT ERRORLEVEL 12 SET /A SUCCESSES=SUCCESSES+1
-IF ERRORLEVEL 12 ECHO - KO! Error creating the user test_user
-IF ERRORLEVEL 12 ECHO - KO! Error creating the user test_user (%_backend%) >>"%TEMP%\multiotp_error.log"
+IF ERRORLEVEL 12 ECHO - KO! Error %ERRORLEVEL% creating the user test_user
+IF ERRORLEVEL 12 ECHO - KO! Error %ERRORLEVEL% creating the user test_user (%_backend%) >>"%TEMP%\multiotp_error.log"
 SET /A TOTAL_TESTS=TOTAL_TESTS+1
 
 ECHO.

contrib/MultiotpAdLdap.php

@@ -3,10 +3,11 @@
     PHP LDAP CLASS FOR MANIPULATING ACTIVE DIRECTORY
     Version 2.1+
 
-	Adapted 2013-2022 by SysCo/al 5.9.5.5 (2023-01-18)
+	Adapted 2013-2024 by SysCo/al 5.9.8.2 (2024-12-20)
 
  *
- * 
+ *   2024-12-20 5.9.8.2 SysCo/al $attributes["telephoneNumber"] checked
+ *
  *   2023-01-18 5.9.5.5 SysCo/al New _ldap_filter attribute
  *                               New paging support for 7.3+
  *
@@ -1470,6 +1471,7 @@ function adldap_schema($attributes) {
       if ($attributes["script_path"]){ $mod["scriptPath"][0]=$attributes["script_path"]; }
       if ($attributes["surname"]){ $mod["sn"][0]=$attributes["surname"]; }
       if ($attributes["title"]){ $mod["title"][0]=$attributes["title"]; }
+      if ($attributes["telephoneNumber"]){ $mod["telephoneNumber"][0]=$attributes["telephoneNumber"]; }
       if ($attributes["telephone"]){ $mod["telephoneNumber"][0]=$attributes["telephone"]; }
       if ($attributes["mobile"]){ $mod["telephoneNumber"][0]=$attributes["mobile"]; }
       if ($attributes["web_page"]){ $mod["wWWHomePage"][0]=$attributes["web_page"]; }

contrib/MultiotpTools.php

@@ -1198,4 +1198,22 @@ function mask2cidr($mask) {
     }
 }
 
+
+if (!function_exists('protect_file'))
+{
+  function protect_file(
+    $file,
+    $sid
+  ) {
+    if (mb_strtolower(mb_substr(PHP_OS, 0, 3),'UTF-8') === 'win') {
+      $sidAdmin = 'S-1-5-32-544';
+      $sidUsers = 'S-1-5-32-545';
+      $sidAuthenticatedUsers = 'S-1-5-11';
+      exec("icacls \"$file\" /grant *$sid:F");
+      exec("icacls \"$file\" /grant *$sidAdmin:F");
+      exec("icacls \"$file\" /inheritance:r /remove:g *$sidUsers");
+      exec("icacls \"$file\" /inheritance:r /remove:g *$sidAuthenticatedUsers");
+    }
+  }
+}
 ?>

contrib/MultiotpXmlParser.php

@@ -88,11 +88,8 @@ function Parse()
     {
         //Create the parser resource
         $this->parser = xml_parser_create();
-
-        //Set the handlers
-        xml_set_object($this->parser, $this);
-        xml_set_element_handler($this->parser, 'StartElement', 'EndElement');
-        xml_set_character_data_handler($this->parser, 'CharacterData');
+        xml_set_element_handler($this->parser, [$this, 'StartElement'], [$this, 'EndElement']);
+        xml_set_character_data_handler($this->parser, [$this, 'CharacterData']);
 
         //Error handling
         if (!xml_parse($this->parser, $this->xml))

launcher/ReadMe.txt

@@ -15,15 +15,15 @@ The multiOTP C++ launcher is simply used to launch PHP
 and run multiotp.windows.php with the provided arguments.
 
 @author    Andre Liechti, SysCo systemes de communication sa, <info@multiotp.net>
-@version   5.9.8.0
-@date      2024-08-26
+@version   5.9.9.1
+@date      2025-01-20
 @since     2016-12-08
-@copyright (c) 2010-2024 SysCo systemes de communication sa
+@copyright (c) 2010-2025 SysCo systemes de communication sa
 @copyright GNU Lesser General Public License
 
 LICENCE
 
-Copyright (c) 2010-2024 SysCo systemes de communication sa
+Copyright (c) 2010-2025 SysCo systemes de communication sa
 SysCo (tm) is a trademark of SysCo systemes de communication sa
 (http://www.sysco.ch)
 All rights reserved.

launcher/launcher.cpp

@@ -14,17 +14,17 @@
  * and run multiotp.windows.php with the provided arguments.
  *
  * @author    Andre Liechti, SysCo systemes de communication sa, <info@multiotp.net>
- * @version   5.9.8.0
- * @date      2024-08-26
+ * @version   5.9.9.1
+ * @date      2025-01-20
  * @since     2016-12-08
- * @copyright (c) 2010-2024 SysCo systemes de communication sa
+ * @copyright (c) 2010-2025 SysCo systemes de communication sa
  * @copyright GNU Lesser General Public License
  *
  *//*
  *
  * LICENCE
  *
- *   Copyright (c) 2010-2024 SysCo systemes de communication sa
+ *   Copyright (c) 2010-2025 SysCo systemes de communication sa
  *   SysCo (tm) is a trademark of SysCo systemes de communication sa
  *   (http://www.sysco.ch)
  *   All rights reserved.
@@ -68,8 +68,8 @@
 #include <iostream>
 
 #define SOFTWARE    "LAUNCHPHPMULTIOTP"
-#define VER_NUMBER  "5.9.8.0"
-#define VER_DATE    "2024-08-26"
+#define VER_NUMBER  "5.9.9.1"
+#define VER_DATE    "2025-01-20"
 
 void replaceAll(std::string& str, const std::string& from, const std::string& to) {
     if (from.empty())