Standardise logging in YK-KSM to be like YK-VAL (use logdie() and a
logger function). Remove the unused $logfacility variable from the config. Add a $logging switch that enables or disables all logging. Default to not logging anything out-of-the-box.
parent
b08cff5d4c
commit
8e36c1b482
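--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ VERSION = 1.14
 PACKAGE = yubikey-ksm
 CODE = .htaccess Makefile NEWS README ykksm-config.php ykksm-db.sql \
 ykksm-decrypt.php ykksm-export ykksm-gen-keys \
-ykksm-import ykksm-utils.php ykksm-checksum
+ykksm-import ykksm-utils.php ykksm-log.php ykksm-checksum
 DOCS = doc/DecryptionProtocol.wiki doc/DesignGoals.wiki \
 doc/GenerateKeys.wiki doc/GenerateKSMKey.wiki \
 doc/ImportKeysToKSM.wiki doc/Installation.wiki \
@@ -56,6 +56,7 @@ wwwgroup = www-data
 install: $(MANS)
 install -D --mode 640 .htaccess $(DESTDIR)$(phpprefix)/.htaccess
 install -D --mode 640 ykksm-decrypt.php $(DESTDIR)$(phpprefix)/ykksm-decrypt.php
+install -D --mode 640 ykksm-log.php $(DESTDIR)$(phpprefix)/ykksm-log.php
 install -D --mode 640 ykksm-utils.php $(DESTDIR)$(phpprefix)/ykksm-utils.php
 install -D ykksm-gen-keys $(DESTDIR)$(binprefix)/ykksm-gen-keys
 install -D ykksm-import $(DESTDIR)$(binprefix)/ykksm-import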
@ -15,5 +15,6 @@ $db_dsn = "$dbtype:dbname=$dbname;host=127.0.0.1";
|
|||||||
$db_username = $dbuser;
|
$db_username = $dbuser;
|
||||||
$db_password = $dbpass;
|
$db_password = $dbpass;
|
||||||
$db_options = array();
|
$db_options = array();
|
||||||
$logfacility = LOG_AUTH;
|
|
||||||
|
$logging = FALSE; // set to TRUE to log anything
|
||||||
?>
|
?>
|
||||||
|
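Review bot: With `$logging = FALSE;` as the shipped default, the KSM writes no syslog record at all — not for malformed OTPs, unknown YubiKeys, database failures or UID/CRC mismatches — so an operator has nothing to alert on until they discover and flip this switch. The openlog()/syslog() calls this commit removes from ykksm-decrypt.php logged unconditionally, so sites that upgrade without touching the config silently lose their audit trail. Consider stating that consequence on the line, e.g. `$logging = FALSE; // set to TRUE to enable syslog output; while FALSE no decrypt attempts, failures or errors are recorded`, or default to TRUE and let sites opt out.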
@ -30,20 +30,19 @@
|
|||||||
|
|
||||||
require_once 'ykksm-config.php';
|
require_once 'ykksm-config.php';
|
||||||
require_once 'ykksm-utils.php';
|
require_once 'ykksm-utils.php';
|
||||||
|
require_once('ykksm-log.php');
|
||||||
|
|
||||||
openlog("ykksm", LOG_PID, $logfacility)
|
$myLog = new Log('ykksm-decrypt');
|
||||||
or die("ERR Syslog open error\n");
|
$myLog->addField('ip', $_SERVER['REMOTE_ADDR']);
|
||||||
|
|
||||||
$otp = $_REQUEST["otp"];
|
$otp = $_REQUEST["otp"];
|
||||||
if (!$otp) {
|
if (!$otp) {
|
||||||
syslog(LOG_INFO, "No OTP provided");
|
logdie($myLog, "NO OTP provided", $logging);
|
||||||
die("ERR No OTP provided\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!preg_match("/^([cbdefghijklnrtuv]{0,16})([cbdefghijklnrtuv]{32})$/",
|
if (!preg_match("/^([cbdefghijklnrtuv]{0,16})([cbdefghijklnrtuv]{32})$/",
|
||||||
$otp, $matches)) {
|
$otp, $matches)) {
|
||||||
syslog(LOG_INFO, "Invalid OTP format: $otp");
|
logdie($myLog, "Invalid OTP format: $otp", $logging);
|
||||||
die("ERR Invalid OTP format\n");
|
|
||||||
}
|
}
|
||||||
$id = $matches[1];
|
$id = $matches[1];
|
||||||
$modhex_ciphertext = $matches[2];
|
$modhex_ciphertext = $matches[2];
|
||||||
@ -56,8 +55,7 @@ if (!$use_oci) {
|
|||||||
try {
|
try {
|
||||||
$dbh = new PDO($db_dsn, $db_username, $db_password, $db_options);
|
$dbh = new PDO($db_dsn, $db_username, $db_password, $db_options);
|
||||||
} catch (PDOException $e) {
|
} catch (PDOException $e) {
|
||||||
syslog(LOG_ERR, "Database error: " . $e->getMessage());
|
logdie($myLog, "Database error: " . $e->getMessage(), $logging);
|
||||||
die("ERR Database error\n");
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
@ -66,8 +64,7 @@ else {
|
|||||||
$dbh = oci_connect($db_username, $db_password, $db_dsn);
|
$dbh = oci_connect($db_username, $db_password, $db_dsn);
|
||||||
if (!$dbh) {
|
if (!$dbh) {
|
||||||
$error = oci_error();
|
$error = oci_error();
|
||||||
syslog(LOG_err, "Database error: " . $error["message"]);
|
logdie($myLog, "Database error: " . $error["message"], $logging);
|
||||||
die("ERR Database error\n");
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -78,9 +75,8 @@ if (!$use_oci) {
|
|||||||
$sql .= "(active OR active = 'true')";
|
$sql .= "(active OR active = 'true')";
|
||||||
$result = $dbh->query($sql);
|
$result = $dbh->query($sql);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
syslog(LOG_ERR, "Database query error. Query: " . $sql . " Error: " .
|
logdie($myLog, "Database query error. Query: " . $sql . " Error: " .
|
||||||
print_r ($dbh->errorInfo (), true));
|
print_r ($dbh->errorInfo (), true), $logging);
|
||||||
die("ERR Database error\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$row = $result->fetch(PDO::FETCH_ASSOC);
|
$row = $result->fetch(PDO::FETCH_ASSOC);
|
||||||
@ -93,10 +89,9 @@ else {
|
|||||||
$execute = oci_execute($result);
|
$execute = oci_execute($result);
|
||||||
if (!$execute) {
|
if (!$execute) {
|
||||||
$error = oci_error($result);
|
$error = oci_error($result);
|
||||||
syslog(LOG_ERR, 'Database query error. Query: ' . $sql . 'Error: CODE : ' . $error["code"] .
|
logdie($myLog, 'Database query error. Query: ' . $sql . 'Error: CODE : ' . $error["code"] .
|
||||||
' MESSAGE : ' . $error["message"] . ' POSITION : ' . $error["offset"] .
|
' MESSAGE : ' . $error["message"] . ' POSITION : ' . $error["offset"] .
|
||||||
' STATEMENT : ' . $error["sqltext"]);
|
' STATEMENT : ' . $error["sqltext"], $logging);
|
||||||
die("ERR Database error\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$row = oci_fetch_array($result, OCI_ASSOC);
|
$row = oci_fetch_array($result, OCI_ASSOC);
|
||||||
@ -105,8 +100,7 @@ else {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!$aeskey) {
|
if (!$aeskey) {
|
||||||
syslog(LOG_INFO, "Unknown yubikey: " . $otp);
|
logdie($myLog, "Unknown yubikey: " . $otp, $logging);
|
||||||
die("ERR Unknown yubikey\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$ciphertext = modhex2hex($modhex_ciphertext);
|
$ciphertext = modhex2hex($modhex_ciphertext);
|
||||||
@ -114,13 +108,11 @@ $plaintext = aes128ecb_decrypt($aeskey, $ciphertext);
|
|||||||
|
|
||||||
$uid = substr($plaintext, 0, 12);
|
$uid = substr($plaintext, 0, 12);
|
||||||
if (strcmp($uid, $internalname) != 0) {
|
if (strcmp($uid, $internalname) != 0) {
|
||||||
syslog(LOG_ERR, "UID error: $otp $plaintext: $uid vs $internalname");
|
logdie($myLog, "UID error: $otp $plaintext: $uid vs $internalname", $logging);
|
||||||
die("ERR Corrupt OTP\n");;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!crc_is_good($plaintext)) {
|
if (!crc_is_good($plaintext)) {
|
||||||
syslog(LOG_ERR, "CRC error: $otp: $plaintext");
|
logdie($myLog, "CRC error: $otp: $plaintext", $logging);
|
||||||
die("ERR Corrupt OTP\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Mask out interesting fields
|
# Mask out interesting fields
|
||||||
@ -131,8 +123,7 @@ $use = substr($plaintext, 22, 2);
|
|||||||
|
|
||||||
$out = "OK counter=$counter low=$low high=$high use=$use";
|
$out = "OK counter=$counter low=$low high=$high use=$use";
|
||||||
|
|
||||||
syslog(LOG_INFO, "SUCCESS OTP $otp PT $plaintext $out")
|
$myLog->log(LOG_DEBUG, "SUCCESS OTP $otp PT $plaintext $out", NULL, $logging);
|
||||||
or die("ERR Log error\n");
|
|
||||||
|
|
||||||
print "$out\n";
|
print "$out\n";
|
||||||
|
|
||||||
|
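Review bot: Every `logdie($myLog, ..., $logging)` call in this file now returns the full log string to the HTTP client, because logdie() in ykksm-utils.php ends with `die($str . "\n")`, whereas the replaced `die("ERR Corrupt OTP\n")` and `die("ERR Database error\n")` responses were deliberately generic. The UID and CRC branches therefore hand the decrypted `$plaintext` and `$internalname` to the caller, the database branches hand out `$sql` and the driver's error text, and the `ERR ` prefix the old responses carried is gone, so a validation server that parses for `OK`/`ERR` is likely to misread these replies. Keep the detailed text for the log and the generic text for the client, e.g. `$myLog->log(LOG_ERR, "UID error: $otp $plaintext: $uid vs $internalname", NULL, $logging); die("ERR Corrupt OTP\n");` in place of the current logdie() call, or give logdie() a separate client-message argument; the same applies to the ykksm-utils.php hunk that defines logdie(). Separately, the success line at the end of the file moved from LOG_INFO to LOG_DEBUG and the former `or die("ERR Log error\n")` check on syslog failure is dropped; confirm both are intended.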
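--- /dev/null
+++ b/ykksm-log.php
@@ -0,0 +1,76 @@
+<?php
+
+# Copyright (c) 2010-2013 Yubico AB
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+class Log
+{
+
+function __construct($name='ykksm')
+{
+$this->name=$name;
+$this->fields=array();
+
+$this->LOG_LEVELS = array(LOG_EMERG=>'LOG_EMERG',
+LOG_ALERT=>'LOG_ALERT',
+LOG_CRIT=>'LOG_CRIT',
+LOG_ERR=>'LOG_ERR',
+LOG_WARNING=>'LOG_WARNING',
+LOG_NOTICE=>'LOG_NOTICE',
+LOG_INFO=>'LOG_INFO',
+LOG_DEBUG=>'LOG_DEBUG');
+
+openlog("ykksm", LOG_PID, LOG_LOCAL0);
+}
+
+function addField($name, $value)
+{
+$this->fields[$name]=$value;
+}
+
+function log($priority, $message, $arr=null, $logging=FALSE){
+if ($logging) {
+if (is_array($arr)) {
+foreach($arr as $key=>$value){
+$message.=" $key=$value ";
+}
+}
+# Add fields
+$msg_fields = "";
+foreach ($this->fields as $field=>$value) {
+$msg_fields .= "[" . $value . "] ";
+}
+syslog($priority,
+$this->LOG_LEVELS[$priority] . ':' .
+$this->name . ':' .
+$msg_fields .
+$message);
+}
+}
+}
+
+?>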
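Review bot: `openlog("ykksm", LOG_PID, LOG_LOCAL0);` in the constructor hard-codes both the ident and the facility, so the `$logfacility` setting this commit removes from ykksm-config.php (previously `LOG_AUTH`, and consumed by the openlog() call removed from ykksm-decrypt.php) was not actually unused: sites that routed KSM events through the auth facility will now find them under local0, and the `$name` argument never reaches the syslog ident. Consider `openlog($name, LOG_PID, $facility);` with a `$facility = LOG_LOCAL0` constructor parameter, or re-read the config value. In log(), `$message` and the `$key=$value` pairs reach syslog() verbatim, and the "Invalid OTP format" call site passes the raw request value, so stripping control characters and newlines from the assembled string before the syslog() call would stop a request from forging extra log lines. Minor: `$this->name`, `$this->fields` and `$this->LOG_LEVELS` are undeclared dynamic properties, which newer PHP versions deprecate; declare them on the class, and a one-line docblock per method (what `$arr` and `$logging` do) would help callers.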
@ -77,4 +77,11 @@ function crc_is_good($token) {
|
|||||||
return $crc == 0xf0b8;
|
return $crc == 0xf0b8;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
function logdie ($logger, $str, $logging=FALSE)
|
||||||
|
{
|
||||||
|
$logger->log(LOG_INFO, $str, NULL, $logging);
|
||||||
|
die($str . "\n");
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
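Review bot: logdie() records every failure at LOG_INFO, so the database, UID and CRC errors that ykksm-decrypt.php used to report at LOG_ERR are now indistinguishable from a routine missing-OTP request when syslog is filtered by severity; a trailing parameter, `function logdie ($logger, $str, $logging=FALSE, $priority=LOG_INFO)` passed through as `$logger->log($priority, $str, NULL, $logging);`, keeps the existing call sites compatible. The function also has no docblock; a comment stating that `$str` is written both to syslog and, followed by a newline, to the client response, and that the function never returns, would make that exposure explicit to callers. crc_is_good() ends inside this hunk and nothing else from the file is visible.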