Standardise logging in YK-KSM to be like YK-VAL (use logdie() and a

logger function).

Remove unused $logfacility variable in config.

Enable $logging switch to enable or disable any logging. Default to
not logging anything out-of-the-box.

Makefile

@@ -30,7 +30,7 @@ VERSION = 1.14
 PACKAGE = yubikey-ksm
 CODE = .htaccess Makefile NEWS README ykksm-config.php ykksm-db.sql	\
 	ykksm-decrypt.php ykksm-export ykksm-gen-keys	\
-	ykksm-import ykksm-utils.php ykksm-checksum
+	ykksm-import ykksm-utils.php ykksm-log.php ykksm-checksum
 DOCS = doc/DecryptionProtocol.wiki doc/DesignGoals.wiki		\
 	doc/GenerateKeys.wiki doc/GenerateKSMKey.wiki		\
 	doc/ImportKeysToKSM.wiki doc/Installation.wiki		\
@@ -56,6 +56,7 @@ wwwgroup = www-data
 install: $(MANS)
 	install -D --mode 640 .htaccess $(DESTDIR)$(phpprefix)/.htaccess
 	install -D --mode 640 ykksm-decrypt.php $(DESTDIR)$(phpprefix)/ykksm-decrypt.php
+	install -D --mode 640 ykksm-log.php $(DESTDIR)$(phpprefix)/ykksm-log.php
 	install -D --mode 640 ykksm-utils.php $(DESTDIR)$(phpprefix)/ykksm-utils.php
 	install -D ykksm-gen-keys $(DESTDIR)$(binprefix)/ykksm-gen-keys
 	install -D ykksm-import $(DESTDIR)$(binprefix)/ykksm-import

ykksm-config.php

@@ -15,5 +15,6 @@ $db_dsn      = "$dbtype:dbname=$dbname;host=127.0.0.1";
 $db_username = $dbuser;
 $db_password = $dbpass;
 $db_options  = array();
-$logfacility = LOG_AUTH;
+
+$logging     = FALSE; // set to TRUE to log anything
 ?>

ykksm-decrypt.php

@@ -30,20 +30,19 @@
 
 require_once 'ykksm-config.php';
 require_once 'ykksm-utils.php';
+require_once('ykksm-log.php');
 
-openlog("ykksm", LOG_PID, $logfacility)
-  or die("ERR Syslog open error\n");
+$myLog = new Log('ykksm-decrypt');
+$myLog->addField('ip', $_SERVER['REMOTE_ADDR']);
 
 $otp = $_REQUEST["otp"];
 if (!$otp) {
-  syslog(LOG_INFO, "No OTP provided");
-  die("ERR No OTP provided\n");
- }
+  logdie($myLog, "NO OTP provided", $logging);
+  }
 
 if (!preg_match("/^([cbdefghijklnrtuv]{0,16})([cbdefghijklnrtuv]{32})$/",
 		$otp, $matches)) {
-  syslog(LOG_INFO, "Invalid OTP format: $otp");
-  die("ERR Invalid OTP format\n");
+  logdie($myLog, "Invalid OTP format: $otp", $logging);
  }
 $id = $matches[1];
 $modhex_ciphertext = $matches[2];
@@ -56,8 +55,7 @@ if (!$use_oci) {
   try {
     $dbh = new PDO($db_dsn, $db_username, $db_password, $db_options);
    } catch (PDOException $e) {
-    syslog(LOG_ERR, "Database error: " . $e->getMessage());
-    die("ERR Database error\n");
+    logdie($myLog, "Database error: " . $e->getMessage(), $logging);
    }
  }
 else {
@@ -66,8 +64,7 @@ else {
   $dbh = oci_connect($db_username, $db_password, $db_dsn);
   if (!$dbh) {
     $error = oci_error();
-    syslog(LOG_err, "Database error: " . $error["message"]);
-    die("ERR Database error\n");
+    logdie($myLog, "Database error: " . $error["message"], $logging);
    }
  }
 
@@ -78,9 +75,8 @@ if (!$use_oci) {
   $sql .= "(active OR active = 'true')";
   $result = $dbh->query($sql);
   if (!$result) {
-    syslog(LOG_ERR, "Database query error.  Query: " . $sql . " Error: " .
-           print_r ($dbh->errorInfo (), true));
-    die("ERR Database error\n");
+    logdie($myLog, "Database query error.  Query: " . $sql . " Error: " .
+           print_r ($dbh->errorInfo (), true), $logging);
    }
 
   $row = $result->fetch(PDO::FETCH_ASSOC);
@@ -93,10 +89,9 @@ else {
   $execute = oci_execute($result);
   if (!$execute) {
     $error = oci_error($result);
-    syslog(LOG_ERR, 'Database query error.   Query:  ' . $sql . 'Error: CODE : ' . $error["code"] .
+    logdie($myLog, 'Database query error.   Query:  ' . $sql . 'Error: CODE : ' . $error["code"] .
            ' MESSAGE : ' . $error["message"] . ' POSITION : ' . $error["offset"] .
-           ' STATEMENT : ' . $error["sqltext"]);
-    die("ERR Database error\n");
+           ' STATEMENT : ' . $error["sqltext"], $logging);
    }
 
   $row = oci_fetch_array($result, OCI_ASSOC);
@@ -105,8 +100,7 @@ else {
  }
 
 if (!$aeskey) {
-  syslog(LOG_INFO, "Unknown yubikey: " . $otp);
-  die("ERR Unknown yubikey\n");
+  logdie($myLog, "Unknown yubikey: " . $otp, $logging);
  }
 
 $ciphertext = modhex2hex($modhex_ciphertext);
@@ -114,13 +108,11 @@ $plaintext = aes128ecb_decrypt($aeskey, $ciphertext);
 
 $uid = substr($plaintext, 0, 12);
 if (strcmp($uid, $internalname) != 0) {
-  syslog(LOG_ERR, "UID error: $otp $plaintext: $uid vs $internalname");
-  die("ERR Corrupt OTP\n");;
+  logdie($myLog, "UID error: $otp $plaintext: $uid vs $internalname", $logging);
  }
 
 if (!crc_is_good($plaintext)) {
-  syslog(LOG_ERR, "CRC error: $otp: $plaintext");
-  die("ERR Corrupt OTP\n");
+  logdie($myLog, "CRC error: $otp: $plaintext", $logging);
  }
 
 # Mask out interesting fields
@@ -131,8 +123,7 @@ $use = substr($plaintext, 22, 2);
 
 $out = "OK counter=$counter low=$low high=$high use=$use";
 
-syslog(LOG_INFO, "SUCCESS OTP $otp PT $plaintext $out")
-  or die("ERR Log error\n");
+$myLog->log(LOG_DEBUG, "SUCCESS OTP $otp PT $plaintext $out", NULL, $logging);
 
 print "$out\n";
 

ykksm-log.php

@@ -0,0 +1,76 @@
+<?php
+
+# Copyright (c) 2010-2013 Yubico AB
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#   * Redistributions of source code must retain the above copyright
+#     notice, this list of conditions and the following disclaimer.
+#
+#   * Redistributions in binary form must reproduce the above
+#     copyright notice, this list of conditions and the following
+#     disclaimer in the documentation and/or other materials provided
+#     with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+class Log
+{
+
+  function __construct($name='ykksm')
+  {
+    $this->name=$name;
+    $this->fields=array();
+
+    $this->LOG_LEVELS = array(LOG_EMERG=>'LOG_EMERG',
+                              LOG_ALERT=>'LOG_ALERT',
+                              LOG_CRIT=>'LOG_CRIT',
+                              LOG_ERR=>'LOG_ERR',
+                              LOG_WARNING=>'LOG_WARNING',
+                              LOG_NOTICE=>'LOG_NOTICE',
+                              LOG_INFO=>'LOG_INFO',
+                              LOG_DEBUG=>'LOG_DEBUG');
+
+    openlog("ykksm", LOG_PID, LOG_LOCAL0);
+  }
+
+  function addField($name, $value)
+  {
+    $this->fields[$name]=$value;
+  }
+
+  function log($priority, $message, $arr=null, $logging=FALSE){
+    if ($logging) {
+      if (is_array($arr)) {
+        foreach($arr as $key=>$value){
+          $message.=" $key=$value ";
+        }
+      }
+      # Add fields
+      $msg_fields = "";
+      foreach ($this->fields as $field=>$value) {
+        $msg_fields .= "[" . $value . "] ";
+      }
+      syslog($priority,
+             $this->LOG_LEVELS[$priority] . ':' .
+             $this->name . ':' .
+             $msg_fields .
+             $message);
+    }
+  }
+}
+
+?>

ykksm-utils.php

@@ -77,4 +77,11 @@ function crc_is_good($token) {
   return $crc == 0xf0b8;
 }
 
+
+function logdie ($logger, $str, $logging=FALSE)
+{
+  $logger->log(LOG_INFO, $str, NULL, $logging);
+  die($str . "\n");
+}
+
 ?>