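<?php
/*
 * ykval-sync.php -- handle a counter-synchronisation request from another
 * validation server in the pool.
 *
 * Flow: authorise the peer by source address, connect to the backend, read
 * and validate the request parameters, conditionally raise the local
 * counters, log any discrepancy between the two counter sets, and finally
 * answer with the local (pre-update) counter state.
 *
 * Protocol: http://code.google.com/p/yubikey-val-server-php/wiki/ServerReplicationProtocol
 */
require_once 'ykval-common.php';
require_once 'ykval-config.php';
require_once 'ykval-synclib.php';

/* Sync responses are not signed: every sendResp() below carries an empty key. */
$apiKey = '';
header("content-type: text/plain");

/* REMOTE_ADDR is the TCP peer address as seen by this host. It is the only
 * credential a sync peer presents, so this script must not be reachable
 * through a reverse proxy (where REMOTE_ADDR would be the proxy) and
 * transport protection (TLS or a private network) has to be arranged outside
 * of it. */
$remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$queryString = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';

$myLog = new Log('ykval-sync');
$myLog->addField('ip', $remoteAddr);
$myLog->log(LOG_INFO, "Request: " . $queryString);

#
# Verify that the request comes from a server in the configured sync pool.
# This is done before anything touches the backend, so an unauthorised peer
# learns nothing about the database state (S_BACKEND_ERROR vs S_OK).
#
$myLog->log(LOG_INFO, 'remote request ip is ' . $remoteAddr);
$allowedPool = isset($baseParams['__YKVAL_ALLOWED_SYNC_POOL__'])
    ? $baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] : array();
if (!is_array($allowedPool)) {
    $allowedPool = array();
}
$myLog->log(LOG_DEBUG, 'checking against allowed sync pool', $allowedPool);
/* Strict string comparison: an empty REMOTE_ADDR never matches, and no
 * type juggling between the header value and the configured entries. */
if ($remoteAddr === '' || !in_array($remoteAddr, $allowedPool, true)) {
    $myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $remoteAddr);
    sendResp(S_OPERATION_NOT_ALLOWED, $apiKey);
    exit;
}
$myLog->log(LOG_DEBUG, 'server ' . $remoteAddr . ' is allowed');

#
# Backend connection
#
$sync = new SyncLib('ykval-sync:synclib');
$sync->addField('ip', $remoteAddr);
if (!$sync->isConnected()) {
    $myLog->log(LOG_ERR, 'Backend not connected, refusing sync request');
    sendResp(S_BACKEND_ERROR, $apiKey);
    exit;
}

#
# Define requirements on protocol: every one of these parameters is mandatory.
#
$syncParams = array('modified' => null,
                    'otp' => null,
                    'nonce' => null,
                    'yk_publicname' => null,
                    'yk_counter' => null,
                    'yk_use' => null,
                    'yk_high' => null,
                    'yk_low' => null);

#
# Extract values from the HTTP request
#
$tmp_log = "Received ";
foreach (array_keys($syncParams) as $param) {
    $value = getHttpVal($param, null);
    /* Absent and empty both count as missing. A plain "0" is a legitimate
     * counter value and must be accepted, hence no loose comparison here. */
    if ($value === null || $value === '') {
        $myLog->log(LOG_NOTICE, "Received request with parameter[s] missing");
        sendResp(S_MISSING_PARAMETER, $apiKey);
        exit;
    }
    $syncParams[$param] = $value;
    $tmp_log .= "$param=$value ";
}
$myLog->log(LOG_INFO, $tmp_log);

#
# At this point we have the OTP, so add it to the logging modules.
#
$myLog->addField('otp', $syncParams['otp']);
$sync->addField('otp', $syncParams['otp']);

#
# Verify correctness of input parameters
#
/* Counters and the timestamp must be plain non-negative decimal integers.
 * Anchor with \z rather than $, which would tolerate a trailing newline. */
foreach (array('modified', 'yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) {
    if (!preg_match('/^[0-9]+\z/', $syncParams[$param])) {
        $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');
        sendResp(S_MISSING_PARAMETER, $apiKey);
        exit;
    }
}
/* The string parameters are handed to the sync library (and from there to
 * the database) unchanged, so restrict them to the alphabets the protocol
 * uses: modhex for the key identity and the OTP, alphanumerics for the
 * nonce. The length bounds are deliberately generous; tighten them to match
 * the limits enforced by the verify endpoint if those are known. */
$stringParamPatterns = array('yk_publicname' => '/^[cbdefghijklnrtuv]{1,32}\z/',
                             'otp' => '/^[cbdefghijklnrtuv]{1,64}\z/',
                             'nonce' => '/^[A-Za-z0-9]{1,64}\z/');
foreach ($stringParamPatterns as $param => $pattern) {
    if (!preg_match($pattern, $syncParams[$param])) {
        $myLog->log(LOG_NOTICE, 'Input parameters ' . $param . ' not correct');
        sendResp(S_MISSING_PARAMETER, $apiKey);
        exit;
    }
}

#
# Get local counter data
#
$yk_publicname = $syncParams['yk_publicname'];
$localParams = $sync->getLocalParams($yk_publicname);
if (!$localParams) {
    $myLog->log(LOG_NOTICE, 'Invalid Yubikey ' . $yk_publicname);
    sendResp(S_BACKEND_ERROR, $apiKey);
    exit;
}
if ((int) $localParams['active'] !== 1) {
    $myLog->log(LOG_NOTICE, 'De-activated Yubikey ' . $yk_publicname);
    sendResp(S_BAD_OTP, $apiKey);
    exit;
}

/* Conditionally update the local database. $localParams keeps the snapshot
 * taken before this call; the comparisons and the response below all refer
 * to that pre-update state. */
$sync->updateDbCounters($syncParams);
$myLog->log(LOG_DEBUG, 'Local params ', $localParams);
$myLog->log(LOG_DEBUG, 'Sync request params ', $syncParams);

#
# Compare sync and local counters and generate warnings according to
#
# http://code.google.com/p/yubikey-val-server-php/wiki/ServerReplicationProtocol
#
if ($sync->countersHigherThan($localParams, $syncParams)) {
    $myLog->log(LOG_WARNING, 'Remote server out of sync.');
}

if ($sync->countersEqual($localParams, $syncParams)) {
    /* Compare as the types they represent: integers for the timestamp,
     * strings for the nonce. */
    $sameModified = (int) $syncParams['modified'] === (int) $localParams['modified'];
    $sameNonce = (string) $syncParams['nonce'] === (string) $localParams['nonce'];

    if ($sameModified && $sameNonce) {
        $myLog->log(LOG_NOTICE, 'Sync request unnecessarily sent');
    }
    if (!$sameModified && $sameNonce) {
        $deltaModified = (int) $syncParams['modified'] - (int) $localParams['modified'];
        $myLog->log(LOG_WARNING, 'We might have a replay. 2 events at different times have generated the same counters. The time difference is ' . $deltaModified . ' seconds');
    }
    if (!$sameNonce) {
        $myLog->log(LOG_WARNING, 'Remote server has received a request to validate an already validated OTP ');
    }
}

#
# Respond with the local (pre-update) counter state.
#
$extra = array('modified' => $localParams['modified'],
               'nonce' => $localParams['nonce'],
               'yk_publicname' => $yk_publicname,
               'yk_counter' => $localParams['yk_counter'],
               'yk_use' => $localParams['yk_use'],
               'yk_high' => $localParams['yk_high'],
               'yk_low' => $localParams['yk_low']);
sendResp(S_OK, $apiKey, $extra);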