2009-03-10 23:20:56 +01:00
|
|
|
<?php
|
|
|
|
require_once 'common.php';
|
2009-03-11 02:42:23 +01:00
|
|
|
require_once 'config.php';
|
2008-09-17 19:11:16 +02:00
|
|
|
|
2009-03-10 23:20:56 +01:00
|
|
|
header("content-type: text/plain");
|
2008-09-17 19:11:16 +02:00
|
|
|
|
2009-03-11 01:54:19 +01:00
|
|
|
debug("Request: " . $_SERVER['QUERY_STRING']);
|
2009-03-10 23:20:56 +01:00
|
|
|
|
2009-03-11 02:42:23 +01:00
|
|
|
$conn = mysql_connect($baseParams['__DB_HOST__'],
|
|
|
|
$baseParams['__DB_USER__'],
|
|
|
|
$baseParams['__DB_PW__'])
|
|
|
|
or die('Could not connect to database: ' . mysql_error());
|
|
|
|
mysql_select_db($baseParams['__DB_NAME__'], $conn)
|
|
|
|
or die('Could not select database');
|
|
|
|
|
2009-03-10 23:20:56 +01:00
|
|
|
//// Extract values from HTTP request
|
|
|
|
//
|
2009-03-18 15:39:32 +01:00
|
|
|
$h = getHttpVal('h', '');
|
|
|
|
|
2009-03-10 23:20:56 +01:00
|
|
|
$client = getHttpVal('id', 0);
|
|
|
|
if ($client <= 0) {
|
|
|
|
debug('Client ID is missing');
|
2009-03-11 01:54:19 +01:00
|
|
|
sendResp(S_MISSING_PARAMETER);
|
2009-03-10 23:20:56 +01:00
|
|
|
exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
$otp = getHttpVal('otp', '');
|
|
|
|
if ($otp == '') {
|
|
|
|
debug('OTP is missing');
|
2009-03-11 01:54:19 +01:00
|
|
|
sendResp(S_MISSING_PARAMETER);
|
2009-03-10 23:20:56 +01:00
|
|
|
exit;
|
|
|
|
}
|
|
|
|
$otp = strtolower($otp);
|
|
|
|
|
|
|
|
//// Get Client info from DB
|
|
|
|
//
|
2009-03-11 03:06:02 +01:00
|
|
|
$cd = getClientData($conn, $client);
|
2009-03-10 23:20:56 +01:00
|
|
|
if ($cd == null) {
|
|
|
|
debug('Invalid client id ' . $client);
|
2009-03-11 01:54:19 +01:00
|
|
|
sendResp(S_NO_SUCH_CLIENT);
|
2009-03-10 23:20:56 +01:00
|
|
|
exit;
|
|
|
|
}
|
|
|
|
debug($cd);
|
|
|
|
|
|
|
|
//// Check client signature
|
|
|
|
//
|
|
|
|
$apiKey = base64_decode($cd['secret']);
|
|
|
|
|
|
|
|
if ($cd['chk_sig'] && $h == '') {
|
|
|
|
debug('Signature missing');
|
2009-03-11 01:54:19 +01:00
|
|
|
sendResp(S_MISSING_PARAMETER);
|
2009-03-10 23:20:56 +01:00
|
|
|
exit;
|
|
|
|
} else if ($cd['chk_sig'] || $h != '') {
|
|
|
|
// Create the signature using the API key
|
|
|
|
$a = array ();
|
|
|
|
$a['id'] = $client;
|
|
|
|
$a['otp'] = $otp;
|
|
|
|
$hmac = sign($a, $apiKey);
|
|
|
|
|
|
|
|
// Compare it
|
|
|
|
if ($hmac != $h) {
|
|
|
|
debug('client hmac=' . $h . ', server hmac=' . $hmac);
|
2009-03-11 01:54:19 +01:00
|
|
|
sendResp(S_BAD_SIGNATURE);
|
2009-03-10 23:20:56 +01:00
|
|
|
exit;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-03-18 15:39:32 +01:00
|
|
|
//// Sanity check OTP
|
|
|
|
//
|
|
|
|
if (strlen($otp) <= TOKEN_LEN) {
|
|
|
|
debug('Too short OTP: ' . $otp);
|
|
|
|
sendResp(S_BAD_OTP);
|
|
|
|
exit;
|
|
|
|
}
|
|
|
|
|
2009-03-10 23:20:56 +01:00
|
|
|
//// Decode OTP from input
|
|
|
|
//
|
2009-03-11 02:42:23 +01:00
|
|
|
$otpinfo = decryptOTP($otp, $baseParams['__YKKMS_URL__']);
|
2009-03-11 01:19:59 +01:00
|
|
|
if (!is_array($otpinfo)) {
|
2009-03-11 02:37:07 +01:00
|
|
|
sendResp(S_BACKEND_ERROR);
|
2009-03-10 23:20:56 +01:00
|
|
|
exit;
|
|
|
|
}
|
2009-03-11 02:37:07 +01:00
|
|
|
debug($otpinfo);
|
2009-03-10 23:20:56 +01:00
|
|
|
|
2009-03-11 12:02:55 +01:00
|
|
|
//// Get Yubikey from DB
|
|
|
|
//
|
2009-03-18 12:00:48 +01:00
|
|
|
$devId = substr($otp, 0, strlen ($otp) - TOKEN_LEN);
|
2009-03-11 12:02:55 +01:00
|
|
|
$ad = getAuthData($conn, $devId);
|
|
|
|
if (!is_array($ad)) {
|
|
|
|
debug('Invalid Yubikey ' . $devId);
|
|
|
|
sendResp(S_BAD_OTP);
|
|
|
|
exit;
|
|
|
|
}
|
|
|
|
debug($ad);
|
|
|
|
|
2009-03-10 23:20:56 +01:00
|
|
|
//// Check the session counter
|
|
|
|
//
|
2009-03-11 01:19:59 +01:00
|
|
|
$sessionCounter = $otpinfo["session_counter"]; // From the req
|
2009-03-10 23:20:56 +01:00
|
|
|
$seenSessionCounter = $ad['counter']; // From DB
|
2009-03-11 01:19:59 +01:00
|
|
|
if ($sessionCounter < $seenSessionCounter) {
|
|
|
|
debug("Replay, session counter, seen=" . $seenSessionCounter .
|
|
|
|
" this=" . $sessionCounter);
|
2009-03-10 23:20:56 +01:00
|
|
|
sendResp(S_REPLAYED_OTP);
|
|
|
|
exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
//// Check the session use
|
|
|
|
//
|
2009-03-11 01:19:59 +01:00
|
|
|
$sessionUse = $otpinfo["session_use"]; // From the req
|
2009-03-10 23:20:56 +01:00
|
|
|
$seenSessionUse = $ad['sessionUse']; // From DB
|
2009-03-11 01:19:59 +01:00
|
|
|
if ($sessionCounter == $seenSessionCounter && $sessionUse <= $seenSessionUse) {
|
|
|
|
debug("Replay, session use, seen=" . $seenSessionUse .
|
|
|
|
' this=' . $sessionUse);
|
2009-03-10 23:20:56 +01:00
|
|
|
sendResp(S_REPLAYED_OTP);
|
|
|
|
exit;
|
|
|
|
}
|
|
|
|
|
2009-03-11 01:54:19 +01:00
|
|
|
//// Valid OTP, update database
|
|
|
|
//
|
|
|
|
$stmt = 'UPDATE yubikeys SET accessed=NOW()' .
|
|
|
|
', counter=' .$otpinfo['session_counter'] .
|
|
|
|
', sessionUse=' . $otpinfo['session_use'] .
|
|
|
|
', low=' . $otpinfo['low'] .
|
|
|
|
', high=' . $otpinfo['high'] .
|
|
|
|
' WHERE id=' . $ad['id'];
|
2009-03-11 03:06:02 +01:00
|
|
|
query($conn, $stmt);
|
2009-03-10 23:20:56 +01:00
|
|
|
|
2009-03-11 01:19:59 +01:00
|
|
|
//// Check the time stamp
|
2009-03-10 23:20:56 +01:00
|
|
|
//
|
2009-03-11 01:19:59 +01:00
|
|
|
if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
|
2009-03-11 02:37:07 +01:00
|
|
|
$ts = ($otpinfo['high'] << 16) + $otpinfo['low'];
|
2009-03-11 01:19:59 +01:00
|
|
|
$seenTs = ($ad['high'] << 16) + $ad['low'];
|
|
|
|
$tsDiff = $ts - $seenTs;
|
|
|
|
$tsDelta = $tsDiff * TS_SEC;
|
|
|
|
|
|
|
|
//// Check the real time
|
|
|
|
//
|
|
|
|
$lastTime = strtotime($ad['accessed']);
|
|
|
|
$now = time();
|
|
|
|
$elapsed = $now - $lastTime;
|
|
|
|
$deviation = abs($elapsed - $tsDelta);
|
2009-03-11 01:26:57 +01:00
|
|
|
$percent = $deviation/$elapsed;
|
2009-03-11 01:19:59 +01:00
|
|
|
debug("Timestamp seen=" . $seenTs . " this=" . $ts .
|
|
|
|
" delta=" . $tsDiff . ' secs=' . $tsDelta .
|
|
|
|
' accessed=' . $lastTime .' (' . $ad['accessed'] . ') now='
|
|
|
|
. $now . ' (' . strftime("%Y-%m-%d %H:%M:%S", $now)
|
|
|
|
. ') elapsed=' . $elapsed .
|
|
|
|
' deviation=' . $deviation . ' secs or '.
|
2009-03-11 01:26:57 +01:00
|
|
|
round(100*$percent) . '%');
|
|
|
|
if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {
|
2009-03-11 01:19:59 +01:00
|
|
|
debug("OTP failed phishing test");
|
2009-03-18 12:18:10 +01:00
|
|
|
if ($cd['chk_time']) {
|
2009-03-11 01:19:59 +01:00
|
|
|
sendResp(S_DELAYED_OTP);
|
|
|
|
exit;
|
|
|
|
}
|
|
|
|
}
|
2009-03-10 23:20:56 +01:00
|
|
|
}
|
|
|
|
|
2009-03-11 01:19:59 +01:00
|
|
|
sendResp(S_OK);
|
|
|
|
|
2009-03-10 23:20:56 +01:00
|
|
|
//////////////////////////
|
|
|
|
// Functions
|
|
|
|
//////////////////////////
|
|
|
|
|
2009-03-11 01:54:19 +01:00
|
|
|
function sendResp($status) {
|
|
|
|
global $apiKey;
|
2009-03-10 23:20:56 +01:00
|
|
|
|
|
|
|
if ($status == null) {
|
|
|
|
$status = S_BACKEND_ERROR;
|
|
|
|
}
|
|
|
|
|
|
|
|
$a['status'] = $status;
|
|
|
|
$a['t'] = getUTCTimeStamp();
|
|
|
|
$h = sign($a, $apiKey);
|
|
|
|
|
|
|
|
echo "h=" . $h . "\r\n";
|
|
|
|
echo "t=" . ($a['t']) . "\r\n";
|
|
|
|
echo "status=" . ($a['status']) . "\r\n";
|
|
|
|
echo "\r\n";
|
|
|
|
|
|
|
|
} // End sendResp
|
2008-09-17 19:11:16 +02:00
|
|
|
?>
|