1
0
mirror of https://github.com/Yubico/yubikey-val.git synced 2024-12-01 15:24:16 +01:00
yubikey-val/ykval-verify.php

244 lines
6.3 KiB
PHP
Raw Normal View History

2009-03-10 23:20:56 +01:00
<?php
2009-05-04 16:41:18 +02:00
require_once 'ykval-common.php';
require_once 'ykval-config.php';
require_once 'ykval-synclib.php';
2008-09-17 19:11:16 +02:00
2009-05-06 17:07:05 +02:00
$apiKey = '';
2009-03-10 23:20:56 +01:00
header("content-type: text/plain");
2008-09-17 19:11:16 +02:00
2009-03-11 01:54:19 +01:00
debug("Request: " . $_SERVER['QUERY_STRING']);
2009-03-10 23:20:56 +01:00
$conn = mysql_connect($baseParams['__YKVAL_DB_HOST__'],
$baseParams['__YKVAL_DB_USER__'],
$baseParams['__YKVAL_DB_PW__']);
2009-05-06 16:23:04 +02:00
if (!$conn) {
2009-05-06 17:07:05 +02:00
sendResp(S_BACKEND_ERROR, $apiKey);
2009-05-06 16:23:04 +02:00
exit;
}
if (!mysql_select_db($baseParams['__YKVAL_DB_NAME__'], $conn)) {
2009-05-06 17:07:05 +02:00
sendResp(S_BACKEND_ERROR, $apiKey);
2009-05-06 16:23:04 +02:00
exit;
}
2009-03-11 02:42:23 +01:00
2009-03-10 23:20:56 +01:00
//// Extract values from HTTP request
//
$h = getHttpVal('h', '');
2009-03-10 23:20:56 +01:00
$client = getHttpVal('id', 0);
$otp = getHttpVal('otp', '');
$otp = strtolower($otp);
$timestamp = getHttpVal('timestamp', 0);
2009-03-10 23:20:56 +01:00
//// Get Client info from DB
//
2009-05-06 17:07:05 +02:00
if ($client <= 0) {
debug('Client ID is missing');
sendResp(S_MISSING_PARAMETER, $apiKey);
exit;
}
2009-03-11 03:06:02 +01:00
$cd = getClientData($conn, $client);
2009-03-10 23:20:56 +01:00
if ($cd == null) {
2009-05-06 17:07:05 +02:00
debug('Invalid client id ' . $client);
sendResp(S_NO_SUCH_CLIENT);
exit;
2009-03-10 23:20:56 +01:00
}
debug("Client data:", $cd);
2009-03-10 23:20:56 +01:00
//// Check client signature
//
$apiKey = base64_decode($cd['secret']);
2009-03-18 16:05:59 +01:00
if ($h != '') {
2009-05-06 17:07:05 +02:00
// Create the signature using the API key
$a = array ();
$a['id'] = $client;
$a['otp'] = $otp;
// include timestamp in signature if it exists
if ($timestamp) $a['timestamp'] = $timestamp;
2009-05-06 17:07:05 +02:00
$hmac = sign($a, $apiKey);
// Compare it
if ($hmac != $h) {
debug('client hmac=' . $h . ', server hmac=' . $hmac);
sendResp(S_BAD_SIGNATURE, $apiKey);
exit;
}
2009-03-10 23:20:56 +01:00
}
//// Sanity check OTP
//
2009-05-06 17:07:05 +02:00
if ($otp == '') {
debug('OTP is missing');
sendResp(S_MISSING_PARAMETER, $apiKey);
exit;
}
if (strlen($otp) <= TOKEN_LEN) {
debug('Too short OTP: ' . $otp);
2009-05-06 17:07:05 +02:00
sendResp(S_BAD_OTP, $apiKey);
exit;
}
//// Which YK-KSM should we talk to?
//
$urls = otp2ksmurls ($otp, $client);
if (!is_array($urls)) {
2009-05-06 17:07:05 +02:00
sendResp(S_BACKEND_ERROR, $apiKey);
exit;
}
2009-03-10 23:20:56 +01:00
//// Decode OTP from input
//
$otpinfo = KSMdecryptOTP($urls);
2009-03-11 01:19:59 +01:00
if (!is_array($otpinfo)) {
2009-05-06 17:07:05 +02:00
sendResp(S_BAD_OTP, $apiKey);
exit;
2009-03-10 23:20:56 +01:00
}
debug("Decrypted OTP:", $otpinfo);
2009-03-10 23:20:56 +01:00
2009-03-11 12:02:55 +01:00
//// Get Yubikey from DB
//
2009-03-18 12:00:48 +01:00
$devId = substr($otp, 0, strlen ($otp) - TOKEN_LEN);
2009-03-11 12:02:55 +01:00
$ad = getAuthData($conn, $devId);
if (!is_array($ad)) {
2009-05-06 17:07:05 +02:00
debug('Discovered Yubikey ' . $devId);
addNewKey($conn, $devId);
$ad = getAuthData($conn, $devId);
if (!is_array($ad)) {
debug('Invalid Yubikey ' . $devId);
sendResp(S_BACKEND_ERROR, $apiKey);
exit;
}
2009-03-11 12:02:55 +01:00
}
debug("Auth data:", $ad);
if ($ad['active'] != 1) {
2009-05-06 17:07:05 +02:00
debug('De-activated Yubikey ' . $devId);
sendResp(S_BAD_OTP, $apiKey);
exit;
}
2009-03-11 12:02:55 +01:00
2009-03-10 23:20:56 +01:00
//// Check the session counter
//
2009-03-11 01:19:59 +01:00
$sessionCounter = $otpinfo["session_counter"]; // From the req
2009-03-10 23:20:56 +01:00
$seenSessionCounter = $ad['counter']; // From DB
2009-03-11 01:19:59 +01:00
if ($sessionCounter < $seenSessionCounter) {
2009-05-06 17:07:05 +02:00
debug("Replay, session counter, seen=" . $seenSessionCounter .
" this=" . $sessionCounter);
sendResp(S_REPLAYED_OTP, $apiKey);
exit;
2009-03-10 23:20:56 +01:00
}
//// Check the session use
//
2009-03-11 01:19:59 +01:00
$sessionUse = $otpinfo["session_use"]; // From the req
2009-03-10 23:20:56 +01:00
$seenSessionUse = $ad['sessionUse']; // From DB
2009-03-11 01:19:59 +01:00
if ($sessionCounter == $seenSessionCounter && $sessionUse <= $seenSessionUse) {
2009-05-06 17:07:05 +02:00
debug("Replay, session use, seen=" . $seenSessionUse .
' this=' . $sessionUse);
sendResp(S_REPLAYED_OTP, $apiKey);
exit;
2009-03-10 23:20:56 +01:00
}
2009-03-11 01:54:19 +01:00
//// Valid OTP, update database
//
$stmt = 'UPDATE yubikeys SET accessed=NOW()' .
', counter=' .$otpinfo['session_counter'] .
', sessionUse=' . $otpinfo['session_use'] .
', low=' . $otpinfo['low'] .
', high=' . $otpinfo['high'] .
' WHERE id=' . $ad['id'];
$r=query($conn, $stmt);
$stmt = 'SELECT accessed FROM yubikeys WHERE id=' . $ad['id'];
$r=query($conn, $stmt);
if (mysql_num_rows($r) > 0) {
$row = mysql_fetch_assoc($r);
mysql_free_result($r);
$modified=DbTimeToUnix($row['accessed']);
}
else {
$modified=0;
}
//// Queue sync requests
$sl = new SyncLib();
// We need the modifed value from the DB
$stmp = 'SELECT accessed FROM yubikeys WHERE id=' . $ad['id'];
2009-03-11 03:06:02 +01:00
query($conn, $stmt);
$sl->queue($modified,
$otp,
$devId,
$otpinfo['session_counter'],
$otpinfo['session_use'],
$otpinfo['high'],
$otpinfo['low']);
$required_answers=$sl->getNumberOfServers();
$syncres=$sl->sync($required_answers);
$answers=$sl->getNumberOfAnswers();
$valid_answers=$sl->getNumberOfValidAnswers();
debug("ykval-verify:notice:number of servers=" . $required_answers);
debug("ykval-verify:notice:number of answers=" . $answers);
debug("ykval-verify:notice:number of valid answers=" . $valid_answers);
if($syncres==False) {
# sync returned false, indicating that
# either at least 1 answer marked OTP as invalid or
# there were not enough answers
debug("ykval-verify:notice:Sync failed");
if ($valid_answers!=$answers) {
sendResp(S_REPLAYED_OTP, $apiKey);
exit;
} else {
sendResp(S_NOT_ENOUGH_ANSWERS, $apiKey);
exit;
}
}
2009-03-10 23:20:56 +01:00
2009-03-11 01:19:59 +01:00
//// Check the time stamp
2009-03-10 23:20:56 +01:00
//
2009-03-11 01:19:59 +01:00
if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
$ts = ($otpinfo['high'] << 16) + $otpinfo['low'];
2009-03-11 01:19:59 +01:00
$seenTs = ($ad['high'] << 16) + $ad['low'];
$tsDiff = $ts - $seenTs;
$tsDelta = $tsDiff * TS_SEC;
//// Check the real time
//
$lastTime = strtotime($ad['accessed']);
$now = time();
$elapsed = $now - $lastTime;
$deviation = abs($elapsed - $tsDelta);
// Time delta server might verify multiple OTPS in a row. In such case validation server doesn't
// have time to tick a whole second and we need to avoid division by zero.
if ($elapsed != 0) {
$percent = $deviation/$elapsed;
} else {
$percent = 1;
}
2009-03-11 01:19:59 +01:00
debug("Timestamp seen=" . $seenTs . " this=" . $ts .
" delta=" . $tsDiff . ' secs=' . $tsDelta .
' accessed=' . $lastTime .' (' . $ad['accessed'] . ') now='
. $now . ' (' . strftime("%Y-%m-%d %H:%M:%S", $now)
. ') elapsed=' . $elapsed .
' deviation=' . $deviation . ' secs or '.
round(100*$percent) . '%');
if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {
2009-03-11 01:19:59 +01:00
debug("OTP failed phishing test");
2009-05-06 15:20:40 +02:00
if (0) {
2009-05-06 17:07:05 +02:00
sendResp(S_DELAYED_OTP, $apiKey);
2009-03-11 01:19:59 +01:00
exit;
}
}
2009-03-10 23:20:56 +01:00
}
if ($timestamp==1){
$extra['timestamp'] = ($otpinfo['high'] << 16) + $otpinfo['low'];
$extra['sessioncounter'] = $sessionCounter;
$extra['sessionuse'] = $sessionUse;
sendResp(S_OK, $apiKey, $extra);
} else {
sendResp(S_OK, $apiKey);
}
2008-09-17 19:11:16 +02:00
?>