yubikey-val/verify.php

<?php
require_once 'common.php';

header("content-type: text/plain");

if (!isset ($trace)) {
	$trace = 0;
}

//// Extract values from HTTP request
//
$client = getHttpVal('id', 0);
if ($client <= 0) {
	debug('Client ID is missing');
	sendResp(S_MISSING_PARAMETER, 'id');
	exit;
}

$otp = getHttpVal('otp', '');
if ($otp == '') {
	debug('OTP is missing');
	sendResp(S_MISSING_PARAMETER, 'otp');
	exit;
}
$otp = strtolower($otp);

//// Get Client info from DB
//
$cd = getClientData($client);
if ($cd == null) {
	debug('Invalid client id ' . $client);
	sendResp(S_NO_SUCH_CLIENT, $client);
	exit;
}
debug($cd);

//// Check client signature
//
$apiKey = base64_decode($cd['secret']);
$h = getHttpVal('h', '');

if ($cd['chk_sig'] && $h == '') {
	sendResp(S_MISSING_PARAMETER, 'h');
	debug('Signature missing');
	exit;
} else if ($cd['chk_sig'] || $h != '') {
	// Create the signature using the API key
	$a = array ();
	$a['id'] = $client;
	$a['otp'] = $otp;
	$hmac = sign($a, $apiKey);

	// Compare it
	if ($hmac != $h) {
		sendResp(S_BAD_SIGNATURE);
		debug('client hmac=' . $h . ', server hmac=' . $hmac);
		exit;
	}
	debug('signature ok h=' . $h);
}

//// Get Yubikey from DB
//
$devId = substr($otp, 0, 12);
$ad = getAuthData($devId);

if ($ad == null) {
	debug('Invalid Yubikey ' . $devId);
	sendResp(S_BAD_OTP, $otp);
	exit;
} else {
	debug($ad);
}

$k = b64ToModhex($ad['secret']);
//debug('aes key in modhex = '.$k);
$key16 = ModHex :: Decode($k);
//debug('aes key in hex = ['.$key16.'], length = '.strlen($key16));

//// Decode OTP from input
//
debug('OTP validation req:');
$otpinfo = Yubikey :: Decode($otp, $key16);
debug($otpinfo);
if (!is_array($otpinfo)) {
	sendResp(S_BAD_OTP, $otp);
	exit;
}

//// Check the session counter
//
$sessionCounter = $otpinfo["session_counter"]; // From the req
$seenSessionCounter = $ad['counter']; // From DB
if ($sessionCounter < $seenSessionCounter) {
	debug("Replay, session counter, seen=" . $seenSessionCounter .
	      " this=" . $sessionCounter);
	sendResp(S_REPLAYED_OTP);
	exit;
} else {
	debug("Session counter OK, seen=" . $seenSessionCounter .
	      " this=" . $sessionCounter);
}

//// Check the session use
//
$sessionUse = $otpinfo["session_use"]; // From the req
$seenSessionUse = $ad['sessionUse']; // From DB
if ($sessionCounter == $seenSessionCounter && $sessionUse <= $seenSessionUse) {
	debug("Replay, session use, seen=" . $seenSessionUse .
	      ' this=' . $sessionUse);
	sendResp(S_REPLAYED_OTP);
	exit;
} else {
	debug("Session use OK, seen=" . $seenSessionUse .
	      ' this=' . $sessionUse);
}

updateDB($ad['id'], $otpinfo['session_counter'], $otpinfo['session_use'],
	 $otpinfo['high'], $otpinfo['low']);

//// Check the time stamp
//
if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
  $ts = $otpinfo['timestamp'];
  $seenTs = ($ad['high'] << 16) + $ad['low'];
  $tsDiff = $ts - $seenTs;
  $tsDelta = $tsDiff * TS_SEC;

  //// Check the real time
  //
  $lastTime = strtotime($ad['accessed']);
  $now = time();
  $elapsed = $now - $lastTime;
  $deviation = abs($elapsed - $tsDelta);
  $percent = $deviation/$elapsed;
  debug("Timestamp seen=" . $seenTs . " this=" . $ts .
	" delta=" . $tsDiff . ' secs=' . $tsDelta .
	' accessed=' . $lastTime .' (' . $ad['accessed'] . ') now='
	. $now . ' (' . strftime("%Y-%m-%d %H:%M:%S", $now)
	. ') elapsed=' . $elapsed .
	' deviation=' . $deviation . ' secs or '.
	round(100*$percent) . '%');
  if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {
    debug("OTP failed phishing test");
    if ($ad['chk_time']) {
      sendResp(S_DELAYED_OTP);
      exit;
    }
  }
}

sendResp(S_OK);

//////////////////////////
// 		Functions
//////////////////////////

function sendResp($status, $info = null) {
	global $ad, $apiKey;

	if ($status == null) {
		$status = S_BACKEND_ERROR;
	}

	$a['status'] = $status;
	#$a['info'] = $info;
	$a['t'] = getUTCTimeStamp();
	$h = sign($a, $apiKey);

	echo "h=" . $h . "\r\n";
	echo "t=" . ($a['t']) . "\r\n";
	echo "status=" . ($a['status']) . "\r\n";
	if ($a['info'] != null) {
		echo "info=" . ($a['info']) . "\r\n";
	}
	echo "\r\n";

} // End sendResp

function updateDB($id, $session_counter, $session_use, $ts_high, $ts_low) {
  $stmt = 'UPDATE yubikeys SET ' .
    'accessed=NOW(),' .
    'counter=' . $session_counter . ',' .
    'sessionUse=' . $session_use . ',' .
    'low=' . $ts_low . ',' .
    'high=' . $ts_high .
    ' WHERE id=' . $id;
  query($stmt);
}
?>
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`<?php`
			`require_once 'common.php';`
Init, experiment 2008-09-17 17:11:16 +00:00
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`header("content-type: text/plain");`
Init, experiment 2008-09-17 17:11:16 +00:00
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`if (!isset ($trace)) {`
			`$trace = 0;`
			`}`

			`//// Extract values from HTTP request`
			`//`
			`$client = getHttpVal('id', 0);`
			`if ($client <= 0) {`
			`debug('Client ID is missing');`
			`sendResp(S_MISSING_PARAMETER, 'id');`
			`exit;`
			`}`

			`$otp = getHttpVal('otp', '');`
			`if ($otp == '') {`
			`debug('OTP is missing');`
			`sendResp(S_MISSING_PARAMETER, 'otp');`
			`exit;`
			`}`
			`$otp = strtolower($otp);`

			`//// Get Client info from DB`
			`//`
			`$cd = getClientData($client);`
			`if ($cd == null) {`
			`debug('Invalid client id ' . $client);`
			`sendResp(S_NO_SUCH_CLIENT, $client);`
			`exit;`
			`}`
			`debug($cd);`

			`//// Check client signature`
			`//`
			`$apiKey = base64_decode($cd['secret']);`
			`$h = getHttpVal('h', '');`

			`if ($cd['chk_sig'] && $h == '') {`
			`sendResp(S_MISSING_PARAMETER, 'h');`
			`debug('Signature missing');`
			`exit;`
			`} else if ($cd['chk_sig'] \|\| $h != '') {`
			`// Create the signature using the API key`
			`$a = array ();`
			`$a['id'] = $client;`
			`$a['otp'] = $otp;`
			`$hmac = sign($a, $apiKey);`

			`// Compare it`
			`if ($hmac != $h) {`
			`sendResp(S_BAD_SIGNATURE);`
			`debug('client hmac=' . $h . ', server hmac=' . $hmac);`
			`exit;`
			`}`
			`debug('signature ok h=' . $h);`
			`}`

			`//// Get Yubikey from DB`
			`//`
			`$devId = substr($otp, 0, 12);`
			`$ad = getAuthData($devId);`

			`if ($ad == null) {`
			`debug('Invalid Yubikey ' . $devId);`
			`sendResp(S_BAD_OTP, $otp);`
			`exit;`
			`} else {`
			`debug($ad);`
			`}`

			`$k = b64ToModhex($ad['secret']);`
			`//debug('aes key in modhex = '.$k);`
			`$key16 = ModHex :: Decode($k);`
			`//debug('aes key in hex = ['.$key16.'], length = '.strlen($key16));`

			`//// Decode OTP from input`
			`//`
			`debug('OTP validation req:');`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`$otpinfo = Yubikey :: Decode($otp, $key16);`
			`debug($otpinfo);`
			`if (!is_array($otpinfo)) {`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`sendResp(S_BAD_OTP, $otp);`
			`exit;`
			`}`

			`//// Check the session counter`
			`//`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`$sessionCounter = $otpinfo["session_counter"]; // From the req`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`$seenSessionCounter = $ad['counter']; // From DB`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`if ($sessionCounter < $seenSessionCounter) {`
			`debug("Replay, session counter, seen=" . $seenSessionCounter .`
			`" this=" . $sessionCounter);`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`sendResp(S_REPLAYED_OTP);`
			`exit;`
			`} else {`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`debug("Session counter OK, seen=" . $seenSessionCounter .`
			`" this=" . $sessionCounter);`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`}`

			`//// Check the session use`
			`//`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`$sessionUse = $otpinfo["session_use"]; // From the req`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`$seenSessionUse = $ad['sessionUse']; // From DB`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`if ($sessionCounter == $seenSessionCounter && $sessionUse <= $seenSessionUse) {`
			`debug("Replay, session use, seen=" . $seenSessionUse .`
			`' this=' . $sessionUse);`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`sendResp(S_REPLAYED_OTP);`
			`exit;`
			`} else {`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`debug("Session use OK, seen=" . $seenSessionUse .`
			`' this=' . $sessionUse);`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`}`

Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`updateDB($ad['id'], $otpinfo['session_counter'], $otpinfo['session_use'],`
			`$otpinfo['high'], $otpinfo['low']);`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`//// Check the time stamp`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`//`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {`
			`$ts = $otpinfo['timestamp'];`
			`$seenTs = ($ad['high'] << 16) + $ad['low'];`
			`$tsDiff = $ts - $seenTs;`
			`$tsDelta = $tsDiff * TS_SEC;`

			`//// Check the real time`
			`//`
			`$lastTime = strtotime($ad['accessed']);`
			`$now = time();`
			`$elapsed = $now - $lastTime;`
			`$deviation = abs($elapsed - $tsDelta);`
Use absolute timestamp tolerance as well. 2009-03-11 00:26:57 +00:00			`$percent = $deviation/$elapsed;`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`debug("Timestamp seen=" . $seenTs . " this=" . $ts .`
			`" delta=" . $tsDiff . ' secs=' . $tsDelta .`
			`' accessed=' . $lastTime .' (' . $ad['accessed'] . ') now='`
			`. $now . ' (' . strftime("%Y-%m-%d %H:%M:%S", $now)`
			`. ') elapsed=' . $elapsed .`
			`' deviation=' . $deviation . ' secs or '.`
Use absolute timestamp tolerance as well. 2009-03-11 00:26:57 +00:00			`round(100*$percent) . '%');`
			`if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {`
Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`debug("OTP failed phishing test");`
			`if ($ad['chk_time']) {`
			`sendResp(S_DELAYED_OTP);`
			`exit;`
			`}`
			`}`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`}`

Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`sendResp(S_OK);`

Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`//////////////////////////`
			`// Functions`
			`//////////////////////////`

			`function sendResp($status, $info = null) {`
			`global $ad, $apiKey;`

			`if ($status == null) {`
			`$status = S_BACKEND_ERROR;`
			`}`

			`$a['status'] = $status;`
			`#$a['info'] = $info;`
			`$a['t'] = getUTCTimeStamp();`
			`$h = sign($a, $apiKey);`

			`echo "h=" . $h . "\r\n";`
			`echo "t=" . ($a['t']) . "\r\n";`
			`echo "status=" . ($a['status']) . "\r\n";`
			`if ($a['info'] != null) {`
			`echo "info=" . ($a['info']) . "\r\n";`
			`}`
			`echo "\r\n";`

			`} // End sendResp`

Improve checking of OTPs. 2009-03-11 00:19:59 +00:00			`function updateDB($id, $session_counter, $session_use, $ts_high, $ts_low) {`
			`$stmt = 'UPDATE yubikeys SET ' .`
			`'accessed=NOW(),' .`
			`'counter=' . $session_counter . ',' .`
			`'sessionUse=' . $session_use . ',' .`
			`'low=' . $ts_low . ',' .`
			`'high=' . $ts_high .`
			`' WHERE id=' . $id;`
			`query($stmt);`
Move verifyOTP.php to verify.php. 2009-03-10 22:20:56 +00:00			`}`
Init, experiment 2008-09-17 17:11:16 +00:00			`?>`